This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Trace entries with protocol/type 0xa168

Time            Source                Destination           No.    Protocol Length Info
11:50:37.416666 TZ-210W-ROUTER-X0     Broadcast                    0xa168   42     PRI: 0  CFI: 0  ID: 200

Frame 53: 42 bytes on wire (336 bits), 42 bytes captured (336 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Aug 23, 2014 11:50:37.416666000 Central Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1408812637.416666000 seconds
    [Time delta from previous captured frame: 0.100000000 seconds]
    [Time delta from previous displayed frame: 0.100000000 seconds]
    [Time since reference or first frame: 4.116666000 seconds]
    Frame Number: 53
    Frame Length: 42 bytes (336 bits)
    Capture Length: 42 bytes (336 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:vlan:ethertype:data]
    [Coloring Rule Name: Broadcast]
    [Coloring Rule String: eth[0] & 1]
Ethernet II, Src: TZ-210W-ROUTER-X0 (00:17:c5:42:be:5c), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: TZ-210W-ROUTER-X0 (00:17:c5:42:be:5c)
        Address: TZ-210W-ROUTER-X0 (00:17:c5:42:be:5c)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 200
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = CFI: Canonical (0)
    .... 0000 1100 1000 = ID: 200
    Type: Unknown (0xa168)
Data (24 bytes)
    Data: 25010018000000012af0ecc3a7e8df789603113dc54756a6
    [Length: 24]

0000  ff ff ff ff ff ff 00 17 c5 42 be 5c 81 00 00 c8   .........B.\....
0010  a1 68 25 01 00 18 00 00 00 01 2a f0 ec c3 a7 e8   .h%.......*.....
0020  df 78 96 03 11 3d c5 47 56 a6                     .x...=.GV.

Time            Source                Destination           No.    Protocol Length Info
11:50:37.416666 TZ-210W-ROUTER-X3     Broadcast                    0xa168   38     Ethernet II

Frame 54: 38 bytes on wire (304 bits), 38 bytes captured (304 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Aug 23, 2014 11:50:37.416666000 Central Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1408812637.416666000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 4.116666000 seconds]
    Frame Number: 54
    Frame Length: 38 bytes (304 bits)
    Capture Length: 38 bytes (304 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:data]
    [Coloring Rule Name: Broadcast]
    [Coloring Rule String: eth[0] & 1]
Ethernet II, Src: TZ-210W-ROUTER-X3 (00:17:c5:42:be:5f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: TZ-210W-ROUTER-X3 (00:17:c5:42:be:5f)
        Address: TZ-210W-ROUTER-X3 (00:17:c5:42:be:5f)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: Unknown (0xa168)
Data (24 bytes)
    Data: 25010018000000012af0ecc3a7e8df789603113dc54756a6
    [Length: 24]

0000  ff ff ff ff ff ff 00 17 c5 42 be 5f a1 68 25 01   .........B._.h%.
0010  00 18 00 00 00 01 2a f0 ec c3 a7 e8 df 78 96 03   ......*......x..
0020  11 3d c5 47 56 a6                                 .=.GV.

Does anyone know what these are?

asked 23 Aug ‘14, 10:39

proj964

edited 25 Aug ‘14, 07:44

This looks a bit strange - I can see neither the MAC addresses nor the ether type 0xa168 you mention in the hex dump lines. Did you edit the output?

(25 Aug ‘14, 01:51) Jasper ♦♦

Hi. I didn’t edit the output…just didn’t get it all. I have replaced the original trace entry with two different consecutive samples that show all of the data (I hope).

(25 Aug ‘14, 07:45) proj964


One Answer:

The source MAC is apparently a Dell SonicWall TZ-210W (interface X0 and X3). As the frame destination is the broadcast address, this could be part of a proprietary SonicWall protocol, maybe part of the HA cluster protocol (if there is a cluster configured) or something similar. If you want to know for sure, please contact the Dell SonicWall support and ask them for an explanation. Please don't forget to add a comment here as well, for the benefit of other site users ;-))

Regards
Kurt

answered 25 Aug '14, 15:21

Kurt Knochner ♦

From Sonicwall Tech Support: I just wanted to inform about Ether type 0xa168, it is SDP (Sonicpoint Discovery Protocol) which is a SonicWALL proprietary protocol and is used to Discover Sonicpoint APs on the network.

(29 Aug '14, 12:20) proj964
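
An added example, not part of the original thread: a small Python parser that looks through the optional 802.1Q tag to find the real EtherType, then groups frames by payload to show that frames 53 and 54 are the same 0xa168 broadcast sent out of two interfaces. The frame bytes are copied from the hex dumps in the question, the SDP label comes from the support reply above, and the function names are this example's own.

```python
import struct
from collections import defaultdict

ETH_P_8021Q = 0x8100
# Label comes from the SonicWall support reply quoted in the thread.
KNOWN_ETHERTYPES = {0xA168: "SonicPoint Discovery Protocol (SDP)"}

# Frames 53 and 54, taken from the hex dumps in the question.
FRAME_53 = bytes.fromhex(
    "ffffffffffff0017c542be5c810000c8"
    "a16825010018000000012af0ecc3a7e8"
    "df789603113dc54756a6")
FRAME_54 = bytes.fromhex(
    "ffffffffffff0017c542be5fa1682501"
    "0018000000012af0ecc3a7e8df789603"
    "113dc54756a6")


def parse_ethernet(frame):
    """Split an Ethernet II frame, looking through one 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    vlan_id, offset = None, 14
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id, offset = tci & 0x0FFF, 18  # VLAN ID is the low 12 bits of the TCI
    return {
        "src": frame[6:12].hex(":"),
        "dst": frame[0:6].hex(":"),
        "vlan": vlan_id,
        "ethertype": ethertype,
        "protocol": KNOWN_ETHERTYPES.get(ethertype, "unknown"),
        "payload": frame[offset:],
    }


def group_by_payload(frames):
    """Map (ethertype, payload) -> [(source MAC, VLAN ID)] for each sender."""
    groups = defaultdict(list)
    for frame in frames:
        p = parse_ethernet(frame)
        groups[(p["ethertype"], p["payload"])].append((p["src"], p["vlan"]))
    return dict(groups)


if __name__ == "__main__":
    for (etype, payload), senders in group_by_payload([FRAME_53, FRAME_54]).items():
        print(hex(etype), KNOWN_ETHERTYPES.get(etype, "unknown"), payload.hex(), senders)
```

In Wireshark itself, the untagged frames match the display filter eth.type == 0xa168 and the VLAN-tagged ones match vlan.etype == 0xa168.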