I'm trying to solidify some things in my head.
Wikipedia indicates that a SNAP extension is in use if the DSAP and SSAP values in the IEEE 802.3 header are 0xAA or 0xAB. The Network Sorcery page indicates that only 0xAA indicates a SNAP extension, and this seems to be confirmed by Wireshark 2.4.2. If either of the DSAP/SSAP values are 0xAB, Wireshark does not process the upper layer as the specified protocol (e.g., CDP, PAgP, etc.), but instead treats it as a data block.
Assuming that the DSAP and SSAP values are both 0xAA (indicating the SNAP extension is in use), if the Control field in the IEEE 802.3 LLC header is anything other than 0x03, Wireshark breaks out the LLC/SNAP header correctly, but it treats the upper layer as a data block, not the specified protocol.
- For LLC/SNAP, is it required for the SAPs to be 0xAA or can either/both be 0xAB? Perhaps this was once the case and is no longer used in practice?
- Is it required for the Control field to be 0x03, or can it be and 1/2-byte variety? Perhaps this was once the case and is no long used in practice?
