Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Wireshark sees Ethernet LLC, but packet is probably Ethernet raw

Hello,

I'm working with some packet traces that appear to have 802.3 raw Ethernet. In other words, after the destination and source MAC addresses, instead of an Ethertype like 0x0800, I see a length field, and then content, e.g.

Frame 3: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Encapsulation type: Ethernet (1)
Arrival Time: May  7, 2019 18:19:10.073296000 UTC
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1557253150.073296000 seconds
[Time delta from previous captured frame: 0.000003000 seconds]
[Time delta from previous displayed frame: 0.000003000 seconds]
[Time since reference or first frame: 0.000024000 seconds]
Frame Number: 3
Frame Length: 66 bytes (528 bits)
Capture Length: 66 bytes (528 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:llc:data]

IEEE 802.3 Ethernet Destination: fc:ec:da:49:e0:10 Address: fc:ec:da:49:e0:10 .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: 38:ba:f8:12:7d:bb Address: 38:ba:f8:12:7d:bb .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Length: 56 [Expert Info (Error/Malformed): Length field value goes past the end of the payload] [Length field value goes past the end of the payload] [Severity level: Error] [Group: Malformed] Logical-Link Control DSAP: Unknown (0x45) 0100 010. = SAP: Unknown .... ...1 = IG Bit: Group SSAP: LLC Sub-Layer Management (0x02) 0000 001. = SAP: LLC Sub-Layer Management .... ...0 = CR Bit: Command Control field: U, func=Unknown (0x0B) 000. 10.. = Command: Unknown (0x02) .... ..11 = Frame type: Unnumbered frame (0x3) Data (49 bytes) Data: 84d98d86b5400649eec0a80460341512db97ac0d0be3422a... [Length: 49]

0000 fc ec da 49 e0 10 38 ba f8 12 7d bb 00 38 45 02 ...I..8...}..8E. 0010 0b 84 d9 8d 86 b5 40 06 49 ee c0 a8 04 60 34 15 [email protected]`4. 0020 12 db 97 ac 0d 0b e3 42 2a 57 83 49 c2 ea c8 ec .......B*W.I.... 0030 01 28 17 6f 00 00 01 01 08 0a 01 8f f1 de ed 7f .(.o............ 0040 a5 4a

You can see Tshark (and Wireshark) decode this as Ethernet with a LLC header. I need it to decode this as Ethernet with a raw header. I'm trying to troubleshoot why this traffic exists, as it is unexpected. It could be an issue with Linux on VirtualBox on Linux.

I'm familiar with "decode as" but I don't see how to apply it in this situation, or if Wireshark can help with this format.

Thank you,

RIchard

click to hide/show revision 2
None

Wireshark sees Ethernet LLC, but packet is probably Ethernet raw

Hello,

I'm working with some packet traces that appear to have 802.3 raw Ethernet. In other words, after the destination and source MAC addresses, instead of an Ethertype like 0x0800, I see a length field, and then content, e.g.

Frame 3: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
 Encapsulation type: Ethernet (1)
 Arrival Time: May  7, 2019 18:19:10.073296000 UTC
 [Time shift for this packet: 0.000000000 seconds]
 Epoch Time: 1557253150.073296000 seconds
 [Time delta from previous captured frame: 0.000003000 seconds]
 [Time delta from previous displayed frame: 0.000003000 seconds]
 [Time since reference or first frame: 0.000024000 seconds]
 Frame Number: 3
 Frame Length: 66 bytes (528 bits)
 Capture Length: 66 bytes (528 bits)
 [Frame is marked: False]
 [Frame is ignored: False]
 [Protocols in frame: eth:llc:data]

IEEE 802.3 Ethernet Destination: fc:ec:da:49:e0:10 Address: fc:ec:da:49:e0:10 .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: 38:ba:f8:12:7d:bb Address: 38:ba:f8:12:7d:bb .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Length: 56 [Expert Info (Error/Malformed): Length field value goes past the end of the payload] [Length field value goes past the end of the payload] [Severity level: Error] [Group: Malformed] Logical-Link Control DSAP: Unknown (0x45) 0100 010. = SAP: Unknown .... ...1 = IG Bit: Group SSAP: LLC Sub-Layer Management (0x02) 0000 001. = SAP: LLC Sub-Layer Management .... ...0 = CR Bit: Command Control field: U, func=Unknown (0x0B) 000. 10.. = Command: Unknown (0x02) .... ..11 = Frame type: Unnumbered frame (0x3) Data (49 bytes) Data: 84d98d86b5400649eec0a80460341512db97ac0d0be3422a... [Length: 49]

49] 0000 fc ec da 49 e0 10 38 ba f8 12 7d bb 00 38 45 02 ...I..8...}..8E. 0010 0b 84 d9 8d 86 b5 40 06 49 ee c0 a8 04 60 34 15 [email protected]`4. 0020 12 db 97 ac 0d 0b e3 42 2a 57 83 49 c2 ea c8 ec .......B*W.I.... 0030 01 28 17 6f 00 00 01 01 08 0a 01 8f f1 de ed 7f .(.o............ 0040 a5 4a

4a

You can see Tshark (and Wireshark) decode this as Ethernet with a LLC header. I need it to decode this as Ethernet with a raw header. I'm trying to troubleshoot why this traffic exists, as it is unexpected. It could be an issue with Linux on VirtualBox on Linux.

I'm familiar with "decode as" but I don't see how to apply it in this situation, or if Wireshark can help with this format.

Thank you,

RIchard

click to hide/show revision 3
None

Wireshark sees Ethernet LLC, but packet is probably Ethernet raw

Hello,

I'm working with some packet traces that appear to have 802.3 raw Ethernet. In other words, after the destination and source MAC addresses, instead of an Ethertype like 0x0800, I see a length field, and then content, e.g.

Frame 3: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: May  7, 2019 18:19:10.073296000 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1557253150.073296000 seconds
    [Time delta from previous captured frame: 0.000003000 seconds]
    [Time delta from previous displayed frame: 0.000003000 seconds]
    [Time since reference or first frame: 0.000024000 seconds]
    Frame Number: 3
    Frame Length: 66 bytes (528 bits)
    Capture Length: 66 bytes (528 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:llc:data]
IEEE 802.3 Ethernet
    Destination: fc:ec:da:49:e0:10
        Address: fc:ec:da:49:e0:10
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 38:ba:f8:12:7d:bb
        Address: 38:ba:f8:12:7d:bb
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
     .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Length: 56
        [Expert Info (Error/Malformed): Length field value goes past the end of the payload]
            [Length field value goes past the end of the payload]
            [Severity level: Error]
            [Group: Malformed]
Logical-Link Control
    DSAP: Unknown (0x45)
        0100 010. = SAP: Unknown
        .... ...1 = IG Bit: Group
    SSAP: LLC Sub-Layer Management (0x02)
        0000 001. = SAP: LLC Sub-Layer Management
        .... ...0 = CR Bit: Command
    Control field: U, func=Unknown (0x0B)
        000. 10.. = Command: Unknown (0x02)
        .... ..11 = Frame type: Unnumbered frame (0x3)
Data (49 bytes)
    Data: 84d98d86b5400649eec0a80460341512db97ac0d0be3422a...
    [Length: 49]

0000  fc ec da 49 e0 10 38 ba f8 12 7d bb 00 38 45 02   ...I..8...}..8E.
0010  0b 84 d9 8d 86 b5 40 06 49 ee c0 a8 04 60 34 15   [email protected]`4.
0020  12 db 97 ac 0d 0b e3 42 2a 57 83 49 c2 ea c8 ec   .......B*W.I....
0030  01 28 17 6f 00 00 01 01 08 0a 01 8f f1 de ed 7f   .(.o............
0040  a5 4a

You can see Tshark (and Wireshark) decode this as Ethernet with a LLC header. I need it to decode this as Ethernet with a raw header. I'm trying to troubleshoot why this traffic exists, as it is unexpected. It could be an issue with Linux on VirtualBox on Linux.

I'm familiar with "decode as" but I don't see how to apply it in this situation, or if Wireshark can help with this format.

Thank you,

RIchard

Wireshark sees Ethernet LLC, but packet is probably Ethernet raw

Hello,

I'm working with some packet traces that appear to have 802.3 raw Ethernet. In other words, after the destination and source MAC addresses, instead of an Ethertype like 0x0800, I see a length field, and then content, e.g.

Frame 3: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
 Encapsulation type: Ethernet (1)
 Arrival Time: May  7, 2019 18:19:10.073296000 UTC
 [Time shift for this packet: 0.000000000 seconds]
 Epoch Time: 1557253150.073296000 seconds
 [Time delta from previous captured frame: 0.000003000 seconds]
 [Time delta from previous displayed frame: 0.000003000 seconds]
 [Time since reference or first frame: 0.000024000 seconds]
 Frame Number: 3
 Frame Length: 66 bytes (528 bits)
 Capture Length: 66 bytes (528 bits)
 [Frame is marked: False]
 [Frame is ignored: False]
 [Protocols in frame: eth:llc:data]
 IEEE 802.3 Ethernet
 Destination: fc:ec:da:49:e0:10
     Address: fc:ec:da:49:e0:10
     .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
     .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
 Source: 38:ba:f8:12:7d:bb
     Address: 38:ba:f8:12:7d:bb
     .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
     .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
 Length: 56
     [Expert Info (Error/Malformed): Length field value goes past the end of the payload]
         [Length field value goes past the end of the payload]
         [Severity level: Error]
         [Group: Malformed]
 Logical-Link Control
 DSAP: Unknown (0x45)
     0100 010. = SAP: Unknown
     .... ...1 = IG Bit: Group
 SSAP: LLC Sub-Layer Management (0x02)
     0000 001. = SAP: LLC Sub-Layer Management
     .... ...0 = CR Bit: Command
 Control field: U, func=Unknown (0x0B)
     000. 10.. = Command: Unknown (0x02)
     .... ..11 = Frame type: Unnumbered frame (0x3)
 Data (49 bytes)
 Data: 84d98d86b5400649eec0a80460341512db97ac0d0be3422a...
 [Length: 49]
 

0000 fc ec da 49 e0 10 38 ba f8 12 7d bb 00 38 45 02 ...I..8...}..8E. 0010 0b 84 d9 8d 86 b5 40 06 49 ee c0 a8 04 60 34 15 [email protected]`4. 0020 12 db 97 ac 0d 0b e3 42 2a 57 83 49 c2 ea c8 ec .......B*W.I.... 0030 01 28 17 6f 00 00 01 01 08 0a 01 8f f1 de ed 7f .(.o............ 0040 a5 4a 4a .J

You can see Tshark (and Wireshark) decode this as Ethernet with a LLC header. I need it to decode this as Ethernet with a raw header. I'm trying to troubleshoot why this traffic exists, as it is unexpected. It could be an issue with Linux on VirtualBox on Linux.

I'm familiar with "decode as" but I don't see how to apply it in this situation, or if Wireshark can help with this format.

Thank you,

RIchard

PS: I tried to format it as best I could!

Wireshark sees Ethernet LLC, but packet is probably Ethernet raw

Hello,

I'm working with some packet traces that appear to have 802.3 raw Ethernet. In other words, after the destination and source MAC addresses, instead of an Ethertype like 0x0800, I see a length field, and then content, e.g.

Frame 3: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Encapsulation type: Ethernet (1)
Arrival Time: May  7, 2019 18:19:10.073296000 UTC
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1557253150.073296000 seconds
[Time delta from previous captured frame: 0.000003000 seconds]
[Time delta from previous displayed frame: 0.000003000 seconds]
[Time since reference or first frame: 0.000024000 seconds]
Frame Number: 3
Frame Length: 66 bytes (528 bits)
Capture Length: 66 bytes (528 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:llc:data]

IEEE 802.3 Ethernet
Destination: fc:ec:da:49:e0:10
    Address: fc:ec:da:49:e0:10
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 38:ba:f8:12:7d:bb
    Address: 38:ba:f8:12:7d:bb
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Length: 56
    [Expert Info (Error/Malformed): Length field value goes past the end of the payload]
        [Length field value goes past the end of the payload]
        [Severity level: Error]
        [Group: Malformed]

Logical-Link Control
DSAP: Unknown (0x45)
    0100 010. = SAP: Unknown
    .... ...1 = IG Bit: Group
SSAP: LLC Sub-Layer Management (0x02)
    0000 001. = SAP: LLC Sub-Layer Management
    .... ...0 = CR Bit: Command
Control field: U, func=Unknown (0x0B)
    000. 10.. = Command: Unknown (0x02)
    .... ..11 = Frame type: Unnumbered frame (0x3)

Data (49 bytes)
Data: 84d98d86b5400649eec0a80460341512db97ac0d0be3422a...
[Length: 49]

0000 `0000 fc ec da 49 e0 10 38 ba f8 12 7d bb 00 38 45 02 ...I..8...}..8E. 0010 0b 84 d9 8d 86 b5 40 06 49 ee c0 a8 04 60 34 15 [email protected]`4. 0020 12 db 97 ac 0d 0b e3 42 2a 57 83 49 c2 ea c8 ec .......B*W.I.... 0030 01 28 17 6f 00 00 01 01 08 0a 01 8f f1 de ed 7f .(.o............ 0040 a5 4a .J

.J `

You can see Tshark (and Wireshark) decode this as Ethernet with a LLC header. I need it to decode this as Ethernet with a raw header. I'm trying to troubleshoot why this traffic exists, as it is unexpected. It could be an issue with Linux on VirtualBox on Linux.

I'm familiar with "decode as" but I don't see how to apply it in this situation, or if Wireshark can help with this format.

Thank you,

RIchard

PS: I tried to format it as best I could!