EtherType – Understanding Unknown EtherType

Tags: ethernet, packet-analysis

I am parsing an Ethernet data frame.

It has the form: (destination_mac_6_bytes) + (source_mac_6_bytes) + (ether_type_2_bytes).

Usually, I see an EtherType like 0x86dd (IPv6).

But I came across this EtherType: 0x0036.

The destination mac address was 1:80:c2:0:0:0. The source mac address was the one of the router.

Does anyone know what this is? I couldn't find any reference for this on the internet. Maybe it's not an EtherType, but then what is it?

Thanks

Best Answer

Does anyone know what this is?

As Ron Maupin already wrote, "EtherType" fields with values up to 1500 are interpreted as "length of the data", which is the number of valid data bytes following the EtherType field. ("valid" means: Not including padding bytes at the end of the frame).

0x0036 means that 54 data bytes are following the "EtherType" field.

However, the frame is not necessarily an 802.3 frame but it may also be an 802.2 frame.

If you want to know which type of packet it is, there are the following possibilities:

1) 802.3

802.3 frames contain no information about the packet type carried. There is also no possibility that allows distinguishing 802.2 and 802.3 packets with certainty.

This means that the destination computer must either be able to distinguish the packet type from the payload data or only one single layer-3 protocol (using EtherType fields up to 1500) must be used in the Ethernet network.

Linux (for example) uses the following assumption:

If the two data bytes following the EtherType field are 0xFF 0xFF, these two bytes are the first two bytes of an IPX packet; otherwise the Ethernet frame is an 802.2 frame (see below).

2) 802.2 (LLC)

(See Wikipedia entry)

802.2 frames have an extra header of 3 or 4 bytes length between the EtherType field and the actual data. The EtherType field contains the length of the data including these 3 or 4 bytes.

In the most common case, the first byte after the EtherType field is an even value describing the packet type, which is followed by a byte with the same value or the value plus 1.

Example: If the EtherType is followed by 0xF0 0xF0 or 0xF0 0xF1, the packet is a NetBEUI packet; if it is followed by 0xE0 0xE0, it is an IPX packet.

If the two low bits of the 3rd byte are both set, the extra header is 3 bytes long; otherwise it is 4 bytes long.

3) SNAP

If the two bytes after the "EtherType" field are 0xAA 0xAA (maybe also 0xAA 0xAB), the 3- or 4-byte 802.2 (LLC) extra header is followed by the 40-bit packet type. This may either be an EtherType value (the first 3 bytes are zero) or a manufacturer specific value (the first 3 bytes are the manufacturer code).

Examples (data bytes following the EtherType field):

  • 0xAA 0xAA 0x03 0x00 0x00 0x00 0x86 0xDD ...:

    EtherType = 0x86DD (IPv6)

  • 0xAA 0xAB 0x01 0x46 0x00 0x11 0x22 0x12 0x34 ...:

    Proprietary protocol type 0x1234 of the manufacturer 00:11:22
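The rules in the answer (type-versus-length field, raw 802.3 IPX, 802.2 LLC header length, SNAP with zero or vendor OUI) combined into one parser for the 14-byte header the question describes. This is an added example, not code from the original question or answer; the frames it parses are constructed inline (the "router" MAC 00:11:22:33:44:55 and the payload filler bytes are made up), and the SAP-name table only contains the two values the answer quotes.

```python
import struct

# SAP values quoted in the answer (constructed lookup, deliberately not exhaustive)
LLC_SAP_NAMES = {0xE0: "IPX", 0xF0: "NetBEUI"}


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def llc_header_len(control_byte: int) -> int:
    # Answer: if the two low bits of the 3rd byte are both set, the LLC header
    # is 3 bytes (1-byte control field); otherwise it is 4 bytes.
    return 3 if (control_byte & 0x03) == 0x03 else 4


def classify_length_frame(data: bytes) -> dict:
    """Classify the data of a frame whose type/length field is a length (<= 1500)."""
    if len(data) < 3:
        return {"kind": "802.3 (too short to classify)"}
    if data[:2] == b"\xff\xff":
        # Linux heuristic from the answer: 0xFFFF = raw IPX, no 802.2 header
        return {"kind": "802.3 raw IPX"}
    hdr = llc_header_len(data[2])
    info = {"dsap": data[0], "ssap": data[1], "llc_header_len": hdr}
    if data[:2] in (b"\xaa\xaa", b"\xaa\xab"):
        snap = data[hdr:hdr + 5]          # 40-bit SNAP protocol field
        if len(snap) < 5:
            info["kind"] = "SNAP (truncated)"
            return info
        oui, pid = snap[:3], struct.unpack("!H", snap[3:5])[0]
        if oui == b"\x00\x00\x00":
            info.update(kind="SNAP", ethertype=pid)      # EtherType carried in SNAP
        else:
            info.update(kind="SNAP (vendor)", oui=fmt_mac(oui), protocol_id=pid)
        return info
    info["kind"] = "802.2 LLC"
    info["protocol"] = LLC_SAP_NAMES.get(data[0], "unknown")
    return info


def parse_frame(frame: bytes) -> dict:
    """Parse dst MAC, src MAC and the 2-byte type/length field, then the payload."""
    if len(frame) < 14:
        raise ValueError("need at least 14 bytes for dst, src and type/length")
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    out = {"dst": fmt_mac(frame[0:6]), "src": fmt_mac(frame[6:12]),
           "type_or_length": type_or_len}
    if type_or_len > 1500:
        # Values above 1500 are EtherTypes (Ethernet II); payload runs to the end
        out.update(kind="Ethernet II", ethertype=type_or_len, data=payload)
        return out
    # Values up to 1500 are the count of valid data bytes; the rest is padding
    data = payload[:type_or_len]
    out.update(length=type_or_len, padding=len(payload) - len(data), data=data)
    out.update(classify_length_frame(data))
    return out


# --- constructed sample frames (not captures from the poster's network) ---
def build(dst: bytes, src: bytes, type_or_len: int, data: bytes) -> bytes:
    payload = data + b"\x00" * max(0, 46 - len(data))   # pad to minimum payload
    return dst + src + struct.pack("!H", type_or_len) + payload

ROUTER = bytes.fromhex("001122334455")                # made-up source MAC
BRIDGE_GROUP = bytes.fromhex("0180c2000000")          # dst MAC from the question
IPV6_ALLNODES = bytes.fromhex("333300000001")
FAKE_IPV6 = b"\x60" + b"\x00" * 39                    # 40 filler bytes

SAMPLE_FRAMES = {
    "ethernet_ii_ipv6": build(IPV6_ALLNODES, ROUTER, 0x86DD, FAKE_IPV6),
    "raw_ipx": build(ROUTER, ROUTER, 30, b"\xff\xff" + b"\x11" * 28),
    # length 0x0036 = 54, as in the question, with the NetBEUI SAPs from the answer
    "llc_netbeui": build(BRIDGE_GROUP, ROUTER, 0x0036, b"\xf0\xf0\x03" + b"\x22" * 51),
    "llc_ipx": build(ROUTER, ROUTER, 20, b"\xe0\xe0\x03" + b"\x33" * 17),
    "snap_ipv6": build(IPV6_ALLNODES, ROUTER, 48, bytes.fromhex("aaaa0300000086dd") + FAKE_IPV6),
    "snap_vendor": build(ROUTER, ROUTER, 19, bytes.fromhex("aaab01460011221234") + b"\x44" * 10),
}


if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        info = parse_frame(frame)
        shown = {k: v for k, v in info.items() if k != "data"}
        print(f"{name:18s} {shown}")
```

The padding count in the result shows why the answer stresses "valid" bytes: the frame on the wire is padded to the minimum size, and only the length field tells a parser where the real data stops.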