IP Networking: Interpreting [|llc] frames in enterprise traffic trace
Post 302380586 by sstatla on Tuesday 15th of December 2009 03:16:16 PM

The LBNL/ICSI Enterprise Tracing Project at LBNL/ICSI Enterprise Tracing Project - Project Overview provides a trace of an enterprise's network from 2005.

Upon reading these files with tcpdump, along with regular packets that appear like-
12:04:51.696971 IP 128.3.189.248.netbios-ssn > 128.3.44.26.ehome-ms: P 507590:507654(64) ack 168291 win 8484[|SMB]
12:04:51.729840 IP 128.3.44.26.ehome-ms > 128.3.189.248.netbios-ssn: P 168291:168354(63) ack 507654 win 64479[|SMB]
12:04:51.730201 IP 128.3.189.248.netbios-ssn > 128.3.44.26.ehome-ms: P 507654:507902(248) ack 168354 win 8421[|SMB]

there are some strange frames that show up-
12:04:51.781545 [|llc]34:c9:c8:fa:af:5e (oui Unknown) > a9:71:1d:9f:85:27 (oui Unknown), 802.3, length 404:
12:04:51.781670 [|llc]34:c9:c8:fa:af:5e (oui Unknown) > a9:71:1d:9f:85:27 (oui Unknown), 802.3, length 395:

I am trying to analyze these.
So far, I understand that-

1. The communication is between 2 devices that operate on the Data Link Layer, since the IP address is missing. (802.3 wired ethernet switches?)
2. OUI, the Organizationally Unique Identifier, is unknown because it is identified by the first 3 bytes of the MAC address, but the MAC addresses of the machines have been translated for anonymity purposes.
3. When I open this trace file using Wireshark, these particular frames show "Packet Size limited during capture" under the Info section. tcpdump has a default capture limit of 68 bytes, and it looks like these frames are bigger in size.
4. The ASCII payload in these frames is either
.q...'4....^.. or
.q...'4....^.}


So, the question is: is this a legacy protocol/device? Has anyone come across anything like this?
Any information on this would be much appreciated.


Sunjeet
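As an added illustration (not part of the original post or of the tracing project's tools), here is a small Python parser that makes the same decision tcpdump made on the frames quoted above: it tells Ethernet II from raw 802.3 by the type/length field, and reports the LLC header as absent, the way tcpdump prints [|llc], when the captured bytes stop before the 3-byte LLC header that follows the 14-byte Ethernet header. The sample frames are constructed from the two MAC addresses in the post; the 802.3 length field value and the SNAP LLC header are assumptions.

```python
import struct

# A type/length field of 1500 (0x05DC) or less is an IEEE 802.3 length field;
# 0x0600 and above are Ethernet II EtherTypes (0x0800 = IPv4).
MAX_8023_LENGTH = 0x05DC

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def classify_frame(captured):
    """Classify the captured bytes of one frame the way tcpdump's printer does.
    `captured` holds only what the capture kept (at most the snaplen)."""
    if len(captured) < 14:
        return {"error": "truncated inside the Ethernet header"}
    dst, src, type_or_len = struct.unpack("!6s6sH", captured[:14])
    info = {"dst": mac_str(dst), "src": mac_str(src)}
    if type_or_len > MAX_8023_LENGTH:
        info.update(encap="ethernet2", ethertype=type_or_len)
        return info
    info.update(encap="802.3", length=type_or_len)
    # The LLC header (DSAP, SSAP, control) starts at offset 14; when the
    # capture stopped before it, tcpdump has nothing to decode and prints
    # "[|llc]" followed by a dump of the header bytes it does have.
    if len(captured) < 17:
        info["llc"] = None
    else:
        info["llc"] = {"dsap": captured[14], "ssap": captured[15],
                       "control": captured[16]}
    return info

def summarize(captured):
    """One-line summary in the style of the tcpdump lines quoted in the post.
    Note: tcpdump's "length" is the on-wire size; here it is the 802.3 field."""
    info = classify_frame(captured)
    if "error" in info:
        return info["error"]
    if info["encap"] == "ethernet2":
        return f"{info['src']} > {info['dst']}, ethertype 0x{info['ethertype']:04x}"
    prefix = "[|llc]" if info["llc"] is None else ""
    return f"{prefix}{info['src']} > {info['dst']}, 802.3, length {info['length']}"

# Constructed samples using the two addresses from the post above.
TRUNCATED_8023 = bytes.fromhex("a9711d9f8527" "34c9c8faaf5e" "0194")  # header only
FULL_8023 = TRUNCATED_8023 + bytes.fromhex("aaaa03")  # assumed SNAP LLC header
ETHERNET2_IP = bytes.fromhex("a9711d9f8527" "34c9c8faaf5e" "0800") + bytes(20)

if __name__ == "__main__":
    for frame in (TRUNCATED_8023, FULL_8023, ETHERNET2_IP):
        print(summarize(frame))
```

Feeding the first 14 bytes of a real capture record into classify_frame reproduces the "[|llc]" case; the same frame with three more bytes yields a decodable LLC header.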
 

trace(1)    General Commands Manual    trace(1)

Name
       trace - trace system calls of programs

Syntax
       trace [options] cmd args...

Description
       With no option arguments, trace runs the given cmd with args, traces every system call it makes, prints a time stamp, the PID, the
       call and/or its return values and arguments, and writes this output to the file trace.dump.

Options
       -f filename
	       Puts dump in file filename.

       -z      Echoes arguments only.

       Only one of the following option arguments can be specified at one time.

       -c#     Traces given PIDs and their children.  Up to sixteen PIDs can be specified.

       -g#     Traces given groups only.  Up to sixteen Group IDs can be specified.

       -p#     Traces given PIDs only.  Up to sixteen PIDs can be specified.

       -s#     Traces given system calls only.  Up to sixteen system calls can be specified.

       -u#     Traces given UIDs only.  Up to sixteen UIDs can be specified.

Examples
       trace -f ls.dump ls -l /dev >ls.out
       runs the cmd ls -l /dev and puts the trace in ls.dump and output in ls.out.
       trace -f csh.trace -p $$ &
       will trace your login shell in the background. To stop the trace just send it a termination signal (that is, kill -TERM trace_pid).

Restrictions
       For security reasons, no one, not even the superuser, can trace another user's programs. This partly negates the usefulness of the -g
       and -u flags.

       The program cannot be traced.

       Only 16 numbers can be given to the -c, -p, -g, -u, and -s flags.

       The kernel configuration file must contain the following:
       options	       SYS_TRACE
       pseudo-device   sys_trace

       In addition, the superuser must use the following command sequence to create the device:
       cd /dev
       MAKEDEV trace
       If either line is missing from the configuration file, or if the device has not been made, the message "Cannot open /dev/trace" appears.

Files
       /dev/trace     read only character special device for reading syscall data.

       trace.dump     default file for the system call trace data.

See Also
       open(2), close(2), ioctl(2), select(2), read(2), trace(5)
