Unknown EtherType Data

[Elca]

Hi, all!

I found Unknown ethertype data on Sniffer trace files.
There are many unknown ethertype numbers like below...
7343,7463,3D0D,536C,453D,4233,322E,4158,4E61,4B62,3069,5243,886D,3863,4741,4141,3EOD,6D71,7777,524F,4243,7572,...

How can I interpret this frames and what's mean?

Any helps will be appreciated.
Regards,

- Elca

 

[alail]

Elca,
Yikes! Looks like there are incorrect protocol settings. What topology are you sniffing? Have you configured the sniffer to let it know what traffic type your looking at?

-Andy Lail

 

[alail]

I found this in the Sniffer support website:

Unknown Ethertype decode in WAN
Error Message

This could be caused by a proprietary Frame Relay header or one that is not supported by Sniffer Pro

The "0021" & "0031" Hex values are PPP's LCP values and not Ethertype

This could also be caused by setting to Sniffer to the wrong WAN encapsulation

Re-capture the network using HDLC\Router\Bridge (for PPP) encapsulation instead of Frame Relay:
Tools|Options|WAN Medium Extension|Encapsulation|HDLC\Router\Bridge

 

[Elca]

Thanks your reply! Andy,

There are two cases.
First, I tapped in 3Com Superstack II 3300 with port mirroring (roving analysis). SS II 3300 is connected to IDC's Catalyst 5/6000. Foundry ServerIron XL is connected to SS II 3300. (i.e. Catalyst <-> SS II 3300 <-> ServerIron)
It's all switched environment.

I captured traffic from two ports of Catalyst's uplink FE port and ServerIron's downlink FE port.
In the result, I saw the Unknown Ethertype frames in Others protocol of MAC Layer.
Also I can see many symptoms about &quot;DLC source address multicast&quot;.

Second, I hubbed out between Firewall and 3Com CoreBuilder 7000 ATM Switch's FE port.
(i.e. WAN Router <-> Firewall <-> 10/100 Hub <-> CB7K)
I saw the Unknown Ethertype frames with collision like these 003434343434 or 004343434343.
Also I can see same symptoms about &quot;DLC source address multicast&quot; in DLC Layer.

I understood jam signal in Hub.
I heard that my customer had experienced Fast Ethernet duplex mismatch problem with ServerIron XL connected some servers in First case.

In conclusion, I think that is problem caused by duplex mismatch problem.

Any other clues?

- Elca

 

[alail]

Elca,
Could you send me a trace of the conversation? I can sit down with the trace file and some of the decode guys and see what is happening. Also, please go back over your setup one more time to be sure it isn't a simple matter. I've seen NICs auto-negotiate for 10MB on a 100MB segment. With the environment you've mentioned and a trace file we should be able to figure it out, perhaps it's a network problem, or it may be propriatary protocols that Sniffer doesn't decode.
Let me know, here is my email address:
alail@nai.com
-Andy

 

[Guest_imported]

hello guys, do any one know what protocol 886d is? can you give me info on this protocol and where to look for it.

 

[Anith]

Hi

Well this EtherTypes are most like by Intel Adapters hearbeat signals (check you server/Workstaion Intel Adaptor setting)

I am 100% sure of 886D type is of Intel Enet cards's Hearbeat signal which should be disabled if not required


Anith
Sniffer Technologies
ASIA PACIFIC