Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Unknown ethertype

Status
Not open for further replies.
GaZZaW

GaZZaW

Technical User
Sep 3, 2002
44
0
0
NL
A collegue sent me a cap of 300 frames from his local network and there seems to be a multicast frame there thats generated every 40 msec and we have no idea what it is.
Scource and destination dont make sense,Cant find them on network ???

Source Destination
70 0 70 489CFEB60120 0180C2000001 39335416 60 120 0:00:00.041 0.041.932 03/10/2003 01:50:13 PM

also says Ethertype=8808 (unknown)
What protocol is it???

Im stumped....(but thats not hard)
Any ideas please

Gary


 
Sort by date Sort by votes
That looks a lot like a MAC control frame that is send by a switch. Below a story and a hex dump of a Linux box sending also these frame types by mistake. Normally MAC control frames are used bu a switch (Full Duplex only) for flowcontrol. Check if your switch is sending these out. The multicast dest address is the right one. The source adres should be the switch port on your were measuring.

The Linux story:

My linux box (RH 6.0 with RH supplied kernel, version 2.2.5) is
putting a weird packet out the ethernet port which is causing a Cisco
ethernet switch to go insane, spewing out packets wildly & bringing
the network down. This isn't exactly wining lots of friends for Linux
over here. I also can reproduce this effect fairly easily, at least I
could until my box was banned from the net for this!

Here's a hex dump of the packet:

01 80 C2 00 00 01 00 A4 00 80 D2 9C 88 08 00 01
40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00

The network guys here got that from a sniffer they put on the line.
They say the weird things about the packet are the ethertype of 8808,
that it's shorter than the minimum packet size of 64 bytes, and that
it's a multicast broadcast packet. So, why my box is putting it on
the wire (especially given that I'm not doing any multicast), and how
do I stop it? BTW, rebuilding the kernel without multicast support
doesn't stop these weird packets from going out.

Hope this helps you out.
Robert
Robert A.H. Wullems
Sniffer University Instructor
SCM / CNX / MCP
Citee Education
the Netherlands
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

benhogan73
  • Locked
  • Question
Unknown ethertype 2002
Replies
1
Views
31
benhogan73
benhogan73
fortunat
  • Locked
  • Helpful tip
Ethertype 8781
Replies
2
Views
32
fortunat
fortunat
Elca
  • Locked
  • Question
Unknown EtherType Data
Replies
6
Views
67
Anith
Anith
nilremdrol
  • Locked
  • Question
Making Unknown Ports Known
Replies
4
Views
42
AlfSutherland
AlfSutherland
ASLtechnical
  • Locked
  • Question
Ethertypes
Replies
3
Views
31
ASLtechnical
ASLtechnical

Part and Inventory Search

Sponsor

Back
Top