Ethereal-users: RE: [Ethereal-users] Weird Cisco packet?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "McNutt, Justin M." <McNuttJ@xxxxxxxxxxxx>
Date: Fri, 5 Oct 2001 18:34:43 -0500
It has something to do with Aironet wireless devices.  I see similar packets
on my network, and we have several of these wireless access points in our
LAN.

I can't seem to find any aironet MIBs anywhere, though, or we might be able
to figure it out.

Here are some similar things that Ethereal doesn't understand (attached).

In autotopology.bay.cap, you'll see two different L2 multicasts to the
groups 01:00:81:00:01:00 (this segment) and 01:00:81:00:01:01 (all segments
in the bridged LAN).  IIRC, devices that understand Bay autotopology frames
*will* forward the :01 frames as a L2 multicast, but will *not* forward the
:00 frames.

I don't know how to decode the whole data portion, but there are some things
that are recognizable to me deeper in the frames.  For example, the first
four bytes of the data payload in both types of autotopology frames are the
IP address of the switch sending the frame.  In the case shown, the IP is
128.206.95.252, which is the switch I connect to.

In the :01 frames:

If the byte at offset 0x031 is 0x41, then at offset 0x024 we see the MAC
address of the next switch upstream +0x01.  The next switch upstream is a
Nortel Passport.  Passports have different MACs for damn near everything.
The base MAC address of the Passport in question is 00:04:DC:A0:98:00.  Add
one and you get the MAC seen in the frames in this capture.  This MAC
address is what the Passport uses as its bridge address for Spanning Tree
in Spanning Tree Group 1 (Passports don't do per-VLAN STP; they use STGs).

If the byte at offset 0x031 is not 0x41, then at offset 0x024 we see the MAC
address of the switch sending the frame +0x1e, which is also the source MAC
on the frame.  The way a BayStack 450 works, the MAC address of the base
unit in a stack is used for a bunch of other things as well.  You add 0x1e
to get the MAC used for autotopology.  Add 0x1f and you get the MAC address
used by the IP stack.  Even weirder is that if the switch is a stand-alone
(not stacked with other BayStacks), all three MAC addresses are simply that
of the unit itself (00:80:2D:97:61:E0 in this case).

In the :00 frames:

If the byte at offset 0x031 is 0x41, we see the MAC of the Passport again at
0x024.

If the byte at offset 0x031 is not 0x41, then at 0x024 we see something
*similar* to eth.dst of the frame, but with the bytes in reverse order, and
with the 81 byte as 18 instead.  Could be coincidence since I don't *really*
know what any of these fields are.

I really oughta go into our test lab and compare these to what I get from
other Nortel switches and what I get if I change STP settings, etc.

Does anybody have any other info about these frames?

--J

> -----Original Message-----
> From: Joe Tomasone [mailto:joe@xxxxxxxx]
> Sent: Friday, October 05, 2001 2:59 PM
> To: ethereal-users@xxxxxxxxxxxx
> Subject: [Ethereal-users] Weird Cisco packet?
> 
> 
> Anyone know what this packet is?
> 
> Looks like some funky Cisco thing, since the source MAC is embedded in the
> data portion.
> Whatever it is, Ethereal didn't know what to do with it.
> 
> 
> 	- Joe
> 
> 

Attachment: aironet.mcast.cap
Description: Binary data

Attachment: autotopology.bay.cap
Description: Binary data
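
The field observations in the reply above (group address, flag byte at 0x031, embedded MAC at 0x024) can be applied to a raw frame as follows. This is an added example, not part of the original message or of Ethereal; the function names, the 60-byte frame length and the zero filler bytes are assumptions, and the frames are constructed rather than taken from the attached captures.

```python
# Added example: encodes only the observations made in the message above.
BAY_GROUPS = {
    bytes.fromhex("010081000100"): ":00 (this segment)",
    bytes.fromhex("010081000101"): ":01 (all segments in the bridged LAN)",
}
MAC_OFF, FLAG_OFF, FLAG_UPSTREAM = 0x24, 0x31, 0x41  # offsets from frame start


def fmt_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


def mac_add(mac, n):
    """Add n to a colon-separated MAC, treating it as a 48-bit integer."""
    value = (int(mac.replace(":", ""), 16) + n) & 0xFFFFFFFFFFFF
    return fmt_mac(value.to_bytes(6, "big"))


def describe(frame):
    """Return the post's reading of a frame, or None if it is not addressed
    to a Bay autotopology group or is too short to hold the flag byte."""
    if len(frame) <= FLAG_OFF or bytes(frame[0:6]) not in BAY_GROUPS:
        return None
    dst, src = bytes(frame[0:6]), bytes(frame[6:12])
    embedded = bytes(frame[MAC_OFF:MAC_OFF + 6])
    if frame[FLAG_OFF] == FLAG_UPSTREAM:
        reading = "upstream switch MAC + 0x01"
    elif dst[5] == 0x01 and embedded == src:
        reading = "sender's autotopology MAC (same as source MAC)"
    else:
        reading = "unexplained"
    return {"group": BAY_GROUPS[dst], "src": fmt_mac(src),
            "embedded_mac": fmt_mac(embedded), "reading": reading}


def build_frame(dst, src, embedded, flag):
    """Constructed 60-byte frame; every byte the post does not mention is 0."""
    frame = bytearray(60)
    frame[0:6] = bytes.fromhex(dst.replace(":", ""))
    frame[6:12] = bytes.fromhex(src.replace(":", ""))
    frame[MAC_OFF:MAC_OFF + 6] = bytes.fromhex(embedded.replace(":", ""))
    frame[FLAG_OFF] = flag
    return bytes(frame)


if __name__ == "__main__":
    passport = mac_add("00:04:DC:A0:98:00", 1)   # Passport base MAC from the post
    unit = "00:80:2D:97:61:E0"                   # stand-alone BayStack from the post
    for f in (build_frame("01:00:81:00:01:01", unit, passport, 0x41),
              build_frame("01:00:81:00:01:01", unit, unit, 0x00)):
        print(describe(f))
```

The "unexplained" reading covers the :00 frames whose flag byte is not 0x41, which the message leaves undecoded.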