Ethereal-users: Re: [Ethereal-users] "Type/Lenght" field in Ethernet II and Ethernet 802.3 frame

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 28 May 2004 22:10:11 -0700
On Fri, May 28, 2004 at 11:44:48AM +0100, teresita@xxxxxxxxxxxxx wrote:
> 1- Ethernet II frames have a 2-byte field called "Type"
> 2- Ethernet IEEE 802.3 frames have a 2-byte field called "Type/Length"
>    2a.- If the "Type/Length" field contains a number higher than
> 0x600 Hex that means type (IP, IPX, whatever) if it's lower it means
> the length of the data field.
> 
> Then here come two questions :
> 
> A) How does the network driver/libpcap/ethereal know where the data
> field of an Ethernet II frame ends ? 

The details can be found, I think, in the 802.3 spec; at least for the
lower-speed versions of Ethernet, I think it's based on carrier, as per
Ronnie's mail - higher-speed versions might do it differently.

> B) How does the network driver/libpcap/ethereal know which is the
> type of the data field on an IEEE 802.3 frame if the "Type/Length"
> field is below 0x600 HEX ?

If the type/length field is below 0x600, so that it's a length field,
the data field is *supposed* to start with an IEEE 802.2 header, which
has destination and source Service Access Point (SAP) values that
indicate the type of the packet; if the destination and source SAP
values are both 0xAA, following the 802.2 header is a SNAP header,
containing a 3-octet Organizational Unit Identifier (OUI) specifying the
organization that administers the value in the next 2 octets, which is a
Protocol ID (PID) - the OUI and PID specify the packet type.  If the OUI
value is all zeroes, the PID is an Ethernet type.  (SNAP headers on
Ethernet packets are unlikely to have an OUI of 0, as those packets
could just have been sent with an Ethernet type value, unless the packet
needs an 802.3 length field.)

However, some IPX packets are sent with a length field and an IPX
datagram in the data field; those packets begin with 0xFF 0xFF, so an
implementation can look for 0xFF 0xFF at the beginning of the data and
treat those as IPX packets.
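
The decision sequence described in the reply above, written out as an added example; it is not part of the original message and not Ethereal's code. The function, enum and struct names are hypothetical, the sample frames are constructed, and a 1-octet 802.2 control field is assumed. It also rejects a length field that claims more data than the frame holds, which a parser needs before indexing into the data field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Names are illustrative, not Ethereal's own identifiers. */
enum encap { ENCAP_TOO_SHORT, ENCAP_BAD_LENGTH, ENCAP_ETHERNET_II,
             ENCAP_RAW_IPX, ENCAP_LLC, ENCAP_SNAP };
struct frame_info {
    enum encap encap;
    uint16_t ethertype;   /* Ethernet type if known, else 0 */
    uint8_t dsap, ssap;   /* filled in once an 802.2 header is read */
    uint32_t oui;         /* ENCAP_SNAP only */
    uint16_t pid;         /* ENCAP_SNAP only */
};

struct frame_info classify_frame(const uint8_t *f, size_t len)
{
    struct frame_info r = { ENCAP_TOO_SHORT, 0, 0, 0, 0, 0 };
    if (len < 14) return r;              /* 6 dst + 6 src + 2 type/length */
    uint16_t tl = (uint16_t)((f[12] << 8) | f[13]);
    const uint8_t *d = f + 14;           /* start of the data field */
    size_t n = len - 14;
    /* 0x600 and above is a type: Ethernet II framing. */
    if (tl >= 0x600) { r.encap = ENCAP_ETHERNET_II; r.ethertype = tl; return r; }
    /* Below 0x600 it is a length; it must fit in the bytes we have. */
    if (tl > n) { r.encap = ENCAP_BAD_LENGTH; return r; }
    n = tl;                              /* ignore padding after the data */
    /* IPX sent with a length field and no 802.2 header starts 0xFF 0xFF. */
    if (n >= 2 && d[0] == 0xFF && d[1] == 0xFF) { r.encap = ENCAP_RAW_IPX; return r; }
    if (n < 3) return r;                 /* DSAP + SSAP + control (assumed 1 octet) */
    r.dsap = d[0];
    r.ssap = d[1];
    if (r.dsap != 0xAA || r.ssap != 0xAA) { r.encap = ENCAP_LLC; return r; }
    if (n < 8) return r;                 /* SNAP adds a 3-octet OUI and 2-octet PID */
    r.encap = ENCAP_SNAP;
    r.oui = ((uint32_t)d[3] << 16) | ((uint32_t)d[4] << 8) | d[5];
    r.pid = (uint16_t)((d[6] << 8) | d[7]);
    if (r.oui == 0) r.ethertype = r.pid; /* OUI of zero: the PID is an Ethernet type */
    return r;
}

/* Constructed sample frames (addresses zeroed, payloads zero-filled). */
const uint8_t snap_arp[22] = { [12] = 0x00, 0x08, 0xAA, 0xAA, 0x03, 0, 0, 0, 0x08, 0x06 };
const uint8_t raw_ipx[44]  = { [12] = 0x00, 0x1E, 0xFF, 0xFF };

int main(void)
{
    struct frame_info a = classify_frame(snap_arp, sizeof snap_arp);
    struct frame_info b = classify_frame(raw_ipx, sizeof raw_ipx);
    printf("snap: encap=%d ethertype=0x%04x; ipx: encap=%d\n",
           a.encap, (unsigned)a.ethertype, b.encap);
    return 0;
}
```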