Wireshark-dev: Re: [Wireshark-dev] Strip Ethernet broadcast / locally administered flags from a
From: "ronnie sahlberg" <[email protected]>
Date: Wed, 15 Aug 2007 07:39:11 +1000
Sounds good.

In particular doing this for the LocallyAdministered bit would make sense,
since many active/passive cluster implementations pick a MAC address
to represent the active node by
taking the MAC address of the primary NIC of the primary node and then
setting the locally administered bit, to make sure there is a single
MAC address that follows the cluster IP address during failover.

MS cluster for example does this.


The multicast bit is trickier since, for unknown reasons, there are some 3
byte prefixes that already have this bit set! But they are so few
and rare it hardly matters and they can probably be ignored.


I would suggest only doing this when matching with the three byte prefixes
of the form AA:BB:CC.


Additionally, maybe if you find a match for
AA:BB:CC Vendor
and the LA bit was set, then you could change the string it resolved into
to "Vendor(Cluster)" instead of just "Vendor".

I think it is very rare that this bit is set nowadays, except when
one is using some sort of clustering software with IP and MAC
failover.




On 8/15/07, Ulf Lamping <[email protected]> wrote:
> Hi List!
>
> The current Ethernet manuf name resolving (resolve the manufacturer name - the first three bytes of the Ethernet address, e.g. 04:05:06 -> Xerox) doesn't work if the address uses the Ethernet broadcast or locally administered flags (see http://wiki.wireshark.org/Ethernet?highlight=%28ethernet%29#head-93bbcf02a0070b56eaae6b5f3f4ba6112c64522a for details about these flags).
>
> Currently only the resolving of 04:05:06 -> Xerox works; 05:05:06, 06:05:06 and 07:05:06 are not resolved, although the manufacturer part is the same.
>
> I've implemented an experimental change in epan/addr_resolv.c, which strips both flags before doing the actual manuf resolution - which is working well:
>
> 04:05:06 -> Xerox
> 05:05:06 -> Xerox
> 06:05:06 -> Xerox
> 07:05:06 -> Xerox
>
> Unfortunately, this "hides" both flags a little bit (although the display of these flags wasn't very "prominent" already before), so I'm unsure if the change should go into the Wireshark sources or not.
>
> I think only the manuf resolution as described above should be changed; the wka (well-known-addresses) aka full address resolution (00-E0-2B-00-00-00 -> Extreme-EDP) should not be changed.
>
> Comments?
>
> Regards, ULFL
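The flag stripping Ulf describes and the "(Cluster)" annotation Ronnie proposes, as an added C example that is not Wireshark's epan/addr_resolv.c code: the two-entry manuf table, the ETH_IG_BIT/ETH_UL_BIT names and the check_resolve helper are constructed for this illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define ETH_IG_BIT 0x01  /* individual/group bit: set for multicast and broadcast */
#define ETH_UL_BIT 0x02  /* universal/local bit: set for locally administered addresses */

/* Constructed stand-in for Wireshark's manuf table, not the real file. */
struct oui_entry { uint8_t oui[3]; const char *vendor; };
static const struct oui_entry manuf_table[] = {
    { {0x04, 0x05, 0x06}, "Xerox" },
    { {0x00, 0xE0, 0x2B}, "Extreme" },
};

/* Clear the I/G and U/L bits of the first octet, match the 3-byte prefix, and
 * append "(Cluster)" if the U/L bit was set. Returns 1 and fills out on a match. */
int resolve_manuf(const uint8_t mac[6], char *out, size_t outlen)
{
    uint8_t prefix[3] = { mac[0] & ~(ETH_IG_BIT | ETH_UL_BIT), mac[1], mac[2] };
    int locally_administered = (mac[0] & ETH_UL_BIT) != 0;
    for (size_t i = 0; i < sizeof manuf_table / sizeof manuf_table[0]; i++) {
        if (memcmp(manuf_table[i].oui, prefix, 3) == 0) {
            snprintf(out, outlen, "%s%s", manuf_table[i].vendor,
                     locally_administered ? "(Cluster)" : "");
            return 1;
        }
    }
    return 0;
}

/* Resolve xx:05:06 with the given first octet; 1 if the result equals expected
 * (expected == NULL means "must not resolve"). */
int check_resolve(uint8_t first_octet, const char *expected)
{
    const uint8_t mac[6] = { first_octet, 0x05, 0x06, 0x01, 0x02, 0x03 };
    char name[64];
    if (!resolve_manuf(mac, name, sizeof name))
        return expected == NULL;
    return expected != NULL && strcmp(name, expected) == 0;
}

int main(void)
{
    const uint8_t firsts[4] = { 0x04, 0x05, 0x06, 0x07 };  /* constructed: Ulf's four variants */
    char name[64];
    for (int i = 0; i < 4; i++) {
        const uint8_t mac[6] = { firsts[i], 0x05, 0x06, 0x01, 0x02, 0x03 };
        printf("%02x:05:06 -> %s\n", firsts[i], resolve_manuf(mac, name, sizeof name) ? name : "(unresolved)");
    }
    return 0;
}
```

Note the caveat Ronnie raises: a table entry whose first octet already has the multicast bit set would never match after stripping, so a real implementation has to either keep such entries unmasked or try both forms.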