Wireshark-dev: Re: [Wireshark-dev] Strip Ethernet broadcast / locally administered flags from a
From: "ronnie sahlberg" <[email protected]>
Date: Wed, 15 Aug 2007 07:55:12 +1000
On 8/15/07, ronnie sahlberg <[email protected]> wrote:
> Sounds good.
> In particular doing this for the LocallyAdministrated would make sense
> since many active/passive cluster implementations pick a MAC address
> to represent the active node by
> taking the MAC address of the primary NIC of the primary node and then
> setting the locally administrated bit, to make sure there is a single
> mac address that follows the cluster ip address during failover.
> MS cluster for example does this.
> The multicast bit is tricker since there is for unknown reasons some 3
> byte prefixes that already have this bit set !   But they are so few
> and rare it hardly matters and they can probably be ignored.
> I would suggest only doing this for when matching with the three byte prefixes
> of the form AA:BB:CC
> Additionally, maybe if you find a match for
> AA:BB:CC Vendor
> and if the LA bit was set then you could change the string it resolved into
> to "Vendor(Cluster)" instead of just "Vendor"

Ah crap, you need to do it in two passes since there are real MACs
that already come with the LA bit set.

So when matching the AA:BB:CC entries in manuf
1, First try to match it exactly
   if you find a match, then thats the match.
   i.e.  52:54:4C	Novell2000
   which would resolve into "Novell2000"

2, If that fails, then try to match it by stripping off the LA bit   with & 0xfd
    In that case 3E:00:00:xx:xx:xx would match
    3C:00:00	3Com
    But the original address would have the LA bit set so it should then be
    resolved into "3Com(Cluster)"

You have to be careful in which order you try to resolve them as well so that
you dont mixup
00:01:00	EquipTrans
02-01-00-00-00-00/16	MS-NLB-PhysServer-01

I think the optimal would be to resolve your examples as
04:05:06 -> Xerox
06:05:06 -> Xerox(Cluster)