Wireshark-dev: Re: [Wireshark-dev] Strip Ethernet broadcast / locally administered flags from a

From: Ulf Lamping <ulf.lamping@xxxxxx>
Date: Wed, 15 Aug 2007 01:21:25 +0200
ronnie sahlberg wrote:
On 8/15/07, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
Sounds good.

In particular doing this for the LocallyAdministrated would make sense
since many active/passive cluster implementations pick a MAC address
to represent the active node by
taking the MAC address of the primary NIC of the primary node and then
setting the locally administrated bit, to make sure there is a single
mac address that follows the cluster ip address during failover.

MS cluster for example does this.


The multicast bit is trickier since there are, for unknown reasons, some 3
byte prefixes that already have this bit set! But they are so few
and rare it hardly matters and they can probably be ignored.


I would suggest only doing this for when matching with the three byte prefixes
of the form AA:BB:CC


Additionally, maybe if you find a match for
AA:BB:CC Vendor
and if the LA bit was set then you could change the string it resolved into
to "Vendor(Cluster)" instead of just "Vendor"


Ah crap, you need to do it in two passes since there are real MACs
that already come with the LA bit set.

So when matching the AA:BB:CC entries in manuf
1, First try to match it exactly
   if you find a match, then that's the match.
   i.e.  52:54:4C	Novell2000
   which would resolve into "Novell2000"

2, If that fails, then try to match it by stripping off the LA bit   with & 0xfd
    In that case 3E:00:00:xx:xx:xx would match
    3C:00:00	3Com
    But the original address would have the LA bit set so it should then be
    resolved into "3Com(Cluster)"


You have to be careful in which order you try to resolve them as well so that
you don't mix up
00:01:00	EquipTrans
and
02-01-00-00-00-00/16	MS-NLB-PhysServer-01



I think the optimal would be to resolve your examples as
04:05:06 -> Xerox
06:05:06 -> Xerox(Cluster)

"Xerox(Cluster)" simply doesn't fit into the buffer present for the MAC address, and I don't want to change anything here!

The manuf string is at max the size we have available, so there's just no space to put anything like Xerox(Cluster) into it. Besides the fact that's simply plain wrong IMHO, this is the locally administered bit set, which *might* mean that it's used in a cluster - but that's just your interpretation of that flag.

I'll add the "two pass" approach and check the stuff in, so you can experiment with it ...

Regards, ULFL
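
The two-pass lookup discussed in this thread, as an added example that is not part of the original message and is not Wireshark's own code. The names resolve_manuf, oui_exact and oui_table are hypothetical, the table holds only the manuf entries quoted above, and the result reports the stripped LA bit as a separate flag so the vendor string stays unchanged.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample table: only the manuf entries quoted in the thread. */
struct oui_entry { uint8_t oui[3]; const char *name; };
static const struct oui_entry oui_table[] = {
    { {0x52, 0x54, 0x4C}, "Novell2000" },  /* real OUI with LA bit set */
    { {0x3C, 0x00, 0x00}, "3Com" },
    { {0x00, 0x01, 0x00}, "EquipTrans" },
};
/* Masked well-known entry from the thread: 02-01-00-00-00-00/16 */
static const uint8_t nlb_prefix[2] = { 0x02, 0x01 };

static const char *oui_exact(const uint8_t oui[3])
{
    for (size_t i = 0; i < sizeof oui_table / sizeof oui_table[0]; i++)
        if (memcmp(oui_table[i].oui, oui, 3) == 0)
            return oui_table[i].name;
    return NULL;
}

/* Returns the vendor name or NULL. *la_stripped becomes 1 only when the match
 * needed the locally administered bit (0x02 in octet 0) cleared. */
const char *resolve_manuf(const uint8_t mac[6], int *la_stripped)
{
    uint8_t oui[3] = { mac[0], mac[1], mac[2] };
    const char *name;
    *la_stripped = 0;
    /* Masked entries first, so 02:01:xx is not read as 00:01:00 plus LA. */
    if (memcmp(mac, nlb_prefix, sizeof nlb_prefix) == 0)
        return "MS-NLB-PhysServer-01";
    if ((name = oui_exact(oui)) != NULL)   /* pass 1: exact match */
        return name;
    if (!(mac[0] & 0x02))                  /* LA bit clear: nothing to strip */
        return NULL;
    oui[0] &= 0xfd;                        /* pass 2: strip the LA bit */
    if ((name = oui_exact(oui)) != NULL)
        *la_stripped = 1;
    return name;
}

int main(void)
{
    const uint8_t mac[6] = { 0x3E, 0x00, 0x00, 0x11, 0x22, 0x33 }; /* constructed */
    int la;
    const char *name = resolve_manuf(mac, &la);
    printf("%s la_stripped=%d\n", name ? name : "(unresolved)", la);
    return 0;
}
```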