
Wireshark-users: Re: [Wireshark-users] bogus LLC header in UDP packet

From: Jeff Morriss <jeff.morriss@xxxxxxxxxxx>
Date: Wed, 31 Jan 2007 16:28:13 +0800

Are those ports assigned to LLC?

http://www.iana.org/assignments/port-numbers

says:

entextxid	12000/tcp  IBM Enterprise Extender SNA XID Exchange
entextxid	12000/udp  IBM Enterprise Extender SNA XID Exchange
entextnetwk	12001/tcp  IBM Enterprise Extender SNA COS Network Priority
entextnetwk	12001/udp  IBM Enterprise Extender SNA COS Network Priority
entexthigh	12002/tcp  IBM Enterprise Extender SNA COS High Priority
entexthigh	12002/udp  IBM Enterprise Extender SNA COS High Priority
entextmed	12003/tcp  IBM Enterprise Extender SNA COS Medium Priority
entextmed	12003/udp  IBM Enterprise Extender SNA COS Medium Priority
entextlow	12004/tcp  IBM Enterprise Extender SNA COS Low Priority
entextlow	12004/udp  IBM Enterprise Extender SNA COS Low Priority


Anyway, the problem is Martin's traffic is running on the ports the LLC dissector expects to find LLC traffic on. It would be good if the LLC dissector could be made a "new style" dissector that attempts some heuristics on the payload and doesn't dissect anything if it thinks the traffic doesn't belong to it. I'm not sure if that's possible, though.

Martin, another workaround (besides changing ports) would be to disable the LLC dissector.

Jaap Keuter wrote:
Hi,

According to RFC 2353 this decoding is correct. See paragraph 2.6.1.
These UDP/TCP ports are assigned by IANA to this protocol. It is
implemented as such in the LLC dissector.

Thanx,
Jaap

On Tue, 30 Jan 2007, Martin Pokorny wrote:

Hi,

I think I may have stumbled onto a wireshark bug (ethereal version
0.99.0, libpcap version 0.8.3 on RHEL4). An application on which I'm
working is receiving UDP packets over gigabit Ethernet from some custom
hardware. The packets have a fixed source and destination UDP port
number, which we had set to 12001 and 12000, respectively. Wireshark
shows an LLC header after the UDP header, which is simply not present;
see first attachment (bad.pcap). In the process of poking around a bit,
I changed the UDP port numbers to 12032 and 12048 in the pcap file, and
wireshark no longer reported the LLC header; see second attachment
(good.pcap). Unless I'm totally missing something about LLC (definite
possibility), this looks like a bug in wireshark or libpcap.

I'm not subscribed to this list, please send questions to me directly.

--
Martin
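
Added example, not part of the original thread and not Wireshark's code: the difference between port-only dissector assignment and a port match combined with a payload plausibility check, as raised in the reply above. The function names and sample payloads are constructed for illustration; the control-field values are those of IEEE 802.2 LLC.

```python
# Added illustration, not Wireshark code. Helper names are hypothetical.
EE_PORTS = range(12000, 12005)   # Enterprise Extender ports from the IANA list above

# IEEE 802.2 U-format control values with the P/F bit (0x10) cleared.
U_FRAMES = {0x03: "UI", 0x0F: "DM", 0x43: "DISC", 0x63: "UA",
            0x6F: "SABME", 0x87: "FRMR", 0xAF: "XID", 0xE3: "TEST"}
# S-format first control byte; the upper four bits are reserved and must be 0.
S_FRAMES = {0x01: "RR", 0x05: "RNR", 0x09: "REJ"}


def parse_llc(payload: bytes):
    """Return (dsap, ssap, frame_name, header_len), or None if implausible."""
    if len(payload) < 3:
        return None
    dsap, ssap, ctl = payload[0], payload[1], payload[2]
    if ctl & 0x03 == 0x03:            # U-format: one control byte
        name, hdr_len = U_FRAMES.get(ctl & 0xEF), 3
    elif ctl & 0x03 == 0x01:          # S-format: two control bytes
        name, hdr_len = S_FRAMES.get(ctl), 4
    else:                             # I-format: two control bytes, any N(S)
        name, hdr_len = "I", 4
    if name is None or len(payload) < hdr_len:
        return None
    return dsap, ssap, name, hdr_len


def dissect_by_port(dst_port: int, payload: bytes) -> str:
    """Port-only assignment: anything on an EE port is labelled LLC."""
    return "llc" if dst_port in EE_PORTS else "data"


def dissect_with_heuristic(dst_port: int, payload: bytes) -> str:
    """Port match plus a payload check that can decline the packet."""
    if dst_port in EE_PORTS and parse_llc(payload) is not None:
        return "llc"
    return "data"


# Constructed sample payloads (not taken from bad.pcap or good.pcap).
XID_FRAME = bytes([0x04, 0x04, 0xBF]) + b"\x00" * 4   # XID with P/F set
CUSTOM_A = bytes.fromhex("00002710deadbeef")          # third byte 0x27: no such U frame
CUSTOM_B = bytes.fromhex("0000002adeadbeef")          # third byte 0x00: parses as an I frame
```

`CUSTOM_B` is still labelled LLC by the heuristic version because any even control byte parses as an I-format frame, so a check like this narrows misclassification on these ports without eliminating it.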

