Wireshark-users: [Wireshark-users] Understanding IEEE 802.15.4 Packets [wireshark]

From: Rahul Jain <rahul@xxxxxxxxxxx>
Date: Thu, 7 May 2009 00:27:38 +0200

Hello all,

I am running the following setup:
http://www.sics.se/contiki/tutorials/tutorial-running-contiki-with-uipv6-and-sicslowpan-support-on-the-atmel-raven.html

I am trying to understand the following packet:

16	35.577489	02:12:13:ff:fe:14:15:16	Broadcast	IEEE 802.15.4	Data,
Dst: Broadcast, Src: 02:12:13:ff:fe:14:15:16, Bad FCS

Frame 16 (111 bytes on wire, 111 bytes captured)
Ethernet II, Src: MS-NLB-PhysServer-18_13:14:15:16
(02:12:13:14:15:16), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
IEEE 802.15.4 Data, Dst: Broadcast, Src: 02:12:13:ff:fe:14:15:16, Bad FCS
Data (78 bytes)

Now, as I understand the setup, the RZ Raven USB bridges 802.15.4
packets to the Ethernet. Now when I analyze the frame it tells me that
there are three protocols in it (eth:wpan:data).

Comparing the above frame with frame 15:
15	35.561236	fe80::12:13ff:fe14:1516	ff02::1	ICMPv6	Router advertisement

Comparing IPv6 local link and MAC address I see that the frames are
from the RZ Raven USB. The Ethernet II frame is the same for both,
while the IPv6 frame in 15 is replaced by an 802.15.4 frame in 16 (Is
this the result of 6lowpan? And if I get it right, 6lowpan takes place
on RZ Raven...) and then there is a frame called data (varying bytes
in each 802.15.4 frame) which could be said to correspond to the
ICMPv6 frame. What is this data?

So, if I get it right, the router daemon running on the usb0 interface
sends out daemon advertisements which are then encapsulated into
802.15.4 through 6lowpan on the RZ Raven USB - but how come Wireshark
still sees these packets - for they are no longer generated on the host
PC?
Also, what is this data protocol in the 802.15.4 packet?

Please inform me
Rahul Jain