Broadcast frame with unknown Ethertype

2

On my Linux system I captured this Ethernet frame. It consists of 62 bytes:

FF FF FF FF FF FF  00 12 3F 8C BB C2  00 54  E0 E0 03 FF FF 00 50 00

Any idea what Ethertype "00 54" is?


This is what I get with tcpdump:

10:06:07.093666 IPX 00000000.00:12:3f:8c:bb:c2.0455 > 00000000.ff:ff:ff:ff:ff:ff.0455: ipx-netbios 50
    0x0000:  ffff ffff ffff 0012 3f8c bbc2 0054 e0e0  ........?....T..
    0x0010:  03ff ff00 5000 1400 0000 00ff ffff ffff  ....P...........
    0x0020:  ff04 5500 0000 0000 123f 8cbb c204 5500  ..U......?....U.
    0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0050:  0157 4f52 4b47 524f 5550 2020 2020 2020  .WORKGROUP......
    0x0060:  1eff                                     ..

papy006

Posted 2019-12-11T16:17:53.803

Reputation: 21

Answers

2

That's not an Ethertype.

Ethernet frames can have a few different header formats – "Ethernet II" aka "DIX" is the most common one, but it isn't what the IEEE 802 standard had originally specified.

In the standard 802.2 format (aka "LLC"), the MAC addresses are followed by a 2-byte frame length field, followed by a 3-byte LLC header which contains two 'SAP' values (usually identical) indicating the IEEE-assigned protocol number.

(It's easy to distinguish the two formats – an Ethernet II "Ethertype" is always above 0x0600, while 802.2 "frame length" is always below 0x0600.)

FF FF FF FF FF FF    destination MAC
00 12 3F 8C BB C2    source MAC
00 54                frame length (84 bytes)
E0 E0 03             LLC header
├─E0                   DSAP (E0=NetWare)
├─E0                   SSAP (E0=NetWare)
└─03                   control
FF FF 00 50 00...    data

In this case, you are looking at a frame with SSAP=0xE0, DSAP=0xE0, which indicates Novell NetWare IPX. The packet data starts at FF FF ..., which also matches the usual NetWare IPX packet format.

Update

10:06:07.093666 IPX 00000000.00:12:3f:8c:bb:c2.0455 > 00000000.ff:ff:ff:ff:ff:ff.0455: ipx-netbios 50
     0x0000:  ffff ffff ffff 0012 3f8c bbc2 0054 e0e0  ........?....T..
     0x0010:  03ff ff00 5000 1400 0000 00ff ffff ffff  ....P...........
     0x0020:  ff04 5500 0000 0000 123f 8cbb c204 5500  ..U......?....U.
     0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
     0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
     0x0050:  0157 4f52 4b47 524f 5550 2020 2020 2020  .WORKGROUP......
     0x0060:  1eff                                     ..

According to your tcpdump output, it is indeed IPX, and the packet is being sent on socket 0x0455, which belongs to Microsoft NetBIOS and not to any NetWare protocol. (IPX socket numbers are kinda like UDP port numbers.)

NetBIOS over IPX works exactly like NetBIOS over TCP/IPv4 – it handles hostname lookup, it handles "Network Neighbourhood" / "My Network Computers" discovery, and most importantly it carries SMBv1 – the old Windows file & printer sharing protocol.

I don't know about this specific packet, but WORKGROUP followed by 0x1E usually means "Browser Service Elections" – again, just part of the whole LAN computer discovery thing. (If it were sent over UDP/IP, it would be a completely normal packet that's seen everyday on Windows LANs.)

I would recommend using tcpdump -uw mypackets.pcap and opening the captured .pcap file in Wireshark, which can fully decode all of these protocols.

I would also recommend disabling IPX on the device. (And while you're at it, check if the device has AppleTalk enabled – disable that as well.)

user1686

Posted 2019-12-11T16:17:53.803

Reputation: 283 655
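A worked decode of the frame from this thread, added here as an example (not code from the question or the answer): it applies the 0x0600 rule to tell Ethernet II from 802.2/LLC, reads the DSAP/SSAP/control bytes, and for SAP 0xE0 unpacks the 30-byte IPX header and the NetBIOS name that ends the payload. The IPX socket table and the assumption that the name occupies the last 16 bytes of this particular payload are mine, not from the thread.

```python
import struct

# Constructed from the tcpdump hex dump in the question: 98 bytes, offsets 0x0000-0x0061.
FRAME = bytes.fromhex(
    "ffffffffffff00123f8cbbc20054e0e0" "03ffff0050001400000000ffffffffff"
    "ff04550000000000123f8cbbc2045500" "00000000000000000000000000000000"
    "00000000000000000000000000000000" "01574f524b47524f5550202020202020" "1eff")

# Well-known IPX socket numbers (0x0455 is the one seen in the capture).
IPX_SOCKETS = {0x0451: "NCP", 0x0452: "SAP", 0x0453: "RIP", 0x0455: "NetBIOS"}

def classify_frame(frame):
    """Tell Ethernet II from 802.2/LLC by the 2-byte field after the MAC addresses."""
    field = struct.unpack("!H", frame[12:14])[0]
    # 0x0600 is the dividing line: >= 0x0600 is an Ethertype, below it is an LLC frame length
    return ("Ethernet II", field) if field >= 0x0600 else ("IEEE 802.2", field)

def parse_ipx(pkt):
    """Decode the fixed 30-byte IPX header; 'length' counts header plus payload."""
    (_chk, length, _tc, ptype, dnet, dnode, dsock,
     snet, snode, ssock) = struct.unpack("!HHBBI6sHI6sH", pkt[:30])
    return {"packet_type": ptype,
            "dst": f"{dnet:08x}.{dnode.hex(':')}.{dsock:04x}",
            "src": f"{snet:08x}.{snode.hex(':')}.{ssock:04x}",
            "dst_socket": IPX_SOCKETS.get(dsock, "unknown"),
            "payload": pkt[30:length]}  # bytes past 'length' are Ethernet padding/trailer

def parse_frame(frame):
    """Describe one frame; decodes the LLC header and, for SAP 0xE0, the IPX header."""
    kind, field = classify_frame(frame)
    info = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"), "kind": kind}
    if kind == "Ethernet II":
        info["ethertype"] = field
        return info
    if len(frame) < 14 + field:
        raise ValueError("802.2 length field exceeds the captured bytes (truncated frame)")
    body = frame[14:14 + field]          # exactly 'field' bytes follow the 14-byte MAC header
    info.update(length=field, dsap=body[0], ssap=body[1], control=body[2])
    if body[0] == body[1] == 0xE0:       # DSAP/SSAP 0xE0 = Novell NetWare IPX
        info["ipx"] = parse_ipx(body[3:])
    return info

def netbios_name(payload):
    """Name and 1-byte suffix from the last 16 bytes of the payload (layout assumed from this dump)."""
    tail = payload[-16:]
    return tail[:15].rstrip(b" ").decode("ascii"), tail[15]
```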

Thanks for opening my eyes. This is what I get with tcpdump – papy006 – 2019-12-11T18:13:36.207