Making Things Work Better, One bit At A Time

A tool in the wrong hands is more dangerous than no tool at all.

Packet Decodes

Not all decodes are the same.  I have started a list of specific protocols that all analyzers decode VERY differently. 

Below you will find Fluke Protocol Expert, Network General Sniffer, Ethereal and Wildpackets Etherpeek NX decodes.

TCP Scaling Windows

If you use TCP window sizes larger than 65 kB, you should make sure you understand what your analyzer is telling you.

Here's the ENC trace file. Here's the Notes

Enterasys SecureFast VLAN Interswitch Message Protocol

The InterSwitch Message protocol (ISMP) provides a consistent method of encapsulating and transmitting control messages exchanged between switches to create and maintain the databases and provide other control services and functionality required by the SecureFast VLAN (SFVLAN) product.

Here's the ENC trace file. Here's the Notes

Ethernet IP Industrial (EtherNet/IP)

EtherNet/IP is an industrial networking standard that takes advantage of commercial off-the-shelf Ethernet communication chips and physical media. The IP stands for 'industrial protocol' and is what distinguishes this network.

Here's the ENC trace file. Here's the Notes

Secure Sockets Layer

Secure Sockets Layer (SSL) is a cryptographic protocol to provide secure communications on the Internet.

Here's the ENC trace file. Here's the Notes

Common Unix Printing System Browsing Protocol
CUPS provides "printer browsing", which allows clients to automatically see and use printers from any server on a LAN. This means that you only need to configure the server and the clients will automatically see the printers and classes on it.

Here's the ENC trace file. Here's the Notes

Nortel Bay Topology Discovery Packets
This document shows how Sniffer, Ethereal, Fluke and Wildpackets display Nortel Bay Topology Discovery Packets.

Here's the ENC trace file. Here's the Notes

NFS Read Filter
The easiest way to define an NFS READ filter is to use the offset value for RPC READ. For RPC over UDP, use the offset 62 (HEX) with a HEX value of 0000006.

ARP Packet
Slide from the TCP/IP outline/course.

Here's the Notes

Ethertype 8781 Packets
While sniffing at a customer site I found some Ethernet II packets with an Ethertype of 8781. Several of my protocol analyzers decoded up to the Type portion of the packet and then indicated that the rest of the payload was not interpreted or decoded.
After some poking around I found that Ethertypes 8780 - 8785 belong to Symbol, as evident from the source MAC address (also Symbol).
These packets were being transmitted from a Symbol access point.

That's when chaos broke out since the customer was adamant that there wasn't any wireless in their environment.  My wireless tools couldn't pick up a signal from an Access Point so this was surprising to me as well.

We used some software to identify which switch/slot/port this MAC address originated from and busted the wireless cowboy.

Just another reason not to ignore an undecoded packet.

Here's the ENC trace file. Here's the Notes

Load Balancing 886D Packets
The other day I saw packets being transmitted at a "fast and furious" rate.  None of my analyzers could decode past the Ethertype 886 header.  So after some poking around, I came up with this:

Here's the ENC trace file.

Here's the Notes


Pulling the plug on wireless
At some customer sites I've run across more and more wireless gear that we couldn't easily find with some of the WLAN discovery tools.
So I've started to compile a list of wireless OUIs to look for.
Happy hunting:

00:01:03, 00:04:76, 00:50:da, 08:00:02, 00:40:33, 00:90:d1, 00:50:18, 00:30:65, 00:40:96, 00:04:25, 00:20:d8, 00:10:e7, 00:01:f4, 00:e0:63, 00:00:ff, 00:50:8b, 00:05:5d, 00:40:05, 00:90:4b, 00:30:ab, 00:02:b3, 00:03:2f, 00:04:5a, 00:02:2d, 00:60:1d, 02:02:2d, 00:e0:03, 00:00:f0, 00:02:78, 00:02:6f, 00:e0:29, 00:90:d1, 00:80:c6, 08:00:46, 00:a0:f8, 00:a0:0f, 00:60:b3, 00:40:36
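
One way to put this OUI list and the Ethertype 8780 - 8785 observation above to work, as an added example that is not part of the original page: a Python script that flags switch MAC-table entries and raw Ethernet II frames for a closer look. The function names, the sample MAC table and the sample frame are constructed for illustration, and frames are assumed to be untagged (no 802.1Q header).

```python
import re
import struct

# OUI list copied from this page (the repeated 00:90:d1 entry is listed once).
WIRELESS_OUIS = set("""
00:01:03 00:04:76 00:50:da 08:00:02 00:40:33 00:90:d1 00:50:18 00:30:65
00:40:96 00:04:25 00:20:d8 00:10:e7 00:01:f4 00:e0:63 00:00:ff 00:50:8b
00:05:5d 00:40:05 00:90:4b 00:30:ab 00:02:b3 00:03:2f 00:04:5a 00:02:2d
00:60:1d 02:02:2d 00:e0:03 00:00:f0 00:02:78 00:02:6f 00:e0:29 00:80:c6
08:00:46 00:a0:f8 00:a0:0f 00:60:b3 00:40:36
""".split())

# Ethertype range this page attributes to Symbol access points.
SYMBOL_ETHERTYPES = range(0x8780, 0x8786)

def oui_of(mac):
    """Return the OUI as 'aa:bb:cc' from colon, hyphen, dotted or bare hex MACs."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in (0, 2, 4))

def flag_mac_table(rows):
    """rows: iterable of (mac, port) pairs, e.g. parsed from a switch MAC table."""
    return [(mac, port) for mac, port in rows if oui_of(mac) in WIRELESS_OUIS]

def flag_frame(frame):
    """Return the reasons an untagged Ethernet II frame deserves a closer look."""
    if len(frame) < 14:
        return ["truncated frame"]
    src = frame[6:12].hex()                      # source MAC is bytes 6..11
    (ethertype,) = struct.unpack("!H", frame[12:14])
    reasons = []
    if oui_of(src) in WIRELESS_OUIS:
        reasons.append(f"source OUI {oui_of(src)} is on the wireless list")
    if ethertype in SYMBOL_ETHERTYPES:
        reasons.append(f"ethertype 0x{ethertype:04x} is in the 8780-8785 range")
    return reasons

# Constructed sample data (not taken from the trace files linked on this page).
SAMPLE_TABLE = [("00a0.f812.3456", "Gi1/0/7"), ("00-1B-21-AA-BB-CC", "Gi1/0/8"),
                ("00:40:96:0a:0b:0c", "Gi2/0/3")]
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "00a0f8123456" "8781") + b"\x00" * 46

if __name__ == "__main__":
    for mac, port in flag_mac_table(SAMPLE_TABLE):
        print(f"{port}: {mac} matches a wireless OUI")
    print(flag_frame(SAMPLE_FRAME))
```

A match only narrows the search to a switch port; several of these OUIs may also appear on wired gear from the same vendor, so confirm at the port before drawing conclusions.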