John McDermott wrote:
> A friend sent me a trace with this packet:
> Frame 1 (78 bytes on wire, 78 bytes captured)
>      Arrival Time: Jul  9, 2006 13:58:01.527266000
>      Time delta from previous packet: 0.000000000 seconds
>      Time since reference or first frame: 0.000000000 seconds
>      Frame Number: 1
>      Packet Length: 78 bytes
>      Capture Length: 78 bytes
> Ethernet II, Src: 00:00:80:11:ea:96, Dst: 45:00:00:4e:91:fd
>      Destination: 45:00:00:4e:91:fd (45:00:00:4e:91:fd)
>      Source: 00:00:80:11:ea:96 (CrayComm_11:ea:96)
>      Type: Unknown (0xa9fe)
> Data (64 bytes)
> 
> 0000  6a 0e a9 fe ff ff 00 89 00 89 00 3a c8 f8 e1 e0   j..........:....
> 0010  01 10 00 01 00 00 00 00 00 00 20 46 44 45 4e 46   .......... FDENF
> 0020  45 46 41 43 4f 46 4a 45 42 45 4f 45 45 45 46 46   EFACOFJEBEOEEEFF
> 0030  49 43 4f 46 43 46 46 43 41 41 41 00 00 20 00 01   ICOFCFFCAAA.. ..
> 
> First, the hex does not seem to match with the EthernetII decode.

The hex dump might be of the data following the (presumed) Ethernet 
header, rather than of the entire packet.

A destination address starting with 0x45 looks suspiciously as if the 
Ethernet header is missing, and the packet starts with an IP header (the 
sequence of letters looks suspiciously like the encoding of a NetBIOS 
name in NetBIOS-over-TCP).

In that case, the full packet would be

        45 00 00 4e 91 fd 00 00  80 11 ea 96 a9 fe 6a 0e
        a9 fe ff ff 00 89 00 89  00 3a c8 f8 e1 e0 01 10
        00 01 00 00 00 00 00 00  20 46 44 45 4e 46 45 46
        41 43 4f 46 4a 45 42 45  4f 45 45 45 46 46 49 43
        4f 46 43 46 46 43 41 41  41 00 00 20 00 01

The IP header would be

        45              IPv4, 20-byte header
        00              TOS - default
        00 4e           total length - 78 bytes
        91 fd           ID
        00 00           flags + fragment offset - no fragmentation
        80              TTL - 128
        11              protocol - 17 (UDP)
        ea 96           header checksum
        a9 fe 6a 0e     source address - 169.254.106.14
        a9 fe ff ff     destination address - 169.254.255.255

The UDP header would be

        00 89           source port - 137 (NetBIOS name service)
        00 89           destination port - 137
        00 3a           length - 58
        c8 f8           checksum

and the NetBIOS name service header would be

        e1 e0           transaction ID
        01 10           opcode, name flags, rcode - name query, recursion
                        desired, packet is broadcast
        00 01           number of names in question section - 1
        00 00           number of RR's in answer section
        00 00           number of RR's in authority section
        00 00           number of RR's in additional records section

followed by the compressed name in the question section.

On what OS was this capture done?  And was it done with 
Ethereal/Wireshark, or some other application?
_______________________________________________
Wireshark-dev mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-dev
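As an added check (example code written for this page, not from the thread or from Wireshark), the script below reassembles the 78 bytes as the reply lays them out and walks the IPv4, UDP and NetBIOS name service headers the same way, verifying the IP header checksum and first-level-decoding the 32-letter question name; the byte values are the reply's, the function names are my own.

```python
import struct

# Constructed input: the 78 packet bytes as reassembled in the reply above
# (IPv4 header, UDP header, NetBIOS name service query; no Ethernet header).
PACKET = bytes.fromhex(
    "45 00 00 4e 91 fd 00 00 80 11 ea 96 a9 fe 6a 0e"
    "a9 fe ff ff 00 89 00 89 00 3a c8 f8 e1 e0 01 10"
    "00 01 00 00 00 00 00 00 20 46 44 45 4e 46 45 46"
    "41 43 4f 46 4a 45 42 45 4f 45 45 45 46 46 49 43"
    "4f 46 43 46 46 43 41 41 41 00 00 20 00 01"
)

def ip_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement sum over the header; 0 means it verifies."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_netbios_name(encoded: str):
    """RFC 1001 first-level decoding: each letter pair 'A'..'P' is one byte."""
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]   # (name, suffix)

def parse_nbns_query(pkt: bytes) -> dict:
    """Walk IPv4 -> UDP -> NBNS header -> question section of one packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, frag, ttl, proto, _ = struct.unpack("!HHHBBH", pkt[2:12])
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    nb = pkt[ihl + 8:]                       # NBNS payload follows the UDP header
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", nb[:12])
    label_len = nb[12]                       # 0x20: 32 encoded characters follow
    encoded = nb[13:13 + label_len].decode("ascii")
    qtype, qclass = struct.unpack("!HH", nb[14 + label_len:18 + label_len])
    name, suffix = decode_netbios_name(encoded)
    return {
        "ip_checksum_ok": ip_checksum(pkt[:ihl]) == 0 and total_len == len(pkt),
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
        "ttl": ttl, "proto": proto, "sport": sport, "dport": dport, "udp_len": ulen,
        "txid": txid, "opcode": (flags >> 11) & 0xF,     # RFC 1002 header layout
        "recursion_desired": bool(flags & 0x0100), "broadcast": bool(flags & 0x0010),
        "qdcount": qdcount, "name": name, "suffix": suffix,
        "qtype": qtype, "qclass": qclass,
    }

if __name__ == "__main__":
    for k, v in parse_nbns_query(PACKET).items():
        print(f"{k:>18}: {v}")
```

A zero checksum over the first 20 bytes, with a total length that matches the capture length, is the quickest confirmation that the frame really starts with an IP header rather than an Ethernet one.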