Strange ethrenet frame
Bookmark this page:
 Yahoo!
 Google
 Windows Live
 del.icio.us
 digg
 Netscape
|
|
||||||||||||||||||||||
|
Posted by Mr Lex on October 4, 2006, 10:54 am
Please log in for more thread options Hi all, I have a stange behavior when listening traffic on a NO CARRIER interface.(i know it's stupid, but i'm doing tests ...) I try to reach a connected host and I listen on interface output with tcpdump and some traffic seem so be dumped of an "unknown ethertype". I have a very bad ethenet link connected to this interface, that makes it in NO CARRIER state. When all is right, packet dumped are ARP one. So i have many question about the bahaviour in order to validate my test. Did it possible to send traffic on a no carrier interface (that did not detect link activity) ? Did the dumped traffic is really sent or is it just traffic that "seem" to be sent (software garbage not physical send)? Did that mean that some ethernet traffic can go out of my (no carrier) ethernet card ? I'm douin my tests with a pcn device and a PC runnning FreeBSD 5.3. Thx for your answers | ||||||||||||||||||||||
|
Posted by Mr Lex on October 10, 2006, 2:31 pm
Please log in for more thread options No answer, no idea ? Nobody could help me solving my problem ? I'm blocked .... Mr Lex wrote: | ||||||||||||||||||||||
|
Posted by glen herrmannsfeldt on October 10, 2006, 2:58 pm
Please log in for more thread options
> No answer, no idea ?
> Nobody could help me solving my problem ? > I'm blocked .... It isn't an easy question, especially without knowing the exact hardware and software in use. It is possible that tcpdump can see data sent to an interface, but not actually transmitted. It is possible that it is up long enough for data to be received. Post the actual data from one packet and you will likely get more answers. -- glen | ||||||||||||||||||||||
|
Posted by Mr Lex on October 11, 2006, 12:53 pm
Please log in for more thread options
glen herrmannsfeldt wrote: > > No answer, no idea ?
> > Nobody could help me solving my problem ? > > I'm blocked .... >
> It isn't an easy question, especially without knowing the > exact hardware and software in use. > > It is possible that tcpdump can see data sent to an interface, > but not actually transmitted. > > It is possible that it is up long enough for data to be received. > > Post the actual data from one packet and you will likely get > more answers. > > -- glen Hi all, Thanks for answers Here is the dump of the traffic : %tcpdump -i pcn2 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on pcn2, link-type EN10MB (Ethernet), capture size 96 bytes 23:09:18.851391 00:00:01:02:5e:8c > 45:c0:00:1c:ca:2c, ethertype
Unknown (0xac14), length 28:
0x0000: 0452 e000 0001 1164 ee9b 0000 0000 .R.....d...... 23:09:20.768080 00:00:01:02:ca:2e > 46:00:00:20:ca:3e, ethertype
Unknown (0xac14), length 32:
0x0000: 0452 e000 0004 9404 0000 1600 09fb e000 .R.............. 0x0010: 0004 .. 23:09:23.965991 00:00:01:02:ca:20 > 46:00:00:20:ca:4e, ethertype
Unknown (0xac14), length 32:
0x0000: 0452 e000 0002 9404 0000 1600 09fd e000 .R.............. 0x0010: 0002 And the status of my interface. %ifconfig pcn2 pcn2: flags=128b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
mtu 1500
ether 00:d0:1c:xx:xx:xx media: Ethernet 100baseTX <full-duplex>
status: no carrier
This traffic is generated by ARP request on the interface (as i can see when all is right). But MAC adresses are nor my device one nor broadcast one... A stange point is the similarity between all frames... Thanks for your help, i appreciate. | ||||||||||||||||||||||
|
Posted by Mr Lex on October 23, 2006, 12:37 pm
Please log in for more thread options
Does anyone have an idea ? Have Someone ever see this type of traffic ? Lex Mr Lex wrote: > glen herrmannsfeldt wrote:
> > > No answer, no idea ?
> > > Nobody could help me solving my problem ? > > > I'm blocked .... > >
> > It isn't an easy question, especially without knowing the > > exact hardware and software in use. > > > > It is possible that tcpdump can see data sent to an interface, > > but not actually transmitted. > > > > It is possible that it is up long enough for data to be received. > > > > Post the actual data from one packet and you will likely get > > more answers. > > > > -- glen >
> Hi all, > > Thanks for answers > Here is the dump of the traffic : > > %tcpdump -i pcn2 > tcpdump: verbose output suppressed, use -v or -vv for full protocol > decode > listening on pcn2, link-type EN10MB (Ethernet), capture size 96 bytes > > 23:09:18.851391 00:00:01:02:5e:8c > 45:c0:00:1c:ca:2c, ethertype > Unknown (0xac14), length 28: > 0x0000: 0452 e000 0001 1164 ee9b 0000 0000 > .R.....d...... > 23:09:20.768080 00:00:01:02:ca:2e > 46:00:00:20:ca:3e, ethertype > Unknown (0xac14), length 32: > 0x0000: 0452 e000 0004 9404 0000 1600 09fb e000 > .R.............. > 0x0010: 0004 .. > 23:09:23.965991 00:00:01:02:ca:20 > 46:00:00:20:ca:4e, ethertype > Unknown (0xac14), length 32: > 0x0000: 0452 e000 0002 9404 0000 1600 09fd e000 > .R.............. > 0x0010: 0002 > > And the status of my interface. > %ifconfig pcn2 > pcn2: > flags=128b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> > mtu 1500 > ether 00:d0:1c:xx:xx:xx > media: Ethernet 100baseTX <full-duplex> > status: no carrier > > This traffic is generated by ARP request on the interface (as i can see > when all is right). > But MAC adresses are nor my device one nor broadcast one... > A stange point is the similarity between all frames... > > Thanks for your help, i appreciate. | ||||||||||||||||||||||
| Similar Threads | Posted |
| Strange ethrenet frame | October 4, 2006, 10:54 am |
| Strange MAC Addresses | July 29, 2004, 7:32 pm |
| Strange results from a tcpdump, can anyone help? | March 29, 2006, 2:51 pm |
| Strange problem with Ethernet switch | September 7, 2004, 12:57 pm |
| strange ethernet electric problem | June 22, 2007, 5:39 am |
| Strange switch behaviour in VLAN network | July 6, 2005, 12:53 pm |
| 802.1q frame with tag | November 28, 2004, 8:38 am |
| under sized frame | February 2, 2007, 9:37 am |
| Use of ethernet frame without TCP/IP | March 17, 2008, 5:48 am |
| IEEE 802.3 PAUSE frame | January 5, 2005, 6:24 pm |
| Ethernet Frame size | January 17, 2005, 8:01 pm |
| Pause Frame transmission | May 19, 2006, 7:05 pm |
| Maximum size of Ethernet frame | November 11, 2004, 9:40 am |
| SMII Frame format queries | April 27, 2005, 1:34 am |
| detecting end/length of Ethernet II frame? | April 28, 2005, 2:03 pm |
>
> I have a stange behavior when listening traffic on a NO CARRIER
> interface.(i know it's stupid, but i'm doing tests ...)
>
> I try to reach a connected host and I listen on interface output with
> tcpdump and some traffic seem so be dumped of an "unknown ethertype".
> I have a very bad ethenet link connected to this interface, that makes
> it in NO CARRIER state.
> When all is right, packet dumped are ARP one.
> So i have many question about the bahaviour in order to validate my
> test.
> Did it possible to send traffic on a no carrier interface (that did not
> detect link activity) ?
> Did the dumped traffic is really sent or is it just traffic that "seem"
> to
> be sent (software garbage not physical send)?
> Did that mean that some ethernet traffic can go out of my (no carrier)
> ethernet card ?
>
> I'm douin my tests with a pcn device and a PC runnning FreeBSD 5.3.
>
> Thx for your answers