Re: Whose is the traffic ?

[Crist Clark <crist.clark () GLOBALSTAR COM>]

Dmitry Alyabyev wrote:
> Hi
>
> Could anyone describe these packets ?
> It looks like Novell-produced traffic as for me but I'm not sure.
> Any details are welcome.
>
> # tcpdump -n ! tcp and ! udp
>
> 12:38:14.397840 0:2:b9:e2:1c:c7 > 1:80:c2:0:0:0 sap 42 ui/C len=43
>                          0000 0000 0080 0000 02b9 e219 c000 0000
>                          3980 0000 02b9 e21c c080 1303 0014 0002
>                          000f 0000 0000 0000 0000 00
> 12:38:16.403918 0:2:b9:e2:1c:c7 > 1:80:c2:0:0:0 sap 42 ui/C len=43
>                          0000 0000 0080 0000 02b9 e219 c000 0000
>                          3980 0000 02b9 e21c c080 1303 0014 0002
>                          000f 0000 0000 0000 0000 00

I believe those are Spanning Tree Protocol (STP) frames. At least that's
what Ethereal interprets them as. My version of tcpdump (mis)identifies
them as IPX. I did do research on what they were and they looked legit
on the network I was checking out, but it was a while ago and do not
recall the details right now. I think they are IEEE 802.3 frames.
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926