tcpdump mailing list archives

Re: decode MPLS-contained packets?


From: Francois-Xavier Le Bail via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Thu, 7 May 2020 03:39:07 -0400 (EDT)

--- Begin Message ---
From: Francois-Xavier Le Bail <devel.fx.lebail () orange fr>
Date: Thu, 7 May 2020 09:40:56 +0200
On 07/05/2020 09:17, Guy Harris wrote:
>> On 07/05/2020 08:53, Guy Harris via tcpdump-workers wrote:
>>>
>>> "Looks like a valid Ethernet address" is defined as "the first three octets appear in Wireshark's file giving
>>> manufacturer names for OUIs".
>>
>> What if the destination address is ff:ff:ff:ff:ff:ff (broadcast) for e.g. ARP request?
>> Or some multicast address?
>
> In this *particular* case, that test is done only if the uppermost nibble of the uppermost octet is 0, so that would
> only be the case for the source address, which is less likely to be a group address than the destination address.
> There may be other places where that heuristic dissector is used, however.

Ok.
What if the first nibble is different from 4, 6, 1, 0, e.g. 'f' like the first f of ff:ff:ff:ff:ff:ff?

-- 
Francois-Xavier

--- End Message ---
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
