Wireshark · Ethereal-dev: Re: [ethereal-dev] Plugin for Cisco ISL

Ethereal-dev: Re: [ethereal-dev] Plugin for Cisco ISL

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Paul Ionescu <paul@xxxxxxxx>

Date: Sun, 23 Jan 2000 01:03:40 +0200

Guy Harris wrote:

Presumably ISL frames have a particular Ethernet type (or are 802.2
frames using a Cisco OUI and a particular protocol ID); you should only
have to dissect those frames. Unfortunately, as indicated, there's not
yet any way to register a plugin that gets handed packets with a
particular Ethernet type.

No, ISL frames are Layer 2 frames (on ISO OSI networking stack), and those ISL frames encapsulate the original frame and a CRC.
This is not the case with the 802.1q which have a Protocol number and is an extension to Ethernet II frame.
For this reason 802.1q introduces a 4 bytes/frame overhead and Cisco ISL introduces 16 bytes/frame overhead (12 header + 4 CRC).
Attached to this email is a capture from a trunk port on an old Catalyst 5000 which support only ISL vlans.
As you will see, ethereal consider the ISL frames to be 802.3+LLC+SNAP frames. He is not very far away from the truth, but there are some differences between ISL frames and 802.3+LLC+SNAP: The 6-th byte from the destination address has a different meaning that in 802.3, PID from SNAP has a different meaning here (it is splited on bits: first 15 bits represent vlan number and the last bit represent something else), and others diferences.
So, ethereal has to decide early in ethernet dissector if the frame is ISL or ethernet(802.3 or Ethernet II), and I don't think that this is possible because at this level the ISL packet looks like a valid ethernet 802.3 packet.

The problem is that I cannot tell ethereal that this capture is not an ethernet capture but a ISL capture because it was snooped on a plain ethernet card. This is why I tried to made a plugin, not because is a non GPL plugin, but because when you enable the plugin, all frames must be interpreted as ISL frames. And when you disable the plugin, all frames would be normal frames. So the plugin would be enabled ONLY if the capture is a ISL capture.

Maybe if I could specify in capture file that the file was captured on an ISL Trunk devide, then I could code in ethereal that packets from ISL trunk device are dissected by ISL dissector.( in this way is made the difference between ethernet and token-ring or other phisical media).

Maybe this last approach is the best, because in fact there is a simulated trunk interface.
(I heard that there are some vendors who make ISL trunk interfaces for servers).

-- 

Air conditioned. Do _NOT_ open Windows.

Attachment: trunk.gz
Description: GNU Zip compressed data

Follow-Ups:
- Re: [ethereal-dev] Plugin for Cisco ISL
  - From: Guy Harris

References:
- [ethereal-dev] Plugin for Cisco ISL
  - From: Paul Ionescu
- Re: [ethereal-dev] Plugin for Cisco ISL
  - From: Guy Harris

Prev by Date: [ethereal-dev] Tethereal now lets you use "-R" for live captures and "-w" for saved captures
Next by Date: RE: [ethereal-dev] Plugin for Cisco ISL
Previous by thread: Re: [ethereal-dev] Plugin for Cisco ISL
Next by thread: Re: [ethereal-dev] Plugin for Cisco ISL
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$