Ethereal-dev: RE: [Ethereal-dev] HSRP Undocumented Opcode

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Baldwin, Nick" <Nick.Baldwin@xxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 22 Sep 2005 11:19:39 +0100
I posed

>> 
>> Could the "Malformed Packet" be replaced by "Undocumented Opcode"?
>> Cisco Hot Standby Router Protocol
>>     Version: 0
>>     Op Code: Unknown (3)
>>     State: Initial (0)
>>     Hellotime: Non-Default (1)
>>     Holdtime: Non-Default (0)
>>     Priority: 14
>>     Group: 2
>>     Reserved: 0
>>     Authentication Data: Non-Default ()
>> [Malformed Packet: HSRP]

Joerg graciously replied

>No, it can't. Because we already print "Unknown". The malformed packet is
>(correctly) printed because the packet looks differently from what we expect
>it to look like: It's 64 bytes in length.
>
>14 Ethernet
> 4 802.1Q
>20 IP
> 8 UDP
>20 HSRP
>
>Sum: 66 but the dissector has access to only 64 bytes.
>
>So it looks like the opcode 3 packets look differently from the 0-2 opcode
>packets. We need to know how an opcode 3 packet looks like.
>
> Ciao
>     Joerg
Joerg

Thanks for taking time to look at this one,
I think that we are close to arguing the same point.

What we need is full documentation from Cisco regarding the format of an
"Op Code 3" HSRP packet

Your sum works on the assumption that all HSRP pay-loads are 20 bytes
long.
The decode also says state: (0) Initial, but we don't know that this is
true for "Op Code 3" HSRP 
This is equally true for the Hellotime, Holdtime etc...

Hence my thought that for any HSRP traffic with "Op Code 3" bail out of
the decode and display "Undocumented Opcode"

Better still, and at the risk of sounding repetitive, Please Cisco would
you kindly fully document HSRP

Regards
Nick
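
The two outcomes discussed in this thread, as an added example that is not part of the original messages and is not Ethereal's dissector code: a decoder that reports an undocumented opcode before labelling any further fields, and reports truncation only when a documented layout is cut short. The 20-byte field layout is assumed from RFC 2281; `hsrp_decode`, the result names and both sample payloads are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HSRP_V0_LEN 20  /* RFC 2281 layout, documented for opcodes 0-2 only */
enum hsrp_result { HSRP_OK, HSRP_UNDOCUMENTED_OPCODE, HSRP_TRUNCATED };

struct hsrp_v0 {
    uint8_t version, opcode, state, hellotime, holdtime, priority, group;
    uint8_t auth[8], virtual_ip[4];
};

/* Hypothetical helper: decode `len` captured bytes of HSRP payload. */
enum hsrp_result hsrp_decode(const uint8_t *p, size_t len, struct hsrp_v0 *out)
{
    memset(out, 0, sizeof *out);
    if (len < 2)
        return HSRP_TRUNCATED;            /* cannot even read the opcode */
    out->version = p[0];
    out->opcode = p[1];
    /* Opcodes 0 (Hello), 1 (Coup), 2 (Resign) are the documented ones.
       For anything else, stop before labelling bytes of unknown meaning. */
    if (out->opcode > 2)
        return HSRP_UNDOCUMENTED_OPCODE;
    if (len < HSRP_V0_LEN)
        return HSRP_TRUNCATED;            /* known layout, too few bytes */
    out->state = p[2];
    out->hellotime = p[3];
    out->holdtime = p[4];
    out->priority = p[5];
    out->group = p[6];                    /* p[7] is reserved */
    memcpy(out->auth, p + 8, sizeof out->auth);
    memcpy(out->virtual_ip, p + 16, sizeof out->virtual_ip);
    return HSRP_OK;
}

/* Constructed samples. The first mirrors the decode quoted in the thread:
   opcode 3, with only 18 payload bytes left in the 64-byte frame. */
static const uint8_t sample_opcode3[18] = { 0, 3, 0, 1, 0, 14, 2, 0 };
static const uint8_t sample_hello[20] = { 0, 0, 16, 3, 10, 100, 2, 0,
    'c', 'i', 's', 'c', 'o', 0, 0, 0, 192, 0, 2, 1 };

int main(void)
{
    struct hsrp_v0 h;
    printf("opcode 3, 18 bytes: %d\n", hsrp_decode(sample_opcode3, 18, &h));
    printf("hello, 20 bytes:    %d\n", hsrp_decode(sample_hello, 20, &h));
    return 0;
}
```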
