Ethereal-users: RE: [Ethereal-users] Meaning of Trailer in Ethernet frames

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Visser, Martin" <martin.visser@xxxxxx>
Date: Fri, 3 Jun 2005 11:55:11 +1000
 
Bad implementation of network stacks often do not explicitly set the
padding data to anything. I know of one old implementation of an OSI
routing stack that would fill the pad contents of it's ISIS broadcasts
with what just happened to be in the buffer at the time. This meant that
on the attached ethernet segment what previously traversed the router as
unicast traffic, including personal information in one case, ended up
inside the regular ISIS broadcasts that anyone could see.  (This is not
an ethernet tralier thing, but the same principle applies)

  

Martin Visser, CISSP
Network and Security Consultant 
Consulting & Integration
Technology Solutions Group - HP Services

410 Concord Road
Rhodes NSW  2138
Australia 

Mobile: +61-411-254-513
Fax: +61-2-9022-1800     
E-mail: martin.visserAThp.com

This email (including any attachments) is intended only for the use of
the individual or entity named above and may contain information that is
confidential, proprietary or privileged. If you are not the intended
recipient, please notify HP immediately by return email and then delete
the email, destroy any printed copy and do not disclose or use the
information in it.


-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Friday, 3 June 2005 7:59 AM
To: Ethereal user support
Cc: "Arnold Nipper"@ethereal.com; " <arnold@xxxxxxxxx>"@b.mail.sonic.net
Subject: Re: [Ethereal-users] Meaning of Trailer in Ethernet frames

Arnold Nipper said:
> As I'm referring to the same Source MAC (which is a GE port) this 
> should at least by consistent, shouldn't it?

Why should it be?

> So if it uses bogus data for filling when sending the first frame it
will also do when sending the
> next.

It isn't necessarily "filling" anything; it might just be using whatever
happens to be in memory after the Ethernet payload.  (It arguably
*shouldn't*, as that can leak the contents of memory onto the wire,
but....)

Don't assume that the trailer is necessarily being explictly set to a
given value; that's not necessarily the case, so it's not necessarily
the case that the trailer contents indicate anything significant.

> And it looks quite unlikely to me to see the same pattern/trailer 
> ~5900 times when looking at ~9200 frames ... Right?

I know too little about the networking implementation on the OS that's
sending the packets to which you're referring, or the driver for the
adapter used to send the packets, to say whether that'd be unlikely or
not.


_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users