Wireshark-dev: Re: [Wireshark-dev] Strip Ethernet broadcast / locally administered flags from a
On 8/15/07, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> Sounds good.
>
> In particular doing this for the LocallyAdministrated would make sense
> since many active/passive cluster implementations pick a MAC address
> to represent the active node by
> taking the MAC address of the primary NIC of the primary node and then
> setting the locally administrated bit, to make sure there is a single
> mac address that follows the cluster ip address during failover.
>
> MS cluster for example does this.
>
>
> The multicast bit is tricker since there is for unknown reasons some 3
> byte prefixes that already have this bit set ! But they are so few
> and rare it hardly matters and they can probably be ignored.
>
>
> I would suggest only doing this for when matching with the three byte prefixes
> of the form AA:BB:CC
>
>
> Additionally, maybe if you find a match for
> AA:BB:CC Vendor
> and if the LA bit was set then you could change the string it resolved into
> to "Vendor(Cluster)" instead of just "Vendor"
>
Ah crap, you need to do it in two passes since there are real MACs
that already come with the LA bit set.
So when matching the AA:BB:CC entries in manuf
1, First try to match it exactly
if you find a match, then thats the match.
i.e. 52:54:4C Novell2000
which would resolve into "Novell2000"
2, If that fails, then try to match it by stripping off the LA bit with & 0xfd
In that case 3E:00:00:xx:xx:xx would match
3C:00:00 3Com
But the original address would have the LA bit set so it should then be
resolved into "3Com(Cluster)"
You have to be careful in which order you try to resolve them as well so that
you dont mixup
00:01:00 EquipTrans
and
02-01-00-00-00-00/16 MS-NLB-PhysServer-01
I think the optimal would be to resolve your examples as
04:05:06 -> Xerox
06:05:06 -> Xerox(Cluster)
