Packet with unknown Ethernet type 0x4d45

Hey,

I did a capture of a piece of software on my laptop loading firmware to a device. The packets look like this in list view:

687 53.047211 Dell_cb:f1:96 MegaSyst_01:b5:cf 0x4d45 Ethernet II

The source (Dell..) is my laptop and the dest (Mega...) is the device. The protocol is showing up as 0x4d45 (Unknown) and the type is showing up as Ethernet II.

I spoke to a friend who said that sometimes their gear shows up incorrectly in Wireshark as well.

So, my question(s) are:

  1. How can I confirm what the packet protocol and type should be? The mfr of the device is of no help on this.
  2. Can I convert these to a known type (once I find out what the type should be) through Wireshark and if so, how?

Thanks!

asked 28 Dec '10, 10:41

emana

edited 01 Jan '11, 13:13

Guy Harris ♦♦

If the ethertype is 0x4d45, it is what it is. Are you trying to prove that it should not be this ethertype? Or do you just want to change it, temporarily, so you can treat it as IP?

(28 Dec '10, 18:34) hansangb

I want to confirm somehow that this is correctly reported by Wireshark and then figure out how a file is being sent from a piece of software using this protocol. I have to write something in VB to send the same file using the same method used by the packet trace...

(28 Dec '10, 19:12) emana

I got the mfr of the product telling me it should be port 80 TCP...it would appear that Wireshark is somehow misrepresenting the packets...any idea how to correct?

(28 Dec '10, 21:07) emana

We would like to see such eth file on bugs.wireshark.org. Could be a file format reading issue.

(28 Dec '10, 23:44) Jaap ♦

Emana, remember that Ethertype has nothing to do with whether port 80 is being used or not. Obviously, if TCP/IP is being used, an ethertype of 0800 (for IPv4) is what it should be set to. You can use bittwiste to change the ethertype, so you may want to give that a shot. If everything shows up correctly after you modify the ethertype to 0800, then it might be a bug (wireshark or the device).

(29 Dec '10, 08:47) hansangb

Are you able to share a bit more of the file? One (or a few) packets with all bytes?

You could do this by posting the output of "tshark -r <file> -c 5 -x".

(31 Dec '10, 01:32) SYN-bit ♦♦

One Answer:


If the traffic is really carried as TCP port 80, but using 0x4d45 instead of 0x0800 for the ethertype on IP, then it sounds like an attempt at security by obscurity. But the vendor should have told you that!

answered 01 Jan '11, 18:59

martyvis
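Added example, not from the thread and not part of Wireshark or bittwiste: a small Python script that does in memory what hansangb proposes doing with bittwiste and what the answer above assumes, namely rewrite the ethertype to 0x0800 and then check whether the payload actually parses as a valid IPv4 header (version, lengths, header checksum) and, if so, which TCP port it targets. The frame, MAC addresses and IP addresses are constructed placeholders; the raw bytes of a real frame (for example from `tshark -r <file> -c 5 -x`) can be fed to the same functions.

```python
import struct

def ethertype(frame: bytes) -> int:
    """Ethernet II type field (bytes 12-13); 0x4d45 in the asker's capture."""
    return struct.unpack("!H", frame[12:14])[0]

def rewrite_ethertype(frame: bytes, new_type: int) -> bytes:
    """The edit hansangb suggests doing with bittwiste, applied to one in-memory frame."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    return frame[:12] + struct.pack("!H", new_type) + frame[14:]

def ipv4_header_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words (odd trailing byte padded)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def looks_like_ipv4(payload: bytes) -> bool:
    """Does the Ethernet payload parse as a sane IPv4 header whose checksum verifies?
    Running the checksum over a header that includes its stored checksum yields 0."""
    if len(payload) < 20:
        return False
    version, ihl = payload[0] >> 4, (payload[0] & 0x0F) * 4
    total_len = struct.unpack("!H", payload[2:4])[0]
    if version != 4 or ihl < 20 or not ihl <= total_len <= len(payload):
        return False
    return ipv4_header_checksum(payload[:ihl]) == 0

def tcp_dst_port(payload: bytes):
    """Destination TCP port if the IPv4 payload carries TCP (protocol 6), else None."""
    if not looks_like_ipv4(payload) or payload[9] != 6:
        return None
    ihl = (payload[0] & 0x0F) * 4
    return struct.unpack("!H", payload[ihl + 2:ihl + 4])[0]

def build_sample_frame() -> bytes:
    """Constructed sample, not the asker's capture: placeholder locally administered MACs,
    ethertype 0x4d45, then a valid IPv4 header carrying a TCP SYN to port 80."""
    dst, src = bytes.fromhex("0200000001b5"), bytes.fromhex("0200000000f1")
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    ip = ip[:10] + struct.pack("!H", ipv4_header_checksum(ip)) + ip[12:]
    return dst + src + struct.pack("!H", 0x4D45) + ip + tcp
```

If `looks_like_ipv4` is False for the real frames, the payload is not plain IP behind a relabelled ethertype and rewriting it to 0x0800 will only make Wireshark misdissect it.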