I'm seeing approx 60 different unknown ethertypes from a capture of about 5000 frames. We recently set our switch SPAN ports to trunks to capture dot1Q tags. Jumbo frames were also recently enabled. I'm not sure if these changes could have anything to do with it. Some frames do show vlan tags. The interfaces are error free. There is a SPAN aggregator device between the network switches and linux capture server. Any ideas why there would be so many of these? Thanks!
Here's a list of them: 0xfe7f; 0xfcfe; 0xe741; 0xe10e; 0xe103; 0xdee5; 0xc4c2; 0xc446; 0xc0fe; 0xbb2b; 0xa477; 0x9e11; 0x980c; 0x8eb6; 0x8eb5; 0x8ea8; 0x85c2; 0x8562; 0x855f; 0x81f9; 0x8146; 0x7ffe; 0x7ffd; 0x7d38; 0x64c9; 0x64a7; 0x646a; 0x6457; 0x5f37; 0x5ee9; 0x5eb4; 0x5d1b; 0x5d03; 0x5d02; 0x5d00; 0x5bbe; 0x5baf; 0x5ba7; 0x5b97; 0x5aa6; 0x557f; 0x557e; 0x551b; 0x50fe; 0x504e; 0x504a; 0x4b01; 0x4687; 0x39ad; 0x38ae; 0x35a7; 0x29ce; 0x290b; 0x2909; 0x2125; 0x0b92; 0x0b47; 0x0b21; 0x0b1f
asked 29 Nov '12, 19:50
As @Guy Harris already mentioned, there are always 4 bytes in front of what looks like ethertype + IP header. As you mentioned it's 802.1q I thought it could be the VLAN tag and then I modified the (random) ethertype to 0x8100 (vlan tag). Now it looks reasonable, if those IP addresses are on your network. The whole ethernet frame (strange mac addresses, maybe wrong VLAN ID, etc.) seems to be kind of 'randomized'.
So something is consistently modifying (randomizing) the ethernet frame, up to the 802.1q tag. As you mentioned a SPAN aggregator device, it could be that device. What do you see if you capture directly on a SPAN port?
answered 01 Dec '12, 01:54
Kurt Knochner ♦
edited 01 Dec '12, 02:08
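The check the answer describes by hand (treat the 4 bytes after the MAC addresses as an 802.1Q tag and see whether a sane ethertype and IP header follow) can be automated over a whole capture. The script below is an added example, not code from the question or the answer: it parses raw Ethernet frames, tallies ethertypes, and flags frames whose ethertype is unknown but which parse cleanly once the ethertype is assumed to be an overwritten 0x8100 TPID. The sample frames are constructed inline; `0xfe7f` is taken from the list in the question, all other values (MACs, VLAN 100, 10.0.0.0/8 addresses) are made-up test data. To run it on a real capture, feed it the link-layer bytes of each packet (e.g. from `pcap` reader of your choice) in place of `SAMPLE_FRAMES`.

```python
import struct
from collections import Counter

# Standard EtherType values (IEEE assignments), used to decide "known" vs "unknown".
KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q"}
VLAN_TPID = 0x8100


def parse_frame(frame: bytes) -> dict:
    """Split a raw Ethernet frame into dst, src, ethertype, optional VLAN id and payload offset."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    vlan, off = None, 14
    if etype == VLAN_TPID and len(frame) >= 18:
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18          # low 12 bits of the TCI are the VLAN id
    return {"dst": dst, "src": src, "ethertype": etype, "vlan": vlan, "payload_off": off}


def looks_like_ip(ethertype: int, payload: bytes) -> bool:
    """Plausibility check that `payload` starts with an IP header matching `ethertype`."""
    if ethertype == 0x0800 and len(payload) >= 20:
        version, ihl = payload[0] >> 4, payload[0] & 0x0F
        total_len = struct.unpack("!H", payload[2:4])[0]
        # Frames may carry trailing padding, so total_len may be shorter than the payload.
        return version == 4 and ihl >= 5 and ihl * 4 <= total_len <= len(payload)
    if ethertype == 0x86DD and len(payload) >= 40:
        return payload[0] >> 4 == 6
    return False


def hidden_vlan_tag(frame: bytes) -> bool:
    """True when the ethertype is unknown but the frame parses as 802.1Q + IP if the
    ethertype field is assumed to be an overwritten 0x8100 TPID (the symptom on this page)."""
    info = parse_frame(frame)
    if info["ethertype"] in KNOWN_ETHERTYPES or len(frame) < 18:
        return False
    inner = struct.unpack("!H", frame[16:18])[0]   # ethertype that would follow a VLAN tag
    return looks_like_ip(inner, frame[18:])


def classify_frames(frames) -> dict:
    """Tally ethertypes over a capture and count frames that look like mangled VLAN frames."""
    ethertypes, hidden = Counter(), 0
    for f in frames:
        ethertypes[parse_frame(f)["ethertype"]] += 1
        if hidden_vlan_tag(f):
            hidden += 1
    unknown = sorted(t for t in ethertypes if t not in KNOWN_ETHERTYPES)
    return {"ethertypes": ethertypes, "unknown": unknown, "hidden_vlan": hidden}


# ---- constructed sample data (not from the capture in the question) ----
DST, SRC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
IPV4_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + b"\x00" * 20
TCI_VLAN100 = struct.pack("!H", 100)

FRAME_PLAIN_IP = DST + SRC + struct.pack("!H", 0x0800) + IPV4_HDR
FRAME_TAGGED = DST + SRC + struct.pack("!H", VLAN_TPID) + TCI_VLAN100 + struct.pack("!H", 0x0800) + IPV4_HDR
# Same tagged frame, but with the TPID overwritten by one of the values listed in the question.
FRAME_MANGLED = DST + SRC + struct.pack("!H", 0xFE7F) + TCI_VLAN100 + struct.pack("!H", 0x0800) + IPV4_HDR
# An unknown ethertype carrying something that is not IP: should not be flagged.
FRAME_OTHER = DST + SRC + struct.pack("!H", 0x88B5) + bytes(range(46))

SAMPLE_FRAMES = [FRAME_PLAIN_IP, FRAME_TAGGED, FRAME_MANGLED, FRAME_OTHER]

if __name__ == "__main__":
    result = classify_frames(SAMPLE_FRAMES)
    for et, n in sorted(result["ethertypes"].items()):
        print(f"0x{et:04x} {KNOWN_ETHERTYPES.get(et, 'unknown'):8} {n}")
    print("unknown ethertypes:", [hex(t) for t in result["unknown"]])
    print("frames that parse as VLAN+IP once the ethertype is treated as 0x8100:", result["hidden_vlan"])
```

If most of the unknown-ethertype frames come back flagged by `hidden_vlan_tag`, the data after the tag is intact and only the TPID (and, per the answer, possibly the MACs and VLAN id) is being rewritten upstream of the capture host, which points at the aggregator rather than at the switches or the NIC. Capturing directly on a SPAN port, as the answer suggests, then confirms it: the same script should report zero hidden-VLAN frames there.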