This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Do all ethernet frames contain an LLC header?

0

Hello,

As the title states: do all ethernet frames contain an LLC header? In other words, is 802.2 mandatory?

When doing pcap using wireshark, the llc filter shows no results.

If LLC is not mandatory, when is it used, and what indicates whether that header is in the frame.

Note that http://www.ieee802.org/2/ states that 802.2 has been disbanded.

Thank you.

This question is marked "community wiki".

asked 16 May '13, 09:21

blackmirror's gravatar image

blackmirror
16115
accept rate: 0%

802.2 was disbanded because their work is done; 802.2 was also published as ISO/IEC 8802-2, and the IEEE decided to withdraw the standard (perhaps there needs to be an active standards group for a non-withdrawn standard, and they didn't want to bother keeping the standards group around).

The standard isn't obsolete, however, as all the other 802.x physical layers, including 802.11, use it.

(17 May '13, 13:05) Guy Harris ♦♦

2 Answers:

2

No they don't. In fact, most frames do not have an LLC header, since most frames today are transporting IPv4/IPv6 via ETHERNET II header. 802.3 does have an LLC header though. The different frame formats are indicated by the preceding start frame delimiter (Preamble) which ends in "11" instead of "10" for 802.3 formatted frames. You can't capture the preamble with Wireshark though.

answered 16 May '13, 15:28

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

I see. Thank you for the clarification and detailed response.

Here is an excerpt from wikipedia (article on "ethernet frame"), regarding the type/length field:

"Thus if the field's value is greater than or equal to 1536, the frame must be an Ethernet v2 frame, with that field being a type field. If it's less than or equal to 1500, it must be an IEEE 802.3 frame, with that field being a length field. Values between 1500 and 1536, exclusive, are undefined."

This seems to be in addition of the preamble, which has to do with ethernet ii (aka DIX) not making use of an SOF (start of frame) byte right after the 8-byte preamble; whereas ethernet 802.3 has a 7-byte preamble and 1 byte SOF.

Is that correct?

Thanks again.

(17 May '13, 05:37) blackmirror

Yes, that is correct, and AFAIK that is also the way how Wireshark (and other analyzers) determine whether a frame is 802.3 or ETHERNET II for decoding purposes, because they have no access to whatever the preamble/SOF was.

(17 May '13, 06:38) Jasper ♦♦
1

ethernet ii (aka DIX) not making use of an SOF (start of frame) byte right after the 8-byte preamble; whereas ethernet 802.3 has a 7-byte preamble and 1 byte SOF.

The DIX version 1.0 spec says, in section 7.5.1.3 "Preamble Generation", that the 8-byte preamble has 7 bytes of 10101010 and 1 byte of 10101011.

The 2000 version of 802.3 says in section 4.2.5 "Preamble generation" that the 7-byte preamble has 7 bytes of 10101010, followed by the Start Frame Delimiter, and says in section 3.2.2 "Start Frame Delimiter (SFD) field" that the SFD is 1 byte of 10101011.

I.e., the only difference in what they say goes on the wire is that DIX calls the 8th byte, the one with 10101011, part of the preamble, while 802.3 calls it the SFD; what actually goes on the wire is the same in both specs. It's not as if the preamble/SOF will tell you whether there's a type field or a length field - both types of frame begin with 7 bytes of 10101010, followed by 1 byte of 10101011, followed by the destination field, followed by the source field, followed by the 2-byte type/length field, followed by the payload.

(I don't have a copy of DIX 2.0, so I don't know whether it speaks of an 8-byte preamble or a 7-byte preamble and 1 byte of SFD.)

And the "Ethernet frame" Wikipedia article also says "Many years later, the 802.3x-1997 standard, and later versions of the 802.3 standard, formally approved of both types of framing.", so, as of 1997, frames with a type field and frames with a length field are both "802.3 frames"; a better terminology might be "frames with a type field" vs. "frames with a length field".

(17 May '13, 13:02) Guy Harris ♦♦

The different frame formats are indicated by the preceding start frame delimiter (Preamble) which ends in "11" instead of "10" for 802.3 formatted frames.

No, they're not, unless DIX version 2.0 had 10101010 as the last byte of the 8-byte sequence at the beginning of the frame. Don't be confused by DIX 1.0 (and maybe 2.0) calling the entire 8-byte sequence the preamble and 802.3 calling the first 7 bytes the preamble and the 8th byte the SOF delimiter - what goes on the wire for DIX and 802.3 is exactly the same.

(17 May '13, 13:08) Guy Harris ♦♦

I wasn't confused by preamble and SOF, I was just looking at a bad/unclear ethernet documentation as it seems. For DIX it said that the preamble is "10101010...", so I guess the guy writing that document was just too lazy too mention that it ends with "11", not "10" as the "..." suggests. For 802.3 he mentioned the "11" at the end, so I guess that was the difference.

You are probably right about the preamble being the same pattern. In that case the length/type field is the only way to decide what kind of frame format it is.

(17 May '13, 17:17) Jasper ♦♦

Yup, bad documentation.

See Gordon Bell's scanned copy of the DIX Ethernet 1.0 specification and Section One of IEEE Std 802.3-2008.

And, if you can, let whoever wrote that documentation know that it needs to be fixed to clarify that the preamble/SOF part is the same in DIX and 802.3; the value of the type/length field is what determines whether it contains a type or a length (and, as of 1997, both are "802.3" frames).

(18 May '13, 14:36) Guy Harris ♦♦

Yeah, I will. Thanks for the link to the scanned PDF, that's a cool one!

(18 May '13, 16:23) Jasper ♦♦
showing 5 of 7 show 2 more comments

1

If LLC is not mandatory, when is it used

It's used for:

  • protocols that require the length field (because - unlike, for example, IPv4 and IPv6 - they don't have a length field of their own, or anything else to allow the handler for the protocol to distinguish payload from trailer);
  • protocols that require one of the Service Access Point fields of the 802.2 layer to indicate that the payload is for that protocol;
  • protocols that use the control field of the 802.2 layer (such as the NetBIOS Frame protocol, which actually uses the flow-control and acknowledgment features);
  • protocols that otherwise expect an 802.2 header;
  • protocols that use SNAP to maintain a vendor-private "protocol ID" space.

These days, most traffic of that sort is either the Spanning Tree Protocol or protocols using SNAP.

and what indicates whether that header is in the frame.

The value in the type/length field. That's specified in 802.3; in 802.3-2008, it's in section 3.2.6 "Length/Type field", which says:

This two-octet field takes one of two meanings, depending on its numeric value. For numerical evaluation, the first octet is the most significant octet of this field.

a) If the value of this field is less than or equal to 1500 decimal (05DC hexadecimal), then the Length/ Type field indicates the number of MAC client data octets contained in the subsequent MAC Client Data field of the basic frame (Length interpretation).

b) If the value of this field is greater than or equal to 1536 decimal (0600 hexadecimal), then the Length/Type field indicates the nature of the MAC client protocol (Type interpretation). The Length and Type interpretations of this field are mutually exclusive.

When used as a Type field, it is the responsibility of the MAC client to ensure that the MAC client operates properly when the MAC sublayer pads the supplied MAC Client data, as discussed in 3.2.7.

answered 17 May '13, 13:16

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

edited 17 May '13, 13:16