This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Help Finding IP from this log ( I-Am-Router-To-Network )

0

I am at a loss to find the IP of the following device. Previous firmwares would display the IP; however, all I am finding as the source is (SclEleme_00:1f:a0).

Is there any option within Wireshark that could decipher the IP?

SclEleme_00:1f:a0   Broadcast   BACnet-NPDU I-Am-Router-To-Network  200.821781000   1137    60

Frame 1137: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
    Interface id: 0
    Encapsulation type: Ethernet (1)
    Arrival Time: Nov 5, 2014 15:28:35.345502000 Eastern Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1415219315.345502000 seconds
    [Time delta from previous captured frame: 2.252785000 seconds]
    [Time delta from previous displayed frame: 2.252785000 seconds]
    [Time since reference or first frame: 200.821781000 seconds]
    Frame Number: 1137
    Frame Length: 60 bytes (480 bits)
    Capture Length: 60 bytes (480 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:llc:bacnet:data]
    [Coloring Rule Name: Broadcast]
    [Coloring Rule String: eth[0] & 1]
IEEE 802.3 Ethernet
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: SclEleme_00:1f:a0 (e4:ad:7d:00:1f:a0)
        Address: SclEleme_00:1f:a0 (e4:ad:7d:00:1f:a0)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Length: 12
    Padding: 000000000000000000000000000000000000000000000000...
Logical-Link Control
    DSAP: BACnet (0x82)
    IG Bit: Individual
    SSAP: BACnet (0x82)
    CR Bit: Command
    Control field: U, func=UI (0x03)
        000. 00.. = Command: Unnumbered Information (0x00)
        .... ..11 = Frame type: Unnumbered frame (0x03)
Building Automation and Control Network NPDU
    Version: 0x01 (ASHRAE 135-1995)
    Control: 0xa0
        1... .... = NSDU contains: network layer message, message type field present.
        .0.. .... = Reserved: Shall be zero and is zero.
        ..1. .... = Destination Specifier: DNET, DLEN and Hop Count present. If DLEN=0: broadcast, dest. address field absent.
        ...0 .... = Reserved: Shall be zero and is zero.
        .... 0... = Source specifier: SNET, SLEN and SADR absent
        .... .0.. = Expecting Reply: Other than a BACnet-Confirmed-Request-PDU, segment of BACnet-ComplexACK-PDU or network layer message expecting a reply present.
        .... ..0. = Priority: Not a Life Safety or Critical Equipment message.
        .... ...0 = Priority: Normal message
    Destination Network Address: 65535
    Destination MAC Layer Address Length: 0 indicates Broadcast on Destination Network
    Hop Count: 14
    Network Layer Message Type: 01 (I-Am-Router-To-Network)
    Destination Network Address: 40991

0000  ff ff ff ff ff ff e4 ad 7d 00 1f a0 00 0c 82 82   ........}.......
0010  03 01 a0 ff ff 00 0e 01 a0 1f 00 00 00 00 00 00   ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0030  00 00 00 00 00 00 00 00 00 00 00 00               ............

asked 05 Nov '14, 13:43

Wall-IT

edited 06 Nov '14, 01:54

grahamb ♦

One Answer:

1

From your text dump:

[Protocols in frame: eth:llc:bacnet:data]

So there is no IP protocol in this frame, hence no IP address.

answered 06 Nov '14, 01:55

grahamb ♦

Anyone with any ideas besides a massive ARP request to derive the IP of the device from the MAC that was provided in the broadcast?

Up until now the broadcast after power cycling these devices included the IP.

(06 Nov '14, 07:10) Wall-IT

Why a massive arp, surely one will do for the MAC address e4:ad:7d:00:1f:a0?

(06 Nov '14, 07:35) grahamb ♦
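
The answer's point can be checked against the bytes in the question's own hex dump. The following is an added example, not part of the original thread: it reads the Ethernet type/length field to tell an 802.3 + LLC BACnet frame from an Ethernet II frame carrying IP, then walks the NPDU header. The function and field names (`dissect`, `l3`, `networks`) are illustrative choices.

```python
import struct

# First 26 bytes of frame 1137, copied from the hex dump in the question
# (the remaining 34 bytes of the 60-byte frame are zero padding).
FRAME = bytes.fromhex(
    "ffffffffffff" "e4ad7d001fa0" "000c"   # dst MAC, src MAC, 802.3 length
    "828203"                               # LLC: DSAP, SSAP, control
    "01a0ffff000e01a01f"                   # BACnet NPDU
)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def dissect(frame):
    """Return the fields that show whether the frame can carry an IP address."""
    out = {"dst": mac(frame[0:6]), "src": mac(frame[6:12])}
    (type_len,) = struct.unpack("!H", frame[12:14])
    if type_len >= 0x0600:                 # Ethernet II: field is an EtherType
        out["l3"] = {0x0800: "ipv4", 0x0806: "arp"}.get(type_len, hex(type_len))
        return out
    # IEEE 802.3: field is a payload length and an LLC header follows
    payload = frame[14:14 + type_len]
    dsap, ssap, ctrl = payload[0:3]
    if (dsap, ssap, ctrl) != (0x82, 0x82, 0x03):
        out["l3"] = "llc-other"
        return out
    out["l3"] = "bacnet-ethernet"          # BACnet directly over LLC, no IP layer
    npdu = payload[3:]
    control, pos = npdu[1], 2
    if control & 0x20:                     # DNET, DLEN (and DADR) present
        out["dnet"], dlen = struct.unpack("!HB", npdu[pos:pos + 3])
        pos += 3 + dlen
    if control & 0x08:                     # SNET, SLEN, SADR present
        out["snet"], slen = struct.unpack("!HB", npdu[pos:pos + 3])
        out["sadr"] = npdu[pos + 3:pos + 3 + slen].hex()
        pos += 3 + slen
    if control & 0x20:                     # hop count follows the address fields
        out["hop_count"] = npdu[pos]
        pos += 1
    if control & 0x80:                     # network layer message
        out["msg_type"] = npdu[pos]
        pos += 1
        if out["msg_type"] == 0x01:        # I-Am-Router-To-Network: 2-byte networks
            rest = npdu[pos:]
            rest = rest[:len(rest) // 2 * 2]
            out["networks"] = [n for (n,) in struct.iter_unpack("!H", rest)]
    return out

if __name__ == "__main__":
    print(dissect(FRAME))
```

For this frame the only device address present is the source MAC; the source specifier bit is clear, so the NPDU carries no SNET/SADR either.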