This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decoding IP(IPv4/IPv6) packets with LLC SNAP header

0

I see that for IPv4/IPv6 packets which have a LLC SNAP header, wireshark does not decode the L3 and L4 layers.Only for ENET II type(DIX) it decodes L3 and L4 layers.

asked 05 Apr '17, 03:56

pkn's gravatar image

pkn
6223
accept rate: 0%

There's no question here. In general this looks like it should be turned into a bug report instead. Go to https://bugs.wireshark.org and enter a complete bug description. Don't forget screenshots and/or pcaps, so the developers can understand what the problem is.

(05 Apr '17, 08:29) Jasper ♦♦
1

More info on bug reporting available on the wiki ReportingBugs page.

(05 Apr '17, 08:58) grahamb ♦
2

Don't forget screenshots and/or pcaps

...with capture files very strongly preferred over screenshots! With a capture file, we can test Wireshark/TShark with the file, and test any fixes with the file as well.

(06 Apr '17, 00:03) Guy Harris ♦♦

One Answer:

0

If an IPv4/IPv6 packet has a CORRECT LLC SNAP header, with an OUI of 00:00:00 and a PID of 0x0800 for IPv4 or 0x86dd for IPv6, wireshark does decode them.

If, however, it has a packet with some other OUI and a PID of 0x0800 or 0x86dd, the only reason why it should decode them as IPv4 or IPv6, respectively, would be if the organization to whom that OUI belongs decided to use 0x0800 as a PID for IPv4 or use 0x86dd as a PID for IPv6.

In a SNAP header, the OUI matters!

answered 06 Apr '17, 17:46

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Thanks Harris for the clarification!

(06 Apr '17, 21:06) pkn