Strange ethrenet frame

Strange ethrenet frame
NewsGroups | Search | Tools
User Password
Register Now! Lost Password?
 comp.dcom.lans.ethernet  Post an article  get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content  add this group's latest topics to your Google content  YahooMyWeb Yahoo!  Google Google  Windows Live Favorites Windows Live  del.icio.us del.icio.us  digg digg  Add to Netscape Netscape
Subject Author Date
Strange ethrenet frame Mr Lex 10-04-2006
Posted by Mr Lex on October 4, 2006, 10:54 am
If you were  Registered and logged in, you could reply and use other advanced thread options


Hi all,

I have a stange behavior when listening traffic on a NO CARRIER
interface.(i know it's stupid, but i'm doing tests ...)

I try to reach a connected host and I listen on interface output with
tcpdump and some traffic seem so be dumped of an "unknown ethertype".
I have a very bad ethenet link connected to this interface, that makes
it in NO CARRIER state.
When all is right, packet dumped are ARP one.
So i have many question about the bahaviour in order to validate my
test.
Did it possible to send traffic on a no carrier interface (that did not
detect link activity) ?
Did the dumped traffic is really sent or is it just traffic that "seem"
to
be sent (software garbage not physical send)?
Did that mean that some ethernet traffic can go out of my (no carrier)
ethernet card ?

I'm douin my tests with a pcn device and a PC runnning FreeBSD 5.3.

Thx for your answers


Pure Networks
Posted by Mr Lex on October 10, 2006, 2:31 pm
If you were  Registered and logged in, you could reply and use other advanced thread options


No answer, no idea ?
Nobody could help me solving my problem ?
I'm blocked ....


Mr Lex wrote:
> Hi all,
>
> I have a stange behavior when listening traffic on a NO CARRIER
> interface.(i know it's stupid, but i'm doing tests ...)
>
> I try to reach a connected host and I listen on interface output with
> tcpdump and some traffic seem so be dumped of an "unknown ethertype".
> I have a very bad ethenet link connected to this interface, that makes
> it in NO CARRIER state.
> When all is right, packet dumped are ARP one.
> So i have many question about the bahaviour in order to validate my
> test.
> Did it possible to send traffic on a no carrier interface (that did not
> detect link activity) ?
> Did the dumped traffic is really sent or is it just traffic that "seem"
> to
> be sent (software garbage not physical send)?
> Did that mean that some ethernet traffic can go out of my (no carrier)
> ethernet card ?
>
> I'm douin my tests with a pcn device and a PC runnning FreeBSD 5.3.
>
> Thx for your answers


Posted by glen herrmannsfeldt on October 10, 2006, 2:58 pm
If you were  Registered and logged in, you could reply and use other advanced thread options


> No answer, no idea ?
> Nobody could help me solving my problem ?
> I'm blocked ....

It isn't an easy question, especially without knowing the
exact hardware and software in use.

It is possible that tcpdump can see data sent to an interface,
but not actually transmitted.

It is possible that it is up long enough for data to be received.

Post the actual data from one packet and you will likely get
more answers.

-- glen

Posted by Mr Lex on October 11, 2006, 12:53 pm
If you were  Registered and logged in, you could reply and use other advanced thread options


glen herrmannsfeldt wrote:
> > No answer, no idea ?
> > Nobody could help me solving my problem ?
> > I'm blocked ....
>
> It isn't an easy question, especially without knowing the
> exact hardware and software in use.
>
> It is possible that tcpdump can see data sent to an interface,
> but not actually transmitted.
>
> It is possible that it is up long enough for data to be received.
>
> Post the actual data from one packet and you will likely get
> more answers.
>
> -- glen

Hi all,

Thanks for answers
Here is the dump of the traffic :

%tcpdump -i pcn2
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on pcn2, link-type EN10MB (Ethernet), capture size 96 bytes

23:09:18.851391 00:00:01:02:5e:8c > 45:c0:00:1c:ca:2c, ethertype
Unknown (0xac14), length 28:
0x0000: 0452 e000 0001 1164 ee9b 0000 0000
.R.....d......
23:09:20.768080 00:00:01:02:ca:2e > 46:00:00:20:ca:3e, ethertype
Unknown (0xac14), length 32:
0x0000: 0452 e000 0004 9404 0000 1600 09fb e000
.R..............
0x0010: 0004 ..
23:09:23.965991 00:00:01:02:ca:20 > 46:00:00:20:ca:4e, ethertype
Unknown (0xac14), length 32:
0x0000: 0452 e000 0002 9404 0000 1600 09fd e000
.R..............
0x0010: 0002

And the status of my interface.
%ifconfig pcn2
pcn2:
flags=128b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
mtu 1500
ether 00:d0:1c:xx:xx:xx
media: Ethernet 100baseTX <full-duplex>
status: no carrier

This traffic is generated by ARP request on the interface (as i can see
when all is right).
But MAC adresses are nor my device one nor broadcast one...
A stange point is the similarity between all frames...

Thanks for your help, i appreciate.


Posted by Mr Lex on October 23, 2006, 12:37 pm
If you were  Registered and logged in, you could reply and use other advanced thread options


Does anyone have an idea ?
Have Someone ever see this type of traffic ?

Lex

Mr Lex wrote:
> glen herrmannsfeldt wrote:
> > > No answer, no idea ?
> > > Nobody could help me solving my problem ?
> > > I'm blocked ....
> >
> > It isn't an easy question, especially without knowing the
> > exact hardware and software in use.
> >
> > It is possible that tcpdump can see data sent to an interface,
> > but not actually transmitted.
> >
> > It is possible that it is up long enough for data to be received.
> >
> > Post the actual data from one packet and you will likely get
> > more answers.
> >
> > -- glen
>
> Hi all,
>
> Thanks for answers
> Here is the dump of the traffic :
>
> %tcpdump -i pcn2
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> listening on pcn2, link-type EN10MB (Ethernet), capture size 96 bytes
>
> 23:09:18.851391 00:00:01:02:5e:8c > 45:c0:00:1c:ca:2c, ethertype
> Unknown (0xac14), length 28:
> 0x0000: 0452 e000 0001 1164 ee9b 0000 0000
> .R.....d......
> 23:09:20.768080 00:00:01:02:ca:2e > 46:00:00:20:ca:3e, ethertype
> Unknown (0xac14), length 32:
> 0x0000: 0452 e000 0004 9404 0000 1600 09fb e000
> .R..............
> 0x0010: 0004 ..
> 23:09:23.965991 00:00:01:02:ca:20 > 46:00:00:20:ca:4e, ethertype
> Unknown (0xac14), length 32:
> 0x0000: 0452 e000 0002 9404 0000 1600 09fd e000
> .R..............
> 0x0010: 0002
>
> And the status of my interface.
> %ifconfig pcn2
> pcn2:
> flags=128b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
> mtu 1500
> ether 00:d0:1c:xx:xx:xx
> media: Ethernet 100baseTX <full-duplex>
> status: no carrier
>
> This traffic is generated by ARP request on the interface (as i can see
> when all is right).
> But MAC adresses are nor my device one nor broadcast one...
> A stange point is the similarity between all frames...
>
> Thanks for your help, i appreciate.


Similar ThreadsPosted
Strange results from a tcpdump, can anyone help? March 29, 2006, 2:51 pm
strange ethernet electric problem June 22, 2007, 5:39 am
Strange switch behaviour in VLAN network July 6, 2005, 9:53 am
under sized frame February 2, 2007, 9:37 am
Use of ethernet frame without TCP/IP March 17, 2008, 5:48 am
Pause Frame transmission May 19, 2006, 7:05 pm
SMII Frame format queries April 26, 2005, 10:34 pm
detecting end/length of Ethernet II frame? April 28, 2005, 11:03 am
VLAN tagged PAUSE frame? November 2, 2006, 9:06 pm
About the minimum Eth. frame length determination October 30, 2007, 6:19 am

other useful resources:
The Federal Communications Commission (FCC)
Telecommunications Industry Association
Electronic and Software Security Products and Services
International Telecommunication Union

Custom CGI Perl and PHP programming by 1-Script.com

Contact Us | Privacy Policy
The site map in XML format XML site map