
What are these packets with an Ethertype of 0x0e00?


It turns out that whenever a device connects to the network on my WNDR3800 router, Wireshark shows the unknown ethertype "0x0e00" as its protocol. When really, this ethertype is very special only to that, or other WNDR3800 routers depending on configuration, as an NDP or "Neighbor Discovery Protocol" connection, as to which, Wireshark does not have a protocol listing for that yet, and needs to be added ASAP.

To prove this, the following packet capture is of 8 ICMPv6 messages (counted as the 5 regular for NDP according to Wikipedia, being Router Solicitation (packets 36, 37, 46, and 63), Router Advertisement, Neighbor Solicitation (packet 21), Neighbor Advertisement, and Redirect (maybe Multicast Listener Report messages on packets 25 and 35?)) in accordance with this amazing discovery. I hope this stumps this community as I had just made this discovery just recently.

Note: this discovery had been filtered to one device, an Acer tablet, so that it can be proved to that as easily as possible, as every other device also does the same thing with this router in this house.

Yalek W
asked 2019-03-30 22:32:06 +0000
Guy Harris
updated 2019-03-31 06:55:01 +0000

Comments

Hi Yalek,

I'm sorry to hear about the strange ethertype behavior. What will help us most is links (from Dropbox, Google Drive, etc.) to the packet captures. Screenshots can also be helpful in addition to pcaps to identify relevant GUI features or elements.

Ross Jacobs (2019-03-30 22:43:42 +0000)

3 Answers


The one and only packet in your capture with an Ethernet type of 0x0e00 has, following the Ethernet header:

  • AA AA 03, which would be the DSAP, SSAP, and control field (Unnumbered Information) of an 802.2 header, with AA meaning SNAP;
  • 00 00 00 00 06 00, which would be the OUI if it were a SNAP frame, but which is also a big-endian value equal to 1536, which is 18 bytes more than the maximum Ethernet frame size counting the FCS.

This was, I assume, a capture on a Wi-Fi network; it may either be that 1) the device in question is transmitting bad packets or 2) the hardware and software that's turning Wi-Fi packets into "fake Ethernet" packets is mangling some packets.

The mere fact that the host with the MAC address 68:b3:5e:18:cf:4e happens to be transmitting, among other things, ICMPv6 packets doing Neighbor Discovery does not, in and of itself, mean that the one 0x0e00 packet it also transmits has anything whatsoever to do with ICMPv6 Neighbor Discovery.

Guy Harris
answered 2019-03-31 06:54:39 +0000
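The byte-level check walked through in the answer above can be scripted when triaging unknown EtherTypes in a capture. This is an added example, not part of the original answer and not Wireshark's code; both frames are constructed, and only the source MAC, the 0x0e00 type and the nine bytes after it are taken from the answer.

```python
import struct

ND_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
            135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
            137: "Redirect"}
KNOWN = {0x0800: "IPv4", 0x0806: "ARP"}  # small subset, enough for the demo

def classify_ipv6(pkt: bytes) -> str:
    if len(pkt) < 41 or pkt[0] >> 4 != 6:
        return "IPv6 (truncated or malformed)"
    if pkt[6] != 58:          # Next Header; extension headers are not walked
        return "IPv6"
    return "ICMPv6 " + ND_TYPES.get(pkt[40], f"type {pkt[40]}")

def classify(frame: bytes) -> str:
    """Classify an Ethernet frame (without FCS) by its type/length field."""
    if len(frame) < 14:
        return "truncated"
    (tl,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    snap = payload[:3] == b"\xaa\xaa\x03"   # DSAP, SSAP, control (UI)
    if tl <= 1500:                          # 802.3 length, LLC follows
        return "802.3 length, LLC/SNAP" if snap else "802.3 length, LLC"
    if tl < 0x0600:                         # 1501..1535 is neither
        return f"invalid type/length {tl}"
    if tl == 0x86DD:
        return classify_ipv6(payload)
    if tl in KNOWN:
        return KNOWN[tl]
    note = ", LLC/SNAP bytes follow (suspect malformed or mangled frame)" if snap else ""
    return f"unknown EtherType 0x{tl:04x}{note}"

SRC = bytes.fromhex("68b35e18cf4e")         # host MAC quoted in the answer
# Constructed frame: only the type and the nine bytes after it are from the answer.
ODD = (b"\xff" * 6 + SRC + bytes.fromhex("0e00")
       + bytes.fromhex("aaaa03" "000000000600") + bytes(37))
# Constructed Router Solicitation (checksum left at zero, addresses made up).
RS = (bytes.fromhex("333300000002") + SRC + bytes.fromhex("86dd")
      + struct.pack("!IHBB", 0x60000000, 8, 58, 255)
      + bytes.fromhex("fe80" + "00" * 13 + "01")
      + bytes.fromhex("ff02" + "00" * 13 + "02")
      + bytes([133, 0, 0, 0, 0, 0, 0, 0]))

if __name__ == "__main__":
    for name, frame in (("odd", ODD), ("rs", RS)):
        print(name, "->", classify(frame))
```

A real Neighbor Discovery frame is classified from the 0x86dd type and the ICMPv6 type byte, while the 0x0e00 frame is flagged only as an unknown type whose payload happens to start with LLC/SNAP bytes.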

Comments

Hmm interesting...ok. I guess I was wrong then?

Yalek W (2019-03-31 15:53:10 +0000)

A photo isn't all that helpful. What is helpful is the actual Wireshark capture. This should be attached to an enhancement request at the Wireshark Bugzilla.

grahamb
answered 2019-03-30 22:41:34 +0000

Comments

Got your capture in a link to drive, I cannot upload the actual file directly here yet.

Yalek W (2019-03-30 22:56:18 +0000)

https://drive.google.com/open?id=1i-7... ^^ Link to the packet capture.

and link, to Neighbor discovery protocol:

https://en.wikipedia.org/wiki/Neighbo...

Yalek W (2019-03-31 02:43:13 +0000)

Yes, we're quite aware of the Neighbor Discovery Protocol...

...which uses the Ethernet type 0x86dd, not 0x0e00.

Guy Harris (2019-03-31 06:37:19 +0000)

Wireshark shows the unknown ethertype "0x0e00" as its protocol. When really, this ethertype is very special only to that, or other WNDR3800 routers depending on configuration, as an NDP or "Neighbor Discovery Protocol" connection, as to which, Wireshark does not have a protocol listing for that yet, and needs to be added ASAP.

It won't be possible until somebody indicates what that protocol is and what its name is, so "as soon as possible" means "not until somebody indicates that".

0E00 is not in the IEEE listing of Ethernet types.

Guy Harris
answered 2019-03-31 00:49:48 +0000

Comments

And yes, this was a capture on wifi, for those who are wondering

Yalek W (2019-03-31 15:54:35 +0000)