On Thu, Jan 01, 2004 at 05:33:51PM -0800, Guy Harris wrote:
> I have some captures where packets with the ISMP Ethertype (0x81fd) are
> dissected as
>
> InterSwitch Message Protocol
> Version: 16962
> Message Type: 768
> Sequence Number: 768
> Auth Code Length: 2
> Auth Data: 99DE
>
> and the packet data after the Ethernet header is
>
> 0000 42 42 03 00 03 00 02 99 de 10 00 00 00 00 00 00 BB..............
> 0010 00 00 00 00 00 00 00 00 00 00 00 04 98 94 90 1b ................
> 0020 00 00 1d f0 94 ae 06 00 00 00 00 00 1d bf b0 ee ................
> 0030 00 00 00 00 00 02 04 00 08 00 00 00 00 00 00 00 ................
..although the "Auth Data" changes from packet to packet.
Also, in the captures I have where the ISMP packets contain EDP packets,
the Module Port (ifIndex num) field appears to be bogus (0x17 0x00 0x00
0x00, 0x0a 0x00 0x00 0x00, etc. - is that field little-endian? The
first of those would be 23, and the latter of those would be 10, if
little-endian, rather than being really huge numbers) and the "Number of
Tuples" field is, if not zero, bogus (but not bogus as in "the wrong
byte order" - switch the byte order and they're still bogus).