["McNutt, Justin M." <McNuttJ@xxxxxxxxxxxx>]

One other note.  "show sys topology" on the Passport showed these things for
itself and 128.206.95.252:

0 /0  128.206.95.254   0   00:04:dc:a0:98:00 75      enetFastGigEnet true
heartbeat
1 /2  128.206.95.252   281 00:80:2d:97:61:fe 48      enetFastGigEnet true
heartbeat

If anybody has any Nortel equipment, look for the file s5emt104.mib in the
BayStack 450 MIBs on Nortel's site (you shouldn't have to have a password to
get the MIBs).  I will try to see if the stuff in these MIBs correlates with
anything in this table or in the packets I captured.

--J

> -----Original Message-----
> From: McNutt, Justin M. [mailto:McNuttJ@xxxxxxxxxxxx]
> Sent: Friday, October 05, 2001 6:35 PM
> To: 'ethereal-users@xxxxxxxxxxxx'
> Subject: RE: [Ethereal-users] Weird Cisco packet?
> 
> 
> It has something to do with Aironet wireless devices.  I see 
> similar packets
> on my network, and we have several of these wireless access 
> points in our
> LAN.
> 
> I can't seem to find any aironet MIBs anywhere, though, or we 
> might be able
> to figure it out.
> 
> Here are some similar things that Ethereal doesn't understand 
> (attached).
> 
> In autotopology.bay.cap, you'll see two different L2 multicasts to the
> groups 01:00:81:00:01:00 (this segment) and 01:00:81:00:01:01 
> (all segments
> in the bridged LAN).  IIRC, devices that understand Bay 
> autotopology frames
> *will* forward the :01 frames as a L2 multicast, but will 
> *not* forward the
> :00 frames.
> 
> I don't know how to decode the whole data portion, but there 
> are some things
> that are recognizable to me deeper in the frames.  For 
> example, the first
> four bytes of the data payload in both type of autotopology 
> frames are the
> IP address of the switch sending the frame.  In the case 
> shown, the IP is
> 128.206.95.252, which is the switch I connect to.
> 
> In the :01 frames:
> 
> If the byte at offset 0x031 is 0x41, then at offset 0x024 we 
> see the MAC
> address of the next switch upstream +0x01.  The next switch 
> upstream is a
> Nortel Passport.  Passports have different MAC's for damn 
> near everything.
> The base MAC address of the Passport in question is 
> 00:04:DC:A0:98:00.  Add
> one and you get the MAC seen in the frames in this capture.  This MAC
> address is what the Passport uses as it's bridge address for 
> Spanning Tree
> in Spanning Tree Group 1 (Passports don't do per-VLAN STP; 
> they use STG's).
> 
> If the byte at offset 0x031 is not 0x41, then at offset 0x024 
> we see the MAC
> address of the switch sending the frame +0x1e, which is also 
> the source MAC
> on the frame.  The way a BayStack 450 works, the MAC address 
> of the base
> unit in a stack is used for a bunch of other things as well.  
> You add 0x1e
> to get the MAC used for autotopology.  Add 0x1f and you get 
> the MAC address
> used by the IP stack.  Even weirder is that if the switch is 
> a stand-alone
> (not stacked with other BayStacks), all three MAC addresses 
> are simply that
> of the unit itself (00:80:2D:97:61:E0 in this case).
> 
> In the :00 frames:
> 
> If the byte at offset 0x031 is 0x41, we see the MAC of the 
> Passport again at
> 0x024.
> 
> If the byte at offset 0x031 is not 0x41, then at 0x024 we see 
> something
> *similar* to eth.dst of the frame, but with the bytes in 
> reverse order, and
> with the 81 byte as 18 instead.  Could be coincidence since I 
> don't *really*
> know what any of these fields are.
> 
> I really oughta go into our test lab and compare these to 
> what I get from
> other Nortel switches and what I get if I change STP settings, etc.
> 
> Does anybody have any other info about these frames?
> 
> --J
> 
> > -----Original Message-----
> > From: Joe Tomasone [mailto:joe@xxxxxxxx]
> > Sent: Friday, October 05, 2001 2:59 PM
> > To: ethereal-users@xxxxxxxxxxxx
> > Subject: [Ethereal-users] Weird Cisco packet?
> > 
> > 
> > Anyone know what this packet is?
> > 
> > Looks like some funky Cisco thing, since the source MAC is 
> > embedded in the 
> > data portion.
> > Whatever it is, Ethereal didn't know what to do with it.
> > 
> > 
> > 	- Joe
> > 
> > 
> 
>