Ethereal-users: Re: [Ethereal-users] ISO8073 OSI COTP over Ethernet

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Martin Regner" <martin.regner@xxxxxxxxx>
Date: Tue, 27 May 2003 18:18:48 +0100
Guy Harris wrote:

>On Tue, May 27, 2003 at 11:41:19AM +0100, CNS - Matthew Bradley wrote:
>> I've spoken to one of our suppliers who lives and breathes OSLAN.
>> 
>> He says that ICL were the only company in the world to choose LLC SAP 0x54
>> for their mainframes, and he suggested this was a unilateral decision. My
>> contact's experience is that all OSLAN hosts other than ICL mainframes
>> normally use a SAP 0x14. 
>> 
>> So I fear that it will not be possible to identify OSLAN based on LLC alone.
>
>Well, if neither a SAP value of 0x14 or of 0x54 is used for anything
>*other* than OSLAN, then OSLAN traffic can be identified based on LLC
>alone as traffic for SAP 0x54 *or* SAP 0x14.
>
>Is it the case that 14 and 54 are both used for OSLAN and nothing else?

I converted the capture to NAI Sniffer DOS format and loaded it into four other protocol analysers.
I didn't have time to expirement more today, but can maybe later edit the capture a bit with text2pcap
and see what results I get some different combinations of SAP values.

NAI Sniffer:
----------------
The packets were decoded as ISO-TP (i.e. COTP)  over CLNP (Null).
There was no specific indication what SAP 0x14 or 0x54 meant.

Wandel & Goltermann Examine:
--------------------------------------------
The packets were decoded as ISO-TP (i.e. COTP)  over CLNP (Null).
SAP 0x14 was indicated as "0x14 (ISO)"
SAP 0x54 was indicated as "0x54 (ISO)"

Finisar Surveyor (demo version):
---------------------------------------------
Only the Ethernet and LLC part decoded, the rest of the packet shown as "Data".

Microsoft Network Monitor:
-------------------------------------
Only the Ethernet and LLC part decoded.