John McDermott wrote:
A friend sent me a trace with this packet:
Frame 1 (78 bytes on wire, 78 bytes captured)
Arrival Time: Jul 9, 2006 13:58:01.527266000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 0.000000000 seconds
Frame Number: 1
Packet Length: 78 bytes
Capture Length: 78 bytes
Ethernet II, Src: 00:00:80:11:ea:96, Dst: 45:00:00:4e:91:fd
Destination: 45:00:00:4e:91:fd (45:00:00:4e:91:fd)
Source: 00:00:80:11:ea:96 (CrayComm_11:ea:96)
Type: Unknown (0xa9fe)
Data (64 bytes)
0000 6a 0e a9 fe ff ff 00 89 00 89 00 3a c8 f8 e1 e0 j..........:....
0010 01 10 00 01 00 00 00 00 00 00 20 46 44 45 4e 46 .......... FDENF
0020 45 46 41 43 4f 46 4a 45 42 45 4f 45 45 45 46 46 EFACOFJEBEOEEEFF
0030 49 43 4f 46 43 46 46 43 41 41 41 00 00 20 00 01 ICOFCFFCAAA.. ..
First, the hex does not seem to match with the EthernetII decode.
The hex dump might be of the data following the (presumed) Ethernet
header, rather than of the entire packet.
A destination address starting with 0x45 looks suspiciously as if the
Ethernet header is missing, and the packet starts with an IP header (the
sequence of letters looks suspiciously like the encoding of a NetBIOS
name in NetBIOS-over-TCP).
In that case, the full packet would be
45 00 00 4e 91 fd 00 00 80 11 ea 96 a9 fe 6a 0e
a9 fe ff ff 00 89 00 89 00 3a c8 f8 e1 e0 01 10
00 01 00 00 00 00 00 00 20 46 44 45 4e 46 45 46
41 43 4f 46 4a 45 42 45 4f 45 45 45 46 46 49 43
4f 46 43 46 46 43 41 41 41 00 00 20 00 01
The IP header would be
45 IPv4, 20-byte header
00 TOS - default
00 4e total length - 78 bytes
91 fd ID
00 00 flags + fragment offset - no fragmentation
80 TTL - 128
11 protocol - 17 (UDP)
ea 96 header checksum
a9 fe 6a 0e source address - 169.254.106.14
a9 fe ff ff destination address - 169.254.255.255
The UDP header would be
00 89 source port - 137 (NetBIOS name service)
00 89 destination port - 137
00 3a length - 58
c8 f8 checksum
and the NetBIOS name service header would be
e1 e0 transaction ID
01 10 opcode, name flags, rcode - name query, recursion desired,
packet is broadcast
00 01 number of names in question section - 1
00 00 number of RR's in answer section
00 00 number of RR's in authority section
00 00 number of RR's in additional records section
followed by the compressed name in the question section.
On what OS was this capture done? And was it done with
Ethereal/Wireshark, or some other application?