Wireshark-dev: Re: [Wireshark-dev] Funky packet, bad capture, bad display or what?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 11 Jul 2006 01:19:54 -0700
John McDermott wrote:
A friend sent me a trace with this packet:
Frame 1 (78 bytes on wire, 78 bytes captured)
     Arrival Time: Jul  9, 2006 13:58:01.527266000
     Time delta from previous packet: 0.000000000 seconds
     Time since reference or first frame: 0.000000000 seconds
     Frame Number: 1
     Packet Length: 78 bytes
     Capture Length: 78 bytes
Ethernet II, Src: 00:00:80:11:ea:96, Dst: 45:00:00:4e:91:fd
     Destination: 45:00:00:4e:91:fd (45:00:00:4e:91:fd)
     Source: 00:00:80:11:ea:96 (CrayComm_11:ea:96)
     Type: Unknown (0xa9fe)
Data (64 bytes)

0000  6a 0e a9 fe ff ff 00 89 00 89 00 3a c8 f8 e1 e0   j..........:....
0010  01 10 00 01 00 00 00 00 00 00 20 46 44 45 4e 46   .......... FDENF
0020  45 46 41 43 4f 46 4a 45 42 45 4f 45 45 45 46 46   EFACOFJEBEOEEEFF
0030  49 43 4f 46 43 46 46 43 41 41 41 00 00 20 00 01   ICOFCFFCAAA.. ..

First, the hex does not seem to match with the Ethernet II decode.

The hex dump might be of the data following the (presumed) Ethernet header, rather than of the entire packet.

A destination address starting with 0x45 looks suspiciously as if the Ethernet header is missing, and the packet starts with an IP header (the sequence of letters looks suspiciously like the encoding of a NetBIOS name in NetBIOS-over-TCP).

In that case, the full packet would be

	45 00 00 4e 91 fd 00 00  80 11 ea 96 a9 fe 6a 0e
	a9 fe ff ff 00 89 00 89  00 3a c8 f8 e1 e0 01 10
	00 01 00 00 00 00 00 00  20 46 44 45 4e 46 45 46
	41 43 4f 46 4a 45 42 45  4f 45 45 45 46 46 49 43
	4f 46 43 46 46 43 41 41  41 00 00 20 00 01

The IP header would be

	45		IPv4, 20-byte header
	00		TOS - default
	00 4e		total length - 78 bytes
	91 fd		ID
	00 00		flags + fragment offset - no fragmentation
	80		TTL - 128
	11		protocol - 17 (UDP)
	ea 96		header checksum
	a9 fe 6a 0e	source address - 169.254.106.14
	a9 fe ff ff	destination address - 169.254.255.255

The UDP header would be

	00 89		source port - 137 (NetBIOS name service)
	00 89		destination port - 137
	00 3a		length - 58
	c8 f8		checksum

and the NetBIOS name service header would be

	e1 e0		transaction ID
	01 10		opcode, name flags, rcode - name query, recursion desired, packet is broadcast
	00 01		number of names in question section - 1
	00 00		number of RR's in answer section
	00 00		number of RR's in authority section
	00 00		number of RR's in additional records section

followed by the compressed name in the question section.

On what OS was this capture done? And was it done with Ethereal/Wireshark, or some other application?
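A worked decode of the 78-byte reconstruction in the reply, added here as an example and not part of the thread: it parses the IPv4 and UDP headers, checks that the IP header checksum verifies (which supports reading those bytes as an IP header rather than an Ethernet header), and dissects the NBNS question, going one step further than the reply by undoing the first-level name encoding (RFC 1001: each byte is sent as two letters, 'A' plus the high nibble then 'A' plus the low nibble). The packet bytes are copied from the reply; the function names and field names are the example's own.

```python
import socket
import struct

# Constructed from the reply's reconstruction: the 64 dumped bytes with the
# 14 bytes Wireshark mistook for an Ethernet header put back in front (78 bytes).
PACKET = bytes.fromhex(
    "45 00 00 4e 91 fd 00 00 80 11 ea 96 a9 fe 6a 0e "
    "a9 fe ff ff 00 89 00 89 00 3a c8 f8 e1 e0 01 10 "
    "00 01 00 00 00 00 00 00 20 46 44 45 4e 46 45 46 "
    "41 43 4f 46 4a 45 42 45 4f 45 45 45 46 46 49 43 "
    "4f 46 43 46 46 43 41 41 41 00 00 20 00 01"
)

def ones_complement_checksum(data):
    """RFC 1071 checksum; 0 when run over a header whose checksum field is valid."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data + b"\x00" * (len(data) % 2)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(buf):
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    hdr = {"total_length": total_len, "ttl": ttl, "protocol": proto,
           "checksum_ok": ones_complement_checksum(buf[:ihl]) == 0,
           "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    return hdr, buf[ihl:total_len]

def parse_udp(buf):
    sport, dport, length, _ = struct.unpack("!HHHH", buf[:8])
    return {"src_port": sport, "dst_port": dport, "length": length}, buf[8:length]

def decode_netbios_name(label):
    # RFC 1001 first-level encoding: each byte sent as 'A'+high nibble, 'A'+low nibble;
    # the 16th decoded byte is the NetBIOS suffix (0x00 = workstation service).
    raw = bytes(((a - 0x41) << 4) | (b - 0x41) for a, b in zip(label[0::2], label[1::2]))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def parse_nbns(buf):
    tid, flags, qdcount, _, _, _ = struct.unpack("!6H", buf[:12])
    pos, labels = 12, []
    while buf[pos]:  # DNS-style length-prefixed labels, ended by a zero length
        labels.append(buf[pos + 1:pos + 1 + buf[pos]])
        pos += 1 + buf[pos]
    qtype, qclass = struct.unpack("!HH", buf[pos + 1:pos + 5])
    name, suffix = decode_netbios_name(labels[0])
    return {"transaction_id": tid, "opcode": (flags >> 11) & 0xF, "questions": qdcount,
            "recursion_desired": bool(flags & 0x0100), "broadcast": bool(flags & 0x0010),
            "name": name, "suffix": suffix, "qtype": qtype, "qclass": qclass}
```

Running `parse_nbns(parse_udp(parse_ipv4(PACKET)[1])[1])` yields the name query for the NetBIOS name encoded in the dump, with the IP checksum reported as valid.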