Hi,
Yep, SNA runs on top of LLC, so that is were Wireshark is going first.
Indeed disabling LLC gives you the raw data.
Thanx,
Jaap
On Wed, 31 Jan 2007, Jeff Morriss wrote:
>
> Are those ports assigned to LLC?
>
> http://www.iana.org/assignments/port-numbers
>
> says:
>
> > entextxid 12000/tcp IBM Enterprise Extender SNA XID Exchange
> > entextxid 12000/udp IBM Enterprise Extender SNA XID Exchange
> > entextnetwk 12001/tcp IBM Enterprise Extender SNA COS Network Priority
> > entextnetwk 12001/udp IBM Enterprise Extender SNA COS Network Priority
> > entexthigh 12002/tcp IBM Enterprise Extender SNA COS High Priority
> > entexthigh 12002/udp IBM Enterprise Extender SNA COS High Priority
> > entextmed 12003/tcp IBM Enterprise Extender SNA COS Medium Priority
> > entextmed 12003/udp IBM Enterprise Extender SNA COS Medium Priority
> > entextlow 12004/tcp IBM Enterprise Extender SNA COS Low Priority
> > entextlow 12004/udp IBM Enterprise Extender SNA COS Low Priority
>
>
> Anyway, the problem is Martin's traffic is running on the ports the LLC
> dissector expects to find LLC traffic on. It would be good if the LLC
> dissector could be made a "new style" dissector that attempts some
> heuristics on the payload and doesn't dissect anything if it thinks the
> traffic doesn't belong to it. I'm not sure if that's possible, though.
>
> Martin, another workaround (besides changing ports) would be to disable
> the LLC dissector.
>
> Jaap Keuter wrote:
> > Hi,
> >
> > According to RFC 2353 this decoding is correct. See paragraph 2.6.1.
> > These UDP/TCP ports are assigned by IANA to this protocol. It is
> > implemented as such in the LLC dissector.
> >
> > Thanx,
> > Jaap
> >
> > On Tue, 30 Jan 2007, Martin Pokorny wrote:
> >
> >> Hi,
> >>
> >> I think I may have stumbled onto a wireshark bug (ethereal version
> >> 0.99.0, libpcap version 0.8.3 on RHEL4). An application on which I'm
> >> working is receiving UDP packets over gigabit Ethernet from some custom
> >> hardware. The packets have a fixed source and destination UDP port
> >> number, which we had set to 12001 and 12000, respectively. Wireshark
> >> shows an LLC header after the UDP header, which is simply not present;
> >> see first attachment (bad.pcap). In the process of poking around a bit,
> >> I changed the UDP port numbers to 12032 and 12048 in the pcap file, and
> >> wireshark no longer reported the LLC header; see second attachment
> >> (good.pcap). Unless I'm totally missing something about LLC (definite
> >> possibility), this looks like a bug in wireshark or libpcap.
> >>
> >> I'm not subscribed to this list, please send questions to me directly.
> >>
> >> --
> >> Martin
> >>
> >
> > _______________________________________________
> > Wireshark-users mailing list
> > Wireshark-users@xxxxxxxxxxxxx
> > http://www.wireshark.org/mailman/listinfo/wireshark-users
> >
> >
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
>
>