A packet sniffer captures packets from the Ethernet bus. The network interface card (NIC) operates in a mode called promiscuous mode. Promiscuous mode means that the NIC looks at all traffic on the wire, not just traffic addressed to itself. Normally, the NIC ignores all traffic except packets addressed to itself, multicasts and broadcast packets.
The following captured packet is displayed in raw format. Raw format is hexadecimal numbers in rows of 16 digits.
FF FF FF FF FF FF 00 20 AF 10 9A C0 00 25 E0 E0 03 FF FF 00 22 00 11 00 00 00 00 FF FF FF FF FF FF 04 52 00 00 00 00 00 20 AF 10 9A C0 40 0B 00 01 00 04 00 00 00 00 00 00 00 00 00
Raw Captured Packet
Raw captured packets do not display the Preamble, Start Frame Delimiter and the Frame Check Sequence fields. These fields are used to inform the receiving station of a new frame and for error checking.
The breakdown of the packet is according to the Ethernet MAC frame and as follows:
1st 6 bytes:  FF-FF-FF-FF-FF-FF  Destination MAC address
2nd 6 bytes:  00-20-AF-10-9A-C0  Source MAC address
Next 2 bytes: 0025               Length/Type field - IEEE 802.3 frame
Next 37 bytes:                   Data
Last 9 bytes: all 00s            Pad
The length of the data in the Info field is 0025h or 37 bytes long. The minimum Info field size is 46 bytes so the data is padded with 9 bytes of 00h.
The Length/Type field value is less than 05DCh (1500 in decimal) which indicates that it is an Ethernet_802.2 frame (IEEE 802.3) with a Logical Link Control layer (covered later) between the MAC layer and the Network layer.
If the value was 0800h, it would indicate an Ethernet_II frame used for TCP/IP.
If it were 8137h, it would indicate an Ethernet_802.3 (raw) frame used by pre-3.12 Netware.
The complete listing of the Length/Type field assignments is covered in Appendix C Ethernet Type Field.
Looking at the MAC block diagram, the data from the Info field is shown broken down (or rather, broken up) into the higher layers: the Logical Link Control layer, the Network layer and the Transport layer. Note: a thorough knowledge of each of the layers and quite a few handy reference books are required to determine exactly what is happening. The remaining layers are examined here as an example only.
NOTE: Modern packet sniffers will break down the raw packet's fields for you.
LLC Layer
The first 3 bytes of the data in the Ethernet frame Info field are the header of the Logical Link Control layer (LLC, IEEE 802.2).
1st byte: E0  Destination Service Access Point (DSAP)
2nd byte: E0  Source Service Access Point (SSAP)
3rd byte: 03  Control code
E0h indicates that it is a Novell Netware stack (source) talking to a Novell Netware stack (destination). The 03h is the LLC layer's handshaking. The size of the LLC's Data field is 34 bytes. The LLC layer is covered extensively in the following chapter.
Network Layer
The data of the LLC layer becomes the header and data of the layer above it, which is the Network layer. In this case, it is an IPX PDU (Protocol Data Unit), which is indicated by the first 2 bytes being FFFFh - the IPX checksum.
Bytes         Value (Hex)   Meaning
1st 2 bytes:  FFFF          IPX Checksum (always FFFFh; the FCS does the error checking)
Next 2 bytes: 0022          IPX PDU length, allowable range 001Eh (30) to 0240h (576)
Next byte:    00            Transport control field - hop count, allowed 00 to 0Fh (15)
Next byte:    11            Packet Type; 11h (17) is Netware Core Protocol (NCP)
Next 4 bytes: 00000000      Destination network address; all 0s indicate the local network (the segment number in the server's autoexec.ncf file)
Next 6 bytes: FFFFFFFFFFFF  Destination host address (same as the destination MAC address)
Next 2 bytes: 0452          Destination socket, Service Advertising Protocol
Next 4 bytes: 00000000      Source network address (all 0s indicate the local network)
Next 6 bytes: 0020AF109AC0  Source host address (same as the source MAC address)
Next 2 bytes: 400B          Source socket (arbitrarily assigned, starting at 4000h)
Last 4 bytes:               Data
The following tables describe the field values for the IPX PDU's Packet Type and Socket Number fields:

Packet Type   Field Value   Purpose
NLSP          00h           Netware Link Services Protocol
RIP           01h           Routing Information Protocol
SAP           04h           Service Advertising Protocol
SPX           05h           Sequenced Packet Exchange
NCP           11h           Netware Core Protocol
NetBIOS       14h           NetBIOS and other propagated packets
IPX Packet Type Field

Socket Number   Process
9001            Netware Link Services Protocol (NLSP)
9004            IPXWAN Protocol
Netware Socket Numbers and Processes
Transport Layer
The Network layer's Data field becomes the Transport layer's PDU. In this case it is only 4 bytes long.
1st 2 bytes:  0001  Packet type (Standard Server Request)
Next 2 bytes: 0004  Service type (file server)
The following tables describe the values of the Service Advertising Protocol's Packet Type and Service Type fields:
8000 All values are reserved up to 8000
FFFF Wildcard
Example Packet Sniffing Summary
This packet is commonly called a Standard Server Request. It is broadcast (destination FF-FF-FF-FF-FF-FF) on the local network (00-00-00-00) by a Novell Netware client that is looking for a file server to log in to. A server would respond with a Service Advertising Protocol PDU listing its services.
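As an added example (not code from the original text), the same walk carried out in Python: it splits the raw capture into MAC, LLC, IPX and SAP fields, applies the range checks the text gives for the Length/Type, checksum, length and hop count fields, and raises on a frame that does not fit them. The input bytes are the capture shown above; the packet-type and service-type labels are the ones the text uses.

```python
import struct
# Constructed input: the 60-byte raw capture from the text (raw captures omit the FCS).
RAW_PACKET = bytes.fromhex(
    "FFFFFFFFFFFF 0020AF109AC0 0025"              # MAC: destination, source, Length/Type
    "E0E003"                                      # LLC: DSAP, SSAP, control
    "FFFF 0022 00 11 00000000 FFFFFFFFFFFF 0452"  # IPX: checksum .. destination socket
    "00000000 0020AF109AC0 400B"                  # IPX: source network, host, socket
    "00010004"                                    # SAP: packet type, service type
    "000000000000000000"                          # 9 bytes of 00h pad
)
IPX_PACKET_TYPES = {0x00: "NLSP", 0x01: "RIP", 0x04: "SAP", 0x05: "SPX", 0x11: "NCP", 0x14: "NetBIOS"}
SAP_SOCKET = 0x0452  # destination socket of the Service Advertising Protocol

def mac(b): return "-".join(f"{x:02X}" for x in b)

def decode_sap(data):
    """SAP PDU in the IPX Data field: 0001h Standard Server Request, service 0004h file server."""
    ptype, stype = struct.unpack("!HH", data[:4])
    return {"packet_type": ptype, "service_type": stype, "file_server_request": ptype == 1 and stype == 4}

def decode_ipx(pdu):
    """30-byte IPX header, checked against the ranges the text gives for each field."""
    checksum, length, hops, ptype = struct.unpack("!HHBB", pdu[:6])
    if checksum != 0xFFFF or not 0x001E <= length <= 0x0240 or hops > 0x0F or length > len(pdu):
        raise ValueError("malformed IPX header")
    dnet, dhost, dsock, snet, shost, ssock = struct.unpack("!I6sHI6sH", pdu[6:30])
    ipx = {"length": length, "hops": hops, "packet_type": IPX_PACKET_TYPES.get(ptype, f"{ptype:02X}h"),
           "dst_net": dnet, "dst_host": mac(dhost), "dst_socket": dsock,
           "src_net": snet, "src_host": mac(shost), "src_socket": ssock}
    if dsock == SAP_SOCKET:
        ipx["sap"] = decode_sap(pdu[30:length])
    return ipx

def decode_frame(raw):
    """Walk the frame MAC -> LLC -> IPX -> SAP, the same way the text does by hand."""
    if len(raw) < 14:
        raise ValueError("truncated MAC header")
    length_type = struct.unpack("!H", raw[12:14])[0]
    frame = {"dst_mac": mac(raw[:6]), "src_mac": mac(raw[6:12]), "length_type": length_type}
    if length_type > 0x05DC:  # above 1500: an Ethernet_II type field (0800h IP, 8137h IPX)
        frame["frame"] = f"Ethernet_II type {length_type:04X}h"
        return frame
    info = raw[14:14 + length_type]  # IEEE 802.3: the field is the Info length
    if length_type < 3 or len(info) != length_type:
        raise ValueError("Info field does not match the Length field")
    frame["frame"] = "Ethernet_802.2 (IEEE 802.3 with LLC)"
    frame["pad"] = max(0, 46 - length_type)  # 00h pad bytes needed to reach the 46-byte minimum
    frame["llc"] = {"dsap": info[0], "ssap": info[1], "control": info[2]}
    if info[0] == 0xE0 and info[1] == 0xE0:  # E0h: Novell Netware stack on both ends
        frame["ipx"] = decode_ipx(info[3:])
    return frame
```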
36j. Packet Sniffing Block Diagram
37. IEEE 802.2 LLC - Logical Link Control Layer
The Logical Link Control Layer resides in the upper portion of the Data Link Layer. The LLC layer performs these functions:
a. Managing the data-link communication
b. Link Addressing
c. Defining Service Access Points (SAPs)
d. Sequencing
The LLC provides a way for the upper layers to deal with any type of MAC layer (e.g. Ethernet - IEEE 802.3 CSMA/CD, or Token Ring - IEEE 802.5 Token Passing).
The Data field of the MAC layer Frame transmits the LLC Protocol Data Unit.
LLC PDU Format