tcpdump mailing list archives

What's the point of "oui Unknown"?


From: John Hawkinson <jhawk () mit edu>
Date: Sun, 12 Oct 2014 16:00:57 -0400

I guess it's been a long time since I've run tcpdump -e.
On an 802.11 packet, I see:

15:47:26.928534 0us BSSID:58:f3:9c:e5:a2:cf (oui Unknown) DA:Broadcast
SA:58:f3:9c:e5:a2:cf (oui Unknown) Beacon (MIT N) [18.0 24.0* 36.0 48.0
54.0 Mbit] ESS[|802.11]

That is:

    58:f3:9c:e5:a2:cf (oui Unknown)

is from etheraddr_string() because 58:f3:9c does not appear 
in the list of 14 ouis in oui.c:

    /* FIXME complete OUI list using a script */

    const struct tok oui_values[] = {
        { OUI_ENCAP_ETHER, "Ethernet" },
        { OUI_CISCO, "Cisco" },
        { OUI_NORTEL, "Nortel Networks SONMP" },
        { OUI_CISCO_90, "Cisco bridged" },
        { OUI_RFC2684, "Ethernet bridged" },
        { OUI_ATM_FORUM, "ATM Forum" },
        { OUI_CABLE_BPDU, "DOCSIS Spanning Tree" },
        { OUI_APPLETALK, "Appletalk" },
        { OUI_JUNIPER, "Juniper" },
        { OUI_HP, "Hewlett-Packard" },
        { OUI_IEEE_8021_PRIVATE, "IEEE 802.1 Private"},
        { OUI_IEEE_8023_PRIVATE, "IEEE 802.3 Private"},
        { OUI_TIA, "ANSI/TIA"},
        { OUI_DCBX, "DCBX"},
        { 0, NULL }
    };

What's the thinking here?

Obviously there are thousands of OUIs, and most are not going to ever
be in tcpdump's list, and it seems like populating oui.c with 20,000
OUIs may not be the way to go.

The code to do this was added by Hannes Gredler in:

commit 64690e70e5559c14aade6b2bccb3c05f14718d4c
Author: hannes <hannes>
Date:   Sun Apr 10 07:17:00 2005 +0000

    plumb in oui-name resolution

and is currently (addrtoname.c):

    if (!nflag) {
            snprintf(cp, BUFSIZE - (2 + 5*3), " (oui %s)",
                tok2str(oui_values, "Unknown", oui));
    } else


It seems to me that without more robust support this is just annoying
noise and, at the very least, the Unknown oui printing should be
removed.

Thoughts?

--jhawk () mit edu
  John Hawkinson
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
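
Added example, not part of the original post and not tcpdump's own code: a self-contained C sketch of the behaviour the message asks for, where the " (oui NAME)" suffix is printed only when the OUI is found in the table. The names `oui_entry`, `sample_ouis`, `oui_lookup` and `format_mac` are hypothetical, and the two table entries are sample data constructed for the example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for a value/name table; entries are sample data. */
struct oui_entry { uint32_t oui; const char *name; };

static const struct oui_entry sample_ouis[] = {
    { 0x00000c, "Cisco" },
    { 0x009069, "Juniper" },
    { 0, NULL }            /* terminator: name == NULL */
};

/* Return the name for a 24-bit OUI, or NULL when it is not in the table. */
static const char *oui_lookup(const struct oui_entry *t, uint32_t oui)
{
    for (; t->name != NULL; t++)
        if (t->oui == oui)
            return t->name;
    return NULL;
}

/*
 * Format a 6-byte MAC address into buf. The " (oui NAME)" suffix is
 * appended only when the OUI is known and numeric-only mode is off,
 * so unknown vendors produce no extra text. Returns buf.
 */
static char *format_mac(char *buf, size_t len, const uint8_t mac[6], int numeric_only)
{
    uint32_t oui = ((uint32_t)mac[0] << 16) | ((uint32_t)mac[1] << 8) | mac[2];
    int n = snprintf(buf, len, "%02x:%02x:%02x:%02x:%02x:%02x",
                     mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
    const char *name = numeric_only ? NULL : oui_lookup(sample_ouis, oui);

    if (name != NULL && n > 0 && (size_t)n < len)
        snprintf(buf + n, len - (size_t)n, " (oui %s)", name);
    return buf;
}

int main(void)
{
    char buf[64];
    const uint8_t beacon[6] = { 0x58, 0xf3, 0x9c, 0xe5, 0xa2, 0xcf }; /* from the post */
    const uint8_t known[6]  = { 0x00, 0x00, 0x0c, 0x01, 0x02, 0x03 }; /* constructed */

    puts(format_mac(buf, sizeof buf, beacon, 0));
    puts(format_mac(buf, sizeof buf, known, 0));
    return 0;
}
```

Returning NULL from the lookup, rather than a default string, lets the caller decide whether a miss should print anything at all.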