Wireshark mailing list archives

Re: Nettl HP-UX


From: Guy Harris <guy () alum mit edu>
Date: Tue, 28 Jun 2011 14:46:34 -0700


On Jun 28, 2011, at 1:57 PM, Chris Maynard wrote:

> Guy Harris <guy@...> writes:
>
>> maxValidFrame is 1500.  (And, yes, this means that values of the length/type field between 1501 and 1535 are, apparently, illegal.)
>
> So how should Wireshark handle such invalid frames?

Good question.

> As a simple test, I manually modified an IEEE 802.3 Ethernet packet and changed its length from 38 bytes (with 8 bytes of trailer) to 1501 bytes.  Wireshark displayed it as an Ethernet II frame of "Type: unknown (0x05dd)" and payload of 46 bytes.

Yes, the code currently treats all type/length field values < IEEE_802_3_MAX_LEN=1500 as type field values.

> But if 1501-1535 are invalid, maybe at the very least an Expert Info should be added to report it?

Yes.

My copy of version 1 of the DEC/Intel/Xerox Ethernet spec doesn't say anything about valid type field values, unless I missed it.  Perhaps version 2 does; in any case, perhaps we should dissect frames with type/length fields in that range as invalid rather than as having a type *or* length field.
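
The three-way split discussed in this thread, as an added example that is not part of the original message and is not Wireshark's dissector code. `IEEE_802_3_MAX_LEN` and its value come from the thread; `ETHERTYPE_MIN` (1536, the first value above the 1501-1535 range), `classify_frame`, `classify_sample` and the other names are hypothetical, and the sample frame is constructed to match the 38-byte-plus-8-byte-trailer test described above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define IEEE_802_3_MAX_LEN 1500 /* name and value quoted in the thread */
#define ETHERTYPE_MIN      1536 /* assumption: first value past 1501-1535 */
#define ETH_HDR_LEN        14   /* dst MAC + src MAC + type/length field */

enum eth_kind { ETH_TRUNCATED, ETH_802_3_LENGTH, ETH_INVALID_RANGE, ETH_II_TYPE };
struct eth_result {
    enum eth_kind kind;
    uint16_t field;      /* raw type/length value, host byte order */
    size_t payload_len;  /* bytes treated as payload */
    size_t trailer_len;  /* bytes after the declared 802.3 length */
};

/* Classify the type/length field; 1501-1535 is reported, not guessed at. */
struct eth_result classify_frame(const uint8_t *buf, size_t len)
{
    struct eth_result r = { ETH_TRUNCATED, 0, 0, 0 };
    if (buf == NULL || len < ETH_HDR_LEN)
        return r;
    r.field = (uint16_t)((buf[12] << 8) | buf[13]);
    size_t avail = len - ETH_HDR_LEN;
    if (r.field <= IEEE_802_3_MAX_LEN) {
        r.kind = ETH_802_3_LENGTH;
        /* Clamp: the declared length may exceed the captured bytes. */
        r.payload_len = r.field < avail ? r.field : avail;
        r.trailer_len = avail - r.payload_len;
    } else {
        r.kind = r.field < ETHERTYPE_MIN ? ETH_INVALID_RANGE : ETH_II_TYPE;
        r.payload_len = avail;
    }
    return r;
}

/* Constructed sample: zeroed 46-byte payload area, caller-chosen field. */
struct eth_result classify_sample(uint16_t field)
{
    uint8_t frame[ETH_HDR_LEN + 46] = {0};
    frame[12] = (uint8_t)(field >> 8);
    frame[13] = (uint8_t)(field & 0xff);
    return classify_frame(frame, sizeof frame);
}

int main(void)
{
    struct eth_result r = classify_sample(1501);
    printf("field=0x%04x kind=%d payload=%zu\n", (unsigned)r.field, (int)r.kind, r.payload_len);
    return 0;
}
```
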