Guy, >> If you are referring to Cisco's management packets, then WinPCap >> does capture them. I just saw this yesterday while checking >> out Ethereal (see http://www.ethereal.com ) in a WiFi-equipped >> coffee shop with a Cisco router. > >Ethereal running on Windows?
Yes, Windows 2000 Pro. >If so, what sort of management packets are those? Are those sent as >802.11 data packets with an 802.2 LLC header and, probably, a SNAP >header? Actually, I know nothing about Cisco's stuff. Ethereal logged and reported Cisco management packets, describing them as "STP" (Spanning Tree for Bridges) protocol. Sadly, I can't cut and paste the lovely, detailed description of the packet from Ethereal, and I don't have time right now to transcribe it for all to see. The header was described as "Logical Link Control", with the fields "DSAP", "IG Bit", "SSAP", "CR Bit", and "Control Field". The Spanning Tree Protocol portion of the packet contained a number of other interesting fields, like "Bridge Identifier", "Hello Time", "Forward Delay", and so on. The hex of a sample captured packet was... $01,$80,$C2,$00,$00,$00,$00,$0F,$66,$31,$A6,$8B,$00,$2E,$42,$42, $03,$00,$00,$00,$00,$00,$80,$00,$00,$0F,$66,$31,$A6,$89,$00,$00, $00,$00,$80,$00,$00,$0F,$66,$31,$A6,$89,$80,$02,$00,$00,$14,$00, $02,$00,$00,$00,$A5,$A5,$A5,$A5,$A5,$A5,$A5,$A5 ...if you'd like to hand-decode it. Looks to me as if Ethereal detected the target MAC as being a "magic cookie", as it created the comment, "spanning-tree-for- bridges" on the expanded information line about that odd-looking MAC, "$01,$80,$C2,$00,$00,$00". I trust you'll know a heck of a lot more about this than I do... (or care to :). Cheers, Rob--- ----------------------------------------------------------------- LapTwo Technology Corporation Phone: 763-633-9434 16820 Highway 10, Suite 130 Fax: 253-276-2755 Elk River, Minnesota 55330 http://www.laptwo.com ----------------------------------------------------------------- ================================================================== This is the WinPcap users list. It is archived at http://www.mail-archive.com/[EMAIL PROTECTED]/ To unsubscribe use mailto: [EMAIL PROTECTED] ==================================================================
