Sounds good. In particular doing this for the LocallyAdministrated would make sense since many active/passive cluster implementations pick a MAC address to represent the active node by taking the MAC address of the primary NIC of the primary node and then setting the locally administrated bit, to make sure there is a single mac address that follows the cluster ip address during failover.
MS cluster for example does this. The multicast bit is tricker since there is for unknown reasons some 3 byte prefixes that already have this bit set ! But they are so few and rare it hardly matters and they can probably be ignored. I would suggest only doing this for when matching with the three byte prefixes of the form AA:BB:CC Additionally, maybe if you find a match for AA:BB:CC Vendor and if the LA bit was set then you could change the string it resolved into to "Vendor(Cluster)" instead of just "Vendor" I think it is very rare that this bit is set nowadays except for when one is using some sort of clustering software with ip and mac failover. On 8/15/07, Ulf Lamping <[EMAIL PROTECTED]> wrote: > Hi List! > > The current Ethernet manuf name resolving (resolve the manufacturer name - > the first three bytes of the Ethernet address, e.g. 04:05:06 -> Xerox) > doesn't work if the address uses the Ethernet broadcast or locally > administered flags (see > http://wiki.wireshark.org/Ethernet?highlight=%28ethernet%29#head-93bbcf02a0070b56eaae6b5f3f4ba6112c64522a > for details about these flags). > > Currently only the resolving of 04:05:06 -> Xerox does work, 05:05:06, > 06:05:06 and 07:05:06 are not resolved, although the manufaturer part is the > same. > > I've implemented an experimental change in epan/addr_resolv.c, which strips > down both flags before doing the actual manuf resolvings - which is working > well: > > 04:05:06 -> Xerox > 05:05:06 -> Xerox > 06:05:06 -> Xerox > 07:05:06 -> Xerox > > Unfortunately, this "hides" both flags a little bit (although the display of > these flags wasn't very "prominent" already before), so I'm unsure if the > change should go into the Wireshark sources or not. > > I think only the manuf resolvings as described above should be changed, the > wka (well-known-addresses) aka full address resolution (00-E0-2B-00-00-00 -> > Extreme-EDP) should not be changed. > > Comments? > > Regards, ULFL > __________________________________________________________________________ > Erweitern Sie FreeMail zu einem noch leistungsstärkeren E-Mail-Postfach! > Mehr Infos unter http://produkte.web.de/club/?mc=021131 > > _______________________________________________ > Wireshark-dev mailing list > Wireshark-dev@wireshark.org > http://www.wireshark.org/mailman/listinfo/wireshark-dev > _______________________________________________ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev
