The LBNL/ICSI Enterprise Tracing Project provides a trace of an enterprise's network from 2005.

Upon reading these files with tcpdump, along with regular packets that appear like this:
12:04:51.696971 IP 128.3.189.248.netbios-ssn > 128.3.44.26.ehome-ms: P 507590:507654(64) ack 168291 win 8484[|SMB]
12:04:51.729840 IP 128.3.44.26.ehome-ms > 128.3.189.248.netbios-ssn: P 168291:168354(63) ack 507654 win 64479[|SMB]
12:04:51.730201 IP 128.3.189.248.netbios-ssn > 128.3.44.26.ehome-ms: P 507654:507902(248) ack 168354 win 8421[|SMB]

there are some strange frames that show up:
12:04:51.781545 [|llc]34:c9:c8:fa:af:5e (oui Unknown) > a9:71:1d:9f:85:27 (oui Unknown), 802.3, length 404:
12:04:51.781670 [|llc]34:c9:c8:fa:af:5e (oui Unknown) > a9:71:1d:9f:85:27 (oui Unknown), 802.3, length 395:

I am trying to analyze these.
So far, I understand that:

1. The communication is between two devices that operate on the Data Link Layer, since the IP address is missing (802.3 wired Ethernet switches?).
2. The OUI, the Organizationally Unique Identifier, is unknown because it is identified by the first 3 bytes of the MAC address, but the MAC addresses of the machines have been translated for anonymity purposes.
3. When I open this trace file using Wireshark, these particular frames show "Packet size limited during capture" under the Info section. tcpdump has a default capture limit of 68 bytes, and it looks like these frames are bigger than that.
4. The ASCII payload in these frames is either
.q...'4....^.. or
.q...'4....^.}


So, the question is: is this a legacy protocol/device? Has anyone come across anything like this?
Any information on this would be much appreciated.


Sunjeet
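Added example, not part of Sunjeet's post or of the LBNL/ICSI tooling: a small decoder that looks at an Ethernet frame the way tcpdump and Wireshark do, using the 802.3 rule that a type/length field of 1500 or less is a payload length (802.3 + LLC framing) and anything larger is an EtherType (Ethernet II), and that reports a truncated capture when fewer bytes were saved than were on the wire. The sample frames are constructed from the two MAC addresses and the wire lengths 404 and 395 shown in the post, under the assumption (mine, not stated in the post) that only the 14-byte MAC header survived in the capture. That assumption fits the post's own ASCII dump: the printable characters q, ', 4 and ^ are 0x71, 0x27, 0x34 and 0x5e, which are bytes of the two MAC addresses, and the trailing } is 0x7d, the low byte of 381 = 395 - 14, i.e. an 802.3 length field. The `[|llc]` string is tcpdump's marker for "not enough captured bytes to decode the LLC header"; the code reproduces it, and also shows that a 68-byte snapshot length on its own would still leave the 3-byte LLC header decodable. The LLC values 0xF0/0xF0/0x03 used for the full-length sample are illustrative, not taken from the trace.

```python
"""Classify Ethernet II vs. IEEE 802.3/LLC frames and detect capture truncation.

Added example; the sample frames below are constructed from the MAC addresses
and wire lengths in the post, not extracted from the LBNL/ICSI trace files.
"""
import struct

ETHERMTU = 1500          # 802.3: type/length value <= 1500 is a length, > 1500 an EtherType
MAC_HDR_LEN = 14         # dst(6) + src(6) + type/length(2)
LLC_HDR_LEN = 3          # DSAP + SSAP + control

# MAC addresses exactly as printed by tcpdump in the post (already anonymized there).
DST = bytes.fromhex("a9711d9f8527")
SRC = bytes.fromhex("34c9c8faaf5e")


def build_8023_header(dst: bytes, src: bytes, wire_len: int) -> bytes:
    """Build a 14-byte 802.3 MAC header whose length field covers wire_len - 14 bytes.

    Assumption: this is what the captured bytes of the post's frames look like if
    only the MAC header was saved.
    """
    return dst + src + struct.pack("!H", wire_len - MAC_HDR_LEN)


def ascii_dump(data: bytes) -> str:
    """Render bytes like tcpdump -A / Wireshark's byte pane: printable ASCII or '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(captured: bytes, wire_len: int) -> dict:
    """Decode the MAC header of one frame.

    captured  - the bytes actually stored in the capture (caplen bytes)
    wire_len  - the frame's length on the wire (the 'length N' tcpdump prints)
    """
    if len(captured) < MAC_HDR_LEN:
        # Not even a full MAC header was saved; tcpdump would print [|ether].
        return {"marker": "[|ether]", "captured": len(captured), "wire_len": wire_len}

    dst, src = captured[:6], captured[6:12]
    type_or_len = struct.unpack("!H", captured[12:14])[0]
    info = {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "oui": mac_str(src[:3]),              # first 3 bytes identify the vendor (if not anonymized)
        "type_or_length": type_or_len,
        "encapsulation": "802.3" if type_or_len <= ETHERMTU else "Ethernet II",
        "captured": len(captured),
        "wire_len": wire_len,
        "truncated": len(captured) < wire_len,  # Wireshark: "Packet size limited during capture"
        "llc": None,
    }
    if info["encapsulation"] == "802.3":
        payload = captured[MAC_HDR_LEN:]
        if len(payload) < LLC_HDR_LEN:
            # Too few saved bytes to read DSAP/SSAP/control: tcpdump's [|llc] marker.
            info["llc"] = "[|llc]"
        else:
            info["llc"] = {"dsap": payload[0], "ssap": payload[1], "control": payload[2]}
    return info


if __name__ == "__main__":
    # Case 1: the two frames from the post, assuming only the MAC header was captured.
    for wire_len in (404, 395):
        hdr = build_8023_header(DST, SRC, wire_len)
        print(repr(ascii_dump(hdr)), decode_frame(hdr, wire_len))

    # Case 2: a constructed full-length 802.3 frame with an (illustrative) LLC header,
    # then the same frame cut to a 68-byte snapshot length: truncated, but LLC still decodes.
    full = build_8023_header(DST, SRC, 404) + bytes([0xF0, 0xF0, 0x03]) + b"\x00" * 387
    print(decode_frame(full, 404))
    print(decode_frame(full[:68], 404))
```

Running the block prints the post's two ASCII strings verbatim for the header-only case, with `llc` reported as `[|llc]`, while the 68-byte cut of a full frame is flagged as truncated yet still yields DSAP/SSAP/control. In other words, a snaplen of 68 explains the Wireshark "limited during capture" note but not by itself the `[|llc]` marker; that needs the saved bytes to stop before the LLC header.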