Analyzing [|llc] frames in enterprise traffic trace
The LBNL/ICSI Enterprise Tracing Project provides a trace of an enterprise's network from 2005.
Upon reading these files with tcpdump, along with regular packets that appear like-
12:04:51.696971 IP 18.104.22.168.netbios-ssn > 22.214.171.124.ehome-ms: P 507590:507654(64) ack 168291 win 8484[|SMB]
12:04:51.729840 IP 126.96.36.199.ehome-ms > 188.8.131.52.netbios-ssn: P 168291:168354(63) ack 507654 win 64479[|SMB]
12:04:51.730201 IP 184.108.40.206.netbios-ssn > 220.127.116.11.ehome-ms: P 507654:507902(248) ack 168354 win 8421[|SMB]
there are some strange frames that show up-
12:04:51.781545 [|llc]34:c9:c8:fa:af:5e (oui Unknown) > a9:71:1d:9f:85:27 (oui Unknown), 802.3, length 404:
12:04:51.781670 [|llc]34:c9:c8:fa:af:5e (oui Unknown) > a9:71:1d:9f:85:27 (oui Unknown), 802.3, length 395:
I am trying to analyze these.
So far, I understand that-
1. The communication is between 2 devices that operate on the Data Link Layer, since IP address is missing. (802.3 wired ethernet switches?)
2. OUI- the Organization Unique Identifier is unknown because it is identified by the first 3 bytes of MAC address but the MAC address of the machines has been translated for anonymity purposes.
3. When I open this trace file using Wireshark, these particular frames show "Packet Size limited during capture" under the Info section. tcpdump has a default capture limit of 68 bytes and looks like these frames are bigger in size.
4. The ASCII payload in these frames is either
So, the question is- Is this a legacy protocol/device? Has anyone come across anything like this?
Any information on this would be much appreciated.