cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
543
Views
17
Helpful
10
Replies

Frame alteration

fvalpondi
Level 1
Level 1

Hi,

I got a conceptual question about frame alteration. I'm developping a concept for a network, and the customer asked me about....I've been thinking for a while, but I do not find any good answer...

Just suppose I got a frame that has been altered and the length field does not match the real frame length. Even though, the frame is smaller than the maximal frame size. The FCS calculation says the frame is correct.

If the frame arrives to a catalyst, that has the default configuration, the frame will still be forwarded, right?

If the frame is forwarded, what will happen once it arrives at the endpoint? The computer will recognize the frame as valid since the FCS is correct. And then?....

I'm out of ideas....

thanks a lot!

Fabio

10 Replies 10

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Fabio,

length field is more used as a protocol type field in ethernet frames so the frame should be delivered to the end destination.

the field is only one but depending on its values is considered a length or a type.

values greater then decimal 1536 are considered types

0x0800 -> decimal 2048 > 1536

if the field is modified the FCS test should fail.

only if using store and forward a switch can detect this otherwise the frame is delivered to intended destination so cut-thorough or modified cut (segment free ) cannot detect this.

the case you are thinking of implies two changes:

a change in type/length field in header and a change in FCS in trailer so that FCS test is passed.

we can consider this unlikely.

Hope to help

Giuseppe

Hi Giuseppe,

thank you for your answer.

I know the situation is highly improbable.

The problem is that the network has to be installed in a highly critical environment, and therefore the customer wants to know as much as possible.

That is the situation he asked for:

- Length indicates a false length (the field indicates length and not type)

- FCS is considered correct.

The alteration would happen just before the FCS calculation.

anyway, thanks again!

rais
Level 7
Level 7

If frame were Ethernet, FCS would fail, since it is calculated based upon destination address, type/length and data fields.

Lets assume FCS is ignored: the length is used by higher layer protocols to find out what length of data should be extracted from the frame. Layer 3 stack should extract fewer octets resulting in transport layer losing data.

Thanks.

Hi,

thank you for the idea.

Well, the FCS may be correct. The frame alteration can happen just before the FCS calculation and after the length/payload encapsulation...

That means that the FCS would be calculated taking into account the alterated information.

best regards.

Hello Fabio,

>> Well, the FCS may be correct. The frame alteration can happen just before the FCS calculation and after the length/payload encapsulation...

That means that the FCS would be calculated taking into account the alterated information.

>>

And where all this should happen inside a LAN switch with its hardware based ASICS chips and so on?

this is not a problem in real world then if you want to sell paperware go on this.

Or probably you would like to enforce the use of encrytion inside a L2 LAN environment...

Hope to help

Giuseppe

Let's say that in the operating environment can come to the situation that some environmental components affect the ASIC operation...

lgijssel
Level 9
Level 9

What protocol should these frames use?

The standard encapsulation for IP on ethernet is Ethernet II which does not have a length field. A type field is used instead.

If you fiddle with the type, the data will not be delivered to the correct protocol stack and hence be lost.

Altering the segment size in the tcp header also requires tweaking the tcp checksum and will cause some data in the packet to be lost. Due to this, your session will crash in no time.

regards,

Leo

The upper layer protocol is ISO-TP4...

In that case, it will depend on the implementation.

If buffer space is allocated based on the ethernet length, data will be lost.

If the higher protocols also contain info about the data size, it may have little impact.

Some (older) switches may forward the frame but in others, the ASIC's may notice the difference between the length field and the real length of the frame. Modern devices are to some extent hardened and should notice this form of crafted packets. In that case, the frame will be discarded. So, this is also a matter of implementation.

thanks for the help :-)

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: