07-30-2003 09:03 PM - edited 03-09-2019 04:15 AM
Hi all, when I snoop from my IDS, all the data I snoop looks like the following... why is it like that?
Can anyone help?
thanks!
? -> * ETHER Type=8100 (Unknown), size = 149 bytes
? -> * ETHER Type=8100 (Unknown), size = 212 bytes
? -> * ETHER Type=8100 (Unknown), size = 149 bytes
? -> * ETHER Type=8100 (Unknown), size = 212 bytes
? -> * ETHER Type=8100 (Unknown), size = 149 bytes
? -> * ETHER Type=8100 (Unknown), size = 212 bytes
? -> * ETHER Type=8100 (Unknown), size = 64 bytes
? -> * ETHER Type=8100 (Unknown), size = 594 bytes
? -> * ETHER Type=8100 (Unknown), size = 594 bytes
? -> * ETHER Type=8100 (Unknown), size = 594 bytes
08-05-2003 07:09 AM
This basically indicates that the frames being looked at use a feature which is not supported. If you are running IOS 12.1, the reason would be that all the frames to the SPAN destination port come with an 802.1Q tag, which SNOOP does not support. You could use a sniffer to check the same.
08-05-2003 07:32 AM
8100 is the 802.1Q VLAN tag type. Snoop does not understand VLAN tagging. Try something like tcpdump and ethereal or some other "real" sniffer.
SC
PS. the IDS understands 802.1Q tagging...
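An added example, not part of any post in this thread and not snoop's own code: a small Python decoder that shows what a VLAN-aware sniffer does with the "Type=8100" frames above. It reads the 802.1Q tag (priority, DEI, VLAN ID) and then the real EtherType behind it. The function names and the sample frame are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # the "Type=8100" value snoop reported as Unknown


def parse_ethernet(frame: bytes) -> dict:
    """Decode an Ethernet header, stepping over one 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "vlan": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        # A tagged frame carries 4 extra bytes: TPID (0x8100) + 16-bit TCI,
        # and the real EtherType follows the TCI.
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vlan"] = {
            "pcp": tci >> 13,         # 3-bit priority code point
            "dei": (tci >> 12) & 1,   # drop eligible indicator
            "vid": tci & 0x0FFF,      # 12-bit VLAN ID
        }
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def describe(frame: bytes) -> str:
    """One summary line per frame, with the VLAN ID shown when tagged."""
    p = parse_ethernet(frame)
    tag = f"VLAN {p['vlan']['vid']} " if p["vlan"] else ""
    return (f"{p['src']} -> {p['dst']} {tag}"
            f"ETHER Type={p['ethertype']:04x}, size = {len(frame)} bytes")


def sample_tagged_frame() -> bytes:
    """Constructed 64-byte frame: VLAN 100, priority 5, inner type IPv4."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    tci = (5 << 13) | 100
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, 0x0800) + bytes(46)


if __name__ == "__main__":
    print(describe(sample_tagged_frame()))
```

A decoder that stops at bytes 12-13 sees only 0x8100 for every tagged frame, which is why the snoop output above shows the same unknown type for all traffic on the SPAN port.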
08-05-2003 09:09 AM
On the same topic, what does the following sniffed data represent???
? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes
and
? -> (multicast) ETHER Type=2000 (Unknown), size = 388 bytes