From: SMTP%"brydon@dsn.SINet.slb.com" 13-DEC-1993 17:00:07.31
To: EVERHART
CC:
Subj: Re: ethermon vs. SNIFFER(tm)

X-Newsgroups: comp.dcom.lans.ethernet,comp.os.vms,vmsnet.networks.misc
Subject: Re: ethermon vs. SNIFFER(tm)
Message-ID: <2ea53n$ntl@sndsu1.sinet.slb.com>
From: brydon@dsnvx1.tulsa.dowell.slb.com (Harvey Brydon (918)250-4312)
Date: 10 Dec 1993 15:37:27 GMT
Reply-To: brydon@dsn.SINet.slb.com
Organization: Schlumberger Dowell, Tulsa, Oklahoma
NNTP-Posting-Host: 163.185.87.50
Lines: 206
To: Info-VAX@CRVAX.SRI.COM
X-Gateway-Source-Info: USENET

In article <2e7ojs$o5o@fnnews.fnal.gov>, morphis@D0TAGE.FNAL.GOV writes:
>Dear Folks,
>
>    We are having some problems with our ethernet and in order to track
>down the sources of our problems I have used ETHERMON v2.4 BETA #4 to
>analyze our ethernet. My analysis showed the overwhelming majority of the
>traffic to LAVC (60-07). However, when the local network folks plugged in
>their SNIFFER(tm) they saw mostly DECNET.
>    These two analyses were done at different times and the Sniffer
>analysis was somewhat short, but ... I was wondering if this rings any
>bells?

Some stupid (TM) protocol analyzers lump all DEC protocols (60-0x and 80-xx)
as DECnet, which they are obviously not. Below here is a list of all known
(by me) protocol codes. Your software (ethermon or sniffer) should be able
to break the packets down to protocol number. If it can't, throw it away.

Also, be aware that on many (all?) platforms, most (all?) analysis software
will not be able to see packets that are destined for that machine. If you
want to count or analyze LAVC packets, you have to do it on a machine not in
an LAVC cluster. If you want to see LAT traffic, you have to do it on a
machine not running LAT...etc. This is documented for the MONLAT, MONLAV,
MONHWA packages, and I think is the case in general for other analysis
software. This is a general argument for a machine (PC, etc.)
that is dedicated for use as a protocol analyzer rather than using software
on your VMS box (what's the politically correct generic term for VAX/AXP
anyhow?).

>    Just what uses DECNET vs. LAVC?
[snip]

DECnet (protocol 60-03) is the peer-to-peer inter-host routable networking
protocol from DEC. All routing traffic uses this, as well as: "set host",
"copy" (FAL), mail, phone and others. LAT (protocol 60-04) is not routable
and its main purpose is communications between terminal servers and (mainly
VMS) hosts.

Protocol list
=============

This lists all known (by me) ethernet protocols, obtained from various
sources. I have lost track of which source was used for which protocol
type/number. If you have any additions or corrections to this list, please
let me know at the address listed below.

number(s)     Protocol description
-----------------------------------------------------
00-00:05-DC   IEEE 802.3 length field (0-1500)
00-08         (old) TCP/IP (as implemented by 4.2BSD UNIX)
01-01:01-FF   Experimental
02-00         (old) Xerox PUP
02-01         (old) Xerox PUP address translation
02-55         LLAP Broadcast
04-00         ? - Nixdorf Computer, AG
06-00         Xerox NS-Internet (XNS)
08-00         DoD Transport/IP
08-01         X.75 Internet
08-02         NBS Internet
08-03         ECMA Internet
08-04         CHAOSnet (proposed by Symbolics, Inc)
08-05         X.25 Level 3
08-06         Ethernet Address Resolution Protocol (ARP - for IP and CHAOS)
08-07         XNS Compatibility
08-1C         Symbolics (Private)
08-88:08-89   Xyplex Terminal server
08-8A         Xyplex Reserved
09-00         Ungermann-Bass Network Debugger
0A-00         Xerox PUP (802.3 compliant)
0A-01         Xerox PUP Address Translation (AT) (802.3 compliant)
0B-AD         Banyan/Vines StreetTalk
0B-AF         Banyan Vines Echo
10-00         IP/Berkeley Trailer (negotiation)
10-01:0F      IP trailer block (below), Berkeley Trailer encapsulation
10-01         IP trailer 1 block
10-02         IP trailer 2 block
...
10-0F         IP trailer 15 block
10-18         ?
16-00         BBN Simnet, Valid
42-42         PCS Basic Block Protocol
52-08         BBN Simnet; private protocol
59-49         Crosscom bridge mgmt
60-00         DEC Loopback functions, experimental
60-01         DEC DNA Maintenance Operations Protocol (MOP) dump/load
60-02         DEC DNA Maintenance Operations Protocol (MOP) Remote Console
60-03         DECnet network or routing layer (phase IV)
60-04         DEC Local Area Transport (LAT)
60-05         DEC diagnostics
60-06         DEC Customer/User protocol (reserved by DEC for customer use)
60-07         DEC Systems Communication Architecture (LAVC)
60-08         DEC Amber (assigned tentatively)
60-09         DEC DSM/MUMPS (assigned tentatively)
60-10:60-14   3Com reserved
70-00         Ungermann-Bass (download)
70-01         Ungermann-Bass NIU boot
70-02         Ungermann-Bass NIU boot stage broadcast, diagnostic/loopback
70-03         Interlan (selftest)
70-05         UB NIU mgmt
70-20:29      LRT reserved
70-30         Proteon
70-34         Cabletron
80-03         Cronus Industries, Inc (VLN)
80-04         Cronus Industries, Inc (Direct)
80-05         HP Probe protocol
80-06         Nestar
80-08         Stanford U. private use(?)/AT&T
80-10         Excelan private use
80-13         Silicon Graphics (diagnostics)
80-14         Silicon Graphics (network games)
80-15         Silicon Graphics (reserved)
80-16         Stanford U. private use/Silicon Graphics (XNS nameserver)
80-17         Apollo DOMAIN
80-19         Apollo Native Ethernet
80-2E         Tymshare
80-2F         Tigan, Inc.
80-35         Stanford U. reverse ARP(RARP)
80-36         Aeonic Systems
80-38         DEC LANbridge Spanning Tree
80-39         DEC DSM/DTP (tentative assignment)
80-3A         DEC Argonaut console
80-3B         DEC VAXeln
80-3C         DEC DNA Naming Service (DNS) updates
80-3D         DEC CSMA/CD Encryption
80-3E         DEC DNA Time service
80-3F         DEC LANbridge LAN Traffic Monitor (LTM)
80-40         DEC NetBios Emulator (PCSG)
80-41         DEC Local Area System Transport (LAST)
80-42         DEC Reserved/unassigned
80-44         PRC-Planning Research Corp.
80-46:80-47   AT&T
80-49         Expert Data
80-5B         Stanford V Kernel, experimental
80-5C         Stanford V Kernel, production
80-5D         Evans & Sutherland
80-60         Little Machines
80-62         Counterpoint Computers
80-65:80-66   University of Massachusetts
80-67         Veeco Integrated Automation
80-68         General Dynamics
80-69         AT&T
80-6A         AutoPhon
80-6C         ComDesign
80-6D         Compugraphics
80-6E:80-77   Landmark Graphics
80-7A         Matra Corporation
80-7B         Dansk Data Elektronik A/S
80-7C         University of Michigan/Merit Internodal
80-7D:80-7F   Vitalink Bridge Mgmt.
80-80         Vitalink TransLAN III Mgmt.
80-81:80-83   Counterpoint Computers
80-9B         Ethertalk/Kinetics Appletalk on Ethernet
80-9C:80-9E   Datability
80-9F         Spider LAN Monitor (Spider Systems Ltd.)
80-A3         Nixdorf Computer, A.G.
80-A4:80-B3   Siemens Gammasonics
80-C0         Digital Communication Associates
80-C1         DCA Data Exchange Cluster
80-C2         Digital Communication Associates
80-C3         Digital Communication Associates
80-C4         Banyan Vines
80-C5         Banyan Vines Echo
80-C6         Com Design (?)/Pacer Software
80-C7         Applitek Corporation
80-C8:CC      Intergraph Corporation
80-CD:CE      Harris
80-CF:D2      Taylor Instruments
80-D3:D4      Rosemont Corporation
80-D5         IBM SNA on Ethernet/IBM RT Distributed Services(?)/Ungermann-Bass
80-DD         Varian Associates
80-DE         Integrated Solutions-Transparent Remote File System(TRFS)
80-DF         Integrated Solutions
80-E0:E3      Allen Bradley
80-E4:F0      Datability
80-F2         Retix
80-F3         Kinetics Appletalk Address Resolution Protocol (AARP)
80-F4:F5      Kinetics Appletalk Protocol (AP)
80-F7         Apollo Computers
80-FF:81-03   Wellfleet Communications
81-07:09      Symbolics Private
81-2B         Talaris Network Printers
81-30         Waterloo Microsystems
81-31         VG Laboratory Systems
81-37         Novell ("old") Netware
81-38         Novell
81-39:3D      KTI
81-4C         SNMP via Ethernet
81-4F         Network Professor Mgmt
82-54         ?
90-00         Cross-company loopback (Config Test Protocol)- Ethernet II
90-01         Bridge Communications GS/3 overhead/bridge mgmt
90-02         Bridge Communications terminal servers, IB3 bridges...
90-03         Bridge Communications Network mgmt
AA-AA         ? (DEC - MOP on DEBNI?)
AF-AF         LogiCraft PC/286 Server
D0-4D         ?
D2-05         ?
D4-05         ?
FC-FC         ?
FF-00         BBN VITAL, LANbridge cache wakeups
FF-FF         ?

_______________________________________________________________
Harvey Brydon        | Internet: brydon@dsn.SINet.slb.com
Schlumberger Dowell  | P.O.T.S.: (918)250-4312
Research causes cancer in rats.
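
The per-protocol breakdown the reply above asks of an analyzer, as an added example (not part of the original post, and not code from ETHERMON or the Sniffer): it parses a few rows of the list in the list's own notation, including a short range end such as 80-C8:CC, and tallies frames by the 16-bit field at offset 12. The function names and the sample frames are constructed for illustration, and the frames are assumed to be untagged.

```python
import struct
from collections import Counter

# Rows copied from the protocol list in the post, in its own notation.
PROTOCOL_ROWS = """\
00-00:05-DC  IEEE 802.3 length field (0-1500)
60-03        DECnet network or routing layer (phase IV)
60-04        DEC Local Area Transport (LAT)
60-07        DEC Systems Communication Architecture (LAVC)
80-C8:CC     Intergraph Corporation
"""

def parse_code(text, high_byte=None):
    """'60-07' -> 0x6007; a short range end like 'CC' reuses the start's high byte."""
    parts = [int(p, 16) for p in text.split("-")]
    high, low = parts if len(parts) == 2 else (high_byte, parts[0])
    return (high << 8) | low

def parse_rows(rows):
    """Turn list rows into (first, last, description) tuples."""
    table = []
    for line in filter(str.strip, rows.splitlines()):
        code, desc = line.split(None, 1)
        first_txt, _, last_txt = code.partition(":")
        first = parse_code(first_txt)
        last = parse_code(last_txt, first >> 8) if last_txt else first
        table.append((first, last, desc.strip()))
    return table

def classify(frame, table):
    """Name the protocol from the 16-bit field at offset 12 (untagged frame assumed)."""
    if len(frame) < 14:
        return "truncated frame"
    (value,) = struct.unpack_from("!H", frame, 12)
    for first, last, desc in table:
        if first <= value <= last:
            return desc
    return "unlisted %02X-%02X" % (value >> 8, value & 0xFF)

def tally(frames, table):
    """Count frames per protocol instead of lumping every DEC code together."""
    return Counter(classify(f, table) for f in frames)

# Constructed capture: zeroed addresses, type field, 46 padding bytes per frame.
SAMPLE_TYPES = (0x6007, 0x6007, 0x6007, 0x6003, 0x6004, 0x002E, 0x80CA, 0x1234)
SAMPLE_FRAMES = [bytes(12) + struct.pack("!H", t) + bytes(46) for t in SAMPLE_TYPES]

if __name__ == "__main__":
    for name, count in tally(SAMPLE_FRAMES, parse_rows(PROTOCOL_ROWS)).most_common():
        print(f"{count:3d}  {name}")
```

Codes that match no parsed row are reported by number rather than folded into a neighbouring vendor's bucket, so gaps in the table show up in the tally.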