6

While trying to fix a problem with intermittently losing internet connection on a machine with a wireless connection to a router, I ran tcpdump and noticed packets with "Unknown SSAP" and "Unknown DSAP" errors coming at a rate of a few per second.

20:27:21.703178 00:24:a5:af:24:f6 (oui Unknown) Unknown SSAP 0xde > 1c:65:9d:48:38:95 (oui Unknown) Unknown DSAP 0xe2 Information, send seq 0, rcv seq 16, Flags [Response], length 171
20:27:21.724726 00:24:a5:af:24:f6 (oui Unknown) Unknown SSAP 0xde > 1c:65:9d:48:38:95 (oui Unknown) Unknown DSAP 0xe2 Information, send seq 0, rcv seq 16, Flags [Response], length 104
20:27:21.746449 00:24:a5:af:24:f6 (oui Unknown) Unknown SSAP 0xde > 1c:65:9d:48:38:95 (oui Unknown) Unknown DSAP 0xe4 Information, send seq 0, rcv seq 16, Flags [Response], length 88
20:27:21.970963 00:24:a5:af:24:f6 (oui Unknown) Unknown SSAP 0xde > 1c:65:9d:48:38:95 (oui Unknown) Unknown DSAP 0xe8 Information, send seq 0, rcv seq 16, Flags [Response], length 76
20:27:22.016565 00:24:a5:af:24:f6 (oui Unknown) Unknown SSAP 0xde > 1c:65:9d:48:38:95 (oui Unknown) Unknown DSAP 0xea Information, send seq 0, rcv seq 16, Flags [Response], length 88
20:27:22.038471 00:24:a5:af:24:f6 (oui Unknown) Unknown SSAP 0xde > 1c:65:9d:48:38:95 (oui Unknown) Unknown DSAP 0xea Information, send seq 0, rcv seq 16, Flags [Response], length 171

What does the "Unknown SSAP" and "Unknown DSAP" mean, and does it indicate a problem?

lacker

3 Answers

4

One thing they could mean is that the frames being sent have 802.2 headers following the link-layer header (which is true of all 802.11 data frames, and true of Ethernet frames where the type/length field has a length rather than an Ethernet type), and that the source and destination Service Access Points in those headers have values that tcpdump doesn't know about. (Wireshark doesn't know about them, either.)

The IEEE listing of Service Access Point values shows no public assignment for 0xde, 0xe2, 0xe4, 0xe8, or 0xea.

They could also mean that, for some reason, tcpdump isn't properly dissecting the packet data, or that it's encrypted at the link layer (i.e., WEP or WPA/WPA2 frames) and tcpdump isn't recognizing it as being encrypted.

What version of what OS is the machine on which you ran tcpdump running (if it's Linux, "version" here means "kernel version", but the distribution and distribution version number would also be useful), what version of tcpdump and libpcap are you using (what does tcpdump -h print?), and what type of device are you capturing on (802.11 or Ethernet, and who manufactures it and what type of device from that manufacturer is it?)?

The "OUI unknown" means it didn't find an organization with the OUI 00:24:a5, which are the first 3 octets of the MAC address of the sending machine, and didn't find an organization with the OUI 1c:65:9d, which are the first 3 octets of the MAC address of the receiving machine.

The IEEE database says 00:24:a5 is for "Buffalo, Inc" (who are located in Japan, not Buffalo, New York, USA) and 1c:65:9d is for "Liteon Technology Corporation" in Taiwan.
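The 802.2 decoding this answer describes, as an added example (not code from the answer or from tcpdump): a small Python parser that takes an 802.3 frame whose type/length field holds a length, pulls out the DSAP, SSAP and control field, looks the SAPs up in a partial table of well-known assignments and the two OUIs in a two-entry stand-in for the IEEE database, and counts which source MAC is emitting frames with unassigned SAPs. Both sample frames are constructed; the first is modelled on the first capture line in the question, and the SAP table is deliberately partial.

```python
import struct

# Partial table of well-known LSAP numbers; a SAP missing from it is what tcpdump calls "Unknown".
KNOWN_SAPS = {0x00: "null LSAP", 0x02: "LLC management", 0x06: "IP",
              0x42: "Spanning Tree (BPDU)", 0xAA: "SNAP", 0xE0: "NetWare (IPX)",
              0xF0: "NetBIOS", 0xFE: "ISO network layer"}
# The two OUIs the answer looked up, standing in for the full IEEE database.
KNOWN_OUIS = {"00:24:a5": "Buffalo, Inc", "1c:65:9d": "Liteon Technology Corporation"}
def mac(s): return bytes.fromhex(s.replace(":", ""))

def parse_llc_frame(frame):
    """Decode the 802.2 LLC header of an 802.3 frame whose type/length field is a length."""
    if len(frame) < 17:
        raise ValueError("frame too short for 802.3 MAC header + LLC")
    dst, src, type_len = struct.unpack("!6s6sH", frame[:14])
    if type_len > 0x05DC:          # > 1500: an EtherType, so no 802.2 header follows
        raise ValueError("EtherType 0x%04x: no 802.2 header" % type_len)
    dsap_field, ssap_field, ctrl0 = frame[14], frame[15], frame[16]
    # Bit 0 of the DSAP is the Individual/Group flag and bit 0 of the SSAP is
    # the Command/Response flag; the SAP number itself is the other seven bits.
    info = {"dst": dst.hex(":"), "src": src.hex(":"),
            "dsap": dsap_field & 0xFE, "ssap": ssap_field & 0xFE,
            "group": bool(dsap_field & 1), "response": bool(ssap_field & 1)}
    for side in ("dst", "src"):
        info[side + "_oui"] = KNOWN_OUIS.get(info[side][:8], "Unknown")
    for sap in ("dsap", "ssap"):
        info[sap + "_name"] = KNOWN_SAPS.get(info[sap], "Unknown")
    if ctrl0 & 0x03 == 0x03:       # U-format: a single control byte (0x03 = UI)
        info["kind"] = "Unnumbered"
    else:                          # I- or S-format: two control bytes, N(R) in the second
        info["kind"] = "Information" if ctrl0 & 1 == 0 else "Supervisory"
        info["recv_seq"] = (frame[17] >> 1) & 0x7F
        if info["kind"] == "Information":
            info["send_seq"] = (ctrl0 >> 1) & 0x7F
    return info

# Constructed frame modelled on the first line of the question's capture: unassigned
# SAPs, I-frame with N(S)=0 and N(R)=16, and the response bit set in the SSAP.
SAMPLE_UNKNOWN = (mac("1c:65:9d:48:38:95") + mac("00:24:a5:af:24:f6")
                  + struct.pack("!H", 44) + bytes([0xE2, 0xDF, 0x00, 0x20]) + b"\x00" * 40)
# Constructed BPDU-style frame for comparison: DSAP/SSAP 0x42 with a UI control byte.
SAMPLE_KNOWN = (mac("01:80:c2:00:00:00") + mac("00:24:a5:af:24:f6")
                + struct.pack("!H", 38) + bytes([0x42, 0x42, 0x03]) + b"\x00" * 35)

def unknown_sap_senders(frames):
    # Count frames per source MAC whose DSAP or SSAP has no known assignment.
    counts = {}
    for info in map(parse_llc_frame, frames):
        if "Unknown" in (info["dsap_name"], info["ssap_name"]):
            counts[info["src"]] = counts.get(info["src"], 0) + 1
    return counts
```

Running `unknown_sap_senders` over a capture is a quick way to see which station is the source of such frames before looking at the device itself.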

0

Presumably, DSAP and SSAP are used on 802.3 frames to identify higher-level protocols carried on the frame (not the same as Ethernet).

MDMarra
  • SSAP and DSAP are used with 802.2, not 802.3 (see http://en.wikipedia.org/wiki/IEEE_802.2) – ott-- Nov 10 '11 at 01:11
  • And, these days, 802.3 *is* the same thing as Ethernet; in one of the late-1990's updates to IEEE Std 802.3 (either 802.3x or 802.3y), the 802.3 standard changed so that the "length" field became a "type/length" field, which could contain either a length *or* an Ethertype. Packets that have a length field also have an 802.2 header, which is what contains the DSAP and SSAP. (Well, there's also Novell IPX-over-raw-802.3, but that's another matter.) –  May 10 '16 at 23:43
0

I just spent the last 4 hours investigating the same problem. I was even going to add a bounty on this question, but I finally found it! The malformed packets were sent by an LG smart TV using the WLAN; after shutting down the TV, no more of those packets that were slowing my network from 2mbits/s to 4 kb/s.

The next problem is to find how to completely disable the wifi usage on those s****y smart TVs. It's far from easy: there's no option to say "stop using my wifi", and even if you change the password it will get back to the good password after a shutdown (probably caching the working keys), so I add this link; some answers give good advice about how to disable the wifi functions of the TV: http://www.cnet.com/forums/discussions/how-to-disable-wi-fi-on-a-lg-smarttv-604718/

(select wired, find a toolbox, or manufactory settings)

neofutur