I'm looking at traffic from my CPE from Comcast in Wireshark, and for every packet, there is an additional packet that is the exact same, except for 4 additional bytes at the beginning of the frame (obviously, screwing up Wireshark's parsing of the packet).

The 4 prefix bytes change from packet to packet, but almost always end in FF.

In addition, it seems that the first two octets represent the length of the original packet in little endian order.

Any ideas?

Loki

1 Answer

I suspect for some reason your CPE is configured to send the packets with 802.1q VLAN tagging:

http://en.wikipedia.org/wiki/IEEE_802.1Q

This would be the case if the prepended tag started with 0x8100.

It could also be a bug in the CPE firmware, or some other kind of tagging, perhaps. Duplicating the packets seems odd.

Falcon Momot
  • I considered that, but the octets are prepended to the Ethernet frame. In all the docs I can find on VLAN tagging, the VLAN tag comes *after* the SA and DA. Also, editing the question to indicate that the first byte of the four octets always indicates the length of the original packet – Loki Jul 23 '14 at 05:28
  • Make that: the first two octets represent the length of the original packet in little endian order. – Loki Jul 23 '14 at 05:33
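
Both readings discussed in this thread can be checked against raw frame bytes exported from a capture. The following is an added example, not code from any of the posters: it tests whether a frame is a copy of another with a 4-byte prefix whose first two octets are the original length in little endian order, and whether a 0x8100 TPID appears where 802.1Q puts it (after the DA and SA). The function names, the sample frames and the third prefix byte are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # 802.1Q Tag Protocol Identifier, located after DA and SA


def has_dot1q_tag(frame: bytes) -> bool:
    """True if a standard 802.1Q tag follows the 6-byte DA and 6-byte SA."""
    return len(frame) >= 16 and struct.unpack_from("!H", frame, 12)[0] == TPID_8021Q


def classify_prefixed_copy(original: bytes, suspect: bytes) -> dict:
    """Compare a normal frame with a candidate duplicate that is 4 bytes longer."""
    result = {"is_prefixed_copy": False, "length_matches": False,
              "prefix_starts_with_tpid": False, "prefix": b""}
    # The duplicate must be the original with exactly 4 bytes in front of it.
    if len(suspect) != len(original) + 4 or suspect[4:] != original:
        return result
    prefix = suspect[:4]
    le_len = struct.unpack_from("<H", prefix, 0)[0]  # first two octets, little endian
    result.update(
        is_prefixed_copy=True,
        prefix=prefix,
        length_matches=(le_len == len(original)),
        # A VLAN-style tag glued to the front would begin with 0x8100 (network order).
        prefix_starts_with_tpid=(struct.unpack_from("!H", prefix, 0)[0] == TPID_8021Q),
    )
    return result


# Constructed sample: 60-byte untagged Ethernet frame (DA, SA, IPv4 ethertype, padding).
SAMPLE_ORIGINAL = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                   + bytes.fromhex("0800") + bytes(46))
# Constructed duplicate: length 60 as 3c 00, an arbitrary third byte, then ff.
SAMPLE_SUSPECT = struct.pack("<H", len(SAMPLE_ORIGINAL)) + b"\x00\xff" + SAMPLE_ORIGINAL

if __name__ == "__main__":
    print(classify_prefixed_copy(SAMPLE_ORIGINAL, SAMPLE_SUSPECT))
    print("802.1Q tag in original:", has_dot1q_tag(SAMPLE_ORIGINAL))
```
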