What do "Unknown SSAP" and "Unknown DSAP" mean in tcpdump?
One thing they could mean that the frames being sent have 802.2 headers following the link-layer header (which is true of all 802.11 data frames, and true of Ethernet frames where the type/length field has a length rather than an Ethernet type), and that the source and destination Service Access Points in those headers have values that tcpdump doesn't know about. (Wireshark doesn't know about them, either.)
The IEEE listing of Service Access Point values shows no public assignment for 0xde, 0xe2, 0xe4, 0xe8, or 0xea.
They could also mean that, for some reason, tcpdump isn't properly dissecting the packet data, or that it's encrypted at the link layer (i.e., WEP or WPA/WPA2 frames) and tcpdump isn't recognizing it as being encrypted.
What version of what OS is the machine on which you ran tcpdump running (if it's Linux, "version" here means "kernel version", but the distribution and distribution version number would also be useful), what version of tcpdump and libpcap are you using (what does tcpdump -h print?), and what type of device are you capturing on (802.11 or Ethernet, and who manufactures it and what type of device from that manufacturer is it?)?
The "OUI unknown" means it didn't find an organization with the OUI 00:24:a5, which are the first 3 octets of the MAC address of the sending machine, and didn't find an organization with the OUI 1c:65:9d, which are the first 3 octets of the MAC address of the receiving machine.
The IEEE database says 00:24:a5 is for "Buffalo, Inc" (who are located in Japan, not Buffalo, New York, USA) and 1c:65:9d is for "Liteon Technology Corporation" in Taiwan.
Related videos on Youtube
23 : 20
18 : 48
02 : 06
23 : 39
00 : 54
lacker
Updated on November 20, 2022Comments
-
lacker over 1 year
While trying to fix a problem with intermittently losing internet connection on a machine with a wireless connection to a router, I ran tcpdump and noticed packets with "Unknown SSAP" and "Unknown DSAP" errors coming at a rate of a few per second.
20:27:21.703178 00:24:a5:af:24:f6 (oui Unknown) Unknown SSAP 0xde > 1c:65:9d:48:38:95 (oui Unknown) Unknown DSAP 0xe2 Information, send seq 0, rcv seq 16, Flags [Response], length 171 20:27:21.724726 00:24:a5:af:24:f6 (oui Unknown) Unknown SSAP 0xde > 1c:65:9d:48:38:95 (oui Unknown) Unknown DSAP 0xe2 Information, send seq 0, rcv seq 16, Flags [Response], length 104 20:27:21.746449 00:24:a5:af:24:f6 (oui Unknown) Unknown SSAP 0xde > 1c:65:9d:48:38:95 (oui Unknown) Unknown DSAP 0xe4 Information, send seq 0, rcv seq 16, Flags [Response], length 88 20:27:21.970963 00:24:a5:af:24:f6 (oui Unknown) Unknown SSAP 0xde > 1c:65:9d:48:38:95 (oui Unknown) Unknown DSAP 0xe8 Information, send seq 0, rcv seq 16, Flags [Response], length 76 20:27:22.016565 00:24:a5:af:24:f6 (oui Unknown) Unknown SSAP 0xde > 1c:65:9d:48:38:95 (oui Unknown) Unknown DSAP 0xea Information, send seq 0, rcv seq 16, Flags [Response], length 88 20:27:22.038471 00:24:a5:af:24:f6 (oui Unknown) Unknown SSAP 0xde > 1c:65:9d:48:38:95 (oui Unknown) Unknown DSAP 0xea Information, send seq 0, rcv seq 16, Flags [Response], length 171What does the "Unknown SSAP" and "Unknown DSAP" mean, and does it indicate a problem?
-
Admin almost 10 yearsHave you been able to solve your initial problem? -
Admin almost 9 yearsI could finally find and fix that ! see my answer !
-
-
ott-- over 12 yearsSSAP and DSAP are used with 802.2, not 802.3 (see en.wikipedia.org/wiki/IEEE_802.2)
-
Admin almost 8 yearsAnd, these days, 802.3 is the same thing as Ethernet; in one of the late-1990's updates to IEEE Std 802.3 (either 802.3x or 802.3y), the 802.3 standard changed so that the "length" field became a "type/length" field, which could contain either a length or an Ethertype. Packets that have a length field also have an 802.2 header, which is what contains the DSAP and SSAP. (Well, there's also Novell IPX-over-raw-802.3, but that's another matter.)
