tcpdump mailing list archives

Re: What's the point of "oui Unknown"?


From: Hannes Gredler <hannes () juniper net>
Date: Sun, 19 Oct 2014 23:11:56 +0200

On Sun, Oct 12, 2014 at 04:00:57PM -0400, John Hawkinson wrote:
| I guess it's been a long time since I've run tcpdump -e.
| On an 802.11 packet, I see:
| 
| 15:47:26.928534 0us BSSID:58:f3:9c:e5:a2:cf (oui Unknown) DA:Broadcast
| SA:58:f3:9c:e5:a2:cf (oui Unknown) Beacon (MIT N) [18.0 24.0* 36.0 48.0
| 54.0 Mbit] ESS[|802.11]
| 
| That is:
| 
|     58:f3:9c:e5:a2:cf (oui Unknown)
| 
| is from etheraddr_string() because 58:f3:9c does not appear 
| in the list of 14 ouis in oui.c:
| 
|     /* FIXME complete OUI list using a script */
| 
|     const struct tok oui_values[] = {
|         { OUI_ENCAP_ETHER, "Ethernet" },
|         { OUI_CISCO, "Cisco" },
|         { OUI_NORTEL, "Nortel Networks SONMP" },
|         { OUI_CISCO_90, "Cisco bridged" },
|         { OUI_RFC2684, "Ethernet bridged" },
|         { OUI_ATM_FORUM, "ATM Forum" },
|         { OUI_CABLE_BPDU, "DOCSIS Spanning Tree" },
|         { OUI_APPLETALK, "Appletalk" },
|         { OUI_JUNIPER, "Juniper" },
|         { OUI_HP, "Hewlett-Packard" },
|         { OUI_IEEE_8021_PRIVATE, "IEEE 802.1 Private"},
|         { OUI_IEEE_8023_PRIVATE, "IEEE 802.3 Private"},
|         { OUI_TIA, "ANSI/TIA"},
|         { OUI_DCBX, "DCBX"},
|         { 0, NULL }
|     };
| 
| What's the thinking here?
| 
| Obviously there are thousands of OUIs, and most are not going to ever
| be in tcpdump's list, and it seems like populating oui.c with 20,000
| OUIs may not be the way to go.
| 
| The code to do this was added by Hannes Gredler in:
| 
| commit 64690e70e5559c14aade6b2bccb3c05f14718d4c
| Author: hannes <hannes>
| Date:   Sun Apr 10 07:17:00 2005 +0000
| 
|     plumb in oui-name resolution
| 
| and is currently (addrtoname.c):
| 
|     if (!nflag) {
|             snprintf(cp, BUFSIZE - (2 + 5*3), " (oui %s)",
|                 tok2str(oui_values, "Unknown", oui));
|     } else
| 
| 
| It seems to me that without more robust support this is just annoying
| noise and, at the very least, the Unknown oui printing should be
| removed.
| 
| Thoughts?

make it better ;-) - what do you suggest? - pull in an OUI table frequently?

/hannes
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
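
Added example, not part of the original messages and not tcpdump's code: a sketch in C of the two ideas raised in the thread, loading OUI names from a registry-style text listing instead of a hand-maintained table, and printing the "(oui ...)" suffix only when the prefix is actually known. The function names (oui_add_line, oui_lookup, ether_string), the "XX-XX-XX   (hex)   Vendor" line layout and the sample vendor are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

static struct oui_entry { unsigned int oui; char name[48]; } oui_table[64];
static int oui_count;

/* Parse "XX-XX-XX   (hex)   Vendor"; return 1 if stored, 0 if skipped. */
int oui_add_line(const char *line)
{
    unsigned int a, b, c;
    char name[48];
    if (oui_count >= 64 ||
        sscanf(line, "%2x-%2x-%2x (hex) %47[^\r\n]", &a, &b, &c, name) != 4)
        return 0;
    oui_table[oui_count].oui = (a << 16) | (b << 8) | c;
    snprintf(oui_table[oui_count].name, sizeof(oui_table[0].name), "%s", name);
    oui_count++;
    return 1;
}

/* Return the vendor name, or NULL when the OUI is not in the table. */
const char *oui_lookup(unsigned int oui)
{
    for (int i = 0; i < oui_count; i++)
        if (oui_table[i].oui == oui)
            return oui_table[i].name;
    return NULL;
}

/* Format a MAC address; append " (oui NAME)" only for a known OUI. */
char *ether_string(const unsigned char *ep, char *buf, size_t len)
{
    const char *name = oui_lookup(((unsigned int)ep[0] << 16) | (ep[1] << 8) | ep[2]);
    int n = snprintf(buf, len, "%02x:%02x:%02x:%02x:%02x:%02x",
                     ep[0], ep[1], ep[2], ep[3], ep[4], ep[5]);
    if (name != NULL && n > 0 && (size_t)n < len)
        snprintf(buf + n, len - (size_t)n, " (oui %s)", name);
    return buf;
}

int main(void)
{
    /* Constructed sample: a made-up OUI, then the address quoted in the thread. */
    unsigned char known[6] = { 0xaa, 0xbb, 0xcc, 0x01, 0x02, 0x03 };
    unsigned char unknown[6] = { 0x58, 0xf3, 0x9c, 0xe5, 0xa2, 0xcf };
    char buf[80];
    oui_add_line("AA-BB-CC   (hex)\t\tExample Vendor");
    puts(ether_string(known, buf, sizeof(buf)));
    puts(ether_string(unknown, buf, sizeof(buf)));
}
```

Lines that do not match the "(hex)" layout are skipped rather than guessed at, so a malformed or truncated listing only reduces the number of names shown.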

