Path: news.mitre.org!blanket.mitre.org!philabs!newsjunkie.ans.net!newsfeeds.ans.net!streamer1.cleveland.iagnet.net!qual.net!iagnet.net!news-peer.gip.net!news.gsl.net!gip.net!news-peer.sprintlink.net!news-peer-east.sprintlink.net!news.sprintlink.net!Sprint!rill.news.pipex.net!pipex!main.de.uu.net!Dortmund.Germany.EU.net!dortmund.de.uu.net!spock.skd.de!not-for-mail From: "Stephan Wolf" Newsgroups: comp.os.ms-windows.programmer.nt.kernel-mode Subject: Re: NDIS Driver does not respond to IP packets Date: Fri, 16 Jan 1998 12:42:35 GMT Organization: SysKonnect Lines: 76 Message-ID: <34bf5076.6037361@spock> References: <884879189.1790902283@dejanews.com> NNTP-Posting-Host: swolf.skd.de X-Newsreader: Forte Free Agent 1.11/32.235 On Thu, 15 Jan 1998 09:52:27 -0600, sahota@usa.net wrote: >I have written a NDIS miniport driver for FDDI NIC. ... >MAC address 22-22-22-22-22-22 11-11-11-11-11-11 As Michael Barthelow already stated, the 11-11-11-11-11-11 is an illegal address, since it has the Group bit (when used as a destination address) or Routing Information Indicator (RII) bit (when used as a source address) = 01h set in the first byte of address. MAC address format: First byte of address (LSB format, i.e. canonical): Destination: 01h = Group/Specific Indicator clear: unicast, set: multicast Source: 01h = Routing Information Indicator (RII) clear: no source routing information present set: source routing information present dest/src: 02h = Locally Administered Address Indicator clear: global address, set: local address So make it 12-11-11-11-11-11 and you should be ok. >Now when M/C (A) trys to PING M/C (B) ... >I have analysed both the ARP and the ICMP Ping packet, and both appears >to be OK both IP and ICMP checksum is also valid. But the packets have 8 >bytes after the MAC header which i do not understand. Simple. ARP and IP are sent using a 802.2 SNAP header, i.e. the packet format is: +----+----+----+------+------+-----+------+ 802.2: | FC | DA | SA | DSAP | SSAP | Ctl | Data | +----+----+----+------+------+-----+------+ FC = Frame Control DA = Destination Address SA = Source Address DSAP = Destination Service Access Point SSAP = Source Service Access Point Ctl = Control Now, when you have DSSAP = SSAP = AAh, Ctl = 03h then you also have a SNAP header: +----+----+----+-----+-----+-----+-----+------+------+ SNAP: | FC | DA | SA | AAh | AAh | 03h | OUI | Type | Data | +----+----+----+-----+-----+-----+-----+------+------+ OUI = Organisational Unique Identifier Type = Type Code Now, if OUI = 00-00-00 (Xerox), then the "Type" is a Ethernet II (i.e. DIX) type code, which is as follows: IP = 0800h ARP = 0806h IPX = 8137h etc. Note that in your drawings the 802.2 "Control" field seems to appear twice, which leads me to the assumption that either your drawing is incorrect or the frame actually has an invalid format (or the sniffer has a bug). Hope this helps, Stephan Wolf http://www.syskonnect.de SysKonnect - The Server Connectivity Company