
Introduction:
Before IEEE finalized the 802.3 Ethernet standard, Novell implemented its own “raw” 802.3 frame type, creating a subtle but critical incompatibility: the absence of an LLC header. Understanding this historical quirk is not just trivia—it sharpens your ability to spot anomalous frames, dissect legacy protocol traps, and apply packet-level forensics to both modern cloud environments and industrial control systems where oddball protocols still linger.
Learning Objectives:
- Differentiate between IEEE 802.3 (with LLC header) and Novell’s 802.3 Raw frame types by analyzing Ethernet frame structures.
- Capture and interpret raw packets using Wireshark, tcpdump, and Windows Packet Monitor to identify missing Logical Link Control (LLC) fields.
- Apply forensic techniques to detect misconfigured or malicious frame types that evade signature-based security tools.
You Should Know:
- The Great Ethernet Frame Debate: IEEE 802.3 vs. Novell 802.3 Raw
The core difference lies in how the payload protocol is identified. IEEE 802.3 uses a Length field followed by an 802.2 LLC header (which contains DSAP/SSAP to indicate the upper-layer protocol, like IP or IPX). Novell’s early 802.3 implementation omitted the LLC header entirely—the frame carried IPX directly after the Length field, with the Length field often set to 0xFFFF (a value never used by IEEE, which caps at 0x05DC for length). This “raw” frame type breaks compatibility with standard Ethernet and creates a perfect training ground for packet analysis.
Step-by-Step Guide to Identifying Frame Types:
1. Capture raw Ethernet frames (Linux):
sudo tcpdump -i eth0 -e -v -c 100 -w netware_frames.pcap
The `-e` flag prints link-level headers; look for the Ethernet type/length field.
2. Analyze with tshark (Windows/Linux):
tshark -r netware_frames.pcap -T fields -e eth.len -e eth.type -e llc.dsap
If `eth.len` shows `65535` (0xFFFF) and no DSAP field exists, it’s likely Novell 802.3 Raw.
3. In Wireshark, apply display filter: `eth.len == 0xFFFF && !llc` – this isolates raw frames.
4. On Windows (Packet Monitor):
pktmon filter add -p 0xFFFF -m 0xFFFF
pktmon start --capture --pkt-size 1514
pktmon stop
pktmon format output.etl -o netware_raw.pcap
Why this matters for cybersecurity:
- Ransomware groups occasionally use non-standard frame types to evade IDS/IPS that only parse standard IEEE 802.3.
- SCADA and legacy manufacturing networks still run IPX/SPX; an attacker injecting raw 802.3 frames could cause denial-of-service or packet misinterpretation.
- Legacy Protocol Pitfalls: IPX/SPX and Modern Attack Surfaces
IPX (Internetwork Packet Exchange) is a connectionless protocol that Novell used alongside its raw frame type. While obsolete in most enterprise networks, IPX remains in niche industrial systems, older aviation ground networks, and retro computing environments. Attackers who compromise a single legacy node can use IPX-based exploits—like the old “IPX Ping of Death” (fragmented IPX packet causing reboot) or “NetWare Core Protocol” (NCP) buffer overflows—to pivot laterally.
Step-by-step lab: Simulating IPX traffic on a modern Linux host
1. Install IPX utilities:
sudo apt-get install ipx_utils
sudo modprobe ipx
2. Configure an IPX interface (example with eth0):
sudo ipx_interface add eth0 802.3raw 0x12345678
3. Send a test IPX packet to broadcast:
echo "Hello IPX" | sudo ipx_send -s 0x12345678 -d 0xFFFFFFFF -c 0x0457
4. Capture on another host:
sudo tcpdump -i eth0 -e -v 'ipx'
Notice the absence of LLC header and EtherType `0x8137` (official IPX) vs. raw 802.3 with length 0xFFFF.
Hardening recommendations:
- Block legacy EtherTypes (0x8137, 0x8138) and raw length `0xFFFF` at switch port ACLs.
- Use `ebtables` (Linux bridge firewalling) to drop non-standard frames:
sudo ebtables -A FORWARD -p 0x8137 -j DROP
sudo ebtables -A FORWARD --pkt-type-type 0xFFFF -j DROP
- Hands-On Packet Forensics: Automated Detection with Wireshark and Zeek
To proactively hunt for anomalous Ethernet frames, integrate frame-type checks into your SIEM or network monitoring pipeline.
Step-by-step: Create a Zeek (formerly Bro) script to flag raw 802.3 frames
1. Save as `detect_raw8023.zeek`:
event ethernet_frame(c: connection, hdr: Ethernet::Hdr, len: count)
    {
    # Flag a type/length field of 0xFFFF when no EtherType is present
    if ( hdr?$len && hdr$len == 65535 && ! hdr?$type )
        print fmt("Raw 802.3 frame from %s", hdr$src);
    }
2. Run Zeek on a pcap:
zeek -r capture.pcap detect_raw8023.zeek
Windows PowerShell one-liner to detect raw frames in a live capture (using `pktmon` and findstr):
pktmon start --capture --pkt-size 1514 --file-format pcapng
Start-Sleep -Seconds 10
pktmon stop
pktmon pcapng raw_frames.etl
tshark -r raw_frames.pcapng -Y "eth.len == 65535" -T fields -e eth.src
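As an added example (not code from the post or from the Zeek or pktmon projects), the same check in pure Python: a frame classifier that applies the IEEE dispatch rule (values of 0x0600 and above are EtherTypes, smaller values are 802.3 lengths) and flags a frame as Novell raw either when the type/length slot holds 0xFFFF, as described above, or when an 802.3 length is followed directly by the IPX checksum 0xFFFF with no LLC header in between, which is how such frames appear in most real captures. The sample frames and the in-memory pcap are constructed here; `make_pcap` and `scan_pcap` are assumed helper names, not tools from the post.

```python
import struct

ETHERTYPE_MIN = 0x0600   # IEEE: >= 0x0600 is an EtherType, <= 0x05DC (1500) is a length
IPX_CHECKSUM = 0xFFFF    # a raw IPX header opens with this value; no LLC in between

def classify_frame(frame: bytes) -> str:
    """Name the encapsulation of one Ethernet frame (FCS already stripped)."""
    if len(frame) < 16:
        return "runt"
    type_len, after = struct.unpack_from("!HH", frame, 12)
    if type_len == IPX_CHECKSUM:
        return "novell-raw"            # 0xFFFF in the type/length slot, as in the post
    if type_len >= ETHERTYPE_MIN:
        return "ethernet-ii:0x%04x" % type_len
    if after == IPX_CHECKSUM:
        return "novell-raw"            # 802.3 length, then IPX checksum, still no LLC
    if after == 0xAAAA:
        return "802.3-snap"            # LLC with DSAP/SSAP 0xAA = SNAP follows
    return "802.3-llc:dsap=0x%02x" % frame[14]

def make_pcap(frames) -> bytes:
    """Constructed classic pcap (little-endian, linktype 1 = Ethernet) wrapping the frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

def scan_pcap(data: bytes):
    """Return (frame_no, src_mac, classification) for every frame that lacks an LLC header."""
    magic, = struct.unpack_from("<I", data, 0)
    e = "<" if magic == 0xA1B2C3D4 else ">"
    off, n, hits = 24, 0, []
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from(e + "IIII", data, off)
        frame = data[off + 16: off + 16 + incl]
        off += 16 + incl
        n += 1
        kind = classify_frame(frame)
        if kind == "novell-raw":
            hits.append((n, frame[6:12].hex(":"), kind))
    return hits

# Constructed sample frames: broadcast destination, one fixed source MAC
BCAST, SRC = b"\xff" * 6, bytes.fromhex("00a0c9001122")
SAMPLE = [
    BCAST + SRC + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 20,        # Ethernet II, IPv4
    BCAST + SRC + struct.pack("!HBBB", 30, 0xE0, 0xE0, 0x03) + b"\x00" * 27,  # 802.3 + LLC, IPX DSAP 0xE0
    BCAST + SRC + struct.pack("!HH", 30, 0xFFFF) + b"\x00" * 28,             # 802.3 length, raw IPX
    BCAST + SRC + struct.pack("!HH", 0xFFFF, 0xFFFF) + b"\x00" * 28,         # 0xFFFF marker from the post
]
```

Feeding a real capture is a matter of passing `open("capture.pcap", "rb").read()` to `scan_pcap`; pcapng files need a different reader.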
Training courses to master packet analysis:
- Wireshark Network Analysis (by Laura Chappell)
- SANS SEC503: Intrusion Detection In-Depth
- INE’s Packet Analysis with TCPdump and Wireshark
- From Relic to Red Team: Exploiting Misconfigured Frame Types for Evasion
Red teamers can abuse hybrid network environments where switches and firewalls are not configured to inspect non-standard Ethernet headers. For example, by sending a packet that appears to be a valid IEEE 802.3 frame (with length ≤ 1500) but actually contains a raw IPX payload, some IDS engines may skip deep inspection.
Proof-of-concept using Scapy (Python):
from scapy.all import *
# Build a raw 802.3 frame with no LLC header: Dot3 carries a length field, not an EtherType
raw_frame = Dot3(dst="ff:ff:ff:ff:ff:ff", len=0xFFFF) / Raw(load=b"\x00\x01\x02\x03")
# The length is overridden to Novell's raw value 0xFFFF instead of the real payload length
sendp(raw_frame, iface="eth0", inter=0.1, loop=1)
Run this from a compromised host on a legacy subnet to test if your NDR (Network Detection and Response) alerts on missing LLC headers.
Mitigation: Deploy eBPF-based packet filtering on Linux hosts to reject malformed frames:
sudo bpftrace -e 'kprobe:netif_receive_skb {
  $skb = (struct sk_buff *)arg0;
  $eth = (struct ethhdr *)($skb->head + $skb->mac_header);
  if ($eth->h_proto == 0xFFFF) {
    printf("Dropping raw 802.3 from %s\n", macaddr($eth->h_source));
  }
}'
- Building Your Packet Analysis Lab: Virtualizing NetWare and Modern Observability
To truly understand the frame-type war, emulate a legacy network using Docker, VMware, or QEMU with NetWare 5.1 and a modern Linux analyzer.
Step-by-step lab setup:
1. Download NetWare 5.1 (abandonware for educational use) and install in VMware.
2. Configure two VLANs: one for legacy (raw 802.3) and one for modern (IEEE 802.3 with LLC).
3. On a Linux bridging host, mirror traffic to a monitoring port:
sudo ip link add mirror0 type dummy
sudo ip link set mirror0 up
sudo tc qdisc add dev eth0 ingress
sudo tc filter add dev eth0 parent ffff: protocol all u32 match u32 0 0 action mirred egress mirror dev mirror0
4. Run continuous analysis:
sudo tcpdump -i mirror0 -e -G 300 -W 24 -w legacy_%Y%m%d_%H%M.pcap
5. Automate alerts using `ngrep` on the raw 802.3 signature:
sudo ngrep -d mirror0 -t '^.{12}ffff'
The pattern skips the 6-byte destination and 6-byte source addresses and matches the 2-byte length field set to 0xFFFF.
What Undercode Say:
- Legacy knowledge is a force multiplier – understanding historical protocol quirks like Novell 802.3 raw enables defenders to spot anomalies that modern signature-based tools miss.
- Packet-level forensics transcends technology generations – the same skills used to troubleshoot NetWare in the 1990s (looking at headers, understanding encapsulation) apply directly to cloud-native eBPF observability and 5G core network analysis.
- Attackers exploit ambiguity – any gap between IEEE standards and vendor implementations creates evasion opportunities; always test your NDR against non-standard frame types.
Prediction:
As operational technology (OT) and industrial IoT converge with enterprise IT, we will see a resurgence of legacy protocol attacks—not just IPX, but also raw Token Ring, SNA, and DECnet frames embedded in Ethernet-over-IP tunnels. Security teams will need to rebuild packet-level expertise, and tools that can fingerprint “malformed but valid” headers (like raw 802.3) will become critical. The next major breach may well pivot through a forgotten NetWare server in a power plant, using the same 0xFFFF length field trick to bypass next-gen firewalls.
Reported By: Walterhofstetter Heres – Hackers Feeds