Skip to main content

The IEEE 802.3 SNAP Frame Format

While the original 802.3 specification worked well, the IEEE realized that some upper layer protocols required an Ethertype to work properly. For example, TCP/IP uses the Ethertype to differentiate between ARP packets and normal IP data frames. In order to provide this backwards compatibility with the Version II frame type, the 802.3 SNAP (SubNetwork Access Protocol) format was created.

The SNAP Frame Format consists of a normal 802.3 Data Link Header followed by a normal 802.2 LLC Header and then a 5-byte SNAP field, followed by the normal user data and FCS.

You can see the above mentioned headers in the 3D diagram of the frame below:

The Data Link Header

Ethernet 802.3 SNAP Frame Format - Analysis

 Offset 0-5: The Destination Address

  • The first six bytes of an Ethernet frame make up the Destination Address. The Destination Address specifies to which adapter the data frame is being sent. A Destination Address of all ones specifies a Broadcast Message that is read in by all receiving Ethernet adapters.
  • The first three bytes of the Destination Address are assigned by the IEEE to the vendor of the adapter and are specific to the vendor.
  • The Destination Address format is identical in all implementations of Ethernet.

Offset 6-11: The Source Address

  • The next six bytes of an Ethernet frame make up the Source Address. The Source Address specifies from which adapter the message originated. Like the Destination Address, the first three bytes specify the vendor of the card.
  • The Source Address format is identical in all implementations of Ethernet.

Offset 12-13: Length

  • Bytes 13 and 14 of an Ethernet frame contain the length of the data in the frame, not including the preamble, 32 bit CRC, DLC addresses, or the Length field itself. An Ethernet frame can be no shorter than 64 bytes total length and no longer than 1518 bytes total length.

The 802.2 Logical Link Control (LLC) Header

Ethernet 802.3 SNAP Frame Format - Analysis

Following the Datalink Header is the Logical Link Control (LLC) Header, which is described in the IEEE 802.2 Specification. The purpose of the LLC header is to provide a "hole in the ceiling" of the Datalink Layer. By specifying into which memory buffer the adapter places the data frame, the LLC header allows the upper layers to know where to find the data.

Offset 15: The Destination Service Access Point (DSAP)

  • The Destination Service Access Point or DSAP, is a 1 byte field that simply acts as a pointer to a memory buffer in the receiving station. It tells the receiving network interface card in which buffer to put this information. This functionality is crucial in situations where users are running multiple protocol stacks, etc...

Offset 16: The Source Service Access Point (SSAP)

  • The Source Service Access Point or SSAP is analogous to the DSAP and specifies the Source of the sending process.
  • In order to specify that this is a SNAP frame, the SSAP is set to AA hex.

Offset 17: The Control Byte

  • Following the SAPs is a one byte control field that specifies the type of LLC frame that this is.

The Sub-Network Access Protocol (SNAP) Header

Ethernet 802.3 SNAP Frame Format - Analysis

Offset 18-20: The Vendor Code

  • The first 3 bytes of the SNAP header is the vendor code, generally the same as the first three bytes of the source address although it is sometimes set to zero.

Offset 21-22: The Local Code

  • Following the Vendor Code is a 2 byte field that typically contains an Ethertype for the frame. This is where the backwards compatibility with Version II Ethernet is implemented.

 

User Data And Frame Check Sequence (FCS)

Ethernet 802.3 SNAP Frame Format - Analysis

Data: 38-1492 Bytes

  • Following the 802.2 header are 38 to 1492 bytes of data, generally consisting of upper layer headers such as TCP/IP or IPX and then the actual user data.

FCS: Last 4 Bytes

  • The last 4 bytes that the adapter reads in are the Frame Check Sequence or CRC. When the voltage on the wire returns to zero, the adapter checks the last 4 bytes it received against a checksum that it generates via a complex polynomial. If the calculated checksum does not match the checksum on the frame, the frame is discarded and never reaches the memory buffers in the station.

This completes our anaylsis of the IEEE 802.3 SNAP frame format.

Back to Ethernet Frame Formats Section

Your IP address:

18.222.163.134

All-in-one protection for Microsoft 365

All-in-one protection for Microsoft 365

FREE Hyper-V & VMware Backup

FREE Hyper-V & VMware Backup

Wi-Fi Key Generator

Generate/Crack any
WEP, WPA, WPA2 Key!

Network and Server Monitoring

Network and Server Monitoring

Follow Firewall.cx

Cisco Password Crack

Decrypt Cisco Type-7 Passwords on the fly!

Decrypt Now!

Bandwidth Monitor

Zoho Netflow Analyzer Free Download

Free PatchManager

Free PatchManager

EventLog Analyzer

ManageEngine Eventlog Analyzer

Security Podcast

Hornet-Security-The-Swarm-Podcast

Firewall Analyzer

zoho firewall analyzer