I ran across a "curiosity" today while performing some traffic sniffing in another study and wanted to make sure I understand correctly what is occurring.
I have a packet sniffer running on a SPAN port capturing trunk traffic between two C2950 switches. I noticed that when the SPAN monitor was set without encapsulation (monitor session 1 destination interface fax/y), management traffic (CDP, DTP, STP, etc.) is framed in 802.3 frames with SNAP headers. IP traffic (such as pings between the switches) is framed in Ethernet II. However, when 802.1q encapsulation is enabled on the SPAN monitor port, the frames are Ethernet II.
I'm assuming that 802.3 with SNAP is used for the PVST, CDP, DTP, etc. traffic because there is a need for the Org code and PID in the LLC header to define the traffic type since it is proprietary (Cisco PVST, DTP, CDP). As far as I know, no Ethertype exists for these protocols; therefore the PID field is needed for the proprietary typing.
"Normal" traffic (ping) can of course use Ethernet II since it can take advantage of the IPv4 Ethertype, and therefore the lack of an LLC header provides a bit of efficiency.
So we come to 802.1q (tagged) traffic, which always lists framing as Ethernet II. I assume this is because the type/length field is 0x8100 (for 802.1q header to follow), and the fact that the standard dictates type/length field > 1536 be Ethernet II Ethertype values (to deconflict with values < 1500 being 802.3 length values). The original Ethertype field, which now follows the 802.1q tag, is now 0xAAAA, indicating SNAP header, which contains the Cisco Org code and PID for respective protocol. "Regular" traffic, however, maintains the IPv4 Ethertype code (0x0800).
Not really a question, but I guess I wanted to ensure I understand correctly. 802.1q-tagged traffic will always appear as Ethernet II framing b/c of the TPID (0x8100) identifying the tagged packet. SNAP headers are used for the proprietary protocols (Cisco CDP, PVST, etc.) b/c of the lack of standard Ethertype values. When IPv4 traffic is sent, Ethernet II is used to save a few bytes that would be used for the LLC header.
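For checking a capture like the one described above, here is an added example (not part of the original post) that walks a raw frame the way a dissector does: it skips any 802.1Q tags, then reads the type/length field that follows and decodes LLC/SNAP when that field is a length. The function name `classify`, the helper `snap_frame` and the sample frames are constructed for illustration; the Cisco OUI `00:00:0c` and the PID values are the well-known assignments, not values taken from the post, and the example goes slightly beyond it by also handling stacked tags and non-SNAP LLC.

```python
import struct

# Well-known Cisco SNAP protocol IDs (OUI 00:00:0c) and a few EtherTypes
CISCO_PIDS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP", 0x010B: "PVST+"}
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

def classify(frame: bytes) -> dict:
    """Report VLAN tags, the framing after them, and the carried protocol."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    off, vlans = 12, []                      # type/length follows dst+src MAC
    (tl,) = struct.unpack_from("!H", frame, off)
    while tl == 0x8100:                      # 802.1Q TPID: TCI + inner type/length
        if len(frame) < off + 6:
            raise ValueError("truncated 802.1Q tag")
        tci, tl = struct.unpack_from("!HH", frame, off + 2)
        vlans.append(tci & 0x0FFF)           # low 12 bits of the TCI are the VLAN ID
        off += 4
    off += 2                                 # first byte after type/length
    if tl >= 0x0600:                         # 1536 and above is an EtherType
        return {"vlans": vlans, "framing": "Ethernet II",
                "proto": ETHERTYPES.get(tl, hex(tl))}
    if tl > 1500 or len(frame) < off + 3:
        raise ValueError("invalid length field or truncated LLC header")
    dsap, ssap, ctrl = frame[off:off + 3]
    if (dsap, ssap, ctrl) != (0xAA, 0xAA, 0x03):
        return {"vlans": vlans, "framing": "802.3 LLC", "proto": f"DSAP {dsap:#04x}"}
    if len(frame) < off + 8:
        raise ValueError("truncated SNAP header")
    oui = frame[off + 3:off + 6]
    (pid,) = struct.unpack_from("!H", frame, off + 6)
    cisco = oui == b"\x00\x00\x0c"
    return {"vlans": vlans, "framing": "802.3 LLC/SNAP",
            "proto": CISCO_PIDS.get(pid, hex(pid)) if cisco else f"{oui.hex()}:{pid:#06x}"}

# Constructed sample frames (placeholder MACs and zero-filled payloads)
SRC = bytes.fromhex("001122334455")
def snap_frame(dst_hex: str, pid: int, vlan=None) -> bytes:
    body = bytes.fromhex("aaaa0300000c") + struct.pack("!H", pid) + b"\x00" * 38
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return bytes.fromhex(dst_hex) + SRC + tag + struct.pack("!H", len(body)) + body

UNTAGGED_CDP = snap_frame("01000ccccccc", 0x2000)
TAGGED_PVST = snap_frame("01000ccccccd", 0x010B, vlan=10)
TAGGED_IPV4 = (bytes.fromhex("00aabbccddee") + SRC
               + struct.pack("!HHH", 0x8100, 10, 0x0800) + b"\x45" + b"\x00" * 45)

if __name__ == "__main__":
    for name in ("UNTAGGED_CDP", "TAGGED_PVST", "TAGGED_IPV4"):
        print(name, classify(globals()[name]))
```

The `framing` value describes the field found after the last tag, so a tagged frame is reported by what it carries rather than by the outer 0x8100 TPID.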