Realtek Level 2 Protocol

2026-02-11 (Last Modified: 2026-02-12)

I bought a 8-port Netgear GS308E switch. I plugged it in, and it worked, but I noticed the LEDs on the RJ-11 ethernet socket flickered regularly.

I ran tcpdump -i eno1 on the only computer I had plugged in to the GS308E. Some weird “unknown type” packets appeared every 2 seconds. Unknow network garbage irritates me irrationally, so I did some investigation.

I finally settled on this tcpdump command to see the packets and their contents:

sudo tcpdump -X -i eno1 ether proto 0x8899

tcpdump prints the packets (they’re all the same as near as I can tell) like this:

09:40:33.175193 28:94:01:79:d0:94 (oui Unknown) > Broadcast, Realtek unknown type 0x25
        0x0000:  2500 0000 2894 0179 d094 0000 0000 0028  %...(..y.......(
        0x0010:  9401 79d0 94ff 0701 0050 8fd6 1000 0091  ..y......P......
        0x0020:  4906 cd6e 5010 05b4 0000 0000 404b       I..nP.......@K

The following is a hexadecimal representation of all 60 bytes of the packets.

0000   ff ff ff ff ff ff 28 94 01 79 d0 94 88 99 25 00
0010   00 00 28 94 01 79 d0 94 00 00 00 00 00 28 94 01
0020   79 d0 94 ff 06 d5 e2 86 dd 43 14 3e b0 7d 80 a1
0030   b6 0b 2a 2e 62 2e 38 f1 30 33 40 4b

It’s an ethernet frame, so the first 14 bytes have a well-known format. We can guess at the 15th and 16th bytes.

offset	dest MAC address	src MAC address	EtherType	Protocol	Pad?
0000	ff ff ff ff ff ff	28 94 01 79 d0 94	88 99	25	00

EtherType value 0x8899 does mean Realtek Remote Control Protocol (RRCP), sometimes called “Realtek Level 2 Protocol”.

The only problem is that Realtek hadn’t documented a value of 0x25 for RRCP “type” or “protocol”. The hex dump above doesn’t look much like any of the documented RRCP packets. The “documentation” for RRCP is apparently given in some Realtek data sheets.

It look like the MAC address of the Netgear switch (28:94:01:79:d0:94) appears in the data twice. None of the documented RRCP packets have a switch’s MAC address except in the ethernet frame header.

I finally found a TP-Link support page that says these packets are loop detection.

I turned off loop detection in the web management interface, and the packets quit appearing.

The problem is that the Realtek Level 2 Protocol as documented in some of their chip’s data sheets loop detection packets that have a type of 0x03, not 0x25, and the packets have mostly 0-value bytes to make up a 60-byte minimum packet size.

Realtek makes a number of chips and chip sets that get used by a variety of vendors to do cheaper ethernet switches. My guess is that Netgear used a Realtek RTL8370M or RTL8370N chip in the switch. I’m not going to crack the case to see right now.

I guess I could have plugged a jumper cable between 2 RJ-11 sockets to create a loop, then see if the Netgear GS308E freaked out. I don’t care enough to do that right now, I just don’t want random proprietary vendor packets polluting my network.