In Common Industrial Protocol (CIP) messaging, 0x96 can be part of a connection path segment.
Crucially, the value 0x0096 is officially listed as "experimental" or "local use" by some legacy registries. However, 0x96 (without leading zeros) is a notable outlier. In big-endian byte order (standard in network traffic), an EtherType of 0x0096 would be interpreted as a length field in older IEEE 802.3 frames, not a type. This ambiguity is the first clue that the is often a product of misconfiguration, specialized hardware, or deliberate obfuscation.
In various communication protocols and firmware environments, data packet type 0x96 often serves as a specialized control or command identifier data-packet-with-type-0x96
import struct
It tells a specific endpoint on a peripheral device that the host is ready to receive data. In Common Industrial Protocol (CIP) messaging, 0x96 can
[*] Packet type 0x96 (150) detected Payload length: 2 bytes Payload (hex): 01ca Status: 1, Flags: 11001010
However, if you see 0x96 in a header position, check your packet offset. Is it possible the packet is an (Subnetwork Access Protocol) frame? In big-endian byte order (standard in network traffic),
If your Intrusion Detection System (IDS) or Wireshark capture flags packets with 0x96 types, it could be a sign of or a Denial of Service (DoS) attempt.
SPD Flash Tool for Bin Packet Error fixer Download
Why does the "data-packet-with-type-0x96" matter? Because in cybersecurity,
Custom eBPF filters were written to drop any frame with EtherType 0x96 on the industrial VLAN.