Packet Capture, part 2 - Page 6

In this segment from the O'Reilly book, Network Troubleshooting Tools, you will learn how to use tcpdump for packet capture.

By O'Reilly Press | Posted Nov 13, 2001

Table 1-1. Packet analysis summary

Raw data in hex                 Interpretation
------------------------------  ------------------------------------------------------
IP header
First 4 bits of 45              IP version -- 4
Last 4 bits of 45               Length of header multiplier -- 5 (times 4, or 20 bytes)
00                              Type of service
00 3f                           Packet length in hex -- 63 bytes
a1 89                           ID
First 3 bits of 00              000 -- flags, none set
Last 13 bits of 00 00           Fragmentation offset
40                              TTL -- 64 hops
11                              Protocol number in hex -- UDP
c4 3a                           Header checksum
cd 99 3d b2                     Source IP -- 205.153.61.178
cd 99 3c 05                     Destination IP -- 205.153.60.5

UDP header
06 79                           Source port
00 35                           Destination port -- DNS
00 2b                           UDP packet length -- 43 bytes
06 d9                           Header checksum

DNS message
2d 43                           ID
01 00                           Flags -- query with recursion desired
00 01                           Number of queries
00 00                           Number of answers
00 00                           Number of authority RRs
00 00                           Number of additional RRs

Query
03                              Length -- 3
77 77 77                        String -- "www"
09                              Length -- 9
6d 69 63 72 6f 73 6f 66 74      String -- "microsoft"
03                              Length -- 3
63 6f 6d                        String -- "com"
00                              Length -- 0
00 01                           Query type -- IP address
00 01                           Query class -- Internet

This analysis was included here primarily to give a better idea of how packet analysis works. Several programs that analyze packet data from a tcpdump trace file are described later in this chapter. Unix utilities like strings, od, and hexdump can also make the process easier. In the following example, for instance, hexdump's ASCII column makes it easy to pick out www.microsoft.com in the data:

bsd1# hexdump -C tracefile
00000000  d4 c3 b2 a1 02 00 04 00  00 00 00 00 00 00 00 00  |................|
00000010  c8 00 00 00 01 00 00 00  78 19 06 38 66 fb 0a 00  |........x..8f...|
00000020  4d 00 00 00 4d 00 00 00  00 00 a2 c6 0e 43 00 60  |M...M........C.`|
00000030  97 92 4a 7b 08 00 45 00  00 3f a1 89 00 00 40 11  |..J{..E..?....@.|
00000040  c4 3a cd 99 3d b2 cd 99  3c 05 06 79 00 35 00 2b  |.:..=...<..y.5.+|
00000050  06 d9 2d 43 01 00 00 01  00 00 00 00 00 00 03 77  |..-C...........w|
00000060  77 77 09 6d 69 63 72 6f  73 6f 66 74 03 63 6f 6d  |ww.microsoft.com|
00000070  00 00 01 00 01                                    |.....|
00000075
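The decoding that Table 1-1 does by hand, as an added example that is not from the book: this Python script embeds the 117 bytes shown in the hexdump above, walks the pcap file header and record header, strips the Ethernet header, then decodes the IP, UDP and DNS headers and the query name. It also verifies the IP header checksum, which the table lists but does not check. Field names in the returned dictionary are the example's own.

```python
import struct

# Constructed from the hexdump above: the whole 117-byte tcpdump trace file.
TRACE = bytes.fromhex(
    "d4c3b2a1 02000400 00000000 00000000 c8000000 01000000"  # pcap global header
    "78190638 66fb0a00 4d000000 4d000000"                    # record header: ts, caplen, len
    "0000a2c6 0e430060 97924a7b 0800"                        # Ethernet header, type 0x0800 = IP
    "4500003f a1890000 4011c43a cd993db2 cd993c05"           # IP header
    "06790035 002b06d9"                                      # UDP header
    "2d430100 00010000 00000000"                             # DNS header
    "03777777 096d6963726f736f6674 03636f6d 00 0001 0001"    # query: www.microsoft.com, A, IN
)

def ones_complement_sum(words: bytes) -> int:  # RFC 1071 arithmetic; a valid IP header sums to 0xffff
    total = sum(struct.unpack("!%dH" % (len(words) // 2), words))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xffff) + (total >> 16)
    return total

def dns_name(msg: bytes, off: int):  # length-prefixed labels up to the 0 byte; no compression pointers
    labels = []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def parse_trace(data: bytes) -> dict:  # decode the first record the way Table 1-1 does by hand
    end = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # magic gives byte order of pcap headers
    linktype, = struct.unpack(end + "I", data[20:24])
    if linktype != 1:
        raise ValueError("example assumes Ethernet frames (pcap link type 1)")
    caplen, = struct.unpack(end + "I", data[32:36])
    ip = data[40:40 + caplen][14:]           # first record's frame, minus 14-byte Ethernet header
    ihl = (ip[0] & 0x0f) * 4
    vi, tos, tlen, ident, frag, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    udp = ip[ihl:tlen]
    sport, dport, ulen, _ = struct.unpack("!4H", udp[:8])
    dns = udp[8:ulen]
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", dns[:12])
    qname, off = dns_name(dns, 12)
    qtype, qclass = struct.unpack("!HH", dns[off:off + 4])
    return {
        "ip_version": vi >> 4, "ip_header_len": ihl, "ip_total_len": tlen, "ip_id": ident,
        "ip_flags": frag >> 13, "frag_offset": frag & 0x1fff, "ttl": ttl, "protocol": proto,
        "ip_checksum_ok": ones_complement_sum(ip[:ihl]) == 0xffff,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "udp_len": ulen, "dns_id": qid,
        "is_query": not flags & 0x8000, "recursion_desired": bool(flags & 0x0100),
        "counts": (qd, an, ns, ar), "qname": qname, "qtype": qtype, "qclass": qclass,
    }
```

Calling `parse_trace(TRACE)` yields the same values as Table 1-1 (version 4, length 63, TTL 64, protocol 17, 205.153.61.178 to 205.153.60.5 port 53, query for www.microsoft.com type 1 class 1) and reports the header checksum c4 3a as valid.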

The -vv option could also be used to get as much information as possible.

Hopefully, you will have little need for the -x option. But occasionally you may encounter a packet that is unknown to tcpdump, and you have no choice. For example, some of the switches on my local network use a proprietary implementation of a spanning tree protocol to implement virtual local area networks (VLANs). Most packet analyzers, including tcpdump, won't recognize these. Fortunately, once you have decoded one unusual packet, you can usually identify similar packets easily.
