Packet Capture, part 2 - Page 6
In this segment from the O'Reilly book Network Troubleshooting Tools, you will learn how to use tcpdump for packet capture and how to read the raw packets it captures.
Table 1-1. Packet analysis summary

| Raw data in hex | Interpretation |
|---|---|
| IP header | |
| First 4 bits of 45 | IP version -- 4 |
| Last 4 bits of 45 | Header length in 32-bit words -- 5 (5 x 4 = 20 bytes) |
| 00 | Type of service |
| 00 3f | Total packet length -- 0x3f = 63 bytes |
| a1 89 | Identification |
| First 3 bits of 00 00 | 000 -- flags, none set |
| Last 13 bits of 00 00 | Fragment offset -- 0 |
| 40 | TTL -- 64 hops |
| 11 | Protocol number -- 0x11 = 17, UDP |
| c4 3a | Header checksum |
| cd 99 3d b2 | Source IP -- 205.153.61.178 |
| cd 99 3c 05 | Destination IP -- 205.153.60.5 |
| UDP header | |
| 06 79 | Source port -- 1657 |
| 00 35 | Destination port -- 53, DNS |
| 00 2b | UDP length (header plus data) -- 43 bytes |
| 06 d9 | UDP checksum |
| DNS message | |
| 2d 43 | ID |
| 01 00 | Flags -- standard query with recursion desired |
| 00 01 | Number of queries -- 1 |
| 00 00 | Number of answers -- 0 |
| 00 00 | Number of authority RRs -- 0 |
| 00 00 | Number of additional RRs -- 0 |
| Query | |
| 03 | Length -- 3 |
| 77 77 77 | String -- "www" |
| 09 | Length -- 9 |
| 6d 69 63 72 6f 73 6f 66 74 | String -- "microsoft" |
| 03 | Length -- 3 |
| 63 6f 6d | String -- "com" |
| 00 | Length -- 0, end of name |
| 00 01 | Query type -- 1, A record (IPv4 address) |
| 00 01 | Query class -- 1, Internet |
This analysis was included here primarily to give a better idea of how packet analysis works. Several programs that analyze packet data from a tcpdump trace file are described later in this chapter. Unix utilities like strings, od, and hexdump can also make the process easier. For example, hexdump's -C option prints the printable ASCII beside the hex, which makes it easy to pick out www.microsoft.com in the data:
bsd1# hexdump -C tracefile
00000000 d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00 |................|
00000010 c8 00 00 00 01 00 00 00 78 19 06 38 66 fb 0a 00 |........x..8f...|
00000020 4d 00 00 00 4d 00 00 00 00 00 a2 c6 0e 43 00 60 |M...M........C.`|
00000030 97 92 4a 7b 08 00 45 00 00 3f a1 89 00 00 40 11 |..J{..E..?....@.|
00000040 c4 3a cd 99 3d b2 cd 99 3c 05 06 79 00 35 00 2b |.:..=...<..y.5.+|
00000050 06 d9 2d 43 01 00 00 01 00 00 00 00 00 00 03 77 |..-C...........w|
00000060 77 77 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d |ww.microsoft.com|
00000070 00 00 01 00 01 |.....|
00000075
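Table 1-1 decodes the packet by hand; the same walk can be scripted. The Python below is an added example, not code from the book. It takes as input the 117 bytes printed by hexdump above, parses the libpcap file header and record header, skips the 14-byte Ethernet header, and then decodes the IP header, UDP header and DNS question into the same fields as the table. It goes two steps beyond the table: it verifies the IP and UDP checksums (both are valid in this packet), and its DNS name reader also handles the compression pointers that appear in responses, with the bounds and loop checks a parser fed hostile packets needs. The function and dictionary key names are this example's own.

```python
"""Decode the trace printed by hexdump above into the fields of Table 1-1."""
import socket
import struct

# The 117 bytes of the trace file, copied from the hexdump output above:
# libpcap global header, one record header, then a 77-byte Ethernet frame.
TRACEFILE = bytes.fromhex(
    "d4c3b2a1 02000400 00000000 00000000 c8000000 01000000 78190638 66fb0a00"
    "4d000000 4d000000 0000a2c6 0e430060 97924a7b 08004500 003fa189 00004011"
    "c43acd99 3db2cd99 3c050679 0035002b 06d92d43 01000001 00000000 00000377"
    "7777096d 6963726f 736f6674 03636f6d 00000100 01"
)

def ones_complement_sum(data):
    """RFC 1071 16-bit one's-complement sum; data carrying a valid checksum sums to 0xffff."""
    data += b"\x00" * (len(data) % 2)  # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total & 0xFFFF) + (total >> 16)  # fold the carries back in; twice suffices
    return (total & 0xFFFF) + (total >> 16)

def pcap_records(data):
    """Walk a classic libpcap file and return a list of (ts_sec, ts_usec, frame)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack(endian + "HHiIII", data[4:24])[5] != 1:  # link type 1 = Ethernet
        raise ValueError("not a libpcap file, or not an Ethernet trace")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        if off + 16 + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % off)
        records.append((ts_sec, ts_usec, data[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return records

def parse_ipv4(packet):
    """Split the IPv4 header into the fields of Table 1-1 and verify its checksum."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, cksum = struct.unpack("!BBHHHBBH", packet[:12])
    header_len = (ver_ihl & 0x0F) * 4  # IHL counts 32-bit words
    if ver_ihl >> 4 != 4 or header_len < 20 or header_len > total_len or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    return {"version": 4, "header_len": header_len, "tos": tos, "total_len": total_len, "id": ident,
            "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
            "protocol_name": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, str(proto)), "checksum": cksum,
            "checksum_ok": ones_complement_sum(packet[:header_len]) == 0xFFFF, "payload": packet[header_len:total_len],
            "src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20])}

def parse_udp(segment, src_ip, dst_ip):
    """Decode the UDP header; its checksum also covers an IP pseudo-header (RFC 768)."""
    sport, dport, length, cksum = struct.unpack("!HHHH", segment[:8])
    if length < 8 or length > len(segment):
        raise ValueError("bad UDP length %d" % length)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, length)
    ok = cksum == 0 or ones_complement_sum(pseudo + segment[:length]) == 0xFFFF  # 0 = not computed
    return {"sport": sport, "dport": dport, "length": length, "checksum": cksum, "checksum_ok": ok,
            "payload": segment[8:length]}

def read_name(msg, off):
    """Read a DNS name (length-prefixed labels ending in 0x00) at off; return (name, next offset).
    Follows RFC 1035 compression pointers (0xC0xx) too; they must point backwards, and a hop limit
    stops a crafted message whose pointers loop."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        if length & 0xC0 == 0xC0:
            if off + 1 >= len(msg) or hops >= 16 or ((length & 0x3F) << 8 | msg[off + 1]) >= off:
                raise ValueError("bad compression pointer at offset %d" % off)
            end = off + 2 if end is None else end  # the name ends right after its first pointer
            off, hops = (length & 0x3F) << 8 | msg[off + 1], hops + 1
            continue
        if off + 1 + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length

def parse_dns(msg):
    """Decode the DNS header and question section (RFC 1035 section 4.1)."""
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    questions, off = [], 12
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        questions.append({"name": name, "qtype": qtype, "qclass": qclass})
        off += 4
    return {"id": ident, "flags": flags, "is_response": bool(flags & 0x8000),
            "recursion_desired": bool(flags & 0x0100), "questions": questions,
            "counts": {"qd": qdcount, "an": ancount, "ns": nscount, "ar": arcount}}

def decode_trace(data=TRACEFILE):
    """Decode the first record of a trace down to the DNS question."""
    _sec, _usec, frame = pcap_records(data)[0]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:  # Ethernet type 0x0800 = IPv4
        raise ValueError("first frame is not IPv4")
    ip = parse_ipv4(frame[14:])
    udp = parse_udp(ip["payload"], ip["src"], ip["dst"]) if ip["protocol"] == 17 else None
    dns = parse_dns(udp["payload"]) if udp and 53 in (udp["sport"], udp["dport"]) else None
    return {"ip": ip, "udp": udp, "dns": dns}
```

Calling decode_trace() returns nested dictionaries whose values line up with the table row by row; decode_trace()["dns"]["questions"] is [{'name': 'www.microsoft.com', 'qtype': 1, 'qclass': 1}], and both checksum_ok flags are True for this packet. Feeding pcap_records() the contents of any other file written with tcpdump -w walks its frames the same way; flipping a single header byte in the trace makes the IP checksum check fail, which is the kind of sanity test worth running before trusting a decode of an unfamiliar packet.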
The -vv option to tcpdump could also be used to have it print as much of the header information as it knows how to decode.
Hopefully, you will have little need for the -x option. But occasionally you may encounter a packet that is unknown to tcpdump, and you have no choice. For example, some of the switches on my local network use a proprietary implementation of a spanning tree protocol to implement virtual local area networks (VLANs). Most packet analyzers, including tcpdump, won't recognize these. Fortunately, once you have decoded one unusual packet, you can usually easily identify similar packets.