Packet Capture, part 2 - Page 5

In this segment from the O'Reilly book, Network Troubleshooting Tools, you will learn all abut how to use the tcpdump in relation to packet capturing.

 By O'Reilly Press
Page 5 of 10   |  Back to Page 1
Print Article Controlling what's displayed

The verbose modes provided by -v and -vv options can be used to print some additional information. For example, the -v option will print TTL fields. For less information, use the -q, or quiet, option. Here is the output for the same packet presented with the -q option, without options, with the -v option, and with the -vv option, respectively:

12:36:54.772066 sloan.lander.edu.1174 > tcp 0 (DF)

12:36:54.772066 sloan.lander.edu.1174 > . ack 3259091394 
win 8647 (DF)

12:36:54.772066 sloan.lander.edu.1174 > . ack 3259091394 
win 8647 (DF) (ttl 128, id 45836)

12:36:54.772066 sloan.lander.edu.1174 > . ack 3259091394 
win 8647 (DF) (ttl 128, id 45836)

This additional information might be useful in a few limited contexts, while the quiet mode provides shorter output lines. In this instance, there was no difference between the results with -v and -vv, but this isn't always the case.

The -e option is used to display link-level header information. For the packet from the previous example, with the -e option, the output is:

12:36:54.772066 0:10:5a:a1:e9:8 0:10:5a:e3:37:c ip 60: 
sloan.lander.edu.1174 > . ack 3259091394 win 8647 (DF)

0:10:5a:a1:e9:8 is the Ethernet address of the 3Com card in sloan.lander.edu, while 0:10:5a:e3:37:c is the Ethernet address of the 3Com card in (We can discover the types of adapters used by looking up the OUI portion of these addresses, as described in .)

For the masochist who wants to decode packets manually, the -x option provides a hexadecimal dump of packets, excluding link-level headers. A packet displayed with the -x and -vv options looks like this:

13:57:12.719718 bsd1.lander.edu.1657 > 11587+ A? www.
microsoft.com. (35) (ttl 64, id 41353)
                         4500 003f a189 0000 4011 c43a cd99 3db2
                         cd99 3c05 0679 0035 002b 06d9 2d43 0100
                         0001 0000 0000 0000 0377 7777 096d 6963
                         726f 736f 6674 0363 6f6d 0000 0100 01

Please note that the amount of information displayed will depend on how many bytes are collected, as determined by the -s option. Such hex listings are typical of what might be seen with many capture programs.

Describing how to do such an analysis in detail is beyond the scope of this book, as it requires a detailed understanding of the structure of packets for a variety of protocols. Interpreting this data is a matter of taking packets apart byte by byte or even bit by bit, realizing that the interpretation of the results at one step may determine how the next steps will be done. For header formats, you can look to the appropriate RFC or in any number of books. Table 1-1 (next page) summarizes the analysis for this particular packet, but every packet is different. This particular packet was a DNS lookup for www.microsoft.com. (For more information on decoding packets, see Eric A. Hall's Internet Core Protocols: The Definitive Guide.)

This article was originally published on Nov 13, 2001
Get the Latest Scoop with Networking Update Newsletter