tcpdump output. Friday Oct 18, 2002. -e .
Quotes `` '' usually mean that a number is represented in hexadecimal.

----
14:53:27.951218 8:0:20:73:35:9 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.235.251.10 (ff:ff:ff:ff:ff:ff) tell 128.235.35.200

The above ARP packet is discussed in detail in the -x output. 60 is the length of the Ethernet frame, including data, Ethernet addresses, and ethertype, but excluding the preamble and CRC.

----
14:53:28.415630 0:c0:4f:1:9b:99 ff:ff:ff:ff:ff:ff 0800 92: 128.235.34.141.137 > 128.235.35.255.137: [udp sum ok] >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x92D1 OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0 QuestionRecords: Name=R4400 NameType=0x00 (Workstation) QuestionType=0x20 QuestionClass=0x1 (ttl 128, id 13185, len 78)

The above IP (UDP) packet is discussed in detail in the ``-x'' output file.

----
14:53:28.439033 0:8:e2:b7:47:a2 1:80:c2:0:0:0 0026 52: 802.1d config 8000.00:08:e2:b7:44:0b.8045 root 0063.00:d0:03:70:5c:0b pathcost 4 age 1 max 20 hello 2 fdelay 15

This packet's ethertype field is ``0026'' = 38 (decimal), which is < 1501. That means the field gives the length of the data field in the Ethernet frame rather than a protocol type. Note that 38 + 14 = 52: the data length plus the 14-byte Ethernet header (two addresses and the type/length field) equals the frame length that tcpdump prints.

----
14:53:28.452917 0:d0:3:70:5f:fd 1:0:5e:0:0:2 0800 62: 128.235.32.6.1985 > 224.0.0.2.1985: [udp sum ok] udp 20 [tos 0xc0] (ttl 2, id 0, len 48)

----
14:53:28.637498 0:6:5b:4a:6:9b ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.235.32.248 tell 128.235.34.156

The above ARP packet is discussed in detail in the -x output.

----
14:53:29.165938 0:c0:4f:1:9b:99 ff:ff:ff:ff:ff:ff 0800 92: 128.235.34.141.137 > 128.235.35.255.137: [udp sum ok] >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x92D1 OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0 QuestionRecords: Name=R4400 NameType=0x00 (Workstation) QuestionType=0x20 QuestionClass=0x1 (ttl 128, id 13186, len 78)
14:53:29.315762 0:0:c:7:ac:1 1:0:5e:0:0:2 0800 62: 128.235.32.5.1985 > 224.0.0.2.1985: [udp sum ok] udp 20 [tos 0xc0] (ttl 2, id 0, len 48)
14:53:29.624611 0:d0:3:70:5f:fd ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.235.33.176 tell 128.235.32.6
14:53:29.916351 0:c0:4f:1:9b:99 ff:ff:ff:ff:ff:ff 0800 92: 128.235.34.141.137 > 128.235.35.255.137: [udp sum ok] >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x92D1 OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0 QuestionRecords: Name=R4400 NameType=0x00 (Workstation) QuestionType=0x20 QuestionClass=0x1 (ttl 128, id 13187, len 78)
14:53:30.441454 0:8:e2:b7:47:a2 1:80:c2:0:0:0 0026 52: 802.1d config 8000.00:08:e2:b7:44:0b.8045 root 0063.00:d0:03:70:5c:0b pathcost 4 age 1 max 20 hello 2 fdelay 15
14:53:30.686800 0:c0:4f:1:9b:99 ff:ff:ff:ff:ff:ff 0800 92: 128.235.34.141.137 > 128.235.35.255.137: [udp sum ok] >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x92D3 OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0 QuestionRecords: Name=R4400 NameType=0x00 (Workstation) QuestionType=0x20 QuestionClass=0x1 (ttl 128, id 13190, len 78)
14:53:31.032146 0:b0:d0:82:66:61 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.235.33.137 tell 128.235.34.220
14:53:31.052760 0:d0:3:70:5f:fd 1:0:5e:0:0:2 0800 62: 128.235.32.6.1985 > 224.0.0.2.1985: [udp sum ok] udp 20 [tos 0xc0] (ttl 2, id 0, len 48)
14:53:31.126037 0:d0:3:70:5f:fd ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.235.32.173 tell 128.235.32.6
14:53:31.437120 0:c0:4f:1:9b:99 ff:ff:ff:ff:ff:ff 0800 92: 128.235.34.141.137 > 128.235.35.255.137: [udp sum ok] >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x92D3 OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0 QuestionRecords: Name=R4400 NameType=0x00 (Workstation) QuestionType=0x20 QuestionClass=0x1 (ttl 128, id 13191, len 78)

----
14:53:31.758175 8:0:20:ae:b2:49 ff:ff:ff:ff:ff:ff 0800 146: 128.235.35.106.61931 > 128.235.35.255.111: udp 104 (DF) [ttl 1] (id 8363, len 132)

The packet above is discussed in detail in the ``-x'' output.

----
14:53:31.798242 0:d0:3:70:5b:fd ff:ff:ff:ff:ff:ff 0800 286: 128.235.32.8.520 > 255.255.255.255.520: RIPv1-resp [items 12]: {0.0.0.0}(1) {10.0.0.0}(1)[|rip] (ttl 2, id 0, len 272)
14:53:32.167609 0:0:c:7:ac:1 1:0:5e:0:0:2 0800 62: 128.235.32.5.1985 > 224.0.0.2.1985: [udp sum ok] udp 20 [tos 0xc0] (ttl 2, id 0, len 48)
14:53:32.187587 0:c0:4f:1:9b:99 ff:ff:ff:ff:ff:ff 0800 92: 128.235.34.141.137 > 128.235.35.255.137: [udp sum ok] >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x92D3 OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0 QuestionRecords: Name=R4400 NameType=0x00 (Workstation) QuestionType=0x20 QuestionClass=0x1 (ttl 128, id 13192, len 78)
14:53:32.439824 0:8:e2:b7:47:a2 1:80:c2:0:0:0 0026 52: 802.1d config 8000.00:08:e2:b7:44:0b.8045 root 0063.00:d0:03:70:5c:0b pathcost 4 age 1 max 20 hello 2 fdelay 15
14:53:32.957999 0:c0:4f:1:9b:99 ff:ff:ff:ff:ff:ff 0800 92: 128.235.34.141.137 > 128.235.35.255.137: [udp sum ok] >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x92D5 OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0 QuestionRecords: Name=R4400 NameType=0x00 (Workstation) QuestionType=0x20 QuestionClass=0x1 (ttl 128, id 13195, len 78)
14:53:33.391686 8:0:20:73:3:2c ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.235.32.245 (ff:ff:ff:ff:ff:ff) tell 128.235.35.97
14:53:33.708353 0:c0:4f:1:9b:99 ff:ff:ff:ff:ff:ff 0800 92: 128.235.34.141.137 > 128.235.35.255.137: [udp sum ok] >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x92D5 OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0 QuestionRecords: Name=R4400 NameType=0x00 (Workstation) QuestionType=0x20 QuestionClass=0x1 (ttl 128, id 13196, len 78)
14:53:33.964837 0:b0:d0:98:e2:90 ff:ff:ff:ff:ff:ff 0800 92: 128.235.32.237.137 > 128.235.35.255.137: [udp sum ok] >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0xFCA7 OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0 QuestionRecords: Name=WORKGROUP NameType=0x1B (Domain Controller) QuestionType=0x20 QuestionClass=0x1 (ttl 128, id 30806, len 78)
14:53:33.968612 0:d0:3:70:5f:fd 1:0:5e:0:0:2 0800 62: 128.235.32.6.1985 > 224.0.0.2.1985: [udp sum ok] udp 20 [tos 0xc0] (ttl 2, id 0, len 48)
14:53:34.069763 0:0:81:65:4e:f6 1:0:81:0:1:0 0013 33: snap 0:0:81:1:a2 sap aa ui/C >>> Unknown IPX Data: (8 bytes) [000] 1A 00 01 0C 2C 01 02 00 ....,... len=8
14:53:34.071554 0:0:81:65:4e:f6 1:0:81:0:1:1 0013 33: snap 0:0:81:1:a1 sap aa ui/C >>> Unknown IPX Data: (8 bytes) [000] 1A 00 01 0C 2C 01 02 00 ....,... len=8
14:53:34.191028 0:d0:3:70:5f:fc ff:ff:ff:ff:ff:ff 0800 286: 128.235.32.5.520 > 255.255.255.255.520: RIPv1-resp [items 12]: {0.0.0.0}(1) {10.0.0.0}(1)[|rip] [tos 0xc0] (ttl 2, id 0, len 272)
14:53:34.391606 8:0:20:73:3:2c ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.235.32.245 (ff:ff:ff:ff:ff:ff) tell 128.235.35.97
14:53:34.444426 0:8:e2:b7:47:a2 1:80:c2:0:0:0 0026 52: 802.1d config 8000.00:08:e2:b7:44:0b.8045 root 0063.00:d0:03:70:5c:0b pathcost 4 age 1 max 20 hello 2 fdelay 15
14:53:34.458657 0:c0:4f:1:9b:99 ff:ff:ff:ff:ff:ff 0800 92: 128.235.34.141.137 > 128.235.35.255.137: [udp sum ok] >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x92D5 OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0 QuestionRecords: Name=R4400 NameType=0x00 (Workstation) QuestionType=0x20 QuestionClass=0x1 (ttl 128, id 13197, len 78)
14:53:34.645829 0:6:5b:4a:6:9b ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.235.32.248 tell 128.235.34.156
14:53:34.712525 0:b0:d0:98:e2:90 ff:ff:ff:ff:ff:ff 0800 92: 128.235.32.237.137 > 128.235.35.255.137: [udp sum ok] >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0xFCA7 OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0 QuestionRecords: Name=WORKGROUP NameType=0x1B (Domain Controller) QuestionType=0x20 QuestionClass=0x1 (ttl 128, id 30807, len 78)
14:53:34.750846 8:0:20:ff:bb:50 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.235.32.1 (ff:ff:ff:ff:ff:ff) tell 128.235.35.102
14:53:34.939444 0:0:c:7:ac:1 1:0:5e:0:0:2 0800 62: 128.235.32.5.1985 > 224.0.0.2.1985: [udp sum ok] udp 20 [tos 0xc0] (ttl 2, id 0, len 48)
14:53:35.229105 0:c0:4f:1:9b:99 ff:ff:ff:ff:ff:ff 0800 92: 128.235.34.141.137 > 128.235.35.255.137: [udp sum ok] >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x92D7 OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0 QuestionRecords: Name=R4400 NameType=0x00 (Workstation) QuestionType=0x20 QuestionClass=0x1 (ttl 128, id 13200, len 78)
14:53:35.388595 0:6:5b:1:29:85 ff:ff:ff:ff:ff:ff 0800 243: 128.235.34.207.138 > 128.235.35.255.138: >>> NBT UDP PACKET(138) Res=0x110E ID=0x83B5 IP=128 (0x80).235 (0xeb).34 (0x22).207 (0xcf) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0 SourceName=EARTHLAB7 NameType=0x20 (Server) DestName= WARNING: Short packet. Try increasing the snap length (ttl 128, id 19137, len 229)
14:53:35.391651 8:0:20:73:3:2c ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.235.32.245 (ff:ff:ff:ff:ff:ff) tell 128.235.35.97
14:53:35.463587 0:b0:d0:98:e2:90 ff:ff:ff:ff:ff:ff 0800 92: 128.235.32.237.137 > 128.235.35.255.137: [udp sum ok] >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0xFCA7 OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0 QuestionRecords: Name=WORKGROUP NameType=0x1B (Domain Controller) QuestionType=0x20 QuestionClass=0x1 (ttl 128, id 30808, len 78)
14:53:35.501805 8:0:20:73:3:2c ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.235.34.205 (ff:ff:ff:ff:ff:ff) tell 128.235.35.97
14:53:35.751410 8:0:20:ae:b2:49 ff:ff:ff:ff:ff:ff 0800 146: 128.235.35.106.61931 > 128.235.35.255.111: udp 104 (DF) [ttl 1] (id 8364, len 132)
14:53:35.979507 0:c0:4f:1:9b:99 ff:ff:ff:ff:ff:ff 0800 92: 128.235.34.141.137 > 128.235.35.255.137: [udp sum ok] >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x92D7 OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0 QuestionRecords: Name=R4400 NameType=0x00 (Workstation) QuestionType=0x20 QuestionClass=0x1 (ttl 128, id 13201, len 78)
14:53:36.183432 0:d0:3:70:5f:fd ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.235.33.133 tell 128.235.32.6

----
14:53:36.190417 8:0:20:ff:bb:21 0:0:c:7:ac:1 0800 182: 128.235.32.243.403494031 > 128.235.204.51.2049: 128 getattr [|nfs] (DF) (ttl 64, id 13686, len 168)

Neither this output nor the corresponding -x output recognizes this packet as a TCP packet. See the -x output for an analysis.

----
14:53:36.191275 0:d0:3:70:5f:fd 8:0:20:ff:bb:21 0800 170: 128.235.204.51.2049 > 128.235.32.243.403494031: reply ok 116 getattr [|nfs] (DF) (ttl 63, id 21188, len 156)
14:53:36.211826 8:0:20:ff:bb:21 0:0:c:7:ac:1 0800 186: 128.235.32.243.403494032 > 128.235.204.51.2049: 132 access [|nfs] (DF) (ttl 64, id 13687, len 172)
14:53:36.212762 0:d0:3:70:5f:fd 8:0:20:ff:bb:21 0800 178: 128.235.204.51.2049 > 128.235.32.243.403494032: reply ok 124 access attr: [|nfs] (DF) (ttl 63, id 21189, len 164)
14:53:36.212885 8:0:20:ff:bb:21 0:0:c:7:ac:1 0800 190: 128.235.32.243.403494033 > 128.235.204.51.2049: 136 lookup [|nfs] (DF) (ttl 64, id 13688, len 176)
14:53:36.213895 0:d0:3:70:5f:fd 8:0:20:ff:bb:21 0800 298: 128.235.204.51.2049 > 128.235.32.243.403494033: reply ok 244 lookup [|nfs] (DF) (ttl 63, id 21190, len 284)
14:53:36.214045 8:0:20:ff:bb:21 0:0:c:7:ac:1 0800 182: 128.235.32.243.403494034 > 128.235.204.51.2049: 128 getattr [|nfs] (DF) (ttl 64, id 13689, len 168)
14:53:36.214984 0:d0:3:70:5f:fd 8:0:20:ff:bb:21 0800 170: 128.235.204.51.2049 > 128.235.32.243.403494034: reply ok 116 getattr [|nfs] (DF) (ttl 63, id 21191, len 156)

----
14:53:36.310145 8:0:20:ff:bb:21 0:0:c:7:ac:1 0800 54: 128.235.32.243.1023 > 128.235.204.51.2049: . [tcp sum ok] ack 3090350086 win 24820 (DF) (ttl 64, id 13690, len 40)

The above IP (TCP) packet is discussed in detail in the ``-x'' output file.

----
14:53:36.396077 8:0:20:73:3:2c ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.235.32.245 (ff:ff:ff:ff:ff:ff) tell 128.235.35.97
14:53:36.440804 0:8:e2:b7:47:a2 1:80:c2:0:0:0 0026 52: 802.1d config 8000.00:08:e2:b7:44:0b.8045 root 0063.00:d0:03:70:5c:0b pathcost 4 age 1 max 20 hello 2 fdelay 15
14:53:36.501570 8:0:20:73:3:2c ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.235.34.205 (ff:ff:ff:ff:ff:ff) tell 128.235.35.97
14:53:36.729965 0:c0:4f:1:9b:99 ff:ff:ff:ff:ff:ff 0800 92: 128.235.34.141.137 > 128.235.35.255.137: [udp sum ok] >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x92D7 OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0 QuestionRecords: Name=R4400 NameType=0x00 (Workstation) QuestionType=0x20 QuestionClass=0x1 (ttl 128, id 13202, len 78)
14:53:36.836486 0:d0:3:70:5f:fd 1:0:5e:0:0:2 0800 62: 128.235.32.6.1985 > 224.0.0.2.1985: [udp sum ok] udp 20 [tos 0xc0] (ttl 2, id 0, len 48)
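
The length arithmetic noted for the 802.1d frame (38 + 14 = 52) can be checked against every link-level line of the capture. The Python below is an added example, not part of the original notes: it parses the -e header fields, applies the same "< 1501 means length" rule, and reports how many bytes each frame carries beyond its 14-byte header and payload. The function name `analyze`, the regular expressions, and the fixed 28-byte ARP body (Ethernet/IPv4 ARP) are assumptions of the example.

```python
import re

ETH_HEADER = 14   # destination MAC (6) + source MAC (6) + type/length field (2)
ARP_BODY = 28     # assumption: ARP for Ethernet/IPv4, which has a fixed 28-byte body

# Layout of one "tcpdump -e" line in this capture:
# time  src-mac  dst-mac  4-hex-digit type/length  frame-length:  decoded packet
LINE = re.compile(r"^(\S+) ([0-9a-f:]+) ([0-9a-f:]+) ([0-9a-f]{4}) (\d+): (.*)$")
IP_LEN = re.compile(r"id \d+, len (\d+)\)")   # IP total length as printed in the capture


def analyze(line):
    """Classify the type/length field and compare it with the frame length."""
    m = LINE.match(line.strip())
    if m is None:
        raise ValueError("not a link-level tcpdump line: %r" % line)
    _time, src, dst, field, frame_len, rest = m.groups()
    value, frame_len = int(field, 16), int(frame_len)
    payload = None
    if value < 1501:                  # same threshold as the note in the capture
        kind, payload = "802.3 length", value
    else:
        kind = "ethertype 0x%04x" % value
        ip = IP_LEN.search(rest)
        if value == 0x0800 and ip:
            payload = int(ip.group(1))
        elif value == 0x0806:
            payload = ARP_BODY
    # Bytes in the frame beyond header + payload; None if the payload is unknown.
    extra = None if payload is None else frame_len - ETH_HEADER - payload
    return {"src": src, "dst": dst, "kind": kind, "frame_len": frame_len,
            "payload_len": payload, "extra": extra,
            "broadcast": dst == "ff:ff:ff:ff:ff:ff"}


# Lines taken from the capture above (the decoded part is shortened on some).
SAMPLE = [
    "14:53:28.439033 0:8:e2:b7:47:a2 1:80:c2:0:0:0 0026 52: 802.1d config",
    "14:53:34.069763 0:0:81:65:4e:f6 1:0:81:0:1:0 0013 33: snap 0:0:81:1:a2 sap aa ui/C",
    "14:53:28.637498 0:6:5b:4a:6:9b ff:ff:ff:ff:ff:ff 0806 60: arp who-has 128.235.32.248 tell 128.235.34.156",
    "14:53:28.452917 0:d0:3:70:5f:fd 1:0:5e:0:0:2 0800 62: 128.235.32.6.1985 > 224.0.0.2.1985: [udp sum ok] udp 20 [tos 0xc0] (ttl 2, id 0, len 48)",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        r = analyze(entry)
        print(r["kind"], r["frame_len"], r["payload_len"], r["extra"])
```

On these lines the 802.3 and IP frames show no extra bytes, while the 60-byte ARP frame carries 18 bytes beyond its header and 28-byte body.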