tcpdump output. Friday Oct 18, 2002. -x option.
Quotes `` '' usually mean numbers are represented in hexadecimal.

14:53:27.951218 arp who-has dns1.njit.edu (Broadcast) tell paris.njit.edu
    0001 0800 0604 0001 0800 2073 3509 80eb
    23c8 ffff ffff ffff 80eb fb0a 0000 0000
    0000 0000 0000 0008 0000 0008 0000

From the ``-e'' output we saw that the ethertype was ``0806'', i.e. an ARP packet. (And the text above tells us again.) Hence:

Hardware Type = ``0001'' = 1 = Ethernet.
Protocol Type = ``0800'' = IPv4.
Hardware Length = ``06'' = 6 bytes. (We knew that!)
Protocol Length = ``04'' = 4 bytes. (We knew that!)
Operation = ``0001'' = 1 (ARP Request).
Sender Hardware address = ``08.00.20.73.35.09'' = 8:0:20:73:35:9
Sender Protocol address = ``80.eb.23.c8'' = 128.235.35.200
Target Hardware address = ``ff.ff.ff.ff.ff.ff'' = ff:ff:ff:ff:ff:ff
Target Protocol address = ``80.eb.fb.0a'' = 128.235.251.10
Padding: ``0000 0000 0000 0000 0000 0008 0000 0008 0000'' (Total of 46 bytes: the minimum).

Note: The Target Hardware address is given as ff:ff:ff:ff:ff:ff

Homework (Do not hand in): compare with the same packet in the -e output.

maan-583 tcpoutput3>: nslookup 128.235.35.200
Server: dns1.njit.edu
Address: 128.235.251.10

Name: paris.njit.edu
Address: 128.235.35.200

maan-584 tcpoutput3>: nslookup 128.235.251.10
Server: dns1.njit.edu
Address: 128.235.251.10

Name: dns1.njit.edu
Address: 128.235.251.10

``paris'' knows the IP address of the dns server, but does not know the physical address of the dns server.
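The field-by-field ARP decoding above, and the one for the 14:53:28.637498 request further down, written as a short Python parser; this is an added example, not part of the original notes. It also reports whether the padding is all zeros and, going beyond the text, whether non-zero padding repeats bytes of another packet in the same trace. The hex strings are copied from packets on this page; the function names are assumptions.

```python
import struct
from ipaddress import IPv4Address

# Hex words copied from packets printed on this page (timestamps in comments).
ARP_PARIS = ("0001 0800 0604 0001 0800 2073 3509 80eb 23c8 ffff ffff ffff "
             "80eb fb0a 0000 0000 0000 0000 0000 0008 0000 0008 0000")     # 14:53:27.951218
ARP_DHCP156 = ("0001 0800 0604 0001 0006 5b4a 069b 80eb 229c 0000 0000 0000 "
               "80eb 20f8 0000 0000 0000 0000 0000 0000 0000 0000 0000")   # 14:53:28.637498
ARP_CLUSTERM = ("0001 0800 0604 0001 0800 2073 032c 80eb 2361 ffff ffff ffff "
                "80eb 20f5 ffff ffff 0208 0208 00fc 7b97 0201 0000 0002")  # 14:53:34.391606
RIP_GW5 = ("45c0 0110 0000 0000 0211 162e 80eb 2005 ffff ffff 0208 0208 "
           "00fc 7b97 0201 0000 0002")   # first 34 bytes of the 14:53:34.191028 packet


def to_bytes(hex_words):
    """Turn the hex words of tcpdump -x output into raw bytes."""
    return bytes.fromhex("".join(hex_words.split()))


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(hex_words):
    data = to_bytes(hex_words)
    if len(data) < 28:
        raise ValueError("shorter than an Ethernet/IPv4 ARP message (28 bytes)")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", data[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not ARP for IPv4 over Ethernet")
    padding = data[28:]          # whatever follows the 28-byte ARP message
    return {
        "operation": {1: "request", 2: "reply"}.get(oper, f"unknown({oper})"),
        "sender_mac": mac(data[8:14]),
        "sender_ip": str(IPv4Address(data[14:18])),
        # RFC 826 does not require a request to set this field to anything
        # in particular; this trace shows both all-ones and all-zeros.
        "target_mac": mac(data[18:24]),
        "target_ip": str(IPv4Address(data[24:28])),
        "padding": padding,
        "padding_all_zero": not any(padding),
    }


def padding_repeats(arp_hex, other_hex, min_run=8):
    """True if a non-zero run of min_run padding bytes also occurs in other_hex."""
    padding = parse_arp(arp_hex)["padding"]
    other = to_bytes(other_hex)
    for start in range(len(padding) - min_run + 1):
        run = padding[start:start + min_run]
        if any(run) and run in other:
            return True
    return False


if __name__ == "__main__":
    for name, pkt in (("paris", ARP_PARIS), ("dhcp34-156", ARP_DHCP156),
                      ("clusterm", ARP_CLUSTERM)):
        f = parse_arp(pkt)
        print(f"{name}: {f['operation']} {f['sender_mac']} {f['sender_ip']} -> "
              f"{f['target_ip']} (target mac {f['target_mac']}), "
              f"padding all zero: {f['padding_all_zero']}")
    print("clusterm padding repeats RIP bytes:", padding_repeats(ARP_CLUSTERM, RIP_GW5))
```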
----
14:53:28.415630 dhcp34-141.njit.edu.netbios-ns > 128.235.35.255.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    4500 004e 3381 0000 8011 bebb 80eb 228d
    80eb 23ff 0089 0089 003a e3c8 92d1 0110
    0001 0000 0000 0000 2046 4344 4544 4544
    4144 4143 4143 4143 4143 4143 4143 4143
    4143 4143 4143 4141 4100 0020 0001

For the packet above:

IP header:
VERS = 4, HLEN = 5, ToS = 0,
IP TL = 14 + 4*16 + 0*16^2 + 0*16^3 = 78,
Ident = 1 + 8*16 + 3*16^2 + 3*16^3,
DF = M = 0, Fr.Offset = 0,
TTL = 8*16 = 128,
Prot = 1 + 1*16 = 17 (UDP)
IP H.Checksum = ``bebb'' = ...
Source address = ``80.eb.22.8d'' = 128.235.34.141
Dest address = ``80.eb.23.ff'' = 128.235.35.255

UDP header:
Source Port Number = ``0089'' = 9 + 8*16 = 137 (see -e output: right!)
Dest Port Number = ``0089'' = . . . = 137
UDP TL = ``003a'' = 10 + 3*16 = 58 ( = 78 - 20, right!)
UDP Checksum = ``e3c8'' = ...
UDP Data = ``92d1 0110 0001 ... '',
There must be 78 - 20 - 8 = 50 bytes of UDP Data: Right!

Please note: That dhcp34-141 is 128.235.34.141 can be seen from nslookup. From other sources I know it is in the subnet 128.235.32.0/22, which has mask ff:ff:fc:0 or 255.255.252.0 (in binary: 11111111.11111111.11111100.00000000). The IP broadcast address on this subnet is 128.235.35.255 (in binary: 10000000.11101011.00100011.11111111). Right! This packet is indeed a direct broadcast packet.

By combining this -x output with the similar -e output we see that the physical address of dhcp34-141 is 0:6:5b:4a:6:9b and that the ethernet destination address is ff:ff:ff:ff:ff:ff.

The www.iana.org database says that udp port 137 is the ``NETBIOS'' service. Checks with what tcpdump (above) says! If you want to be able to read the rest of the packet, go to the IETF web page and find the RFCs on NETBIOS. tcpdump knows how to read the rest of the packet: see the -e output.
--
maan-636 tcpoutput3>: nslookup 128.235.34.141
Server: dns1.njit.edu
Address: 128.235.251.10

Name: dhcp34-141.njit.edu
Address: 128.235.34.141

maan-637 tcpoutput3>: nslookup 128.235.35.255
Server: dns1.njit.edu
Address: 128.235.251.10

*** dns1.njit.edu can't find 128.235.35.255: Non-existent host/domain

Since 128.235.35.255 is a Direct Broadcast address (to the network 128.235.32.0/22) it is not surprising there is no computer with that address!
----
14:53:28.439033 802.1d config 8000.00:08:e2:b7:44:0b.8045 root 0063.00:d0:03:70:5c:0b pathcost 4 age 1 max 20 hello 2 fdelay 15
    4242 0300 0000 0000 0063 00d0 0370 5c0b
    0000 0004 8000 0008 e2b7 440b 8045 0100
    1400 0200 0f00

Note there are only 38 bytes in the ethernet data field. 38 < 46. Either there is no padding, because the length is explicitly given, or there is padding but the tcpdump software does not bother to give the padding bytes. I do not know which. The second explanation is more plausible.
----
14:53:28.452917 cisnet-gw6.njit.edu.1985 > ALL-ROUTERS.MCAST.NET.1985: udp 20 [tos 0xc0]
    45c0 0030 0000 0000 0211 370a 80eb 2006
    e000 0002 07c1 07c1 001c 7986 0000 0803
    0a82 0100 6e6a 6974 3138 3831 80eb 2001
----
14:53:28.637498 arp who-has ps-hp1200n-cs-1.njit.edu tell dhcp34-156.njit.edu
    0001 0800 0604 0001 0006 5b4a 069b 80eb
    229c 0000 0000 0000 80eb 20f8 0000 0000
    0000 0000 0000 0000 0000 0000 0000

The same packet in the -e output has ethertype ``0806'', so it is an ARP packet. (And the text says so again.)

Hardware Type = 1 = ethernet.
Protocol Type = ``0800'' = IPv4.
Hardware Length = 6 (we knew that).
Protocol Length = 4 (we knew that).
Operation = 1 (ARP Request).
Sender Hardware Address = ``00.06.5b.4a.06.9b'' = 0:6:91:74:6:155.
Sender Protocol Address = ``80.eb.22.9c'' = 128.235.34.156
Target Hardware Address = ``00.00.00.00.00.00'' = 0:0:0:0:0:0
Target Protocol Address = ``80.eb.20.f8'' = 128.235.32.248
Padding: ``0000 0000 0000 0000 0000 0000 0000 0000 0000''.
It seems that for ARP packets the tcpdump software bothers to give the padding bytes.

Note that this time the Target Hardware Address is 0:0:0:0:0:0

I do not know why for the arp packet at time 14:53:27.951218 the Target Hardware Address was ff:ff:ff:ff:ff:ff, while here it is 0:0:0:0:0:0. Does anyone know?
----
14:53:29.165938 dhcp34-141.njit.edu.netbios-ns > 128.235.35.255.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    4500 004e 3382 0000 8011 beba 80eb 228d
    80eb 23ff 0089 0089 003a e3c8 92d1 0110
    0001 0000 0000 0000 2046 4344 4544 4544
    4144 4143 4143 4143 4143 4143 4143 4143
    4143 4143 4143 4141 4100 0020 0001
14:53:29.315762 cisnet-gw5.njit.edu.1985 > ALL-ROUTERS.MCAST.NET.1985: udp 20 [tos 0xc0]
    45c0 0030 0000 0000 0211 370b 80eb 2005
    e000 0002 07c1 07c1 001c 717d 0000 1003
    0a8c 0100 6e6a 6974 3138 3831 80eb 2001
14:53:29.624611 arp who-has straw.njit.edu tell cisnet-gw6.njit.edu
    0001 0800 0604 0001 00d0 0370 5ffd 80eb
    2006 0000 0000 0000 80eb 21b0 0000 0000
    0000 0000 0000 0000 0000 0000 0000
14:53:29.916351 dhcp34-141.njit.edu.netbios-ns > 128.235.35.255.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    4500 004e 3383 0000 8011 beb9 80eb 228d
    80eb 23ff 0089 0089 003a e3c8 92d1 0110
    0001 0000 0000 0000 2046 4344 4544 4544
    4144 4143 4143 4143 4143 4143 4143 4143
    4143 4143 4143 4141 4100 0020 0001
14:53:30.441454 802.1d config 8000.00:08:e2:b7:44:0b.8045 root 0063.00:d0:03:70:5c:0b pathcost 4 age 1 max 20 hello 2 fdelay 15
    4242 0300 0000 0000 0063 00d0 0370 5c0b
    0000 0004 8000 0008 e2b7 440b 8045 0100
    1400 0200 0f00
14:53:30.686800 dhcp34-141.njit.edu.netbios-ns > 128.235.35.255.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    4500 004e 3386 0000 8011 beb6 80eb 228d
    80eb 23ff 0089 0089 003a e3c6 92d3 0110
    0001 0000 0000 0000 2046 4344 4544 4544
    4144 4143 4143 4143 4143 4143 4143 4143
    4143 4143 4143 4141 4100 0020 0001
14:53:31.032146 arp who-has fire.njit.edu tell dhcp34-220.njit.edu
    0001 0800 0604 0001 00b0 d082 6661
    80eb 22dc 0000 0000 0000 80eb 2189 0000
    0000 0000 0000 0000 0000 0000 0000 0000
14:53:31.052760 cisnet-gw6.njit.edu.1985 > ALL-ROUTERS.MCAST.NET.1985: udp 20 [tos 0xc0]
    45c0 0030 0000 0000 0211 370a 80eb 2006
    e000 0002 07c1 07c1 001c 7986 0000 0803
    0a82 0100 6e6a 6974 3138 3831 80eb 2001
14:53:31.126037 arp who-has cable.njit.edu tell cisnet-gw6.njit.edu
    0001 0800 0604 0001 00d0 0370 5ffd 80eb
    2006 0000 0000 0000 80eb 20ad 0000 0000
    0000 0000 0000 0000 0000 0000 0000
14:53:31.437120 dhcp34-141.njit.edu.netbios-ns > 128.235.35.255.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    4500 004e 3387 0000 8011 beb5 80eb 228d
    80eb 23ff 0089 0089 003a e3c6 92d3 0110
    0001 0000 0000 0000 2046 4344 4544 4544
    4144 4143 4143 4143 4143 4143 4143 4143
    4143 4143 4143 4141 4100 0020 0001
----
14:53:31.758175 sandra.njit.edu.61931 > 128.235.35.255.sunrpc: udp 104 (DF) [ttl 1]
    4500 0084 20ab 4000 0111 0f7f 80eb 236a
    80eb 23ff f1eb 006f 0070 c2a6 3dbe 15e6
    0000 0000 0000 0002 0001 86a0 0000 0002
    0000 0005 0000 0001 0000 001c 3db0 5afb
    0000 0006 7361 6e64 7261 0000 0000 0000

Vers = 4, HLEN = 5, ToS = 0,
TL = 8*16 + 4 = 132,
ID = ``20ab'',
(FR field = 4*16^3) DF = 1, M = 0, Fr.Offset = 0,
TTL = 1, Prot = 17 (UDP),
H.Checksum = ``0F7F'' = ...
Source Address = ``80.eb.23.6a'' = 128.235.35.106
Dest Address = ``80.eb.23.ff'' = 128.235.35.255
--
maan-638 tcpoutput3>: nslookup 128.235.35.106
Server: dns1.njit.edu
Address: 128.235.251.10

Name: sandra.njit.edu
Address: 128.235.35.106
--
Again, a Direct Broadcast, this time (probably) to 128.235.35.0/24.

This is a UDP packet. Hence:
Source Port Number = ``f1eb'' = 61931
Dest Port Number = 6*16 + 15 = 111 (SUN RPC)
TL = 7*16 = 112 (Indeed, 112 + 20 = 132)
Checksum = ``c2a6'' = ... .
UDP data = 3dbe 15e6 etc.

Only the first (at most) 80 bytes of the IP packet are given.
----
14:53:31.798242 cisnet-gw8.njit.edu.route > 255.255.255.255.route: RIPv1-resp [items 12]: {0.0.0.0}(1) {10.0.0.0}(1)[|rip]
    4500 0110 0000 0000 0211 16eb 80eb 2008
    ffff ffff 0208 0208 00fc 7b94 0201 0000
    0002 0000 0000 0000 0000 0000 0000 0000
    0000 0001 0002 0000 0a00 0000 0000 0000
    0000 0000 0000 0001 0002 0000 80eb 5000
14:53:32.167609 cisnet-gw5.njit.edu.1985 > ALL-ROUTERS.MCAST.NET.1985: udp 20 [tos 0xc0]
    45c0 0030 0000 0000 0211 370b 80eb 2005
    e000 0002 07c1 07c1 001c 717d 0000 1003
    0a8c 0100 6e6a 6974 3138 3831 80eb 2001
14:53:32.187587 dhcp34-141.njit.edu.netbios-ns > 128.235.35.255.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    4500 004e 3388 0000 8011 beb4 80eb 228d
    80eb 23ff 0089 0089 003a e3c6 92d3 0110
    0001 0000 0000 0000 2046 4344 4544 4544
    4144 4143 4143 4143 4143 4143 4143 4143
    4143 4143 4143 4141 4100 0020 0001
14:53:32.439824 802.1d config 8000.00:08:e2:b7:44:0b.8045 root 0063.00:d0:03:70:5c:0b pathcost 4 age 1 max 20 hello 2 fdelay 15
    4242 0300 0000 0000 0063 00d0 0370 5c0b
    0000 0004 8000 0008 e2b7 440b 8045 0100
    1400 0200 0f00
14:53:32.957999 dhcp34-141.njit.edu.netbios-ns > 128.235.35.255.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    4500 004e 338b 0000 8011 beb1 80eb 228d
    80eb 23ff 0089 0089 003a e3c4 92d5 0110
    0001 0000 0000 0000 2046 4344 4544 4544
    4144 4143 4143 4143 4143 4143 4143 4143
    4143 4143 4143 4141 4100 0020 0001
14:53:33.391686 arp who-has ps-hp4000-ccs-1.njit.edu (Broadcast) tell clusterm.njit.edu
    0001 0800 0604 0001 0800 2073 032c 80eb
    2361 ffff ffff ffff 80eb 20f5 80eb 2361
    02d1 0203 0900 2393 6703 91a1 5010
14:53:33.708353 dhcp34-141.njit.edu.netbios-ns > 128.235.35.255.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    4500 004e 338c 0000 8011 beb0 80eb 228d
    80eb 23ff 0089 0089 003a e3c4 92d5 0110
    0001 0000 0000 0000 2046 4344 4544 4544
    4144 4143 4143 4143 4143 4143 4143 4143
    4143 4143 4143 4141 4100 0020 0001
14:53:33.964837 cis-download.njit.edu.netbios-ns >
128.235.35.255.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    4500 004e 7856 0000 8011 7b86 80eb 20ed
    80eb 23ff 0089 0089 003a 3a81 fca7 0110
    0001 0000 0000 0000 2046 4845 5046 4345
    4c45 4846 4345 5046 4646 4143 4143 4143
    4143 4143 4143 4142 4c00 0020 0001
14:53:33.968612 cisnet-gw6.njit.edu.1985 > ALL-ROUTERS.MCAST.NET.1985: udp 20 [tos 0xc0]
    45c0 0030 0000 0000 0211 370a 80eb 2006
    e000 0002 07c1 07c1 001c 7986 0000 0803
    0a82 0100 6e6a 6974 3138 3831 80eb 2001
14:53:34.069763 0:0:81:65:4e:f6 > 1:0:81:0:1:0 sap aa ui/C
>>> Unknown IPX Data: (8 bytes)
[000] 1A 00 01 0C 2C 01 02 00   ....,...
len=8
    aaaa 0300 0081 01a2 80eb 201a 0001 0c2c
    0102 00
14:53:34.071554 0:0:81:65:4e:f6 > 1:0:81:0:1:1 sap aa ui/C
>>> Unknown IPX Data: (8 bytes)
[000] 1A 00 01 0C 2C 01 02 00   ....,...
len=8
    aaaa 0300 0081 01a1 80eb 201a 0001 0c2c
    0102 00
14:53:34.191028 cisnet-gw5.njit.edu.route > 255.255.255.255.route: RIPv1-resp [items 12]: {0.0.0.0}(1) {10.0.0.0}(1)[|rip] [tos 0xc0]
    45c0 0110 0000 0000 0211 162e 80eb 2005
    ffff ffff 0208 0208 00fc 7b97 0201 0000
    0002 0000 0000 0000 0000 0000 0000 0000
    0000 0001 0002 0000 0a00 0000 0000 0000
    0000 0000 0000 0001 0002 0000 80eb 5000
14:53:34.391606 arp who-has ps-hp4000-ccs-1.njit.edu (Broadcast) tell clusterm.njit.edu
    0001 0800 0604 0001 0800 2073 032c 80eb
    2361 ffff ffff ffff 80eb 20f5 ffff ffff
    0208 0208 00fc 7b97 0201 0000 0002
14:53:34.444426 802.1d config 8000.00:08:e2:b7:44:0b.8045 root 0063.00:d0:03:70:5c:0b pathcost 4 age 1 max 20 hello 2 fdelay 15
    4242 0300 0000 0000 0063 00d0 0370 5c0b
    0000 0004 8000 0008 e2b7 440b 8045 0100
    1400 0200 0f00
14:53:34.458657 dhcp34-141.njit.edu.netbios-ns > 128.235.35.255.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    4500 004e 338d 0000 8011 beaf 80eb 228d
    80eb 23ff 0089 0089 003a e3c4 92d5 0110
    0001 0000 0000 0000 2046 4344 4544 4544
    4144 4143 4143 4143 4143 4143 4143 4143
    4143 4143 4143 4141 4100 0020 0001
14:53:34.645829 arp who-has ps-hp1200n-cs-1.njit.edu tell
dhcp34-156.njit.edu
    0001 0800 0604 0001 0006 5b4a 069b 80eb
    229c 0000 0000 0000 80eb 20f8 0000 0000
    0000 0000 0000 0000 0000 0000 0000
14:53:34.712525 cis-download.njit.edu.netbios-ns > 128.235.35.255.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    4500 004e 7857 0000 8011 7b85 80eb 20ed
    80eb 23ff 0089 0089 003a 3a81 fca7 0110
    0001 0000 0000 0000 2046 4845 5046 4345
    4c45 4846 4345 5046 4646 4143 4143 4143
    4143 4143 4143 4142 4c00 0020 0001
14:53:34.750846 arp who-has cisnet-gw.njit.edu (Broadcast) tell alg.njit.edu
    0001 0800 0604 0001 0800 20ff bb50 80eb
    2366 ffff ffff ffff 80eb 2001 5555 5555
    5555 5555 5555 5555 5555 5555 5555
14:53:34.939444 cisnet-gw5.njit.edu.1985 > ALL-ROUTERS.MCAST.NET.1985: udp 20 [tos 0xc0]
    45c0 0030 0000 0000 0211 370b 80eb 2005
    e000 0002 07c1 07c1 001c 717d 0000 1003
    0a8c 0100 6e6a 6974 3138 3831 80eb 2001
14:53:35.229105 dhcp34-141.njit.edu.netbios-ns > 128.235.35.255.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    4500 004e 3390 0000 8011 beac 80eb 228d
    80eb 23ff 0089 0089 003a e3c2 92d7 0110
    0001 0000 0000 0000 2046 4344 4544 4544
    4144 4143 4143 4143 4143 4143 4143 4143
    4143 4143 4143 4141 4100 0020 0001
14:53:35.388595 dhcp34-207.njit.edu.netbios-dgm > 128.235.35.255.netbios-dgm:
>>> NBT UDP PACKET(138) Res=0x110E ID=0x83B5 IP=128 (0x80).235 (0xeb).34 (0x22).207 (0xcf) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
SourceName=EARTHLAB7 NameType=0x20 (Server)
DestName=
WARNING: Short packet.
Try increasing the snap length
    4500 00e5 4ac1 0000 8011 a6a2 80eb 22cf
    80eb 23ff 008a 008a 00d1 3ba4 110e 83b5
    80eb 22cf 008a 00bb 0000 2045 4645 4246
    4346 4545 4945 4d45 4245 4344 4843 4143
    4143 4143 4143 4143 4143 4100 2046 4845
14:53:35.391651 arp who-has ps-hp4000-ccs-1.njit.edu (Broadcast) tell clusterm.njit.edu
    0001 0800 0604 0001 0800 2073 032c 80eb
    2361 ffff ffff ffff 80eb 20f5 80eb 23ff
    008a 008a 00d1 3ba4 110e 83b5 80eb
14:53:35.463587 cis-download.njit.edu.netbios-ns > 128.235.35.255.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    4500 004e 7858 0000 8011 7b84 80eb 20ed
    80eb 23ff 0089 0089 003a 3a81 fca7 0110
    0001 0000 0000 0000 2046 4845 5046 4345
    4c45 4846 4345 5046 4646 4143 4143 4143
    4143 4143 4143 4142 4c00 0020 0001
14:53:35.501805 arp who-has dhcp34-205.njit.edu (Broadcast) tell clusterm.njit.edu
    0001 0800 0604 0001 0800 2073 032c 80eb
    2361 ffff ffff ffff 80eb 22cd 80eb 23ff
    0089 0089 003a 3a81 fca7 0110 0001
14:53:35.751410 sandra.njit.edu.61931 > 128.235.35.255.sunrpc: udp 104 (DF) [ttl 1]
    4500 0084 20ac 4000 0111 0f7e 80eb 236a
    80eb 23ff f1eb 006f 0070 c2a6 3dbe 15e6
    0000 0000 0000 0002 0001 86a0 0000 0002
    0000 0005 0000 0001 0000 001c 3db0 5afb
    0000 0006 7361 6e64 7261 0000 0000 0000
14:53:35.979507 dhcp34-141.njit.edu.netbios-ns > 128.235.35.255.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    4500 004e 3391 0000 8011 beab 80eb 228d
    80eb 23ff 0089 0089 003a e3c2 92d7 0110
    0001 0000 0000 0000 2046 4344 4544 4544
    4144 4143 4143 4143 4143 4143 4143 4143
    4143 4143 4143 4141 4100 0020 0001
14:53:36.183432 arp who-has cold.njit.edu tell cisnet-gw6.njit.edu
    0001 0800 0604 0001 00d0 0370 5ffd 80eb
    2006 0000 0000 0000 80eb 2185 0000 0000
    0000 0000 0000 0000 0000 0000 0000
----
14:53:36.190417 maan.njit.edu.403494031 > oak.njit.edu.nfs: 128 getattr [|nfs] (DF)
    4500 00a8 3576 4000 4006 15dd 80eb 20f3
    80eb cc33 03ff 0801 313f fce5 b832 fdae
    5018 60f4 6c13 0000 8000 007c 180c d48f
    0000 0000 0000 0002 0001 86a3 0000 0003
    0000
    0001 0000 0001 0000 0030 3db0 58b0

Neither this run (-x option) nor the other run (-e option) reports this is a TCP packet. Probably because not enough of the packet is available. [|nfs] means the packet was recognized as an nfs packet, but not enough of the packet was available for a complete recognition. I kept only the first 94 (14 + 80) bytes of every packet.

VERS = 4, HLEN = 5, ToS = 0,
TL = 10*16 + 8 = 168,
Ident = ``3576'',
DF = 1, M = 0, Fr.Offset = 0,
TTL = 4*16 = 64,
Prot = 6 (TCP),
Header Checksum = ``15dd'' = ...
Source Address = ``80.eb.20.f3'' = 128.235.32.243 (maan, see nslookup),
Dest Address = ``80.eb.cc.33'' = 128.235.204.51 (oak, see nslookup),

Since this is a TCP packet:
Source Port = ``03ff'' = 1023 (Reserved, see iana)
Dest Port = ``0801'' = 2049 (Sun Network File System, see iana).
Seq Num = ``313f fce5'' = ...
Ack Num = ``b832 fdae'' = ...
HLEN = 5
(Res, Flags) = ``018'' = (0000 0001 1000)
Res = 0, ACK = 1, PSH = 1, (URG = RST = SYN = FIN = 0)
WIN = ``60f4'' = 6*4096 + 15*16 + 4 = 24820
Checksum = ``6c13'' = ...
UrgPtr = ``0000'' = 0,
Data = ``8000 007c 180c ... ''.
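The IP, UDP and TCP header fields worked out by hand above (for this NFS call and for the NBT query at 14:53:28.415630) can be cross-checked with a short Python decoder; this is an added example, not part of the original notes. It also verifies the IP header checksum that the walk-through leaves as ``...'' and flags captures cut short by the snap length. The hex strings are copied from this page; the function names are assumptions.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Hex words copied from this page: the complete NBT query at 14:53:28.415630 and
# the first 80 bytes of the NFS call at 14:53:36.190417.
NBT_QUERY = ("4500 004e 3381 0000 8011 bebb 80eb 228d 80eb 23ff 0089 0089 003a e3c8 "
             "92d1 0110 0001 0000 0000 0000 2046 4344 4544 4544 4144 4143 4143 4143 "
             "4143 4143 4143 4143 4143 4143 4143 4141 4100 0020 0001")
NFS_CALL = ("4500 00a8 3576 4000 4006 15dd 80eb 20f3 80eb cc33 03ff 0801 313f fce5 "
            "b832 fdae 5018 60f4 6c13 0000 8000 007c 180c d48f 0000 0000 0000 0002 "
            "0001 86a3 0000 0003 0000 0001 0000 0001 0000 0030 3db0 58b0")
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bit 0 .. bit 5


def ones_complement_sum(data):
    """16-bit one's-complement sum, as used for the IP header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_ipv4(hex_words):
    pkt = bytes.fromhex("".join(hex_words.split()))
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4                      # HLEN is counted in 32-bit words
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad or truncated IPv4 header")
    tos, total_len, ident, frag, ttl, proto = struct.unpack("!xBHHHBB", pkt[:10])
    info = {
        "header_len": ihl, "tos": tos, "total_len": total_len, "ident": ident,
        "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000),
        "frag_offset": (frag & 0x1FFF) * 8, "ttl": ttl, "proto": proto,
        # A valid header, checksum field included, sums to 0xffff.
        "checksum_ok": ones_complement_sum(pkt[:ihl]) == 0xFFFF,
        "src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
        "truncated": len(pkt) < total_len,         # capture cut by the snap length
    }
    if info["frag_offset"]:
        return info                                # later fragments carry no transport header
    seg = pkt[ihl:]
    if proto == 17 and len(seg) >= 8:              # UDP
        sport, dport, udp_len = struct.unpack("!HHH", seg[:6])
        info.update(l4="udp", sport=sport, dport=dport, udp_len=udp_len)
    elif proto == 6 and len(seg) >= 20:            # TCP
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", seg[:16])
        info.update(l4="tcp", sport=sport, dport=dport, seq=seq, ack=ack,
                    tcp_header_len=(off_flags >> 12) * 4, window=win,
                    flags=[n for i, n in enumerate(TCP_FLAGS) if off_flags & (1 << i)])
    return info


def is_directed_broadcast(addr, network):
    """True if addr is the all-ones host address of the given subnet."""
    return IPv4Address(addr) == IPv4Network(network).broadcast_address


if __name__ == "__main__":
    for name, pkt in (("NBT query", NBT_QUERY), ("NFS call", NFS_CALL)):
        print(name, parse_ipv4(pkt))
    print(is_directed_broadcast(parse_ipv4(NBT_QUERY)["dst"], "128.235.32.0/22"))
```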
----
14:53:36.191275 oak.njit.edu.nfs > maan.njit.edu.403494031: reply ok 116 getattr [|nfs] (DF)
    4500 009c 52c4 4000 3f06 f99a 80eb cc33
    80eb 20f3 0801 03ff b832 fdae 313f fd65
    5018 60f4 8787 0000 8000 0070 180c d48f
    0000 0001 0000 0000 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0002 0000 03ff
14:53:36.211826 maan.njit.edu.403494032 > oak.njit.edu.nfs: 132 access [|nfs] (DF)
    4500 00ac 3577 4000 4006 15d8 80eb 20f3
    80eb cc33 03ff 0801 313f fd65 b832 fe22
    5018 60f4 6b11 0000 8000 0080 180c d490
    0000 0000 0000 0002 0001 86a3 0000 0003
    0000 0004 0000 0001 0000 0030 3db0 58b0
14:53:36.212762 oak.njit.edu.nfs > maan.njit.edu.403494032: reply ok 124 access c 0009 (DF)
    4500 00a4 52c5 4000 3f06 f991 80eb cc33
    80eb 20f3 0801 03ff b832 fe22 313f fde9
    5018 60f4 867b 0000 8000 0078 180c d490
    0000 0001 0000 0000 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0001 0000 0002
14:53:36.212885 maan.njit.edu.403494033 > oak.njit.edu.nfs: 136 lookup [|nfs] (DF)
    4500 00b0 3578 4000 4006 15d3 80eb 20f3
    80eb cc33 03ff 0801 313f fde9 b832 fe9e
    5018 60f4 8693 0000 8000 0084 180c d491
    0000 0000 0000 0002 0001 86a3 0000 0003
    0000 0003 0000 0001 0000 0030 3db0 58b0
14:53:36.213895 oak.njit.edu.nfs > maan.njit.edu.403494033: reply ok 244 lookup [|nfs] (DF)
    4500 011c 52c6 4000 3f06 f918 80eb cc33
    80eb 20f3 0801 03ff b832 fe9e 313f fe71
    5018 60f4 61fc 0000 8000 00f0 180c d491
    0000 0001 0000 0000 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0020 0154 0050
14:53:36.214045 maan.njit.edu.403494034 > oak.njit.edu.nfs: 128 getattr [|nfs] (DF)
    4500 00a8 3579 4000 4006 15da 80eb 20f3
    80eb cc33 03ff 0801 313f fe71 b832 ff92
    5018 60f4 3adc 0000 8000 007c 180c d492
    0000 0000 0000 0002 0001 86a3 0000 0003
    0000 0001 0000 0001 0000 0030 3db0 58b0
14:53:36.214984 oak.njit.edu.nfs > maan.njit.edu.403494034: reply ok 116 getattr [|nfs] (DF)
    4500 009c 52c7 4000 3f06 f997 80eb cc33
    80eb 20f3 0801 03ff b832 ff92 313f fef1
    5018 60f4 3397 0000 8000 0070 180c d492
    0000 0001 0000 0000 0000 0000 0000 0000
    0000 0000 0000
    0000 0000 0001 0000 0180
----
14:53:36.310145 maan.njit.edu.1023 > oak.njit.edu.nfsd: . ack 3090350086 win 24820 (DF)
    4500 0028 357a 4000 4006 1659 80eb 20f3
    80eb cc33 03ff 0801 313f fef1 b833 0006
    5010 60f4 6b78 0000

VERS = 4, HLEN = 5, ToS = 0,
TL = 2*16 + 8 = 40,
Ident = ``357a'',
DF = 1, M = 0, Fr.Offset = 0,
TTL = 4*16 = 64,
Prot = 6 (TCP),
H.Checksum = ``1659'' = ... ,
Source Address = ``80.eb.20.f3'' = 128.235.32.243
Dest Address = ``80.eb.cc.33'' = 128.235.204.51
--
maan-639 tcpoutput3>: nslookup 128.235.32.243
Server: dns1.njit.edu
Address: 128.235.251.10

Name: maan.njit.edu
Address: 128.235.32.243

maan-640 tcpoutput3>: nslookup 128.235.204.51
Server: dns1.njit.edu
Address: 128.235.251.10

Name: oak.njit.edu
Address: 128.235.204.51

This is an IP (TCP) packet from maan to oak.
--
This is a TCP Packet. Hence:
Source Port = ``03ff'' = 1023 (Reserved, see iana),
Dest Port = ``0801'' = 2049 (Sun Network File System, see iana),
Seq Num = ``313f fef1'' = ... ,
Ack Num = ``b833 0006'' = ... ,
HLEN = 5,
(Res, Fl) = ``010'' = (0000 0001 0000),
Res = 0, Flags = 010000: Ack field is valid.
Win = ``60f4'' = 24820 Bytes
TCP.Checksum = ``6b78'',
Urgent Pointer = ``0000''.

This is an acknowledgement packet. It contains no data.

Please note: Padding to 46 bytes is not indicated. I assume it is there but in case of TCP packets the tcpdump software does not bother to say so. ??? But I am not sure.
----
14:53:36.396077 arp who-has ps-hp4000-ccs-1.njit.edu (Broadcast) tell clusterm.njit.edu
    0001 0800 0604 0001 0800 2073 032c 80eb
    2361 ffff ffff ffff 80eb 20f5 2006 0000
    0000 0000 80eb 2185 0000 0000 0000
14:53:36.440804 802.1d config 8000.00:08:e2:b7:44:0b.8045 root 0063.00:d0:03:70:5c:0b pathcost 4 age 1 max 20 hello 2 fdelay 15
    4242 0300 0000 0000 0063 00d0 0370 5c0b
    0000 0004 8000 0008 e2b7 440b 8045 0100
    1400 0200 0f00
14:53:36.501570 arp who-has dhcp34-205.njit.edu (Broadcast) tell clusterm.njit.edu
    0001 0800 0604 0001 0800 2073 032c 80eb
    2361 ffff ffff ffff 80eb 22cd 0000 0000
    f654 f558 f654 f5a0 0100 0000 f591
14:53:36.729965 dhcp34-141.njit.edu.netbios-ns > 128.235.35.255.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    4500 004e 3392 0000 8011 beaa 80eb 228d
    80eb 23ff 0089 0089 003a e3c2 92d7 0110
    0001 0000 0000 0000 2046 4344 4544 4544
    4144 4143 4143 4143 4143 4143 4143 4143
    4143 4143 4143 4141 4100 0020 0001
14:53:36.836486 cisnet-gw6.njit.edu.1985 > ALL-ROUTERS.MCAST.NET.1985: udp 20 [tos 0xc0]
    45c0 0030 0000 0000 0211 370a 80eb 2006
    e000 0002 07c1 07c1 001c 7986 0000 0803
    0a82 0100 6e6a 6974 3138 3831 80eb 2001