Interpreting the Output from tcpdump

In all my examples, I used the -eSv arguments to control what tcpdump displayed. The -e argument prints the Ethernet header (i.e., the source and destination MAC addresses). The -S argument displays TCP sequence numbers in absolute format instead of relative format. You need this when trying to match a tcpdump trace to a trace taken on another network with an analyzer that only displays sequence numbers in absolute format. I find it easier to always use -S, because I never know when I will need to compare traces. The -v argument displays additional header information, such as the IP ID value and the TTL value. There are many other arguments, and I'll refer you to the man page for the rest of them. Note that tcpdump does not display the fields in the order in which they appear in the actual packet structure. For example, tcpdump displays the source MAC address first, while in reality the destination MAC address comes first. Also, the IP address and TCP port values are displayed together, and some of the IP fields are displayed at the end of the line.
TCP Packet
16:54:34.954674 0:e0:1e:60:8e:c7 0:50:bf:16:ba:ae
ip 70: Top.1064 > RoadRunner.2080: P [tcp sum ok]
2346664938:2346664942(4) ack 384981432 win 5840
<nop,nop,timestamp 16589474 2052886> (DF) [tos
0x10] (ttl 63, id 20442, len 56)
16:54:34.954674 absolute timestamp
0:e0:1e:60:8e:c7 source MAC address
0:50:bf:16:ba:ae destination MAC address
ip 70 IP packet length
Top IP address/name of source
1064 TCP port number of source
> direction indicator
RoadRunner IP address/name of destination
2080 TCP destination port number
P TCP flag (P for push just indicates that data should be sent up the stack; R would indicate that the connection should be reset)
[tcp sum ok] indication that TCP checksum is OK
2346664938:2346664942(4) TCP starting:ending sequence numbers
ack 384981432 TCP acknowledgement sequence number
win 5840 TCP window size
<nop,nop,timestamp 16589474 2052886> TCP options
(DF) IP don't fragment flag is set
[tos 0x10] IP type of service value
ttl 63 IP time to live value
id 20442 IP identification value
len 56 TCP packet length
ARP Request
16:56:53.804674 0:50:bf:16:ba:ae Broadcast arp 60: arp who-has 192.168.1.99 tell RoadRunner
16:56:53.804674 absolute timestamp
0:50:bf:16:ba:ae source MAC address
Broadcast destination MAC address
arp 60 ARP protocol, length 60
arp who-has 192.168.1.99 ARP request looking for IP address
tell RoadRunner IP address/name to send reply to
ARP Reply
16:56:53.804674 0:50:bf:2e:1e:56 0:50:bf:16:ba:ae arp 42: arp reply 192.168.1.99 is-at 0:50:bf:2e:1e:56
16:56:53.804674 absolute timestamp
0:50:bf:2e:1e:56 source MAC address
0:50:bf:16:ba:ae destination MAC address
arp 42 ARP protocol, length 42
arp reply ARP reply
192.168.1.99 is-at 0:50:bf:2e:1e:56 MAC address of the host that has the requested IP address/name
ICMP Echo
17:33:00.574674 0:50:ba:a1:19:21 0:50:bf:16:ba:ae ip 98: Daffy > RoadRunner: icmp: echo request (DF) (ttl 64, id 0, len 84)
17:33:00.574674 absolute timestamp
0:50:ba:a1:19:21 source MAC address
0:50:bf:16:ba:ae destination MAC address
ip 98 IP packet length
Daffy IP address/name of source
> direction indicator
RoadRunner IP address/name of destination
icmp: echo request ICMP echo request (ping) packet
(DF) IP don't fragment flag is set
ttl 64 IP time to live value
id 0 IP ID value
len 84 icmp packet length
ICMP Echo Reply
17:33:00.574674 0:50:bf:16:ba:ae 0:50:ba:a1:19:21 ip 98: RoadRunner > Daffy: icmp: echo reply (DF) (ttl 128, id 3529, len 84)
17:33:00.574674 absolute timestamp
0:50:bf:16:ba:ae source MAC address
0:50:ba:a1:19:21 destination MAC address
ip 98 IP packet length
RoadRunner IP address/name of source
> direction indicator
Daffy IP address/name of destination
icmp: echo reply ICMP echo reply (ping reply) packet
(DF) IP don't fragment flag is set
ttl 128 IP time to live value
id 3529 IP ID value
len 84 icmp packet length
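As an added example that is not part of the original article, the parser below pulls the fields described above out of tcpdump -eSv lines (TCP, ICMP and ARP) and can re-order them into true on-the-wire header order, since tcpdump prints the source MAC before the destination MAC and pushes several IP fields to the end of the line. The sample input is the frames shown above joined onto single lines; the field names and regular expressions are my own, not tcpdump's.

```python
import re

# Constructed sample input: three frames shown above, each joined onto one line as tcpdump -eSv prints it.
SAMPLE = [
    "16:54:34.954674 0:e0:1e:60:8e:c7 0:50:bf:16:ba:ae ip 70: Top.1064 > RoadRunner.2080: P [tcp sum ok] "
    "2346664938:2346664942(4) ack 384981432 win 5840 <nop,nop,timestamp 16589474 2052886> (DF) [tos 0x10] (ttl 63, id 20442, len 56)",
    "17:33:00.574674 0:50:ba:a1:19:21 0:50:bf:16:ba:ae ip 98: Daffy > RoadRunner: icmp: echo request (DF) (ttl 64, id 0, len 84)",
    "16:56:53.804674 0:50:bf:16:ba:ae Broadcast arp 60: arp who-has 192.168.1.99 tell RoadRunner",
]

# -e prefix: timestamp, source MAC, destination MAC, protocol, frame length; everything after is the body.
HEAD = re.compile(r"^(?P<ts>\S+) (?P<smac>\S+) (?P<dmac>\S+) (?P<proto>ip|arp) (?P<flen>\d+): (?P<rest>.*)$")
# TCP body: src.port > dst.port: flags [checksum] start:end(len) ack N win N <options>
TCP = re.compile(r"^(?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): (?P<flags>[SFRPUWE.]+) "
                 r"(?:\[tcp sum (?P<csum>ok|bad)\] )?(?:(?P<seq>\d+):(?P<seqend>\d+)\((?P<dlen>\d+)\) )?"
                 r"(?:ack (?P<ack>\d+) )?win (?P<win>\d+)(?: <(?P<opts>[^>]*)>)?")
ICMP = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): icmp: (?P<icmp>[^(]+?)\s*(?=\(|$)")
ARP = re.compile(r"^arp (?:who-has (?P<target>\S+) tell (?P<sender>\S+)|reply (?P<ip>\S+) is-at (?P<mac>\S+))$")
# IP trailer that -v appends after the transport fields: (DF) [tos 0x..] (ttl N, id N, len N)
IPTAIL = re.compile(r"(?:\((?P<df>DF)\) )?(?:\[tos (?P<tos>0x[0-9a-f]+)\] )?\(ttl (?P<ttl>\d+), id (?P<id>\d+), len (?P<len>\d+)\)$")
INTS = {"flen", "sport", "dport", "seq", "seqend", "dlen", "ack", "win", "ttl", "id", "len"}
# Order the headers actually sit in the packet, which -e output does not follow (dst MAC precedes src MAC).
WIRE_ORDER = ("dmac", "smac", "tos", "len", "id", "df", "ttl", "src", "dst",
              "sport", "dport", "seq", "ack", "flags", "win", "csum", "opts")

def _take(rec, m):
    rec.update({k: v for k, v in m.groupdict().items() if v is not None and k != "rest"})

def parse_line(line):
    """Parse one tcpdump -eSv line into a dict; numeric fields become ints, df a bool."""
    head = HEAD.match(line)
    if not head: raise ValueError("not a tcpdump -e line: " + line)
    rec, rest = {}, head.group("rest")
    _take(rec, head)
    if rec["proto"] == "arp":
        body, rec["l4"] = ARP.match(rest), "arp"
    else:
        tail = IPTAIL.search(rest)
        if not tail: raise ValueError("missing -v IP trailer: " + line)
        _take(rec, tail)
        rec["df"] = rec.get("df") == "DF"
        body = TCP.match(rest)
        rec["l4"] = "tcp" if body else "icmp"
        body = body or ICMP.match(rest)
    if not body: raise ValueError("unrecognised body: " + rest)
    _take(rec, body)
    return {k: int(v) if k in INTS else v for k, v in rec.items()}

def wire_order(rec):
    """Return (field, value) pairs in true header order rather than tcpdump's print order."""
    return [(k, rec[k]) for k in WIRE_ORDER if k in rec]
```

Feeding a whole capture through parse_line gives you structured records you can check for the things the annotations above point at, such as a TCP payload whose end minus start does not equal the byte count in parentheses, or a host whose TTL changes between packets.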