LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   tcpdump interpretation (http://www.linuxquestions.org/questions/linux-networking-3/tcpdump-interpretation-174959/)

unixbrain 04-26-2004 11:37 PM

tcpdump interpretation
 
Hi! I am exploring networking with Linux. i found that tcpdump is an interesting tool.

arp who-has 139.86.155.52 tell 139.86.155.50
arp reply 139.86.155.52 is-at 0:8:74:2f:a5:ac

the output above is extracted. I did not call the command arp, does it mean that someone else is using a computer in the network and using arp? Or does the system also uses the arp to look for a host?

----------------------------------

802.1d config 809b.00:05:dc:cc:98:c0.800f root 8000.00:02:7d:35:bd:28 pathcost 52 age 3 max 20 hello 2 fdelay 15

The output above is also extracted. what is 802.1d? Is the output above a tcp packet? How can u tell? Also, why is there a 'hello'? Sometimes I also see 'reply ok', 'write', etc. What are they?

--------------------------------

219.95.226.81.1025 > 139.86.155.51.telnet: . ack 2780 win 56800 <nop,nop,timestamp 59317 377037602>

In the output above, I wanna know what is ...<nop,nop,timestamp 59317 377037602>....means

---------------------------------

139.86.155.50.999 > 139.86.155.52.32872: R 0:0(0) ack 1979298613 win 0 (DF) [tos 0x10]
0:5:dc:cc:98:cf 0:5:dc:cc:98:cf loopback 60:
0000 0100 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000
For the output above, can u explain why are there such an output and what does it mean?

------------------------------------

I am also curious whether if anyone logs in, probably using telnet or ftp, tcpdump can also sniff the packet? How do we identify the packet? If anyone has logged in using telnet, and types a few characters. Can we see the charaters typed? How to identify that a user has typed or is typing and pressed return key?

------------------------------------

139.86.155.51.1858029306 > 139.86.155.50.2049: 116 getattr [|nfs] (DF)

what does the output mean? isn't the figure 139.86.155.51.1858029306 at the last part too big?

Many questions...I m hoping I can be enlightened by u experts out there. Thanx! :D

ToeShot 04-27-2004 12:14 AM

Looks Like your a little new to networking tool. To explain everything to you would take up way to much space, mainly because I would get into to much detail. there is a very good book that analyzes packets with tcpdump it's called 'Network Intrusion Detection' it is a very good book, but I would also recomend a networking book that goes over the basics like ARP (Address Resolution Protocol) well have fun and happy sniffing.

chris78 04-27-2004 05:13 AM

Especially if you are new to networking and linux you should not use tcpdump.
It generally just screws up the info into unreadabl (except its author maybe) output.
Why dont you try ethereal for first.

http://www.ethereal.com/

I think it is much more easy to understand its output.
And you maybe then even dont need to buy a book. You can find tons of resources and documentations online. For example copy the shortcut of the protocoll name you are curious about into google and i am sure you will find something usefull almost.
For example like this


Chris

chris78 04-27-2004 05:20 AM

Quote:

arp who-has 139.86.155.52 tell 139.86.155.50
arp reply 139.86.155.52 is-at 0:8:74:2f:a5:ac

the output above is extracted. I did not call the command arp, does it mean that someone else is using a computer in the network and using arp? Or does the system also uses the arp to look for a host?
To bring at least a little bit light into the dark.
ARP is like yellowpages for a network. Networks based on (nowadays very common) ethernet use MAC-addresses. An example is in your output here "0:8:74:2f:a5:ac".
They are the address of exactly one network card. So if your computer decides to talk to another one on the network he cant use IP addresses. He has to find out the MAC-address of the target. So he asks:

arp who-has 139.86.155.52 tell 139.86.155.50

Who has the ip address "139.86.155.52", and if someone know please tell me "139.86.155.50".
So the reply is like:
The IP address "139.86.155.52" is reachable under the MAC-address "0:8:74:2f:a5:ac".

Chris

unixbrain 04-27-2004 10:43 PM

simple answers
 
Hi! all!

I just need simple answers. If I have any q's I will ask again. I have read some of the manuals, and books, but cant seem to find the answers. Mayve I can see from ur perspective.

Thanx! :D

ToeShot 04-27-2004 11:54 PM

You need simple answers but the answers we would give you would mean absolutely nothing if you don't have an understanding of how networking works. The book I suggested has all the answers you are looking for but it is over 300 pages and there is know way I could type it on this forum. But the book also walks you through each part of the packet and the tcpdump so you will have a clear understanding of what is going on. To expect an answer like that on any forum mostlikely would not happen. That why we try and point in the you in the right direction to get the clear answer your looking for.

chris78 04-28-2004 04:02 AM

Re: simple answers
 
Quote:

Originally posted by unixbrain
I just need simple answers. If I have any q's I will ask again. I have read some of the manuals, and books, but cant seem to find the answers. Mayve I can see from ur perspective.

Thanx! :D
Even if we would take the time and try to explain all of your questions they could never be "simple answers". Networking is just not simple.
It is complicated enough to take months to study them well.

chort 04-28-2004 04:37 AM

There's not substitute for fundamental knowledge. Using a tool like Ethereal with a pretty GUI doesn't help much if you just don't understand fundamental networking.

You need TCP/IP Illustrated, Volume 1. After that you'll not only know to to interpret ARP, but you'll also know tcpdump, TCP options, ICMP types/codes, etc... i.e. everything you need to know about the common network protocols.


All times are GMT -5. The time now is 11:05 AM.