LinuxQuestions.org
Old 04-26-2004, 11:37 PM   #1
unixbrain
Member
 
Registered: Sep 2003
Posts: 33

Rep: Reputation: 15
tcpdump interpretation


Hi! I am exploring networking with Linux. I found that tcpdump is an interesting tool.

arp who-has 139.86.155.52 tell 139.86.155.50
arp reply 139.86.155.52 is-at 0:8:74:2f:a5:ac

The output above is extracted. I did not call the command arp; does it mean that someone else is using a computer in the network and using arp? Or does the system also use arp to look for a host?

----------------------------------

802.1d config 809b.00:05:dc:cc:98:c0.800f root 8000.00:02:7d:35:bd:28 pathcost 52 age 3 max 20 hello 2 fdelay 15

The output above is also extracted. What is 802.1d? Is the output above a TCP packet? How can you tell? Also, why is there a 'hello'? Sometimes I also see 'reply ok', 'write', etc. What are they?

--------------------------------

219.95.226.81.1025 > 139.86.155.51.telnet: . ack 2780 win 56800 <nop,nop,timestamp 59317 377037602>

In the output above, I want to know what ...<nop,nop,timestamp 59317 377037602>... means.

---------------------------------

139.86.155.50.999 > 139.86.155.52.32872: R 0:0(0) ack 1979298613 win 0 (DF) [tos 0x10]
0:5:dc:cc:98:cf 0:5:dc:cc:98:cf loopback 60:
0000 0100 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000
For the output above, can you explain why there is such an output and what it means?

------------------------------------

I am also curious whether, if anyone logs in, probably using telnet or ftp, tcpdump can also sniff the packet. How do we identify the packet? If anyone has logged in using telnet and types a few characters, can we see the characters typed? How do we identify that a user has typed or is typing and has pressed the return key?

------------------------------------

139.86.155.51.1858029306 > 139.86.155.50.2049: 116 getattr [|nfs] (DF)

What does the output mean? Isn't the figure 139.86.155.51.1858029306 at the last part too big?

Many questions... I'm hoping I can be enlightened by you experts out there. Thanks!
 
Old 04-27-2004, 12:14 AM   #2
ToeShot
Member
 
Registered: Nov 2001
Location: Near Chicago
Distribution: FC5, Solaris 10, WinXP
Posts: 152

Rep: Reputation: 30
Looks like you're a little new to networking tools. To explain everything to you would take up way too much space, mainly because I would get into too much detail. There is a very good book that analyzes packets with tcpdump; it's called 'Network Intrusion Detection'. It is a very good book, but I would also recommend a networking book that goes over the basics like ARP (Address Resolution Protocol). Well, have fun and happy sniffing.
 
Old 04-27-2004, 05:13 AM   #3
chris78
LQ Newbie
 
Registered: Mar 2004
Location: germany
Distribution: Slackware & RedHat
Posts: 28

Rep: Reputation: 15
Especially if you are new to networking and Linux you should not use tcpdump.
It generally just mangles the info into unreadable (except to its author, maybe) output.
Why don't you try Ethereal first?

http://www.ethereal.com/

I think its output is much easier to understand.
And then you maybe don't even need to buy a book. You can find tons of resources and documentation online. For example, copy the abbreviation of the protocol name you are curious about into Google and I am sure you will almost always find something useful.
For example like this


Chris

Last edited by chris78; 04-27-2004 at 05:22 AM.
 
Old 04-27-2004, 05:20 AM   #4
chris78
LQ Newbie
 
Registered: Mar 2004
Location: germany
Distribution: Slackware & RedHat
Posts: 28

Rep: Reputation: 15
Quote:
arp who-has 139.86.155.52 tell 139.86.155.50
arp reply 139.86.155.52 is-at 0:8:74:2f:a5:ac

The output above is extracted. I did not call the command arp; does it mean that someone else is using a computer in the network and using arp? Or does the system also use arp to look for a host?
To bring at least a little bit of light into the dark:
ARP is like the yellow pages for a network. Networks based on (nowadays very common) Ethernet use MAC addresses. An example is in your output here: "0:8:74:2f:a5:ac".
They are the address of exactly one network card. So if your computer decides to talk to another one on the network, he can't use IP addresses. He has to find out the MAC address of the target. So he asks:

arp who-has 139.86.155.52 tell 139.86.155.50

Who has the IP address "139.86.155.52"? If someone knows, please tell me, "139.86.155.50".
So the reply is like:
The IP address "139.86.155.52" is reachable under the MAC-address "0:8:74:2f:a5:ac".

Chris

Last edited by chris78; 04-27-2004 at 05:23 AM.
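As an added example (not code from the thread or from tcpdump), here is the ARP exchange chris78 describes, parsed from tcpdump's text output in Python and taken one step beyond the post: it keeps the IP-to-MAC table that the replies build up and reports when an IP answers with a different MAC than before, which is worth noticing on a monitored segment (it is normal after a NIC swap, but it is also what ARP spoofing looks like). The first two sample lines are the ones quoted above; the third is constructed.

```python
import re

# Constructed sample: the two ARP lines from the thread, plus one constructed
# reply in which the same IP is announced with a different MAC address.
SAMPLE = """\
arp who-has 139.86.155.52 tell 139.86.155.50
arp reply 139.86.155.52 is-at 0:8:74:2f:a5:ac
arp reply 139.86.155.52 is-at 0:5:dc:cc:98:cf
"""

# Patterns match the tcpdump ARP summary format; 're.search' rather than a
# '^' anchor lets them also work on lines that carry a leading timestamp.
WHO_HAS = re.compile(r"\barp who-has (\S+) tell (\S+)\b")
REPLY = re.compile(r"\barp reply (\S+) is-at (\S+)\b")


def parse_arp_line(line):
    """Return ('request', target_ip, asker_ip), ('reply', ip, mac), or None."""
    m = WHO_HAS.search(line)
    if m:
        return ("request", m.group(1), m.group(2))
    m = REPLY.search(line)
    if m:
        return ("reply", m.group(1), m.group(2))
    return None  # not an ARP line (TCP, NFS, 802.1d, ...)


def normalize_mac(mac):
    """tcpdump prints MACs without leading zeros ('0:8:74:...'); pad each octet."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def build_arp_table(text):
    """Replay the replies in 'text'.

    Returns (table, conflicts): table maps IP -> most recently announced MAC,
    conflicts lists (ip, previous_mac, new_mac) whenever an IP changes MAC.
    """
    table, conflicts = {}, []
    for line in text.splitlines():
        parsed = parse_arp_line(line)
        if parsed is None or parsed[0] != "reply":
            continue  # requests carry no IP->MAC binding, so only replies count
        _, ip, mac = parsed
        mac = normalize_mac(mac)
        if ip in table and table[ip] != mac:
            conflicts.append((ip, table[ip], mac))
        table[ip] = mac
    return table, conflicts


if __name__ == "__main__":
    table, conflicts = build_arp_table(SAMPLE)
    for ip, mac in table.items():
        print(f"{ip} is-at {mac}")
    for ip, old, new in conflicts:
        print(f"MAC change for {ip}: {old} -> {new}")
```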
 
Old 04-27-2004, 10:43 PM   #5
unixbrain
Member
 
Registered: Sep 2003
Posts: 33

Original Poster
Rep: Reputation: 15
simple answers

Hi! all!

I just need simple answers. If I have any questions I will ask again. I have read some of the manuals and books, but can't seem to find the answers. Maybe I can see from your perspective.

Thanks!
 
Old 04-27-2004, 11:54 PM   #6
ToeShot
Member
 
Registered: Nov 2001
Location: Near Chicago
Distribution: FC5, Solaris 10, WinXP
Posts: 152

Rep: Reputation: 30
You need simple answers, but the answers we would give you would mean absolutely nothing if you don't have an understanding of how networking works. The book I suggested has all the answers you are looking for, but it is over 300 pages and there is no way I could type it on this forum. The book also walks you through each part of the packet and the tcpdump output so you will have a clear understanding of what is going on. To expect an answer like that on any forum most likely would not happen. That's why we try to point you in the right direction to get the clear answer you're looking for.
 
Old 04-28-2004, 04:02 AM   #7
chris78
LQ Newbie
 
Registered: Mar 2004
Location: germany
Distribution: Slackware & RedHat
Posts: 28

Rep: Reputation: 15
Re: simple answers

Quote:
Originally posted by unixbrain
I just need simple answers. If I have any questions I will ask again. I have read some of the manuals and books, but can't seem to find the answers. Maybe I can see from your perspective.

Thanks!
Even if we took the time and tried to explain all of your questions, they could never be "simple answers". Networking is just not simple.
It is complicated enough to take months to study it well.
 
Old 04-28-2004, 04:37 AM   #8
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
There's no substitute for fundamental knowledge. Using a tool like Ethereal with a pretty GUI doesn't help much if you just don't understand fundamental networking.

You need TCP/IP Illustrated, Volume 1. After that you'll not only know how to interpret ARP, but you'll also know tcpdump, TCP options, ICMP types/codes, etc., i.e. everything you need to know about the common network protocols.
 