LinuxQuestions.org
Old 04-28-2005, 05:59 AM   #1
shivaligupta
Member
 
Registered: Oct 2004
Posts: 45

Rep: Reputation: 15
tcpdump- link level header pcap


When I read the man page of tcpdump, it says that if we use the -e option with it, it will print link-level headers.
-e Print the link-level header on each dump line.

What do we exactly mean by link level header?

When I used it, it printed something like:


13:48:48.993388 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.145918 0:d:28:73:bd:85 0:d:28:73:bd:85 loopback 60:
0000 0100 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000
13:48:49.211845 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.211874 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.211879 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.211884 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.211895 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.211910 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.233395 0:d:60:6a:71:91 Broadcast arp 60: arp who-has 10.20.81.230 tell 10.20.81.70
13:48:49.254576 0:10:b5:aa:29:ee Broadcast ip 92: 10.20.81.187.netbios-ns > 10.20.81.255.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:48:49.272867 0:d:28:73:bd:85 1:80:c2:0:0:0 0026 60: 802.1d ui/C
>>> IPX transport Data: (107 bytes)
[000] 00 00 00 00 00 80 00 00 02 B9 C9 96 C0 00 00 0C ........ ........
[010] 39 C0 01 00 0D 28 73 BD 80 80 05 03 00 14 00 02 9....(s. ........
[020] 00 0F 00 00 00 00 00 00 00 00 00 49 45 50 45 4E ........ ...IEPEN
[030] 45 46 43 41 43 41 43 41 43 41 43 41 43 41 43 41 EFCACACA CACACACA
[040] 43 41 43 41 42 4C 00 00 20 00 01 C0 0C 00 20 00 CACABL.. ..... .
[050] 01 00 04 93 E0 00 06 80 00 0A 14 51 D1 41 43 41 ........ ...Q.ACA
[060] 43 41 43 41 43 41 43 41 42 4E 00 CACACACA BN.

SMB PACKET: SMBtrans (REQUEST)

len=43
13:48:49.303764 0:7:95:16:59:16 Broadcast 0026 60: sap e0 ui/C
>>> IPX transport Data: (107 bytes)
[000] FF FF 00 22 00 00 00 00 00 00 FF FF FF FF FF FF ...".... ........
[010] 04 52 00 00 00 00 00 07 95 16 59 16 40 00 00 03 .R...... ..Y.@...
[020] 00 04 00 20 20 20 20 20 20 20 20 49 45 50 45 4E ... IEPEN
[030] 45 46 43 41 43 41 43 41 43 41 43 41 43 41 43 41 EFCACACA CACACACA
[040] 43 41 43 41 42 4C 00 00 20 00 01 C0 0C 00 20 00 CACABL.. ..... .
[050] 01 00 04 93 E0 00 06 80 00 0A 14 51 D1 41 43 41 ........ ...Q.ACA
[060] 43 41 43 41 43 41 43 41 42 4E 00 CACACACA BN.

SMB PACKET: SMBtrans (REQUEST)

len=43
13:48:49.321207 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.321236 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.321241 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.321246 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34


Please tell me, can we print this directly by using any function from the pcap library?

Please help.

Thanks in advance.

Last edited by shivaligupta; 04-28-2005 at 06:18 AM.
 
Old 04-28-2005, 07:28 AM   #2
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
What do we exactly mean by link level header?

Include OSI layer 2 info (like MAC addresses) in tcpdump output.

Please tell me, can we print this directly by using any function from the pcap library?

I don't really know about the pcap library functions, but I do print interesting packets from packet captures on a daily basis using ethereal, which uses the same pcap library as tcpdump.
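Added example, not part of either post: libpcap hands a capture callback the raw frame bytes, and on an Ethernet capture the link-level header is the first 14 of them, so a program formats it itself. The sketch below reproduces the "src dst type len:" prefix seen in the output above from a byte buffer, checking the captured length before reading the header; the function names and the two sample frames are constructed for illustration, and the libpcap hookup is described in a comment rather than linked in.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETH_HDR_LEN 14 /* dst MAC (6) + src MAC (6) + type/length (2) */

/* MAC in the style of the output above: no leading zeros, all-ones as "Broadcast". */
static void fmt_mac(const uint8_t *m, char *out, size_t n)
{
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    if (memcmp(m, bcast, 6) == 0)
        snprintf(out, n, "Broadcast");
    else
        snprintf(out, n, "%x:%x:%x:%x:%x:%x", m[0], m[1], m[2], m[3], m[4], m[5]);
}

/* Writes "src dst type len:" for one Ethernet frame. In a pcap_loop() callback,
 * pass bytes, h->caplen and h->len, after pcap_datalink() returned DLT_EN10MB.
 * Returns 0, or -1 if the capture is shorter than the header or out is too small. */
int fmt_link_header(const uint8_t *frame, size_t caplen, size_t wirelen,
                    char *out, size_t n)
{
    char src[24], dst[24], type[8];
    if (frame == NULL || caplen < ETH_HDR_LEN)
        return -1; /* never read past what was actually captured */
    fmt_mac(frame, dst, sizeof dst);
    fmt_mac(frame + 6, src, sizeof src);
    unsigned t = ((unsigned)frame[12] << 8) | frame[13]; /* network byte order */
    if (t == 0x0800)      snprintf(type, sizeof type, "ip");
    else if (t == 0x0806) snprintf(type, sizeof type, "arp");
    else                  snprintf(type, sizeof type, "%04x", t); /* other type or 802.3 length */
    int r = snprintf(out, n, "%s %s %s %zu:", src, dst, type, wirelen);
    return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

/* Constructed sample frames (header bytes only; payload omitted). */
static const uint8_t SAMPLE_ARP[ETH_HDR_LEN] = {0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x09,0x6b,0x99,0x3f,0x74, 0x08,0x06};
static const uint8_t SAMPLE_STP[ETH_HDR_LEN] = {0x01,0x80,0xc2,0x00,0x00,0x00, 0x00,0x0d,0x28,0x73,0xbd,0x85, 0x00,0x26};

/* Formats a sample with wire length 60 into a static buffer; returns "" on error. */
const char *demo_line(const uint8_t *frame, size_t caplen)
{
    static char line[80];
    return fmt_link_header(frame, caplen, 60, line, sizeof line) == 0 ? line : "";
}

int main(void)
{
    puts(demo_line(SAMPLE_ARP, sizeof SAMPLE_ARP));
    puts(demo_line(SAMPLE_STP, sizeof SAMPLE_STP));
}
```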
 
  

