tcpdump - link level header pcap
When I read the man page of tcpdump, it says that if we use the -e option with it, it will print link-level headers.

-e Print the link-level header on each dump line.

What do we exactly mean by link level header? When I used it, it printed something like:

13:48:48.993388 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.145918 0:d:28:73:bd:85 0:d:28:73:bd:85 loopback 60:
0000 0100 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
13:48:49.211845 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.211874 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.211879 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.211884 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.211895 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.211910 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.233395 0:d:60:6a:71:91 Broadcast arp 60: arp who-has 10.20.81.230 tell 10.20.81.70
13:48:49.254576 0:10:b5:aa:29:ee Broadcast ip 92: 10.20.81.187.netbios-ns > 10.20.81.255.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:48:49.272867 0:d:28:73:bd:85 1:80:c2:0:0:0 0026 60: 802.1d ui/C
>>> IPX transport Data: (107 bytes)
[000] 00 00 00 00 00 80 00 00 02 B9 C9 96 C0 00 00 0C ........ ........
[010] 39 C0 01 00 0D 28 73 BD 80 80 05 03 00 14 00 02 9....(s. ........
[020] 00 0F 00 00 00 00 00 00 00 00 00 49 45 50 45 4E ........ ...IEPEN
[030] 45 46 43 41 43 41 43 41 43 41 43 41 43 41 43 41 EFCACACA CACACACA
[040] 43 41 43 41 42 4C 00 00 20 00 01 C0 0C 00 20 00 CACABL.. ..... .
[050] 01 00 04 93 E0 00 06 80 00 0A 14 51 D1 41 43 41 ........ ...Q.ACA
[060] 43 41 43 41 43 41 43 41 42 4E 00 CACACACA BN.
SMB PACKET: SMBtrans (REQUEST) len=43
13:48:49.303764 0:7:95:16:59:16 Broadcast 0026 60: sap e0 ui/C
>>> IPX transport Data: (107 bytes)
[000] FF FF 00 22 00 00 00 00 00 00 FF FF FF FF FF FF ...".... ........
[010] 04 52 00 00 00 00 00 07 95 16 59 16 40 00 00 03 .R...... ..Y.@...
[020] 00 04 00 20 20 20 20 20 20 20 20 49 45 50 45 4E ... IEPEN
[030] 45 46 43 41 43 41 43 41 43 41 43 41 43 41 43 41 EFCACACA CACACACA
[040] 43 41 43 41 42 4C 00 00 20 00 01 C0 0C 00 20 00 CACABL.. ..... .
[050] 01 00 04 93 E0 00 06 80 00 0A 14 51 D1 41 43 41 ........ ...Q.ACA
[060] 43 41 43 41 43 41 43 41 42 4E 00 CACACACA BN.
SMB PACKET: SMBtrans (REQUEST) len=43
13:48:49.321207 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.321236 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.321241 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.321246 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34

Please tell, can we print this directly by using any function from the pcap library? Please help.

Thanks in advance.
What do we exactly mean by link level header?

Include OSI layer 2 info (like MAC addresses) in tcpdump output.

Please tell, can we print this directly by using any function from the pcap library?

I don't really know about the pcap library functions, but I do print interesting packets from packet captures on a daily basis using Ethereal, which uses the same pcap library as tcpdump.
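
Added example, not part of the thread and not tcpdump's own code: a C routine that decodes the 14-byte Ethernet link-level header from a captured packet buffer and formats it roughly like the `-e` output quoted in the question. In a libpcap program it would be called from the packet callback given to `pcap_loop()`, with the `caplen` and `len` fields of `struct pcap_pkthdr`, after checking that `pcap_datalink()` returns `DLT_EN10MB`; the function names, the sample frame and the exact output format are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ETH_HDR_LEN 14  /* 6 dst MAC + 6 src MAC + 2 type/length */

/* Write a MAC the way the quoted output shows it: hex, no zero padding. */
static int fmt_mac(const unsigned char *m, char *out, size_t n)
{
    static const unsigned char bcast[6] = {0xff,0xff,0xff,0xff,0xff,0xff};
    if (memcmp(m, bcast, 6) == 0)
        return snprintf(out, n, "Broadcast");
    return snprintf(out, n, "%x:%x:%x:%x:%x:%x",
                    m[0], m[1], m[2], m[3], m[4], m[5]);
}

/* Format "src dst type len:" for one Ethernet frame (hypothetical helper).
 * pkt/caplen are the captured bytes, wirelen the on-wire length.
 * Returns 0 on success, -1 if the capture is too short or out is too small. */
int format_link_header(const unsigned char *pkt, size_t caplen,
                       size_t wirelen, char *out, size_t outlen)
{
    char src[32], dst[32], type[16];
    unsigned int ethertype;

    if (pkt == NULL || caplen < ETH_HDR_LEN)
        return -1;  /* never read past a truncated capture */

    fmt_mac(pkt, dst, sizeof dst);        /* bytes 0-5: destination */
    fmt_mac(pkt + 6, src, sizeof src);    /* bytes 6-11: source */
    ethertype = (pkt[12] << 8) | pkt[13]; /* bytes 12-13, network order */

    switch (ethertype) {
    case 0x0800: snprintf(type, sizeof type, "ip"); break;
    case 0x0806: snprintf(type, sizeof type, "arp"); break;
    default:     snprintf(type, sizeof type, "%04x", ethertype); break;
    }
    int w = snprintf(out, outlen, "%s %s %s %zu:", src, dst, type, wirelen);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

/* Constructed sample: Ethernet header of an ARP broadcast frame. */
static const unsigned char sample_arp[ETH_HDR_LEN] = {
    0xff,0xff,0xff,0xff,0xff,0xff,  0x00,0x09,0x6b,0x99,0x3f,0x74,  0x08,0x06
};

int main(void)
{
    char line[128];
    if (format_link_header(sample_arp, sizeof sample_arp, 60, line, sizeof line) == 0)
        puts(line);
    return 0;
}
```
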