Message descriptions from tcpdump output

Post by lonelyplanet.. » Mon, 29 Jan 2001 23:15:28

Hi all,

I'm a newbie to tcpdump and need to use tcpdump to monitor TCP traffic
in my network soon. I got many tcpdumps (different variations for
different OS platforms) from the internet but found none that could give me a
detailed description of how to interpret those 'close to mysterious'
messages like the ones below:

arizona.ftp-data > rtsg.1170:

   rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560

jssmag.209.165 > helios.132: atp-req  12266<0-7> 0xae030001
   helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
   helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
   helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
   helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
   helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae040000
   helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
   helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000
   helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000
   jssmag.209.165 > helios.132: atp-req  12266<3,5> 0xae030001
   helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
   helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
   jssmag.209.165 > helios.132: atp-rel  12266<0-7> 0xae030001
   jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002

   rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
   csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
   rtsg.1023 > csam.login: . ack 1 win 4096
   rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
   csam.login > rtsg.1023: . ack 2 win 4096
   rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
   csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
   csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
   csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1

I know that different command options cause different messages to be
displayed. However, the manpages just show a few examples. How can they
assure that users can decode the message content correctly if different
command options are used that come with no example illustrations? I
have read the book 'Stevens, W. Richard. TCP/IP Illustrated, Volume 1:
The Protocols. Reading, Mass.: Addison-Wesley, 1996. ISBN 0-201-63346-9'.
The message dumps are similar to the above, but there is still no 'clear
cut' description, at least for me, of how to decode those messages
under different situations --- whenever I encounter messages with
fields I am not really sure about, I have to search through the book to find
an example with an exact match to the message format.

I would like to know whether there is any document (online or in books)
describing message formats under all circumstances. Or does such a reference
not exist at all because the message output differs between
implementations of tcpdump?

Tks & Rgds,

lonelyplanet999.

Sent via Deja.com
http://www.deja.com/
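The TCP lines quoted in the post follow the classic tcpdump summary format documented in its manpage: `src > dst: flags [first:last(nbytes)] [ack N] win N [urg N] [<options>]`. The example below (added here; it is not code from the post or from the tcpdump project) parses that format, renders each line in plain English, validates that the byte range and byte count agree, and checks whether a capture opens with a proper SYN, SYN/ACK, ACK exchange. It assumes the classic single-line TCP format shown above and does not handle the AppleTalk ATP lines; the sample lines are the rtsg/csam exchange from the post, with the line the post wrapped (`<mss` / `1024>`) rejoined.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Classic tcpdump TCP summary line, as quoted in the post:
#   src > dst: flags [first:last(nbytes)] [ack N] [win N] [urg N] [<options>]
# 'flags' is any combination of S, F, P, R, or a lone '.' when none of them is set.
TCP_LINE = re.compile(
    r"^\s*(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SFPR]+|\.)"
    r"(?:\s+(?P<first>\d+):(?P<last>\d+)\((?P<nbytes>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"(?:\s+win\s+(?P<win>\d+))?"
    r"(?:\s+urg\s+(?P<urg>\d+))?"
    r"(?:\s+<(?P<opts>[^>]*)>)?"
    r"\s*$"
)

@dataclass
class TcpLine:
    src: str
    dst: str
    flags: str
    first: Optional[int]   # sequence number of the first payload byte
    last: Optional[int]    # sequence number one past the last payload byte
    nbytes: Optional[int]  # payload length; must equal last - first
    ack: Optional[int]     # acknowledgement number, printed as 'ack N'
    win: Optional[int]     # advertised receive window
    urg: Optional[int]     # urgent pointer, printed as 'urg N'
    opts: Optional[str]    # TCP options inside <...>, e.g. 'mss 1024'

def parse_tcp_line(line: str) -> TcpLine:
    """Parse one summary line; raise ValueError on unknown format or inconsistent range."""
    m = TCP_LINE.match(line)
    if m is None:
        raise ValueError(f"not a tcpdump TCP summary line: {line!r}")
    g = m.groupdict()
    rec = TcpLine(
        src=g["src"], dst=g["dst"], flags=g["flags"], opts=g["opts"],
        **{k: (int(g[k]) if g[k] is not None else None)
           for k in ("first", "last", "nbytes", "ack", "win", "urg")},
    )
    # The byte range first:last and the count in parentheses must agree.
    if rec.first is not None and rec.last - rec.first != rec.nbytes:
        raise ValueError(f"inconsistent data range in {line!r}")
    return rec

FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PUSH", "R": "RST"}

def describe(rec: TcpLine) -> str:
    """Render one parsed line as plain English."""
    flags = [FLAG_NAMES[f] for f in rec.flags if f in FLAG_NAMES]
    if rec.ack is not None:
        flags.append("ACK")  # tcpdump prints 'ack N' instead of an A flag letter
    parts = [f"{rec.src} -> {rec.dst}: " + ("/".join(flags) or "no flags")]
    if rec.first is not None:
        parts.append(f"{rec.nbytes} byte(s) at seq {rec.first}..{rec.last}")
    if rec.ack is not None:
        parts.append(f"acks up to {rec.ack}")
    if rec.win is not None:
        parts.append(f"window {rec.win}")
    if rec.urg is not None:
        parts.append(f"urgent pointer {rec.urg}")
    if rec.opts:
        parts.append(f"options <{rec.opts}>")
    return ", ".join(parts)

def is_three_way_handshake(lines: List[str]) -> bool:
    """True if the first three lines are SYN, SYN/ACK, ACK between the same endpoints.

    The SYN/ACK must acknowledge the SYN's ISN + 1. After the handshake tcpdump
    (unless run with -S) prints sequence numbers relative to the ISN, which is why
    the third line shows 'ack 1' instead of an absolute number.
    """
    if len(lines) < 3:
        return False
    syn, synack, ack = (parse_tcp_line(l) for l in lines[:3])
    return (
        syn.flags == "S" and syn.ack is None
        and synack.flags == "S" and synack.ack == syn.first + 1
        and (synack.src, synack.dst) == (syn.dst, syn.src)
        and ack.flags == "." and (ack.src, ack.dst) == (syn.src, syn.dst)
        and ack.ack == 1
    )

# Constructed sample: the rtsg/csam exchange quoted in the post, with the wrapped
# "<mss 1024>" line rejoined onto a single line.
SAMPLE = [
    "rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>",
    "csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>",
    "rtsg.1023 > csam.login: . ack 1 win 4096",
    "rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096",
    "csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(describe(parse_tcp_line(line)))
    print("three-way handshake:", is_three_way_handshake(SAMPLE))
```

The consistency check on `first:last(nbytes)` is worth keeping when reading captures by hand as well: a byte count that does not match the range usually means a mangled or mis-copied line rather than odd traffic.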