Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: How to decipher tcpdump file
Special Forums Cybersecurity How to decipher tcpdump file Post 61238 by diganta on Tuesday 1st of February 2005 03:43:33 AM
Old 02-01-2005
How to decipher tcpdump file
Hi,

I am stuck with a tricky situation in which one of my applications is flooding the network with UDP messages. The architecture of the application is not supposed to do so. Neither is there any place where the application will go into an infinite loop sending UDP messages over the network. To find out what message is being sent out, I captured the output of tcpdump to get the contents of the UDP packets sent by the application over the network. Following is a portion of the tcpdump output:

13:37:33.568065 udm > activeip: ip-proto-153 13 (DF)
4500 0021 0512 4000 fe99 01d4 2f87 2b01
0a46 1118 2547 2547 000d 735b 7000 2e04
2e00 0000 0000 0000 0000 0000 0000
13:37:33.568091 udm > activeip: ip-proto-153 13 (DF)
4500 0021 0513 4000 fe99 01d3 2f87 2b01
0a46 1118 2547 2547 000d 735b 7000 2e04
2e00 0000 0000 0000 0000 0000 0000
13:37:33.568116 udm > activeip: ip-proto-153 13 (DF)
4500 0021 0514 4000 fe99 01d2 2f87 2b01
0a46 1118 2547 2547 000d 735b 7000 2e04
2e00 0000 0000 0000 0000 0000 0000

Can anyone help me in deciphering the contents of the packets? This will help me in finding out in the code where these messages are being sent out. Do keep in mind that I am pretty new to tcpdump.

Regards,
Diganta
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

TCPDump Binary File......

I have a file on a linux box with the extension .gz thats supposed to be a gzip file. when i use gzip -d filename it gives me squares and triangles and you know garbarge. Its a 900 meg file. Is there someway to decode the file and where could I store a 900 meg file for free???? I am going to... (8 Replies)
Discussion started by: pydyer
8 Replies

2. UNIX for Dummies Questions & Answers

Please help me decipher this header - I'm desperate!

I've got a really weird situation here.... the same IP address keeps popping up in porn spam that I have rec'd in 2 different email accts. It looks to me like it's coming from UC Davis, and I suspect someone there, so I am hoping you all can verify the same thing before I call the person on this... (0 Replies)
Discussion started by: christinef
0 Replies

3. Shell Programming and Scripting

Help with script, trying to get tcpdump and rotate the file every 300 seconds

Greetings, I just started using scripting languages, im trying to get a tcpdump in a file, change the file name every 5mins ... this is what i have but its not working ... any suggestions? #!/bin/bash # timeout.sh #timestamp format TIMESTAMP=`date -u "+%Y%m%dT%H%M%S"` #tdump =`tcpdump... (3 Replies)
Discussion started by: livewire
3 Replies

4. HP-UX

help me decipher how much memory on my box

hi, if I do top, I get Memory: 19277012K (5868296K) real, 33860312K (11294208K) virtual, 795392K free If I do swapinfo -tm I get: % swapinfo -tm Mb Mb Mb PCT TYPE AVAIL USED FREE USED dev 16384 0 16383 0% dev ... (3 Replies)
Discussion started by: JamesByars
3 Replies

5. IP Networking

tcpdump -w file is not capturing all the packets

I am trying to capture tcpdump for traffic to a port in a file but this does not seem to capture all the packets. Command I use is : tcpdump -w tdump.dat port 22 Why is it not capturing all the packets ? Here is my experiment: root@pmode-client6 adc-demo]# tcpdump port 22 tcpdump:... (5 Replies)
Discussion started by: radiatejava
5 Replies

6. Shell Programming and Scripting

Decipher Script

Hi Guys, I am running solaris and I need help in deciphering the following commands: dir_t1=`echo $0|nawk -F'/' '{print NF}'` dir_t2=`expr $dir_t1- 1` dir_t3=`echo $0|cut -d'/' -f1-$dir_t2` export dir_t2 What will be the value for dir_t3? Please help !!!!!!!!!!!!!!! (5 Replies)
Discussion started by: Phuti
5 Replies

7. Shell Programming and Scripting

Sed - Unable to decipher this.

Guys, I am going through an existing code in production and found the following lines. I have used "sed" before but am unable to decipher the following statement. :( echo ${F_NAME} | sed 's/\(.*\)............/\1/' Any help is greatly appreciated. Cheers, Sid (6 Replies)
Discussion started by: sid1982
6 Replies

8. UNIX for Advanced & Expert Users

ssh decipher a tunnel

Two question here, but it's only one on the protocol point of view. If two persons use the same key to connect to a SSH server is there a risk they can decipher the other tunnel. In other terms is that less safe than if they have two separate keys. Same question if two persons use the same user... (2 Replies)
Discussion started by: moi
2 Replies

9. Shell Programming and Scripting

Can you decipher this script ?

ssh-add -t 30 >/dev/null 2>&1 LOGNAME=`whoami` cp $HOME/.ssh/known_hosts $HOME/.ssh/known_hosts.org grep -v localhost $HOME/.ssh/known_hosts.org > $HOME/.ssh/known_hosts ssh -1 -f -l $LOGNAME -o "ForwardX11 yes" -o "StrictHostKeyChecking no" -L 6003:1.1.1.1:2222 ext-proxy-2 sleep 5... (1 Reply)
Discussion started by: llcooljatt
1 Replies

10. SuSE

can you decipher this script ?

ssh-add -t 30 >/dev/null 2>&1 LOGNAME=`whoami` cp $HOME/.ssh/known_hosts $HOME/.ssh/known_hosts.org grep -v localhost $HOME/.ssh/known_hosts.org > $HOME/.ssh/known_hosts ssh -1 -f -l $LOGNAME -o "ForwardX11 yes" -o "StrictHostKeyChecking no" -L 6003:195.244.210.107:2222 ext-proxy-2 sleep 5... (7 Replies)
Discussion started by: llcooljatt
7 Replies

LEARN ABOUT CENTOS

tracepath6

TRACEPATH(8)						 System Manager's Manual: iputils					      TRACEPATH(8)

NAME

       tracepath, tracepath6 - traces path to a network host discovering MTU along this path

SYNOPSIS

       tracepath [-n] [-b] [-l pktlen] [-p port] destination

DESCRIPTION

       It  traces  path  to destination discovering MTU along this path.  It uses UDP port port or some random port.  It is similar to traceroute,
       only does not require superuser privileges and has no fancy options.

       tracepath6 is good replacement for traceroute6 and classic example of application of Linux error queues.  The situation with IPv4 is worse,
       because	commercial  IP	routers  do  not  return  enough  information in ICMP error messages.  Probably, it will change, when they will be
       updated.  For now it uses Van Jacobson's trick, sweeping a range of UDP ports to maintain trace history.

OPTIONS

       -n     Print primarily IP addresses numerically.

       -b     Print both of host names and IP addresses.

       -l     Sets the initial packet length to pktlen instead of 65535 for tracepath or 128000 for tracepath6.

       -p     Sets the initial destination port to use.

OUTPUT

       root@mops:~ # tracepath6 3ffe:2400:0:109::2
	1?: [LOCALHOST] 			     pmtu 1500
	1:  dust.inr.ac.ru		     0.411ms
	2:  dust.inr.ac.ru	  asymm  1   0.390ms pmtu 1480
	2:  3ffe:2400:0:109::2		     463.514ms reached
	    Resume: pmtu 1480 hops 2 back 2

       The first column shows TTL of the probe, followed by colon.  Usually value of TTL is obtained from reply from network, but sometimes  reply
       does not contain necessary information and we have to guess it. In this case the number is followed by ?.

       The  second column shows the network hop, which replied to the probe.  It is either address of router or word [LOCALHOST], if the probe was
       not sent to the network.

       The rest of line shows miscellaneous information about path to the correspinding network hop. As rule it contains value of RTT.	 Addition-
       ally,  it  can  show Path MTU, when it changes.	If the path is asymmetric or the probe finishes before it reach prescribed hop, difference
       between number of hops in forward and backward direction is shown following keyword async. This information  is	not  reliable.	 F.e.  the
       third line shows asymmetry of 1, it is because the first probe with TTL of 2 was rejected at the first hop due to Path MTU Discovery.

       The  last  line summarizes information about all the path to the destination, it shows detected Path MTU, amount of hops to the destination
       and our guess about amount of hops from the destination to us, which can be different when the path is asymmetric.

SEE ALSO

       traceroute(8), traceroute6(8), ping(8).

AUTHOR

       tracepath was written by Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>.

SECURITY

       No security issues.

       This lapidary deserves to be elaborated.  tracepath is not a privileged program, unlike traceroute, ping and other  beasts  of  this  kind.
       tracepath  may be executed by everyone who has some access to network, enough to send UDP datagrams to investigated destination using given
       port.

AVAILABILITY

       tracepath is part of iputils package and the latest versions are  available in source  form  at	http://www.skbuff.net/iputils/iputils-cur-
       rent.tar.bz2.

iputils-121221							   10 June 2014 						      TRACEPATH(8)
All times are GMT -4. The time now is 06:07 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy