Login or Register to Ask a Question and Join Our Community


Cybersecurity

How to decipher tcpdump file

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Special Forums Cybersecurity How to decipher tcpdump file
# 1  
Old 02-01-2005
How to decipher tcpdump file
Hi,

I am stuck with a tricky situation in which one of my applications is flooding the network with UDP messages. The architecture of the application is not supposed to do so. Neither is there any place where the application will go into an infinite loop sending UDP messages over the network. To find out what message is being sent out, I captured the output of tcpdump to get the contents of the UDP packets sent by the application over the network. Following is a portion of the tcpdump output:

13:37:33.568065 udm > activeip: ip-proto-153 13 (DF)
4500 0021 0512 4000 fe99 01d4 2f87 2b01
0a46 1118 2547 2547 000d 735b 7000 2e04
2e00 0000 0000 0000 0000 0000 0000
13:37:33.568091 udm > activeip: ip-proto-153 13 (DF)
4500 0021 0513 4000 fe99 01d3 2f87 2b01
0a46 1118 2547 2547 000d 735b 7000 2e04
2e00 0000 0000 0000 0000 0000 0000
13:37:33.568116 udm > activeip: ip-proto-153 13 (DF)
4500 0021 0514 4000 fe99 01d2 2f87 2b01
0a46 1118 2547 2547 000d 735b 7000 2e04
2e00 0000 0000 0000 0000 0000 0000

Can anyone help me in deciphering the contents of the packets? This will help me in finding out in the code where these messages are being sent out. Do keep in mind that I am pretty new to tcpdump.

Regards,
Diganta
# 2  
Old 02-09-2005
A reference on IPv4 headers would greatly help you decipher the packet information:

Code:
An IPv4 header 

<------------------------------------ 32 bits ---------------------------------->

|-------------------------------------------------------------------------------|
| Version |   IHL   |  Type of Service  |            Total Length               |
|-------------------------------------------------------------------------------|
|             Identification            | Flags |          Fragment Offset      |
|-------------------------------------------------------------------------------|
|   Time to Live    |     Protocol      |             Header Checksum           |
|-------------------------------------------------------------------------------|
|                                  Source Address                               |
|-------------------------------------------------------------------------------|
|                               Destination Address                             |
|-------------------------------------------------------------------------------|
|                     Options                               |      Padding      |
|-------------------------------------------------------------------------------|


|-------------------------------------------------------------------------------|
|                                     Payload                                   |
|-------------------------------------------------------------------------------|

Reference:
An IPv4 header
# 3  
Old 02-09-2005
Excellent CMU lecture on IPv4
CMU_IPv4_lecture08.pdf (235.7 KB) 
Last edited by Neo; 02-09-2005 at 01:42 AM.. Reason: Good Reference on IPv4 (and v6) from CMU
# 4  
Old 02-24-2005
tcpdump tut for beginners
Following is a very good link to understand tcpdump for beginners.

http://www.aei.ca/~pmatulis/pub/tcpdump.html
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. SuSE

can you decipher this script ?

ssh-add -t 30 >/dev/null 2>&1 LOGNAME=`whoami` cp $HOME/.ssh/known_hosts $HOME/.ssh/known_hosts.org grep -v localhost $HOME/.ssh/known_hosts.org > $HOME/.ssh/known_hosts ssh -1 -f -l $LOGNAME -o "ForwardX11 yes" -o "StrictHostKeyChecking no" -L 6003:195.244.210.107:2222 ext-proxy-2 sleep 5... (7 Replies)
Discussion started by: llcooljatt
7 Replies

2. Shell Programming and Scripting

Can you decipher this script ?

ssh-add -t 30 >/dev/null 2>&1 LOGNAME=`whoami` cp $HOME/.ssh/known_hosts $HOME/.ssh/known_hosts.org grep -v localhost $HOME/.ssh/known_hosts.org > $HOME/.ssh/known_hosts ssh -1 -f -l $LOGNAME -o "ForwardX11 yes" -o "StrictHostKeyChecking no" -L 6003:1.1.1.1:2222 ext-proxy-2 sleep 5... (1 Reply)
Discussion started by: llcooljatt
1 Replies

3. UNIX for Advanced & Expert Users

ssh decipher a tunnel

Two question here, but it's only one on the protocol point of view. If two persons use the same key to connect to a SSH server is there a risk they can decipher the other tunnel. In other terms is that less safe than if they have two separate keys. Same question if two persons use the same user... (2 Replies)
Discussion started by: moi
2 Replies

4. Shell Programming and Scripting

Sed - Unable to decipher this.

Guys, I am going through an existing code in production and found the following lines. I have used "sed" before but am unable to decipher the following statement. :( echo ${F_NAME} | sed 's/\(.*\)............/\1/' Any help is greatly appreciated. Cheers, Sid (6 Replies)
Discussion started by: sid1982
6 Replies

5. Shell Programming and Scripting

Decipher Script

Hi Guys, I am running solaris and I need help in deciphering the following commands: dir_t1=`echo $0|nawk -F'/' '{print NF}'` dir_t2=`expr $dir_t1- 1` dir_t3=`echo $0|cut -d'/' -f1-$dir_t2` export dir_t2 What will be the value for dir_t3? Please help !!!!!!!!!!!!!!! (5 Replies)
Discussion started by: Phuti
5 Replies

6. IP Networking

tcpdump -w file is not capturing all the packets

I am trying to capture tcpdump for traffic to a port in a file but this does not seem to capture all the packets. Command I use is : tcpdump -w tdump.dat port 22 Why is it not capturing all the packets ? Here is my experiment: root@pmode-client6 adc-demo]# tcpdump port 22 tcpdump:... (5 Replies)
Discussion started by: radiatejava
5 Replies

7. HP-UX

help me decipher how much memory on my box

hi, if I do top, I get Memory: 19277012K (5868296K) real, 33860312K (11294208K) virtual, 795392K free If I do swapinfo -tm I get: % swapinfo -tm Mb Mb Mb PCT TYPE AVAIL USED FREE USED dev 16384 0 16383 0% dev ... (3 Replies)
Discussion started by: JamesByars
3 Replies

8. Shell Programming and Scripting

Help with script, trying to get tcpdump and rotate the file every 300 seconds

Greetings, I just started using scripting languages, im trying to get a tcpdump in a file, change the file name every 5mins ... this is what i have but its not working ... any suggestions? #!/bin/bash # timeout.sh #timestamp format TIMESTAMP=`date -u "+%Y%m%dT%H%M%S"` #tdump =`tcpdump... (3 Replies)
Discussion started by: livewire
3 Replies

9. UNIX for Dummies Questions & Answers

Please help me decipher this header - I'm desperate!

I've got a really weird situation here.... the same IP address keeps popping up in porn spam that I have rec'd in 2 different email accts. It looks to me like it's coming from UC Davis, and I suspect someone there, so I am hoping you all can verify the same thing before I call the person on this... (0 Replies)
Discussion started by: christinef
0 Replies

10. UNIX for Dummies Questions & Answers

TCPDump Binary File......

I have a file on a linux box with the extension .gz thats supposed to be a gzip file. when i use gzip -d filename it gives me squares and triangles and you know garbarge. Its a 900 meg file. Is there someway to decode the file and where could I store a 900 meg file for free???? I am going to... (8 Replies)
Discussion started by: pydyer
8 Replies
Login or Register to Ask a Question