Forum Discussion

Lay_Hin_53714
Dec 19, 2008

tcpdump output interpret guide

Hi All,

Is there a document that can explain the output from tcpdump?

For example, I would like to know what S, P and DF mean.

15:23:27.351280 202.6.123.44.9632 > 203.116.162.168.ldap: S 2450604975:2450604975(0) win 49640 (DF)
15:23:27.361003 203.116.162.168.ldap > 202.6.123.44.9632: S 3804777917:3804777917(0) ack 2450604976 win 1460 (DF)
15:23:27.361984 202.6.123.44.9632 > 203.116.162.168.ldap: . ack 1 win 49640 (DF)
15:23:27.423022 202.6.123.44.9632 > 203.116.162.168.ldap: P 1:149(148) ack 1 win 49640 (DF)
15:23:29.034865 203.116.162.168.ldap > 202.6.123.44.9632: . ack 149 win 8760 (DF)
15:23:29.133984 203.116.162.168.ldap > 202.6.123.44.9632: P 1:1461(1460) ack 149 win 8760 (DF)
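
Since the question is what the S, P and DF fields mean, here is an added example (not from the original post, nor F5 code) that parses the classic tcpdump TCP line format shown above, spells out the flags, and checks whether the first three lines form a TCP three-way handshake. The SAMPLE lines are copied from the post; the parser assumes the pre-4.x tcpdump layout (newer versions print `Flags [S]` instead).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Classic (pre-4.x) tcpdump TCP layout, as in the post: time src.port > dst.port: flags [seq:end(len)] [ack N] [win N] [(DF)]
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flags>[SPFRU.]+)"
    r"(?:\s+(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?(?:\s+win\s+(?P<win>\d+))?"
    r"(?:\s+urg\s+\d+)?(?P<df>\s+\(DF\))?"
)
FLAG_NAMES = {"S": "SYN", "P": "PSH", "F": "FIN", "R": "RST", "U": "URG"}

# Sample input copied from the post above.
SAMPLE = [
    "15:23:27.351280 202.6.123.44.9632 > 203.116.162.168.ldap: S 2450604975:2450604975(0) win 49640 (DF)",
    "15:23:27.361003 203.116.162.168.ldap > 202.6.123.44.9632: S 3804777917:3804777917(0) ack 2450604976 win 1460 (DF)",
    "15:23:27.361984 202.6.123.44.9632 > 203.116.162.168.ldap: . ack 1 win 49640 (DF)",
    "15:23:27.423022 202.6.123.44.9632 > 203.116.162.168.ldap: P 1:149(148) ack 1 win 49640 (DF)",
]

@dataclass
class TcpLine:
    ts: str; src: str; sport: str; dst: str; dport: str; flags: str
    seq: Optional[int]; length: int; ack: Optional[int]; win: Optional[int]; df: bool

def parse_line(line: str) -> TcpLine:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a tcpdump TCP line: {line!r}")
    src, _, sport = m["src"].rpartition(".")  # the last dot separates host from port/service name
    dst, _, dport = m["dst"].rpartition(".")
    return TcpLine(m["ts"], src, sport, dst, dport, m["flags"],
                   int(m["seq"]) if m["seq"] else None, int(m["len"]) if m["len"] else 0,
                   int(m["ack"]) if m["ack"] else None, int(m["win"]) if m["win"] else None,
                   m["df"] is not None)

def describe(p: TcpLine) -> str:
    """Expand the flags: '.' means no SYN/PSH/FIN/RST/URG bit (pure ACK); (DF) is the IP Don't-Fragment bit."""
    names = [FLAG_NAMES[c] for c in p.flags if c in FLAG_NAMES] or ["ACK only"]
    extra = [f"seq {p.seq}, {p.length} payload bytes" if p.seq is not None else "",
             f"ack {p.ack}" if p.ack is not None else "", "IP Don't-Fragment set" if p.df else ""]
    return "; ".join([f"{p.src}:{p.sport} -> {p.dst}:{p.dport}", "+".join(names)] + [e for e in extra if e])

def is_three_way_handshake(lines: List[str]) -> bool:
    """SYN, SYN acking ISN+1 from the peer, bare ACK; tcpdump switches to relative seq/ack afterwards, hence 'ack 1'."""
    a, b, c = (parse_line(l) for l in lines[:3])
    return (a.flags == "S" and a.ack is None and b.flags == "S" and b.src == a.dst
            and b.ack == a.seq + 1 and c.flags == "." and c.src == a.src and c.ack == 1)
```

Lines 4 to 6 of the capture show the PSH-flagged data segments and their ACKs, with sequence numbers now relative to each side's initial sequence number.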

9 Replies

  • Ah... I find the following link is quite good at explaining the details.
    http://www.taosecurity.com/intv2-8.html

  • Hamish
    Hi Layhin.

    Also be aware that a good decoder like Wireshark is worth its weight in gold when trying to diagnose what's happening at the content level. It'll decode HTTP, CDP, all those little protocols you need to inspect so often. And it'll give you quick stats on connections, endpoints etc. for quickly finding what you're looking for too.

  • If you are adventurous, you can download the F5 Wireshark plugin (Click here). This requires you to compile Wireshark yourself, but the payoff is extra details in the capture files if taken from the BIG-IP.
  • Hey Citizen,

    Out of curiosity, what additional info do you get with the F5 modifications?

    Thanks,
    Aaron
  • The most useful item I remember is the connection ID so you can match client-side and server-side flows. It's been a few months since I lost the workstation I had it compiled on.
  • ukstin
    I've compiled Wireshark with this plugin and dumped a box with BIG-IP 9.4.5, but I compared the data with a default Wireshark (without this plugin) and the information is the same.

    Do I need to run tcpdump with some different attributes? I collect it through the GUI (System -> Support).
  • When you specify the interface, you need to append :000 or :nnn; I can't remember which.
  • I think it's :nnn

    tcpdump -ni 0.0:000 -s0 -w/var/tmp/test.dmp
    tcpdump: unrecognized interface name: 0.0:000

    tcpdump -ni 0.0:nnn -s0 -w/var/tmp/test.dmp
    tcpdump: listening on 0.0:nnn

    Using tcpdump to read the file, you can see extra fields at the end of the normal info. I'm assuming the Wireshark patch parses this info.

    tail-type 1 len 33 f5-low ver[0] fty[0] fid[00000000] pid[00000000] cfl[00000000] flg[0001] pgr[0] pun[0] lis= tail-type 2 len 6 f5-med ver[0] ins[0] inp[0] ha[0] tail-type 3 len 40 f5-hi ver[0] pra[00000000:00000000:00000000:00000000] pla[00000000:00000000:00000000:00000000] prp[0] plp[0] pip[0] pvl[0]

    Can someone send me a compiled version of the modified Wireshark (hooleylists at gmail dot com)? I can't easily compile it without reworking my existing Cygwin installation.

    Thanks,
    Aaron
  • ukstin
    Works with this:

    tcpdump -ni 0.0:nnn -s0 -w/var/tmp/test.dmp

    Thanks people, I don't know if someday I'll have to use this information, but it's interesting :D