How to decipher tcpdump file

[vtntl]

Hi,



I am stuck with a tricky situation in which one of my applications is flooding the network with UDP messages. The architecture of the application is not supposed to do so. Neither is there any place where the application will go into an infinite loop sending UDP messages over the network. To find out what message is being sent out, I captured the output of tcpdump to get the contents of the UDP packets sent by the application over the network. Following is a portion of the tcpdump output:



13:37:33.568065 udm > activeip: ip-proto-153 13 (DF)

4500 0021 0512 4000 fe99 01d4 2f87 2b01

0a46 1118 2547 2547 000d 735b 7000 2e04

2e00 0000 0000 0000 0000 0000 0000

13:37:33.568091 udm > activeip: ip-proto-153 13 (DF)

4500 0021 0513 4000 fe99 01d3 2f87 2b01

0a46 1118 2547 2547 000d 735b 7000 2e04

2e00 0000 0000 0000 0000 0000 0000

13:37:33.568116 udm > activeip: ip-proto-153 13 (DF)

4500 0021 0514 4000 fe99 01d2 2f87 2b01

0a46 1118 2547 2547 000d 735b 7000 2e04

2e00 0000 0000 0000 0000 0000 0000



Can anyone help me in deciphering the contents of the packets? This will help me in finding out in the code where these messages are being sent out. Do keep in mind that I am pretty new to tcpdump.



Regards,

Diganta

More Information:

1. I am aware that the "tcpdump" file is the most widely used, but on what basis is the decision made as to which file to use? Also, I am using the TCPDUMP file of the DARPA dataset
2. I'm going to go learn how to decipher the tcpdump report correctly now (rather than assuming), but if anyone has any insights in the meantime
3. How to concatenate two tcpdump files (pcap files) · IPv6 decoder for pcapy/impacket · Why ruby's(ver 1
4. TRACE Telcordia Software Visualization and Analysis Toolsuite (testing software) ECXpert Debugging File WebSTAR Mail Server Error File Zope 3 Strace Log TcpDump Output File
5. Initially started to use python, but only find a tcpdump parser and could not get more than one file translated in tcpdump to hexadecimal
6. sport == 80 but couldn't decipher how to get at the payload of the upper layers given an

More:

• Unknown Open Port
• Join the LinuxQuestions distributed.net team
• AES winner selected - RIJNDAEL
• Slashdot has been hacked
• Open ports
• Netscape Communicator URL Read Vulnerability
• WuFTPD: Providing *remote* root since at least 1994
• I need to test my firewall...
• Do you use a firewall?
• Linux Kernel Vulnerability

[trong_dat1402]

A reference on IPv4 headers would greatly help you decipher the packet information:

Code:

An IPv4 header 



<------------------------------------ 32 bits ---------------------------------->



|-------------------------------------------------------------------------------|

| Version |   IHL   |  Type of Service  |            Total Length               |

|-------------------------------------------------------------------------------|

|             Identification            | Flags |          Fragment Offset      |

|-------------------------------------------------------------------------------|

|   Time to Live    |     Protocol      |             Header Checksum           |

|-------------------------------------------------------------------------------|

|                                  Source Address                               |

|-------------------------------------------------------------------------------|

|                               Destination Address                             |

|-------------------------------------------------------------------------------|

|                     Options                               |      Padding      |

|-------------------------------------------------------------------------------|





|-------------------------------------------------------------------------------|

|                                     Payload                                   |

|-------------------------------------------------------------------------------|

Reference:

An IPv4 header

More Information:

1. Using the above information we should now be able to decipher a packet dump that shows a telnet option negotiation
2. So now we're doing some real-time monitoring and TCPDumps, which they're trying to decipher… good choice of words, as this is all SSL traffic, so
3. You will learn how to decipher log messages and to build confidence in damage assessment situations
4. Web browser: Technical articles 2003-02-10; Making sense of tcpdump with add-on enhancements: Tcpdump is a useful tool for tracking down network performance issues, but the output can be difficult to decipher
5. It will append the packets at the end of the pcap file if you specify the same output prefix, keeping the IVs you already have (a feature that tcpdump doesn't have btw ;))
6. I got the dump, thanks (tcpdump? damn! I gotta read that manpage one day) still trying to decipher that

[kent_jay]

Excellent CMU lecture on IPv4

More Information:

1. I need to learn how to read TCPdumps they are difficult for me to decipher
2. capture with tcpdump you need to use '-s 0' to prevent the payload from being stipped and direct the ouput to a file like the following:
3. Other times it's the octal notation, or maybe how to decipher the setuid and sticky bit trickery
4. TCPDump contains options to decipher RTP traffic, this presents the output in a manner that is easily manipulated using tools such as awk or perl scripts
5. It is quite common to use TCPDump to write to file a range of packets to file and then read the packets required from this file, this
6. Rich VoIP analysis * Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco
7. Although I do not have any clue how to decipher these
8. If you are looking for deciphering of the actual letters: rtfm for tcpdump

[duong nhat than]

Following is a very good link to understand tcpdump for beginners.



http://www.aei.ca/~pmatulis/pub/tcpdump.html

More Information:

1. I do not think Squid knows how to either decipher the GRE packet and or when it tries to send the information back out its not going back to the client
2. 1 -w output-file > >> $ sudo wireshark output-file I think we have already been down this path before, I told Hadi to use wireshark to looking to the packet and if it was a known protocol it would decipher it
3. I'm not sure how to decipher that OK, now I know at least that much
4. Pcapsipdump is a "tcpdump" style tool for saving SIP and RTP traffic to disk, one file per SIP session
5. I am working on writing a program to decipher a tcpdump file into plain, readable text
6. The authors run through files and directories relative to /proc and describe how to view information about the kernel and currently running processes
7. You may specify to tcpdump the keys used by the security association to view deciphered packets