How to decipher tcpdump file

[vtntl]

Hi,



I am stuck with a tricky situation in which one of my applications is flooding the network with UDP messages. The architecture of the application is not supposed to do so. Neither is there any place where the application will go into an infinite loop sending UDP messages over the network. To find out what message is being sent out, I captured the output of tcpdump to get the contents of the UDP packets sent by the application over the network. Following is a portion of the tcpdump output:



13:37:33.568065 udm > activeip: ip-proto-153 13 (DF)

4500 0021 0512 4000 fe99 01d4 2f87 2b01

0a46 1118 2547 2547 000d 735b 7000 2e04

2e00 0000 0000 0000 0000 0000 0000

13:37:33.568091 udm > activeip: ip-proto-153 13 (DF)

4500 0021 0513 4000 fe99 01d3 2f87 2b01

0a46 1118 2547 2547 000d 735b 7000 2e04

2e00 0000 0000 0000 0000 0000 0000

13:37:33.568116 udm > activeip: ip-proto-153 13 (DF)

4500 0021 0514 4000 fe99 01d2 2f87 2b01

0a46 1118 2547 2547 000d 735b 7000 2e04

2e00 0000 0000 0000 0000 0000 0000



Can anyone help me in deciphering the contents of the packets? This will help me in finding out in the code where these messages are being sent out. Do keep in mind that I am pretty new to tcpdump.



Regards,

Diganta

More Information:

1. I tried having a look at pflog0 with tcpdump, but it doesnt seem to show any traffic at all nevermind just the blocked traffic (I would like to know if there
2. dump) files (also my choice of how to grab data out of the air)
3. TCPdump can be used in real-time mode to display network traffic, or it can log network packets into a file for later analysis
4. Other times it's the octal notation, or maybe how to decipher the setuid and sticky bit trickery
5. If there is, and you can't decipher what is going on, then try tcpdump again, but this time capture the packets, so we can look at them with

[trong_dat1402]

A reference on IPv4 headers would greatly help you decipher the packet information:

Code:

An IPv4 header 



<------------------------------------ 32 bits ---------------------------------->



|-------------------------------------------------------------------------------|

| Version |   IHL   |  Type of Service  |            Total Length               |

|-------------------------------------------------------------------------------|

|             Identification            | Flags |          Fragment Offset      |

|-------------------------------------------------------------------------------|

|   Time to Live    |     Protocol      |             Header Checksum           |

|-------------------------------------------------------------------------------|

|                                  Source Address                               |

|-------------------------------------------------------------------------------|

|                               Destination Address                             |

|-------------------------------------------------------------------------------|

|                     Options                               |      Padding      |

|-------------------------------------------------------------------------------|





|-------------------------------------------------------------------------------|

|                                     Payload                                   |

|-------------------------------------------------------------------------------|

Reference:

An IPv4 header

More Information:

1. Read data from TCPDUMP trace/capture file and write to dragon
2. I am doing a project on Computer Immune System, and I am not able to decipher the importance of all the different files in the DARPA dataset
3. For a non-clear text protocol like SMB, analysts can launch Ethereal from within Sguil to help decipher the traffic, as shown in Figure 5
4. However, note that if the file's data is compressed, the SiLK tools on the second machine must have been compiled with support for that compression
5. I find tshark, a great tool to dissect and analyze data inside tcpdump files
6. 20 posts - 5 authors - Last post: Dec 7, 2008However, I get approx 40-second delays on each new page request in Opera, and tcpdump shows this delay to be 'AAAA+' DNS requests (which I understand
7. I am working on writing a program to decipher a tcpdump file into plain, readable text
8. debugging regular expressions deciding which files to include deciphering output deciphering tcpdump output decompressing decompressing files default ACLs, setting default boot menu default configuration files default files for users default shell for default shell for FreeBSD deleted files
9. I use command line tcpdump packet captures on a daily basis, and 98% of the time I dump the output to a file, only to then load it up in
10. It is quite common to use TCPDump to write to file a range of packets to file and then read the packets required from this file, this

[kent_jay]

Excellent CMU lecture on IPv4

More Information:

1. HWL files that you saved from the client your web browser is running on; TCPDump files –
2. Redirecting tcpdump's output to a file can be extremely useful for later review
3. You can write template files that describe exactly how output should be formatted
4. Pcapsipdump is a "tcpdump" style tool for saving SIP and RTP traffic to disk, one file per SIP session
5. The authors don't attempt to walk the reader through basic kernel source compiling but rather they concentrate on how to decipher errors that arise from compiling source