Subject: Re: ascii dump for tcpdump (was Re: truss-like command for netbsd)
To: Robert Elz <kre@munnari.OZ.AU>
From: Dustin Sallings <dustin@spy.net>
List: current-users
Date: 10/13/1998 11:13:50
On Tue, 13 Oct 1998, Robert Elz wrote:

# Once you get past the protocol headers and into the data, you're
# generally going to be much better off with something designed for
# debugging the particular protocol of concern, than just looking at ascii
# flying past. 

	Have you ever used snoop for Solaris?  This is an example of me
telnetting to a machine (snoop -v port telnet):

ETHER:  ----- Ether Header -----
ETHER:  
ETHER:  Packet 21 arrived at 10:55:34.55
ETHER:  Packet size = 61 bytes
ETHER:  Destination = 8:0:69:7:91:b2, Silicon Graphics
ETHER:  Source      = 8:0:20:71:85:27, Sun
ETHER:  Ethertype = 0800 (IP)
ETHER:  
IP:   ----- IP Header -----
IP:   
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 47 bytes
IP:   Identification = 15172
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 255 seconds/hops
IP:   Protocol = 6 (TCP)
IP:   Header checksum = fe2c
IP:   Source address = a.x.y.z, server.domain.com
IP:   Destination address = w.x.y.z, host.domain.com
IP:   No options
IP:   
TCP:  ----- TCP Header -----
TCP:  
TCP:  Source port = 23
TCP:  Destination port = 7523 
TCP:  Sequence number = 3151110952
TCP:  Acknowledgement number = 1630222130
TCP:  Data offset = 20 bytes
TCP:  Flags = 0x18
TCP:        ..0. .... = No urgent pointer
TCP:        ...1 .... = Acknowledgement
TCP:        .... 1... = Push
TCP:        .... .0.. = No reset
TCP:        .... ..0. = No Syn
TCP:        .... ...0 = No Fin
TCP:  Window = 8760
TCP:  Checksum = 0x548f
TCP:  Urgent pointer = 0
TCP:  No options
TCP:  
TELNET:  ----- TELNET:   -----
TELNET:  
TELNET:  "login: "
TELNET:  

	That's the most verbose way to run it; there are many variations.
This tool has been essential in tracking down many server and network
problems in the past.

--
SA, beyond.com           My girlfriend asked me which one I like better.
pub  1024/3CAE01D5 1994/11/03 Dustin Sallings <dustin@spy.net>
|    Key fingerprint =  87 02 57 08 02 D0 DA D6  C8 0F 3E 65 51 98 D8 BE 
L_______________________ I hope the answer won't upset her. ____________
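Added example, not code from the thread or from Sun's snoop: a small Python dissector that builds a frame carrying the header values shown in the snoop dump above and decodes it layer by layer the way `snoop -v` does, including a verification of the IP header checksum, which is the kind of protocol-aware check a plain ascii dump cannot give you. The IP addresses are RFC 5737 documentation placeholders (an assumption, since the original masks them) and the TCP checksum is carried as shown rather than verified.

```python
import struct

# TCP flag bits in the order snoop lists them (URG, ACK, PSH, RST, SYN, FIN).
TCP_FLAGS = [(0x20, "Urgent"), (0x10, "Acknowledgement"), (0x08, "Push"),
             (0x04, "Reset"), (0x02, "Syn"), (0x01, "Fin")]

def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum is valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame() -> bytes:
    """Constructed Ethernet/IPv4/TCP frame with the field values from the snoop dump.
    IP addresses are RFC 5737 documentation placeholders, not the ones in the message."""
    eth = bytes.fromhex("0800690791b2") + bytes.fromhex("080020718527") + b"\x08\x00"
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 47, 15172, 0x4000, 255, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]  # fill in the header checksum
    tcp = struct.pack("!HHIIBBHHH", 23, 7523, 3151110952, 1630222130, 0x50, 0x18, 8760, 0x548f, 0)
    return eth + ip + tcp + b"login: "

def decode(frame: bytes) -> dict:
    """Dissect the frame the way 'snoop -v' does: Ether -> IP -> TCP -> application data."""
    _dst, _src, etype = struct.unpack("!6s6sH", frame[:14])
    ip = frame[14:]
    vihl, _tos, tlen, ident, frag, ttl, proto, _csum, _s, _d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    tcp = ip[ihl:tlen]                       # trust Total length, not the wire length (padding)
    sport, dport, seq, ack, off, flags, win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    return {
        "packet_size": len(frame), "ethertype": etype, "ip_version": vihl >> 4,
        "total_length": tlen, "identification": ident,
        "ip_flags": frag >> 12,              # snoop prints the high nibble: DF alone shows as 0x4
        "dont_fragment": bool(frag & 0x4000), "ttl": ttl, "protocol": proto,
        "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0,
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "tcp_flags": flags, "tcp_flag_names": [n for b, n in TCP_FLAGS if flags & b],
        "window": win, "payload": tcp[(off >> 4) * 4:],
    }

if __name__ == "__main__":
    for k, v in decode(build_frame()).items():
        print(f"{k:16} = {v}")
```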