[olug] tcpdump output question

Brian Roberson roberson at olug.org
Tue Oct 1 14:25:06 UTC 2002


These are fragmented frames, e.g. the actual packet data spans multiple
frames. While you are correct in the assumption that every packet has
src/dst info, including port, tcpdump sees that packet, realizes it is part
of a previously sent packet and does not display this data in interactive
mode. If you were to capture this traffic with a different sniffer (such
as ethereal or sniffer pro) or even do a raw tcpdump capturing entire
frames into a file, it would actually show the data you are questioning. My
guess is that, to speed up the display since you are interactively looking
at it, the tcpdump developers may have left out this decoding.





----- Original Message -----
From: "Dave H" <dave_cog at hotmail.com>
To: <olug at olug.org>
Sent: Tuesday, October 01, 2002 9:14 AM
Subject: [olug] tcpdump output question


> Running redhat 7.3, when I do this:
>
> [root@isengard dave]# /usr/sbin/tcpdump -x -X -vv -n udp
>
> Every three packet-headers looks just like this:
> 17:16:09.711666 src-ip.4874 > dest-ip.31091:  udp 3873 (frag 56101:1456@0+) (ttl 4, len 1476)
> -snip ASCII and HEX garbage-
> 17:16:09.712874 src-ip > dest-ip: (frag 56101:1456@1456+) (ttl 4, len 1476)
> -snip ASCII and HEX garbage-
> 17:16:09.713686 src-ip > dest-ip: (frag 56101:969@2912) (ttl 4, len 989)
> -snip ASCII and HEX garbage-
>
> and then the headers repeat themselves.  But my question is how come only
> the first header has source/destination port numbers?  All of these should
> be UDP packets since those are the only type of packets I told tcpdump to
> look at, so all headers should include source/destination IP addresses...
> right?
> All these UDP packets are from the same application, so they should all
> have the same src/dst port address.  In fact, when the pattern repeats
> every 3 packets the src/dst port numbers are the same as the previous bunch.
>
> Does anyone know?
>
> P.S. If you are interested, these are packets from streaming media.
>
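
An added example, not part of the original thread: Python that groups the three header lines from the post by fragment ID and checks that the fragment sizes add up to the `udp 3873` length on the first line plus one 8-byte UDP header. The sample lines are retyped from the post with tcpdump's `id:size@offset` fragment notation; `reassemble` and the result field names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the three header lines from the post, with the
# placeholder addresses "src-ip"/"dest-ip" kept as posted.
SAMPLE = """\
17:16:09.711666 src-ip.4874 > dest-ip.31091:  udp 3873 (frag 56101:1456@0+) (ttl 4, len 1476)
17:16:09.712874 src-ip > dest-ip: (frag 56101:1456@1456+) (ttl 4, len 1476)
17:16:09.713686 src-ip > dest-ip: (frag 56101:969@2912) (ttl 4, len 989)
"""

# (frag <ip-id>:<bytes in this fragment>@<offset><"+" if more fragments follow>)
FRAG = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")
# Ports and UDP payload length, as printed on the offset-0 line in the post.
PORTS = re.compile(r"\S+\.(\d+) > \S+\.(\d+):\s+udp (\d+)")
UDP_HEADER_LEN = 8


def reassemble(text):
    """Group tcpdump fragment lines by IP ID and summarise each datagram."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = FRAG.search(line)
        if m:
            groups[int(m[1])].append(
                (int(m[3]), int(m[2]), m[4] == "+", PORTS.search(line)))
    result = {}
    for ip_id, frags in groups.items():
        frags.sort(key=lambda f: f[0])
        expected, complete = 0, True
        for offset, size, _more, _ports in frags:
            complete = complete and offset == expected  # no gap or overlap
            expected = offset + size
        complete = complete and not frags[-1][2]        # last one has no "+"
        first = frags[0][3] if frags[0][0] == 0 else None
        result[ip_id] = {
            "fragments": len(frags),
            "ip_payload": expected,       # bytes carried after the IP header
            "complete": complete,
            "sport": int(first[1]) if first else None,
            "dport": int(first[2]) if first else None,
            "udp_payload": int(first[3]) if first else None,
        }
    return result


if __name__ == "__main__":
    print(reassemble(SAMPLE))
```

For the posted lines, 1456 + 1456 + 969 = 3881 bytes, which is the 3873 bytes of UDP data plus a single 8-byte UDP header. If the offset-0 line is missing from a capture, the ports for that fragment ID cannot be recovered from the remaining lines.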



