tcpdump output - what is 0x0020? - Networking



  1. tcpdump output - what is 0x0020?

    I read the damn man page twice and still have no clue.

    tcpdump -nn -i eth1 -X | grep "0000 4009 0700 0000" shows this,
    0x0020: 5010 f923 aa07 0000 0000 4009 0700 0000
    P..#......@.....
    0x0020: 5010 f923 ee21 0000 0000 4009 0700 0000
    P..#.!....@.....
    0x0020: 5010 f923 ee21 0000 0000 4009 0700 0000
    P..#.!....@.....
    0x0020: 5010 fc00 9eba 0000 0000 4009 0700 0000
    P.........@.....
    0x0020: 5018 f94d f1dd 0000 0000 4009 0700 0000
    P..M......@.....

    1. what is 0x0020?
    2. it seems that the pattern 0000 4009 0700 0000 corresponds to
    "..@.....", what is the math behind this?


  2. Re: tcpdump output - what is 0x0020?

    wrote:
    > I read the damn man page twice and still have no clue.
    >
    > tcpdump -nn -i eth1 -X | grep "0000 4009 0700 0000" shows this,
    > 0x0020: 5010 f923 aa07 0000 0000 4009 0700 0000
    > P..#......@.....
    > 0x0020: 5010 f923 ee21 0000 0000 4009 0700 0000
    > P..#.!....@.....
    > 0x0020: 5010 f923 ee21 0000 0000 4009 0700 0000
    > P..#.!....@.....
    > 0x0020: 5010 fc00 9eba 0000 0000 4009 0700 0000
    > P.........@.....
    > 0x0020: 5018 f94d f1dd 0000 0000 4009 0700 0000
    > P..M......@.....
    >
    > 1. what is 0x0020?
    > 2. it seems that the pattern 0000 4009 0700 0000
    > corresponds to
    > "..@.....", what is the math behind this?
    >


    I have actually no idea, but I would guess that:
    - 0x0020 is the offset into the packet data displayed
    - the packet is displayed as you asked for (with -X) in
    hex and ascii, so 80(hex)==P(ascii), 40(hex)==@(ascii),
    stuff that is non-printable is shown with .

    BTW: My tcpdump man page doesn't have -nn.

    HTH
    Martin



  3. Re: tcpdump output - what is 0x0020?


    That -nn flag (Red Hat FC6) turns off service resolution, so you'll see
    80 instead of http. Thanks for that info. I cooked up a signature but
    it doesn't work on my commercial IDS (works fine on Snort).

    On Jan 29, 3:10 pm, "Martin Blume" wrote:
    > wrote:
    > > I read the damn man page twice and still have no clue.
    > >
    > > tcpdump -nn -i eth1 -X | grep "0000 4009 0700 0000" shows this,
    > > 0x0020: 5010 f923 aa07 0000 0000 4009 0700 0000
    > > P..#......@.....
    > > 0x0020: 5010 f923 ee21 0000 0000 4009 0700 0000
    > > P..#.!....@.....
    > > 0x0020: 5010 f923 ee21 0000 0000 4009 0700 0000
    > > P..#.!....@.....
    > > 0x0020: 5010 fc00 9eba 0000 0000 4009 0700 0000
    > > P.........@.....
    > > 0x0020: 5018 f94d f1dd 0000 0000 4009 0700 0000
    > > P..M......@.....
    > >
    > > 1. what is 0x0020?
    > > 2. it seems that the pattern 0000 4009 0700 0000
    > > corresponds to
    > > "..@.....", what is the math behind this?
    >
    > I have actually no idea, but I would guess that:
    > - 0x0020 is the offset into the packet data displayed
    > - the packet is displayed as you asked for (with -X) in
    > hex and ascii, so 80(hex)==P(ascii), 40(hex)==@(ascii),
    > stuff that is non-printable is shown with .
    >
    > BTW: My tcpdump man page doesn't have -nn.
    >
    > HTH
    > Martin



  4. Re: tcpdump output - what is 0x0020?

    In comp.os.linux.networking Martin Blume wrote:
    > wrote:
    >> I read the damn man page twice and still have no clue.
    >>
    >> tcpdump -nn -i eth1 -X | grep "0000 4009 0700 0000" shows this,
    >> 0x0020: 5010 f923 aa07 0000 0000 4009 0700 0000
    >> P..#......@.....
    >> ...
    >> 1. what is 0x0020?
    >> 2. it seems that the pattern 0000 4009 0700 0000
    >> corresponds to
    >> "..@.....", what is the math behind this?
    >>


    > I have actually no idea, but I would guess that:
    > - 0x0020 is the offset into the packet data displayed


    Indeed, and the OP can confirm that by looking at the output in its
    full context - without the pipe to grep - the increment of that number
    will show that it is indeed an offset into the packet.

    > - the packet is displayed as you asked for (with -X) in
    > hex and ascii, so 80(hex)==P(ascii), 40(hex)==@(ascii),
    > stuff that is non-printable is shown with .


    Yep. The manpage for "ascii" is often helpful in those situations.

    rick jones
    --
    firebug n, the idiot who tosses a lit cigarette out his car window
    these opinions are mine, all mine; HP might not want them anyway...
    feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

  5. Re: tcpdump output - what is 0x0020?

    In article <45be54b9$0$18824$5402220f@news.sunrise.ch>,
    Martin Blume wrote:
    > wrote:
    >> I read the damn man page twice and still have no clue.
    >>
    >> tcpdump -nn -i eth1 -X | grep "0000 4009 0700 0000" shows this,
    >> 0x0020: 5010 f923 aa07 0000 0000 4009 0700 0000
    >> P..#......@.....
    >> 0x0020: 5010 f923 ee21 0000 0000 4009 0700 0000
    >> P..#.!....@.....
    >> 0x0020: 5010 f923 ee21 0000 0000 4009 0700 0000
    >> P..#.!....@.....
    >> 0x0020: 5010 fc00 9eba 0000 0000 4009 0700 0000
    >> P.........@.....
    >> 0x0020: 5018 f94d f1dd 0000 0000 4009 0700 0000
    >> P..M......@.....
    >>
    >> 1. what is 0x0020?
    >> 2. it seems that the pattern 0000 4009 0700 0000
    >> corresponds to
    >> "..@.....", what is the math behind this?
    >>

    >
    >I have actually no idea, but I would guess that:
    >- 0x0020 is the offset into the packet data displayed


    Exactly.

    >- the packet is displayed as you asked for (with -X) in
    > hex and ascii, so 80(hex)==P(ascii), 40(hex)==@(ascii),
    > stuff that is non-printable is shown with .


    Actually, 80(hex) is NOT 'P', but 50(hex) is. And 4d(hex) is 'M'.

    Patrick
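
To make the three answers above concrete, here is an added Python example (not code from any of the posters) that reproduces the tcpdump -X dump format for a constructed IPv4/TCP packet. Only the bytes from offset 0x20 onward are taken from the first dump line in the original post; the IP and TCP header bytes before it, the addresses, ports and the zeroed IP checksum are invented for the illustration. tcpdump -X omits the link-layer header (-XX includes it), so offset 0x0000 is the first byte of the IP header and, with a 20-byte IP header, 0x0020 is 12 bytes into the TCP header: the data-offset/flags word (0x5010). Decoding that word is an extra the thread does not discuss.

```python
"""Reproduce the tcpdump -X hex/ASCII dump for a raw IPv4 packet.

Added example for this thread, not code from any poster. The packet below is
constructed: only the bytes from offset 0x20 onward are taken from the first
dump line in the original post; headers, addresses, ports and the (zeroed)
IP checksum are invented for illustration.
"""

# Constructed IPv4 + TCP packet, 48 bytes (0x30). tcpdump -X omits the link-layer
# header, so offset 0x0000 here is the first byte of the IP header.
SAMPLE_PACKET = bytes.fromhex(
    "4500 0030 1234 4000 4006 0000 c000 0201"   # 0x0000: IPv4 header, first 16 bytes
    "c000 0202 0050 d431 0000 0001 0000 0001"   # 0x0010: dst addr, ports, seq, ack
    "5010 f923 aa07 0000 0000 4009 0700 0000"   # 0x0020: the line from the post
)


def ascii_column(chunk: bytes) -> str:
    """Right-hand column of -X output: bytes 0x20..0x7e as themselves, else '.'.

    This is the whole 'math': 0x50 -> 'P', 0x23 -> '#', 0x40 -> '@', 0x4d -> 'M',
    0x21 -> '!', and every 0x00, 0x07, 0x09, 0xf9 ... -> '.'.
    """
    return "".join(chr(b) if 0x20 <= b <= 0x7e else "." for b in chunk)


def hexdump_lines(data: bytes, width: int = 16) -> list:
    """Format `data` the way tcpdump -X does, 16 bytes per line.

    The leading 0xNNNN is the byte offset of the first byte on the line, so it
    steps 0x0000, 0x0010, 0x0020, ... through the packet; the hex column groups
    bytes into 16-bit words; the ASCII column is ascii_column().
    """
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        words = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        hexcol = " ".join(words).ljust(width // 2 * 5 - 1)  # pad a short last line
        lines.append(f"0x{off:04x}:  {hexcol}  {ascii_column(chunk)}")
    return lines


def offsets(data: bytes, width: int = 16) -> list:
    """The offset column on its own, to show that it increments by 0x10 per line."""
    return [line.split(":")[0] for line in hexdump_lines(data, width)]


TCP_FLAG_BITS = [("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
                 ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01)]


def tcp_flags(packet: bytes) -> list:
    """Decode the TCP flags byte of an IPv4/TCP packet dumped from its IP header.

    With a 20-byte IP header the TCP header starts at 0x14, so 0x20 holds its
    data-offset nibble and 0x21 the flags byte (0x5010 = 5*4-byte header, ACK;
    0x5018 = ACK+PSH). Not discussed in the thread; added as the natural next
    step once the offset column is understood.
    """
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes (handles options)
    flags = packet[ihl + 13]
    return [name for name, bit in TCP_FLAG_BITS if flags & bit]


if __name__ == "__main__":
    for line in hexdump_lines(SAMPLE_PACKET):
        print(line)
    print("TCP flags:", tcp_flags(SAMPLE_PACKET))
```

Running it prints three lines with offsets 0x0000, 0x0010 and 0x0020, the last one identical to the first line in the original post, which is the point Rick makes about seeing the offset increment when the output is not filtered through grep. Swapping the flags byte from 0x10 to 0x18 reproduces the "5018 f94d" line and decodes as ACK+PSH.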
