Forum Discussion
Lay_Hin_53714
Nimbostratus
Nimbostratustcpdump output interpret guide
Hi All,
Is there a document that can explain the output from tcpdump?
For example, I would like to know what S, P and DF means.
15:23:27.351280 202.6.123.44.9632 > 203.116.162.168.ldap: S 2450604975:2450604975(0) win 49640 (DF)
15:23:27.361003 203.116.162.168.ldap > 202.6.123.44.9632: S 3804777917:3804777917(0) ack 2450604976 win 1460 (DF)
15:23:27.361984 202.6.123.44.9632 > 203.116.162.168.ldap: . ack 1 win 49640 (DF)
15:23:27.423022 202.6.123.44.9632 > 203.116.162.168.ldap: P 1:149(148) ack 1 win 49640 (DF)
15:23:29.034865 203.116.162.168.ldap > 202.6.123.44.9632: . ack 149 win 8760 (DF)
15:23:29.133984 203.116.162.168.ldap > 202.6.123.44.9632: P 1:1461(1460) ack 149 win 8760 (DF)
Lay_Hin_53714Ah... I find following link is quite good in explaining the detail.
http://www.taosecurity.com/intv2-8.html
HamishCirrocumulus
Hi Layhin.
Also be aware that a good decoder like wireshark is worth its weight in gold when trying to diagnose what's happening at the content level. It'll decode HTTP, CDP, all those little protocols you need to inspect so often. And it'll give you quick stats on of connections, endpoints etc for quickly finding what you're looking for too.- JRahm
Admin
If you are adventurous, you can download the F5 wireshark plugin (Click here) This requires you to compile wireshark yourself, but the payoff is extra details in the capture files if taken from the bigip. 
hoolioCirrostratus
Hey Citizen,
Out of curiosity, what additional info do you get with the F5 modifications?
Thanks,
Aaron- JRahmmost useful item I remember is the connection id so you can match clientside and serverside flows. It's been a few months since I lost the workstation I had it compiled on.
ukstinI´ve compiled wireshark with this plugin and dump a box with bigip 9.4.5 but I compared the data with a default wireshark (without this plugin) and the information is the same.
I need to run tcpdump with some different attributes?? - I collect through the gui (system -> support)- JRahmwhen you specify the interface, you need to append :000 or :nnn, I can't remember.
- hoolioI think it's :nnn
tcpdump -ni 0.0:000 -s0 -w/var/tmp/test.dmp
tcpdump: unrecognized interface name: 0.0:000
tcpdump -ni 0.0:nnn -s0 -w/var/tmp/test.dmp
tcpdump: listening on 0.0:nnn
Using tcpdump to read the file you can see extra fields at the end of the normal info. I'm assuming the Wireshark patch parses this info.
tail-type 1 len 33 f5-low ver[0] fty[0] fid[00000000] pid[00000000] cfl[00000000] flg[0001] pgr[0] pun[0] lis= tail-type 2 len 6 f5-med ver[0] ins[0] inp[0] ha[0] tail-type 3 len 40 f5-hi ver[0] pra[00000000:00000000:00000000:00000000] pla[00000000:00000000:00000000:00000000] prp[0] plp[0] pip[0] pvl[0]
Can someone send me a compiled version of the modified wireshark version (hooleylists at gmail dot com)? I can't easily compile it without reworking my existing cygwin installation.
Thanks,
Aaron - ukstinworks with this:
tcpdump -ni 0.0:nnn -s0 -w/var/tmp/test.dmp
thanks people, I don´t know if someday I´ll have to use these informations, but it´s interesting :D
