SUMMARY:snoop output

From: Alan Miller (alan@bintec.de)
Date: Wed Jun 23 1999 - 08:02:40 CDT


Dear Sun Managers,

Again, thank you to the respondent who,
in order of appearance, was:

Casper Dik <casper@holland.sun.com>

As Casper pointed out:
 ...."snoop just looks at the content of the packet and doesn't
 check whether it's a continuation packet."
 
Indeed, I could have avoided the continuation packets altogether
via the nofrag option (or the expr option) which evaluates true:

 1. if the packet is unfragmented, or
 2. is the first in a series of IP fragments
 
 e.g., snoop "ip[6:2] & 0x1fff = 0" and udp port 67 or \
             "ip[6:2] & 0x1fff = 0" and udp port 68
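To make the difference between the two filters concrete, here is an added Python model (not part of this post, and not snoop's own code) of the three fragments from the attached trace and of both filter forms. It assumes that a bare "udp port N" test simply compares the two 16-bit words at the transport-header offset of every packet, as Casper's remark describes; addresses are placeholders and checksums are zero.

```python
import struct
# Added example, not part of the original post or of snoop itself. Constructed
# IPv4 fragments modelled on the three packets in the snoop output below:
# ident 40444, Flags 0x6/0x6/0x4, offsets 0/1480/2960 bytes. Addresses are
# placeholders and checksums are zero; neither affects the fragment test.

def build_ipv4_header(total_len, ident, df, mf, frag_off_bytes, proto=17,
                      src=(172, 16, 0, 1), dst=(172, 16, 0, 2)):
    """Return a 20-byte IPv4 header; frag_off_bytes must be a multiple of 8."""
    flags = (df << 1) | mf                              # 3-bit field: res, DF, MF
    frag_field = (flags << 13) | (frag_off_bytes // 8)  # this is snoop's ip[6:2]
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                       frag_field, 255, proto, 0, bytes(src), bytes(dst))

def fragment_info(pkt):
    """(more_fragments, offset_in_bytes) decoded from bytes 6-7 of the header."""
    frag_field = struct.unpack("!H", pkt[6:8])[0]
    return bool((frag_field >> 13) & 1), (frag_field & 0x1FFF) * 8

def passes_nofrag(pkt):
    """snoop's 'ip[6:2] & 0x1fff = 0': true for an unfragmented packet or the
    first fragment of a series, false for every continuation fragment."""
    return (struct.unpack("!H", pkt[6:8])[0] & 0x1FFF) == 0

def content_port_match(pkt, port):
    """What 'udp port N' does on its own: test the two 16-bit words that sit
    where a UDP header would be, without checking for a continuation fragment,
    so payload bytes of a later fragment can match by coincidence."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9] == 17 and port in struct.unpack("!HH", pkt[ihl:ihl + 4])

def fixed_port_match(pkt, port):
    """The corrected filter from the summary: nofrag combined with the port test."""
    return passes_nofrag(pkt) and content_port_match(pkt, port)

# Fragment 1 carries the real UDP header (2049 -> 697, length 4204). Fragment 2
# is payload only, but its data happens to contain 0x0043 (= 67) where a
# destination port would be: the kind of false positive the summary describes.
FRAGMENTS = [
    build_ipv4_header(1500, 40444, df=1, mf=1, frag_off_bytes=0)
    + struct.pack("!HHHH", 2049, 697, 4204, 0) + b"\x00" * 1472,
    build_ipv4_header(1500, 40444, df=1, mf=1, frag_off_bytes=1480)
    + b"\x12\x34\x00\x43" + b"\x00" * 1476,
    build_ipv4_header(1264, 40444, df=1, mf=0, frag_off_bytes=2960)
    + b"\x00" * 1244,
]

def kept_by(match, pkts, port=67):
    """1-based indices (as snoop numbers packets) of the packets a filter reports."""
    return [i for i, p in enumerate(pkts, 1) if match(p, port)]
```

With port 67 the content-only filter reports fragment 2 (a continuation with no UDP header at all), while the nofrag-qualified filter reports nothing; with the real port 697 both filters agree on fragment 1.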

For those interested I've attached the conversation sequence
in: udp-continued.sn

Original Question:
>Hi
>
>While testing out the DHCP server (in.dhcpd) on my E450
>running 2.6 I've come across some unusual traffic on my network.
>
>While tracing the DHCP Client-Server traffic I ran the command:
> snoop -o /tmp/dhcp udp port 67 or udp port 68
>
>Along with the usual DHCP traffic sent/recvd by client/server
> Packet: From:
> DHCPDISCOVER Client
> DHCPOFFER Server
> DHCPREQUEST Client
> DHCPACK Server
>
>I noticed that every once in a while packets would show up via
>snoop that appear to be sent from my DHCP Server to the Linux
>client. Because the data portion of these packets contain text
>that looks like a listing of URL references I continued snooping
>the client with netscape running on the client. It seems every
>time I click the "Back" button in Netscape, snoop reports a packet
>was transmitted from server to client. (see packet below)
>

Alan

+--------------------------------------------------------------------+
| Alan Miller BinTec Communications AG |
| System/Network Administrator Südwestpark 94 |
| Voice: +49 911 96 73 14 55 D-90449, Nürnberg |
| Fax: +49 911 96 73 14 99 Germany |
| mailto:alan@bintec.de http://www.BinTec.de |
+--------------------------------------------------------------------+

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 1 arrived at 16:56:58.20
ETHER: Packet size = 1514 bytes
ETHER: Destination = 0:80:c8:xx:xx:xx,
ETHER: Source = 8:0:20:yy:yy:yy, Sun
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 1500 bytes
IP: Identification = 40444
IP: Flags = 0x6
IP: .1.. .... = do not fragment
IP: ..1. .... = more fragments
IP: Fragment offset = 0 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = 9f35
IP: Source address = 172.YY.YY.YY, server.dev.bintec.de
IP: Destination address = 172.XX.XX.XX, linux.dev.bintec.de
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 2049
UDP: Destination port = 697 (Sun RPC)
UDP: Length = 4204 (Not all data contained in this fragment)
UDP: Checksum = 1A69
UDP:
RPC: ----- SUN RPC Header -----
RPC:
RPC: Transaction id = 1444677619
RPC: Type = 1 (Reply)
RPC: Status = 0 (Accepted)
RPC: Verifier : Flavor = 0 (None), len = 0 bytes
RPC: Accept status = 0 (Success)

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 2 arrived at 16:56:58.20
ETHER: Packet size = 1514 bytes
ETHER: Destination = 0:80:c8:xx:xx:xx,
ETHER: Source = 8:0:20:yy:yy:yy, Sun
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 1500 bytes
IP: Identification = 40444
IP: Flags = 0x6
IP: .1.. .... = do not fragment
IP: ..1. .... = more fragments
IP: Fragment offset = 1480 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = 9e7c
IP: Source address = 172.YY.YY.YY, server.dev.bintec.de
IP: Destination address = 172.XX.XX.XX, linux.dev.bintec.de
IP: No options
IP:
UDP: [1480 byte(s) of data, continuation of IP ident=40444]

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 3 arrived at 16:56:58.20
ETHER: Packet size = 1278 bytes
ETHER: Destination = 0:80:c8:xx:xx:xx,
ETHER: Source = 8:0:20:yy:yy:yy, Sun
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 1264 bytes
IP: Identification = 40444
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 2960 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = beaf
IP: Source address = 172.YY.YY.YY, server.dev.bintec.de
IP: Destination address = 172.XX.XX.XX, linux.dev.bintec.de
IP: No options
IP:
UDP: [1244 byte(s) of data, continuation of IP ident=40444]



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:22 CDT