[plug] TCPdump interpretation

Anthony J. Breeds-Taurima tony at cantech.net.au
Thu Jan 4 12:04:44 WST 2001


On Thu, 4 Jan 2001, Earnshaw, Mike wrote:

> Pluggers,
>
> Can anyone help give pointers to what this excerpt from a tcpdump file
> means?
>
> 09:45:54.760614 0:0:81:59:e9:eb > 1:0:81:0:1:0 sap aa ui/C len=39
> 			 0a09 47ff 1901 0200 0000 0000 0000 0000
> 			 0000 0000 0000 0000 0000 0000 0000 0000
> 			 0000 0000 0000 00
> 09:45:54.761516 0:0:81:59:e9:eb > 1:0:81:0:1:1 sap aa ui/C len=39
> 			 0a09 47ff 1901 0200 0000 0000 0000 0000
> 			 0000 0000 0000 0000 0000 0000 0000 0000
> 			 0000 0000 0000 00
>
> Examining it appears:
>
> date.time mac address from > to mac address .... but the rest means?

The "sap" I'm pretty sure is an IPX thing; I don't know about the "aa" or the
"ui/C", again I think they will be IPX specific.  Obviously the "len=39" is
the length of the packet (in octets) and the indented rest is the data.

As to the machines involved:

The machine that has MAC of "0:0:81:59:e9:eb" is a Nortel/Baynetworks
device.  To the best of my searches the second mac address isn't valid,
perhaps an arp may help locate the devices.

Basically tcpdump is for TCP traffic and that isn't an IP packet.  If you
operate in a mixed protocol environment then you may need to look at another
tool to do the job.  I've heard that Ethereal is good but know nothing about it
(other than www.ethereal.com).

HTH

Yours Tony.

/*
 * "The significant problems we face cannot be solved at the
 * same level of thinking we were at when we created them."
 * --Albert Einstein
 */
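As an added illustration (not part of the original post), the following script parses the tcpdump output format Mike quoted: the summary line (timestamp, source MAC > destination MAC, LLC "sap" value, control field such as "ui/C", and "len="), followed by the indented hex dump. It checks that the dumped bytes match the "len=" field, names the SAP value where it is known (0xAA is the LLC SNAP SAP), and reports whether the destination MAC is a group address by testing the I/G bit, the least significant bit of the first octet. The sample input is the two frames from the post; the regular expression and field names are my own assumptions about this old tcpdump layout, not tcpdump's code.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the two frames from the post, as tcpdump printed them
# (summary line, then tab-indented hex words belonging to that frame).
SAMPLE = """\
09:45:54.760614 0:0:81:59:e9:eb > 1:0:81:0:1:0 sap aa ui/C len=39
\t\t\t 0a09 47ff 1901 0200 0000 0000 0000 0000
\t\t\t 0000 0000 0000 0000 0000 0000 0000 0000
\t\t\t 0000 0000 0000 00
09:45:54.761516 0:0:81:59:e9:eb > 1:0:81:0:1:1 sap aa ui/C len=39
\t\t\t 0a09 47ff 1901 0200 0000 0000 0000 0000
\t\t\t 0000 0000 0000 0000 0000 0000 0000 0000
\t\t\t 0000 0000 0000 00
"""

# Assumed layout of the summary line (matches the lines in the post).
SUMMARY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>[0-9a-f:]+)\s+>\s+(?P<dst>[0-9a-f:]+)\s+"
    r"sap\s+(?P<sap>[0-9a-f]{2})\s+(?P<ctrl>\S+)\s+len=(?P<len>\d+)$"
)

# LLC SAP values this script names; 0xAA is the SNAP SAP.
SAP_NAMES = {0xAA: "SNAP"}


def mac_octets(mac: str) -> list[int]:
    """Parse tcpdump's unpadded MAC notation ('1:0:81:0:1:0') into six ints."""
    parts = [int(p, 16) for p in mac.split(":")]
    if len(parts) != 6 or any(not 0 <= p <= 0xFF for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    return parts


@dataclass
class LlcFrame:
    timestamp: str
    src: str
    dst: str
    sap: int
    control: str
    length: int
    data: bytes = b""

    @property
    def sap_name(self) -> str:
        return SAP_NAMES.get(self.sap, "unknown")

    @property
    def dst_is_group(self) -> bool:
        # I/G bit: LSB of the first octet, 1 = group (multicast/broadcast).
        return mac_octets(self.dst)[0] & 1 == 1

    @property
    def length_matches(self) -> bool:
        # Does the number of dumped bytes agree with the len= field?
        return len(self.data) == self.length

    def describe(self) -> str:
        kind = "group" if self.dst_is_group else "individual"
        ok = "ok" if self.length_matches else "MISMATCH"
        return (f"{self.timestamp} {self.src} -> {self.dst} ({kind} dst) "
                f"sap 0x{self.sap:02x} [{self.sap_name}] {self.control} "
                f"len={self.length} dumped={len(self.data)} {ok}")


def parse_tcpdump_llc(text: str) -> list[LlcFrame]:
    """Turn tcpdump LLC summary lines plus hex dump lines into LlcFrame objects."""
    frames: list[LlcFrame] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[:1].isspace():
            # Indented continuation line: hex words of the previous frame.
            if not frames:
                raise ValueError("hex dump before any summary line")
            frames[-1].data += bytes.fromhex("".join(line.split()))
            continue
        m = SUMMARY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised summary line: {line!r}")
        frames.append(LlcFrame(m["ts"], m["src"], m["dst"], int(m["sap"], 16),
                               m["ctrl"], int(m["len"])))
    return frames


if __name__ == "__main__":
    for frame in parse_tcpdump_llc(SAMPLE):
        print(frame.describe())
```

Running it on the sample shows both frames carry 39 dumped bytes, matching the len field, with SAP 0xAA and a group destination address; a length mismatch or an unparseable line is reported rather than silently skipped, which is the behaviour you want when feeding a capture log into any further tooling.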
