Note that things look much healthier when I switch to wired ethernet
(e1000g0):
$ pfexec tshark -i e1000g0
Capturing on e1000g0
0.000000 Riverdel_cc:c6:50 -> Broadcast ARP Who has
94.208.30.205? Tell 94.208.24.1
0.000352 Riverdel_cc:c6:50 -> Broadcast ARP Who has
94.208.30.205? Tell 94.208.24.1
0.002498 Riverdel_cc:c6:50 -> Broadcast ARP Who has
94.208.30.205? Tell 94.208.24.1
0.003038 Riverdel_cc:c6:50 -> Broadcast ARP Who has
94.208.30.205? Tell 94.208.24.1
0.003039 Riverdel_cc:c6:50 -> Broadcast ARP Who has
94.208.30.205? Tell 94.208.24.1
0.003404 Riverdel_cc:c6:50 -> Broadcast ARP Who has
94.208.30.205? Tell 94.208.24.1
0.004236 Riverdel_cc:c6:50 -> Broadcast ARP Who has
94.208.30.205? Tell 94.208.24.1
0.004647 Riverdel_cc:c6:50 -> Broadcast ARP Who has
94.208.30.205? Tell 94.208.24.1
^C8 packets captured
Or something like this (from tshark this time):
18.193832 212.54.40.25 -> 83.81.185.108 DNS Standard query response
CNAME wildcard.addthiscdn.com.edgekey.net CNAME e1303.c.akamaiedge.net A
88.221.49.115
18.194094 83.81.185.108 -> 88.221.49.115 TCP 37488 > http [SYN] Seq=0
Win=64240 Len=0 MSS=1460 TSV=1190171 TSER=0 WS=1
18.218650 88.221.49.115 -> 83.81.185.108 TCP http > 37488 [SYN, ACK]
Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=1310561237 TSER=1190171 WS=1
18.218702 83.81.185.108 -> 88.221.49.115 TCP 37488 > http [ACK] Seq=1
Ack=1 Win=128872 Len=0 TSV=1190173 TSER=1310561237
18.218757 83.81.185.108 -> 88.221.49.115 HTTP GET
/live/t00/250lo.gif?uid=4a34dffb4c559833&7oa0a7&CXNID=2000001.5215456080540439072NXC&pub=sfnet&dr=sourceforge.net%2Ftracker%2F&rev=73511&jsl=1
HTTP/1.1
18.230822 83.81.185.108 -> 88.221.187.172 TCP 40399 > http [ACK]
Seq=1632 Ack=753 Win=128872 Len=0 TSV=1190175 TSER=1291061457
18.243594 88.221.49.115 -> 83.81.185.108 TCP http > 37488 [ACK] Seq=1
Ack=718 Win=7170 Len=0 TSV=1310561261 TSER=1190173
18.243651 88.221.49.115 -> 83.81.185.108 HTTP HTTP/1.1 200 OK (GIF89a)
18.243672 83.81.185.108 -> 88.221.49.115 TCP 37488 > http [ACK]
Seq=718 Ack=390 Win=128872 Len=0 TSV=1190176 TSER=1310561261
$ pfexec tcpdump -v -X -s 1536 -c 3 -i e1000g0
tcpdump: listening on e1000g0, link-type EN10MB (Ethernet), capture size
1536 bytes
12:02:01.238284 IP (tos 0x60, ttl 239, id 1901, offset 0, flags [none],
proto TCP (6), length 40)
66.179.5.20.80 > 5351B737.cable.casema.nl.34265: Flags [F.], cksum
0x20d4 (correct), seq 2454868347, ack 3020619439, win 8190, length 0
0x0000: 4560 0028 076d 0000 ef06 71b3 42b3 0514 E`.(.m....q.B...
0x0010: 5351 b737 0050 85d9 9252 517b b40a feaf SQ.7.P...RQ{....
0x0020: 5011 1ffe 20d4 0000 0000 7ef0 2fb5 P.........~./.
12:02:01.691807 IP (tos 0x0, ttl 255, id 3912, offset 0, flags [none],
proto UDP (17), length 70)
5351B96C.cable.casema.nl.48181 > dns.tb.iss.as9143.net.domain:
5100+ PTR? 20.5.179.66.in-addr.arpa. (42)
0x0000: 4500 0046 0f48 0000 ff11 a351 5351 b96c E..F.H.....QSQ.l
0x0010: d436 2819 bc35 0035 0032 0a33 13ec 0100 .6(..5.5.2.3....
0x0020: 0001 0000 0000 0000 0232 3001 3503 3137 .........20.5.17
0x0030: 3902 3636 0769 6e2d 6164 6472 0461 7270 9.66.in-addr.arp
0x0040: 6100 000c 0001 a.....
12:02:01.902419 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto
UDP (17), length 161)
dns.tb.iss.as9143.net.domain > 5351B96C.cable.casema.nl.48181: 5100
NXDomain 1/1/0 20.5.179.66.in-addr.arpa. CNAME
20.0-25.5.179.66.in-addr.arpa. (133)
0x0000: 4500 00a1 0000 4000 3b11 363f d436 2819 E.....@.;.6?.6(.
0x0010: 5351 b96c 0035 bc35 008d e487 13ec 8183 SQ.l.5.5........
0x0020: 0001 0001 0001 0000 0232 3001 3503 3137 .........20.5.17
0x0030: 3902 3636 0769 6e2d 6164 6472 0461 7270 9.66.in-addr.arp
0x0040: 6100 000c 0001 c00c 0005 0001 0000 3840 a.............8@
0x0050: 000a 0232 3004 302d 3235 c00f c039 0006 ...20.0-25...9..
0x0060: 0001 0000 0e10 0039 036e 7331 0669 6e66 .......9.ns1.inf
0x0070: 6c6f 7703 6e65 7400 0364 6e73 0b63 6f72 low.net..dns.cor
0x0080: 656d 6574 7269 6373 0363 6f6d 0077 ce5c emetrics.com.w.\
0x0090: 8200 0004 b000 0000 b400 1275 0000 000e ...........u....
0x00a0: 10 .
3 packets captured
17 packets received by filter
0 packets dropped by kernel
On 02/ 3/10 11:23 AM, Darren Reed wrote:
Rather than the usual 14 bytes, you've got 18 bytes prepended to your
IP packets.
The confusing part is the 2 bytes in front of the MAC addresses and
the 2 bytes between the MAC addresses and the ethernet type.
These all appear to be broadcast packets of one type or another.
Antoon Huiskens wrote:
$ pfexec tcpdump -v -X -s 1536 -c 3 -i iwk0
tcpdump: listening on iwk0, link-type EN10MB (Ethernet), capture size 1536 bytes
13:00:08.382924 ff:ff:ff:ff:00:0b (oui Unknown) > 08:22:00:00:ff:ff
(oui Unknown), ethertype Unknown (0x0e9e), length 110:
0x0000: 4340 001d e019 ead1 7054 aaaa 0300 0000 C@......pT......
0x0010: 0800 4500 004e 7c19 0000 8011 c689 0a00 ..E..N|.........
0x0020: e3fc 0a00 ffff 0089 0089 003a f94c 87a1 ...........:.L..
0x0030: 0110 0001 0000 0000 0000 2046 4446 4645 ...........FDFFE
0x0040: 4f43 4e45 4244 4644 4a44 4145 4444 4845 OCNEBDFDJDAEDDHE
0x0050: 4345 4344 4945 4745 4341 4100 0020 0001 CECDIEGECAA.....
13:00:08.383053 ff:ff:ff:ff:00:0b (oui Unknown) > 08:02:00:00:ff:ff
(oui Unknown), ethertype Unknown (0x0e9e), length 110:
0x0000: 4340 001f 3bc0 37bd 8054 aaaa 0300 0000 C@..;.7..T......
0x0010: 0800 4500 004e 0071 0000 8011 3266 0a00 ..E..N.q....2f..
0x0020: f3c8 0a00 ffff 0089 0089 003a 2f19 8013 ...........:/...
0x0030: 0110 0001 0000 0000 0000 2045 4a46 4445 ...........EJFDE
0x0040: 4246 4545 4246 4143 4143 4143 4143 4143 BFEEBFACACACACAC
0x0050: 4143 4143 4143 4143 4141 4100 0020 0001 ACACACACAAA.....
13:00:08.485307 00:00:00:02:00:0b (oui Ethernet) > 08:02:00:00:33:33
(oui Unknown), ethertype Unknown (0x0e9e), length 88:
0x0000: 4340 001f 5bbe 892b a054 aaaa 0300 0000 C@..[..+.T......
0x0010: 86dd 6000 0000 0010 3aff fe80 0000 0000 ..`.....:.......
0x0020: 0000 021f 5bff febe 892b ff02 0000 0000 ....[....+......
0x0030: 0000 0000 0000 0000 0002 8500 b11c 0000 ................
0x0040: 0000 0101 001f 5bbe 892b ......[..+
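A check for the situation Darren describes, added here as an example (it is not code from the thread, tcpdump or tshark): instead of trusting the link type the capture reports, scan the frame for the first byte run that parses as a valid IPv4 header (version 4, IHL, total length that fits, checksum that verifies) and report what sits in front of it. The two sample buffers are the hex columns of the quoted -X dumps (first iwk0 packet, wired e1000g0 FIN), so the offsets are relative to those dumps; the LLC/SNAP detection and the field names are assumptions of this example.

```python
"""Locate the IPv4 header in a captured frame regardless of the link-layer
prefix the capture claims. Added example, not thread code; samples are the
hex columns of the quoted tcpdump -X dumps, so offsets are relative to them."""
import struct

# Constructed from the thread's dumps: first iwk0 packet; wired e1000g0 FIN (6 trailing pad bytes).
IWK0_DUMP = bytes.fromhex(
    "4340001de019ead17054aaaa03000000" "08004500004e7c1900008011c6890a00"
    "e3fc0a00ffff00890089003af94c87a1" "01100001000000000000204644464645"
    "4f434e45424446444a44414544444845" "43454344494547454341410000200001")
E1000G0_DUMP = bytes.fromhex(
    "45600028076d0000ef0671b342b30514" "5351b737005085d99252517bb40afeaf"
    "50111ffe20d4000000007ef02fb5")
SNAP_IPV4 = bytes.fromhex("aaaa030000000800")  # LLC/SNAP header carrying IPv4

def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 when a stored checksum verifies."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))  # IHL*4 is even
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def find_ipv4_header(frame: bytes):
    """Return (offset, fields) of the first byte run that is a valid IPv4 header:
    version 4, IHL >= 20, total length inside the frame, checksum verifies."""
    for off in range(len(frame) - 19):
        version, ihl = frame[off] >> 4, (frame[off] & 0x0F) * 4
        if version != 4 or ihl < 20 or off + ihl > len(frame):
            continue
        total_len = struct.unpack("!H", frame[off + 2:off + 4])[0]
        if total_len < ihl or off + total_len > len(frame):
            continue
        if ip_checksum(frame[off:off + ihl]) != 0:
            continue  # looked like a header but the checksum says otherwise
        src = ".".join(str(b) for b in frame[off + 12:off + 16])
        dst = ".".join(str(b) for b in frame[off + 16:off + 20])
        return off, {"total_len": total_len, "proto": frame[off + 9], "src": src, "dst": dst}
    return None

def describe_prefix(frame: bytes, ip_off: int) -> str:
    """Describe what precedes the IPv4 header, spotting an LLC/SNAP header."""
    if ip_off >= 8 and frame[ip_off - 8:ip_off] == SNAP_IPV4:
        return "%d bytes of unknown link header, then LLC/SNAP (IPv4)" % (ip_off - 8)
    return "%d bytes of unknown link header" % ip_off

if __name__ == "__main__":
    for name, dump in (("iwk0", IWK0_DUMP), ("e1000g0", E1000G0_DUMP)):
        off, fields = find_ipv4_header(dump)
        print(name, "IPv4 header at offset", off, "-", describe_prefix(dump, off), fields)
```

On the iwk0 dump the header is found 18 bytes in, behind 10 unexplained bytes and an LLC/SNAP header, while the wired dump parses at offset 0.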
networking-discuss mailing list