yes, that is exactly where the problem was :)
thank you,
-alexm
22:59 14/09/2003
On Mon, 15 Sep 2003, Hannes Gredler wrote:
> alex,
>
> the problem with your capture file is that although it claims
> to be a token ring capture file it is not a token ring capture;
>
> looking at your packet contents with a hex editor:
>
> 00000000 A1 B2 C3 D4 00 02 00 02 FF FF B9 B0 00 00 00 03 00 00 01 F4 00 00 00 06 3F 57 83 05 ........................?W..
> 0000001C 33 95 C1 EC 00 00 00 3C 00 00 00 3C 00 0C 30 0C A0 00 00 02 55 AF 20 C2 08 00 45 00 3......<...<..0.....U. ...E.
>                      ^^^length^^ ^^^caplen^^ ^^^^^^^DMAC^^^^^^ ^^^^^^SMAC^^^^^^^ ^^IP^
> 00000038 00 2C 2F 68 00 00 3C 06 39 58 0A 01 01 0A 0A 01 01 01 86 54 0C BC 31 DB B5 AB 00 00 .,/h..<.9X.........T..1.....
> 00000054 00 00 60 02 FF FF 07 83 00 00 02 04 05 B4 00 00 3F 57 83 05 33 97 84 85 00 00 00 3C ..`.............?W..3......<
>
> you see you have got an ethernet-like frame:
>
> what the tokenring printer in tcpdump is expecting is something like:
>
> struct token_header {
>     u_int8_t  token_ac;                        /* access control byte */
>     u_int8_t  token_fc;                        /* frame control byte */
>     u_int8_t  token_dhost[TOKEN_RING_MAC_LEN]; /* destination MAC */
>     u_int8_t  token_shost[TOKEN_RING_MAC_LEN]; /* source MAC */
>     u_int16_t token_rcf;                       /* routing control field */
>     u_int16_t token_rseg[ROUTING_SEGMENT_MAX]; /* route descriptors */
> };
>
> so your capture seems to miss the access control and frame control bytes [unsure why]
> instead it appears to me as if this is a plain ethernet frame that is saved using
> the wrong DLT_;
>
> maybe somebody more familiar with AIX could comment here;
>
> /hannes
>
> On Sun, Sep 14, 2003 at 06:33:37PM -0500, alex medvedev wrote:
> | hallo,
> |
> | i can't seem to read a capture file with tcpdump (cvs or 3.7.1).
> |
> | the capture file was created with AIX's version of tcpdump (old).
> | it recorded some iscsi packets (see attached dump file).
> |
> | $ file /tmp/rawdump.read
> | /tmp/rawdump.read: tcpdump capture file (big-endian) - version 2.2 (Token Ring, capture length 500)
> |
> | when i read it with tethereal i get expected results:
> |
> | 1 0.000000 10.1.1.10 -> 10.1.1.1 TCP 34388 > 3260 [SYN] Seq=836482475 Ack=0 Win=65535 Len=0
> | 2 0.000115 10.1.1.1 -> 10.1.1.10 TCP 3260 > 34388 [SYN, ACK] Seq=3762875400 Ack=836482476 Win=65535 Len=0
> | 3 0.000211 10.1.1.10 -> 10.1.1.1 TCP 34388 > 3260 [ACK] Seq=836482476 Ack=3762875401 Win=65535 Len=0
> |
> | however, when i read it with tcpdump -r i get something like this:
> |
> | reading from file /tmp/rawdump.read, link-type 6 (IEEE802)
> | 13:23:01.865452524 55:af:20:c2:08:00 30:0c:a0:00:00:02 60:
> | 4500 002c 2f68 0000 3c06 3958 0a01 010a
> | 0a01 0101 8654 0cbc 31db b5ab 0000 0000
> | 6002 ffff 0783 0000 0204 05b4 0000
> | 13:23:01.865567877 30:0c:a0:00:08:00 55:af:20:c2:00:0c 60:
> | 4500 002c 225e 0000 4006 4262 0a01 0101
> | 0a01 010a 0cbc 8654 e048 ec08 31db b5ac
> | 6012 ffff 3b20 0000 0204 05b4 0000
> | 13:23:01.865663360 55:af:20:c2:08:00 30:0c:a0:00:00:02 60:
> | 4500 0028 2f69 0000 3c06 395b 0a01 010a
> | 0a01 0101 8654 0cbc 31db b5ac e048 ec09
> | 5010 ffff 52dd 0000 0000 0000 0000
> |
> | i know that current tcpdump cannot decode iscsi yet, but shouldn't it
> | display tcp packets?
> | or is the file way too old for current tcpdump?
> |
> | AIX's tcpdump gives the timestamps in nanoseconds vs. microseconds that
> | tcpdump from tcpdump.org does.
> | could that be the problem?
> |
> | i'd appreciate any input,
> |
> | -alexm
> | 17:21 14/09/2003
> |
> -
> This is the TCPDUMP workers list. It is archived at
> http://www.tcpdump.org/lists/workers/index.html
> To unsubscribe use mailto:[EMAIL PROTECTED]
>
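As an added example (not code from the thread, from tcpdump or from libpcap), a small Python check that reads the pcap file header and first record out of the bytes Hannes dumped, reports whether that frame fits the declared link type, and rewrites the link type so a standard reader treats the frames as Ethernet. The header offsets and DLT values are those of the classic pcap format; the two frame heuristics are my own.

```python
import struct

DLT_EN10MB, DLT_IEEE802 = 1, 6   # libpcap link types: Ethernet, Token Ring
PCAP_MAGIC = 0xA1B2C3D4          # classic magic; 0xA1B23C4D marks nanosecond files
# Constructed input: first 100 bytes of Hannes' dump (file header, record header, frame).
SAMPLE = bytes.fromhex(
    "A1B2C3D4 00020002 FFFFB9B0 00000003 000001F4 00000006"
    "3F578305 3395C1EC 0000003C 0000003C"
    "000C300CA000 000255AF20C2 0800"
    "4500002C2F6800003C0639580A01010A0A010101"
    "86540CBC31DBB5AB00000000 6002FFFF0783 0000 020405B40000"
)

def byte_order(data):
    """Struct prefix for the file's byte order, derived from the magic number."""
    for prefix in (">", "<"):
        if struct.unpack(prefix + "I", data[:4])[0] == PCAP_MAGIC:
            return prefix
    raise ValueError("not a classic pcap file")

def looks_like_ethernet_ipv4(frame):
    """Ethernet II: EtherType 0x0800 at offset 12, then an IPv4 header that fits."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return False
    ihl, total = (frame[14] & 0x0F) * 4, int.from_bytes(frame[16:18], "big")
    return 20 <= ihl <= total <= len(frame) - 14

def looks_like_token_ring_llc(frame):
    """Token Ring per struct token_header: AC, FC (type bits 0x40 = LLC frame),
    DA, SA, a RIF if SA has its routing bit set, then LLC; IP rides on SNAP."""
    if len(frame) < 17 or (frame[1] & 0xC0) != 0x40:
        return False
    llc = 14 + ((frame[14] & 0x1F) if frame[8] & 0x80 else 0)
    return frame[llc:llc + 2] == b"\xaa\xaa"

def diagnose(data):
    """Compare the declared link type with what the first frame actually holds."""
    bo = byte_order(data)
    snaplen, linktype = struct.unpack(bo + "II", data[16:24])
    ts_sec, ts_frac, caplen, origlen = struct.unpack(bo + "IIII", data[24:40])
    frame = data[40:40 + caplen]
    return {"linktype": linktype, "snaplen": snaplen,
            # >= 1e6 cannot be microseconds: nanoseconds under the classic magic
            "nanosecond_timestamps": ts_frac >= 1_000_000,
            "ethernet_ipv4_frame": looks_like_ethernet_ipv4(frame),
            "token_ring_llc_frame": looks_like_token_ring_llc(frame)}

def relabel(data, new_linktype):
    """Copy of the file with only the link-type field (offset 20) rewritten."""
    return data[:20] + struct.pack(byte_order(data) + "I", new_linktype) + data[24:]
```

Relabelling fixes only the link type; the nanosecond fractions the AIX writer stored would still be read as microseconds by a classic pcap reader, so each record's timestamp field needs converting as well.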