A Sun snoop trace has the format below:

Snoop File Header (1 per file) 16 bytes

00-07  "snoop___"
08-11  0x02  (version of encoding)
12-15  0x08  (means FDDI captured)

Snoop Record Header (24 bytes, 1 per record)

00-03 Packet length (includes FDDI header, subtract 21 for IP length)
04-07 Captured packet bytes (60 at present, 63 for Snoop to do TCP)
08-11 Record length (84, includes this 24 + FDDI & IP & TCP/UDP headers)
12-15 Cum Drops (always 0)
16-19 Time Stamp - whole seconds
20-23 Time Stamp - microseconds
FDDI Header (21 bytes)
IP Header (20 bytes) Note: byte numbers below from start of FDDI Header
TCP Header (22 bytes)

What about TCPdump?
For this, I've tried the following commands on one of my machines:
#tcpdump tcp src port telnet -c 10 -s 60 -x -w  testdump60_2
#tcpdump tcp src port ssh -c 20 -s 40 -x -w  testdump40_2
I changed the count value and port so I could figure out the actual size of each
packet. But I found that it varies, changing from time to time in my testing.
So I wonder how that could be?

thanks for help!
-jian

> > Is there any tool that will explain the detailed description of the
> > packets that are captured with -x or -X option.
>
> "-x" and "-X" aren't capture options, they're display options.  For a
> description of at least some of the details of packet contents as dumped
> by those options, see
>
> http://www.rfc-editor.org/
>
> I.e., all "-x" and "-X" do is give you a hex and, with "-X", ASCII dump
> of the raw contents of the packet:
>
>        -x     Print each packet (minus its link level header)  in
>               hex.   The  smaller of the entire packet or snaplen
>               bytes will be printed.
>
>        -X     When printing hex, print ascii too.  Thus if -x  is
>               also set, the packet is printed in hex/ascii.  This
>               is very handy for analysing new protocols.  Even if
>               -x  is not also set, some parts of some packets may
>               be printed in hex/ascii.
>
> A description of the raw hex data is just a description of the protocols
> in question, so you'd have to read the RFCs (see the URL above) or other
> specifications (see, for example
>
> http://www.ietf.org/ID.html
>
> for Internet-Drafts) for the protocols.

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
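Added here as a worked example (it is not code from the posting above, nor from the snoop or tcpdump projects): a small Python script that walks the snoop record headers laid out above and the per-packet headers that tcpdump -w writes in libpcap format, and reports the original length next to the captured length for each record. It assumes the "snoop___" identification pattern stands for "snoop" followed by three NUL octets (the RFC 1761 layout), big-endian snoop fields, and the 24-byte libpcap file header / 16-byte record header; the packets, timestamps and both capture files are constructed in memory, so nothing real is read or written.

```python
"""Walk the record headers of snoop and pcap capture files.

Added example, not code from the original posting.  The captures below
are constructed in memory (fake packet bytes, fake timestamps, not a
real trace) so the script runs offline.  It shows why the captured size
of a record varies when tcpdump is run with -s: the captured length is
min(original packet length, snaplen) and is stored per record, while the
original on-the-wire length is stored beside it.
"""
import struct

# snoop (RFC 1761): big-endian throughout
SNOOP_MAGIC = b"snoop\x00\x00\x00"       # "snoop" followed by three NUL octets
SNOOP_VERSION = 2
SNOOP_DLT_FDDI = 8                        # datalink type code for FDDI

# pcap (libpcap): the byte order of the file is whichever way the magic reads
PCAP_MAGIC = 0xA1B2C3D4
PCAP_DLT_EN10MB = 1                       # Ethernet


def truncate(packets, snaplen):
    """Emulate a capture with a snaplen: keep (orig_len, captured_bytes)."""
    return [(len(p), p[:snaplen]) for p in packets]


def build_snoop(records, dlt=SNOOP_DLT_FDDI):
    """Serialize (orig_len, data) pairs as a version-2 snoop file."""
    out = bytearray(SNOOP_MAGIC + struct.pack(">II", SNOOP_VERSION, dlt))
    for i, (orig_len, data) in enumerate(records):
        pad = (-len(data)) % 4                        # records are 4-byte aligned
        rec_len = 24 + len(data) + pad
        # packet length, captured length, record length, cumulative drops, sec, usec
        out += struct.pack(">IIIIII", orig_len, len(data), rec_len, 0, 1000 + i, 0)
        out += data + b"\x00" * pad
    return bytes(out)


def parse_snoop(buf):
    """Return (dlt, [(orig_len, cap_len, sec, usec, data), ...])."""
    if buf[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop file")
    version, dlt = struct.unpack_from(">II", buf, 8)
    if version != SNOOP_VERSION:
        raise ValueError("unsupported snoop version %d" % version)
    recs, off = [], 16
    while off + 24 <= len(buf):
        orig_len, cap_len, rec_len, _drops, sec, usec = struct.unpack_from(">6I", buf, off)
        # reject lengths that would overlap the header or walk past the buffer
        if rec_len < 24 + cap_len or off + rec_len > len(buf):
            raise ValueError("corrupt snoop record at offset %d" % off)
        recs.append((orig_len, cap_len, sec, usec, buf[off + 24:off + 24 + cap_len]))
        off += rec_len
    return dlt, recs


def build_pcap(records, snaplen, dlt=PCAP_DLT_EN10MB):
    """Serialize (orig_len, data) pairs as a little-endian pcap 2.4 file."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, dlt))
    for i, (orig_len, data) in enumerate(records):
        # ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1000 + i, 0, len(data), orig_len) + data
    return bytes(out)


def parse_pcap(buf):
    """Return (snaplen, dlt, [(orig_len, cap_len, sec, usec, data), ...])."""
    if buf[:4] == struct.pack("<I", PCAP_MAGIC):
        e = "<"
    elif buf[:4] == struct.pack(">I", PCAP_MAGIC):
        e = ">"
    else:
        raise ValueError("not a pcap file")
    _maj, _min, _tz, _sig, snaplen, dlt = struct.unpack_from(e + "HHiIII", buf, 4)
    recs, off = [], 24
    while off + 16 <= len(buf):
        sec, usec, cap_len, orig_len = struct.unpack_from(e + "4I", buf, off)
        if cap_len > snaplen or off + 16 + cap_len > len(buf):
            raise ValueError("corrupt pcap record at offset %d" % off)
        recs.append((orig_len, cap_len, sec, usec, buf[off + 16:off + 16 + cap_len]))
        off += 16 + cap_len
    return snaplen, dlt, recs


# Constructed sample "packets": a 54-byte bare TCP segment (14 Ethernet
# + 20 IP + 20 TCP, no payload) and a 200-byte segment carrying payload.
SAMPLE_PACKETS = [bytes(range(54)), bytes(200)]


def captured_sizes(snaplen, fmt="pcap"):
    """(orig_len, cap_len) per record after writing and re-reading a capture."""
    recs = truncate(SAMPLE_PACKETS, snaplen)
    if fmt == "pcap":
        _, _, parsed = parse_pcap(build_pcap(recs, snaplen))
    else:
        _, parsed = parse_snoop(build_snoop(recs))
    return [(o, c) for o, c, _s, _u, _d in parsed]


if __name__ == "__main__":
    for s in (60, 40):
        print("snaplen", s, "pcap:", captured_sizes(s), "snoop:", captured_sizes(s, "snoop"))
```

Running it prints, for snaplen 60, records of (54, 54) and (200, 60): the 54-byte segment is stored whole because it is shorter than the snaplen, and only the 200-byte one is cut to 60. With snaplen 40 both come out as 40. Neither format pads short packets up to the snaplen, which is why record sizes in a -s capture differ from packet to packet; the original length field tells you what was on the wire.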
