[PLUG] Deciphering ethereal capture

Russell Senior seniorr at aracnet.com
Wed Jun 26 03:56:27 UTC 2002 

>>>>> "Rich" == Rich Shepard <rshepard at appl-ecosys.com> writes:

Rich> On 25 Jun 2002, Russell Senior wrote:
>> >> tcpdump host ftp.sscgis.state.or.us -s 1500 -w /tmp/dump.log

Rich> Russell,

Rich>   Done. The file, dump.log, is at
Rich> http://www.appl-ecosys.com/publications/dump.log

Rich> It's a binary file.

The one I downloaded with wget from that URL wasn't a binary.  It
looked like this:

  18:34:31.811111 eth0 < alpha.aracnet.com.domain > salmo.appl-ecosys.com.3123: 60883 1/2/3 MX xmxpita.excite.com. 10 (146)

                            E^@ ^@.. ^N 5 ^@^@  =^Q .... .. c ..^B
                           ....  7^A ^@ 5 ^L 3 ^@.. .... .... ....
                           ^@^A ^@^A ^@^B ^@^C ^F e  x c  i t  e^C
                            c o  m^@ ^@^O ^@^A ..^L ^@^O ^@^A ^@^@
                           ^@ 0 ^@^L ^@^J ^G x  m x  p i  t a ..^L
                           ..^L ^@^B ^@^A ^@^A ^A^K ^@^O ^D D  N S
                            4^G  I M  G F  A R  M.. ^S.. ^L^@ ^B^@
                           ^A^@ ^A^A ^K^@ ^G^D  D N  S 5 .. E .. *
                           ^@^A ^@^A ^@^@ ^@.. ^@^D .. - .. k .. @


When I do: 

  tcpdump host ftp.sscgis.state.or.us -s 1500 -w /tmp/dump.log

/tmp/dump looks different.  Like a binary.

Rich>   Where do I start reading to get more familiar with tracing
Rich> packets and interpreting the ethereal output? The TCP/IP book?

Uh, by running ethereal and poking around?  It helps to have a basic
understanding of TCP/IP.  There is a man page.  There is a website
(ethereal.com)


-- 
Russell Senior         ``The two chiefs turned to each other.        
seniorr at aracnet.com      Bellison uncorked a flood of horrible       
                         profanity, which, translated meant, `This is
                         extremely unusual.' ''

More information about the PLUG mailing list