tcpdump mailing list archives

Re: unreadable(?) capture file


From: Hannes Gredler <hannes () juniper net>
Date: Mon, 15 Sep 2003 04:22:46 +0200

alex,

the problem with your capture file is that although it claims
to be a token ring capture file it is not a token ring capture;

looking at your packet contents with a hex editor:

00000000  A1 B2 C3 D4 00 02 00 02 FF FF B9 B0 00 00 00 03 00 00 01 F4 00 00 00 06 3F 57 83 05 ........................?W..
0000001C  33 95 C1 EC 00 00 00 3C 00 00 00 3C 00 0C 30 0C A0 00 00 02 55 AF 20 C2 08 00 45 00 3......<...<..0.....U. ...E.
                      ^^^length^^ ^^^caplen^^ ^^^^^^^DMAC^^^^^^ ^^^^^^SMAC^^^^^^^ ^^IP^
00000038  00 2C 2F 68 00 00 3C 06 39 58 0A 01 01 0A 0A 01 01 01 86 54 0C BC 31 DB B5 AB 00 00 .,/h..<.9X.........T..1.....
00000054  00 00 60 02 FF FF 07 83 00 00 02 04 05 B4 00 00 3F 57 83 05 33 97 84 85 00 00 00 3C ..`.............?W..3......<

you see you have got an ethernet-like frame:

what the token ring printer in tcpdump is expecting is something like:

/* from tcpdump's print-token.c */
#define TOKEN_RING_MAC_LEN   6
#define ROUTING_SEGMENT_MAX 16

struct token_header {
        u_int8_t  token_ac;                         /* access control */
        u_int8_t  token_fc;                         /* frame control */
        u_int8_t  token_dhost[TOKEN_RING_MAC_LEN];  /* destination MAC */
        u_int8_t  token_shost[TOKEN_RING_MAC_LEN];  /* source MAC */
        u_int16_t token_rcf;                        /* routing control field */
        u_int16_t token_rseg[ROUTING_SEGMENT_MAX];  /* routing segments */
};

so your capture seems to be missing the access control and frame control bytes [unsure why];
instead it appears to me as if this is a plain ethernet frame that is saved using
the wrong DLT_;

maybe somebody more familiar with AIX could comment here;

/hannes

On Sun, Sep 14, 2003 at 06:33:37PM -0500, alex medvedev wrote:
| hallo,
| 
| i can't seem to read a capture file with tcpdump (cvs or 3.7.1).
| 
| the capture file was created with AIX's version of tcpdump (old).
| it recorded some iscsi packets (see attached dump file).
| 
| $ file /tmp/rawdump.read
| /tmp/rawdump.read: tcpdump capture file (big-endian) - version 2.2 (Token Ring, capture length 500)
| 
| when i read it with tethereal i get expected results:
| 
|   1   0.000000    10.1.1.10 -> 10.1.1.1     TCP 34388 > 3260 [SYN]
| Seq=836482475 Ack=0 Win=65535 Len=0
|   2   0.000115     10.1.1.1 -> 10.1.1.10    TCP 3260 > 34388 [SYN, ACK]
| Seq=3762875400 Ack=836482476 Win=65535 Len=0
|   3   0.000211    10.1.1.10 -> 10.1.1.1     TCP 34388 > 3260 [ACK]
| Seq=836482476 Ack=3762875401 Win=65535 Len=0
| 
| however, when i read it with tcpdump -r i get something like this:
| 
| reading from file /tmp/rawdump.read, link-type 6 (IEEE802)
| 13:23:01.865452524 55:af:20:c2:08:00 30:0c:a0:00:00:02 60:
|                          4500 002c 2f68 0000 3c06 3958 0a01 010a
|                          0a01 0101 8654 0cbc 31db b5ab 0000 0000
|                          6002 ffff 0783 0000 0204 05b4 0000
| 13:23:01.865567877 30:0c:a0:00:08:00 55:af:20:c2:00:0c 60:
|                          4500 002c 225e 0000 4006 4262 0a01 0101
|                          0a01 010a 0cbc 8654 e048 ec08 31db b5ac
|                          6012 ffff 3b20 0000 0204 05b4 0000
| 13:23:01.865663360 55:af:20:c2:08:00 30:0c:a0:00:00:02 60:
|                          4500 0028 2f69 0000 3c06 395b 0a01 010a
|                          0a01 0101 8654 0cbc 31db b5ac e048 ec09
|                          5010 ffff 52dd 0000 0000 0000 0000
| 
| i know that current tcpdump can not decode iscsi yet, but shouldn't it
| display tcp packets?
| or is the file way too old for current tcpdump?
| 
| AIX's tcpdump gives the timestamps in nanoseconds vs. microseconds that
| tcpdump from tcpdump.org does.
| could that be the problem?
| 
| i'd appreciate any input,
| 
| -alexm
| 17:21 14/09/2003
| 
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
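As an added example (not code from the thread, from tcpdump or from AIX), the check a practitioner would run before blaming the file or the tool: parse the pcap global header, test whether the first frame actually matches the token_header layout Hannes quotes or an Ethernet header, note that the fraction field 0x3395C1EC is 865452524 (far above 999999, so the timestamps are nanoseconds as alex observed), and write a copy whose header says DLT_EN10MB and carries libpcap's nanosecond-timestamp magic, leaving every record byte untouched. The SAMPLE bytes are constructed from the first 100 bytes of the hex dump above; all function names and the output file name are mine.

```python
"""Inspect a pcap whose claimed link-type (DLT) does not match its frames,
and rewrite the global header so tcpdump dissects the frames as Ethernet."""
import struct

DLT_EN10MB = 1           # Ethernet
DLT_IEEE802 = 6          # token ring, the link-type alex's AIX dump claims
MAGIC_USEC = 0xA1B2C3D4  # classic pcap magic: microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D  # libpcap's magic for nanosecond timestamps

# Constructed sample: the first 100 bytes of the hex dump quoted in the thread
# (24-byte global header, 16-byte record header, the 60-byte first frame).
SAMPLE = bytes.fromhex(
    "A1B2C3D4 00020002 FFFFB9B0 00000003 000001F4 00000006"   # global header
    "3F578305 3395C1EC 0000003C 0000003C"                      # record header
    "000C300CA000 000255AF20C2 0800"                           # Ethernet header
    "4500002C 2F680000 3C063958 0A01010A 0A010101"             # IPv4 header
    "86540CBC 31DBB5AB 00000000 6002FFFF 07830000 020405B4"    # TCP SYN + MSS option
    "0000"                                                     # padding
)


def parse_global_header(data):
    """Decode the 24-byte pcap global header, detecting byte order from the magic."""
    endian = ">" if struct.unpack(">I", data[:4])[0] in (MAGIC_USEC, MAGIC_NSEC) else "<"
    magic = struct.unpack(endian + "I", data[:4])[0]
    if magic not in (MAGIC_USEC, MAGIC_NSEC):
        raise ValueError("not a pcap file, magic %08x" % magic)
    vmaj, vmin, thiszone, sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    return {"endian": endian, "magic": magic, "version": (vmaj, vmin), "thiszone": thiszone,
            "sigfigs": sigfigs, "snaplen": snaplen, "linktype": linktype}


def iter_records(data, endian):
    """Yield (ts_sec, ts_frac, caplen, origlen, frame); the record header stores incl_len first."""
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        if len(frame) < caplen:
            raise ValueError("truncated record at offset %d" % off)
        yield ts_sec, ts_frac, caplen, origlen, frame
        off += 16 + caplen


def classify_frame(frame):
    """Heuristic: does the frame start like Ethernet (type field at offset 12, IPv4 after it)
    or like the token_header layout (AC, FC, two MACs, optional RIF, then an LLC header)?"""
    if len(frame) >= 15:
        ethertype = struct.unpack(">H", frame[12:14])[0]
        if ethertype in (0x0806, 0x86DD) or (ethertype == 0x0800 and frame[14] >> 4 == 4):
            return "ethernet"
    if len(frame) >= 17 and frame[1] >> 6 == 0b01:       # FC frame-type bits 01 = LLC frame
        llc = 14
        if frame[8] & 0x80:                              # RII bit in source MAC: RIF present
            llc += frame[14] & 0x1F                      # RIF length is the low 5 bits of the RCF
        if frame[llc:llc + 3] in (b"\xaa\xaa\x03", b"\x06\x06\x03", b"\xf0\xf0\x03"):
            return "token-ring"                          # SNAP, IP or NetBIOS SAPs, UI frame
    return "unknown"


def timestamp_resolution(data, endian):
    """'ns' if any fraction field exceeds 999999, which a microsecond file cannot contain.
    (A nanosecond file whose fractions all happen to be below 1e6 is not detectable this way.)"""
    for _, ts_frac, _, _, _ in iter_records(data, endian):
        if ts_frac > 999_999:
            return "ns"
    return "us"


def summarize_tcp(frame):
    """(src, dst, sport, dport, seq, tcp_flags) of an Ethernet/IPv4/TCP frame."""
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport, seq = struct.unpack(">HHI", tcp[:8])
    return src, dst, sport, dport, seq, tcp[13]


def fix_pcap(data, linktype=DLT_EN10MB):
    """Return a copy with the link-type replaced and, when the fractions are nanoseconds,
    the magic switched to MAGIC_NSEC; the records are left byte-for-byte unchanged."""
    hdr = parse_global_header(data)
    magic = MAGIC_NSEC if timestamp_resolution(data, hdr["endian"]) == "ns" else hdr["magic"]
    new_hdr = struct.pack(hdr["endian"] + "IHHiIII", magic, hdr["version"][0], hdr["version"][1],
                          hdr["thiszone"], hdr["sigfigs"], hdr["snaplen"], linktype)
    return new_hdr + data[24:]


if __name__ == "__main__":
    hdr = parse_global_header(SAMPLE)
    print("claimed link-type %d, snaplen %d, timestamps in %s"
          % (hdr["linktype"], hdr["snaplen"], timestamp_resolution(SAMPLE, hdr["endian"])))
    for ts_sec, ts_frac, _, _, frame in iter_records(SAMPLE, hdr["endian"]):
        print("%d.%09d looks like %s: %s" % (ts_sec, ts_frac, classify_frame(frame), summarize_tcp(frame)))
    with open("rawdump.fixed.pcap", "wb") as out:   # then: tcpdump -r rawdump.fixed.pcap
        out.write(fix_pcap(SAMPLE))
```

Run against the real file by replacing SAMPLE with the bytes of /tmp/rawdump.read; the rewritten copy keeps the big-endian layout, the 500-byte snaplen and every record as written, so a tcpdump built against a libpcap that understands the nanosecond magic reads it as Ethernet and prints the same three-way handshake tethereal showed. If the fraction fields had all been below one million the script would have no way to tell nanoseconds from microseconds, which is why the resolution check is reported rather than silently assumed.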

