All,
I have a need to analyze UDP Data packets sent over ethernet(thinnet).
I have three isolated networks. Each network has two systems on it.
Each of the three networks two systems are unique and VME based Systems.
All systems are senders and receivers of UDP data.
I configured a Laptop with Linux RH9 and Ethereal Version 0.9.8, libpcap
0.7,
and spliced it between the two systems on each of the thinet networks.
On two of the three networks I succesfully captured UDP data Packets
and analyzed specific bits of the UDP data Packets.
Ethereal worked great!
However I am having problems analyzing the data I captured on the third
network.
When I started a capture Ethereal's popup screen said it was capturing
UDP
Packets, as it did before. But when I went to look at the Protocol
Field in the
Ethereal GUI it said the protocol was RX. I've done a tone of research
on RX now,
but I'm still confused as how to go about finding the start of the
actual Data Packet
In the Hex Dump. When I expand the RX Tab in the second window it says
it's
Type is ACK Packet. Iv'e read the RX protocol doc online and see there
is an RX
Data Packet and an RX ACK Packet. Can the ACK Packet contain the actual
Data?
Am I somehow capturing only ACK Packets and not Capturing the RX data
Packets that
contain the data?
So I investigated the VME system that is sending the UDP data and have
learned that it is
using the following protocols to send UDP data. Network Layer:
IP/IGMP/ICMP and
transport Layer: UDP. It did not mention RX. I also think the data is
being sent
via IP Multicast. When I started the data capture I just let Ethereal
capture everything.
But all I captured was UDP->RX ACK Packets. Where is the Data? Am I
somehow capturing
only ACK Packets and not capturing the RX data Packets that contain the
data?
Could this be a libpcap bug? Do I have to configure Ethereal to capture
data
on a specific Multicast port which translates to the actual data I want
to see?
Is this a permiscous problem as the Ethereal FAQ mentions?
To confuse things for me alittle further, I went and took the captured
data and opened
it in a more recent Version of Ethereal on Win2000 (Ethereal Version
0.10.6
with the correct Winpcap Version for it as specified on ethereal.com).
Welp, the Protocol field in the Ethereal GUI now listed all the packets
as either
MTP3MG and in some data sets I captured Ethereal listed them as SCCP.
This definitley
is not correct. Maybe this is due to the fact that I captured the data
on Linux with
Libpcap and the Winpcap version is incompatible?
Anyways. Any thoughts or comments or suggestion are appreciated. My
main goal is to locate
the start of the actual data packet and analyze it's contents. I don't
care about the
header stuff other then to verify it is the right protocol and the src
and and dst Ip's
look correct.
Thanks,
Phil
Phil Crescioli
Software Engineer
GENERAL DYNAMICS
Advanced Information Systems
Phil.Crescioli@xxxxxxxxxx
