Network Troubleshooting Using Packet Capture Utilities UUASC 6/2/2005

1.0 Introduction
Purpose
The purpose of this paper is to demonstrate how to monitor and troubleshoot common network based applications
[Link]/IP stack and Ethernet
hardware is assumed.
Packet Capture / Sniffing the Wire
Promiscuous mode is generally used to refer to the practice of putting a network card into a setting so that it
[Link]
[Link]
only monitor traffic to and from other nodes within the same collision domain (for Ethernet and Wireless LAN)
or ring (for Token Ring or FDDI), which is why network switches are used to combat malicious use of
[Link]
[Link], tcpdump, and AirSnort (for wireless LANs)
[Link]
FTP and Telnet transfer data and passwords in clear text, without encryption, and network scanners can see this
[Link], computer users are encouraged to stay away from programs like telnet and use more secure
ones such as SSH.
2.0 libpcap Based Tools
[Link]
[Link], all utilities
[Link]
tcpdump and ethereal.
2.1 The tcpdump Utility
[Link]
[Link]:
box:~# tcpdump
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

[Link], the -i specifies another Ethernet
interface besides the default (eth0). Also included is the -n option which turns off host and port resolution.
The tcpdump utility will attempt to resolve IP addresses, which can lead to significant delays in output due to the
[Link] traffic.

2005 Darren Hoch - webmaster [at] [Link]

box:~# tcpdump -n -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
[Link].935554 IP 192.168.1.105.32783 > [Link].993: P 3432387228:3432387265(37)
ack 2742259796 win 63712 <nop,nop,timestamp 239675 1064682926>
[Link].967508 IP 67.[Link] > [Link].32783: P 1:54(53) ack 37 win 1984
<nop,nop,timestamp 1064879093 239675>

Here is a breakdown of a single packet:

Real Time:                  [Link].967508
Source IP Address:          IP 67.[Link]
Direction of Packet Flow:   >
Destination Address:        [Link].32783:
TCP Flags:                  P
TCP Source SYN Number:      1:
Next TCP SYN Number:        54(53)    # original SYN (1) + payload (53) = next SYN (54)
TCP ACK Number:             ack 37
TCP Window Size:            win 1984
TCP Options:                <nop,nop,timestamp 1064879093 239675>
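The breakdown above can be automated. The following Python is an added example written for this page, not code from the paper: it splits a tcpdump TCP summary line of the shape shown above into its fields and checks the rule the table states (sequence number plus payload length equals the next sequence number). The sample lines are constructed to resemble the paper's captures; the timestamps and the 192.168.1.220 telnet exchange are made up.

```python
import re

# Assumed format: the tcpdump summary line as printed in section 2.1 (tcpdump 3.x style):
#   <time> IP <src>.<sport> > <dst>.<dport>: <flags> [<seq>:<nextseq>(<len>)] [ack <n>] win <n> [<options>]
# Lines of another shape (ARP, DNS, ICMP) are reported as None rather than guessed at.
TCP_LINE_RE = re.compile(
    r"^(?P<time>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\w+) > (?P<dst>[\d.]+)\.(?P<dport>\w+): "
    r"(?P<flags>[SFRPW.]+) "
    r"(?:(?P<seq>\d+):(?P<nextseq>\d+)\((?P<len>\d+)\) )?"
    r"(?:ack (?P<ack>\d+) )?"
    r"win (?P<win>\d+)"
    r"(?: <(?P<options>[^>]*)>)?$"
)


def parse_tcp_line(line):
    """Split one tcpdump TCP summary line into its fields; None if it is not a TCP summary."""
    m = TCP_LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    rec = {
        "time": d["time"],
        "src": d["src"], "sport": d["sport"],
        "dst": d["dst"], "dport": d["dport"],
        "flags": d["flags"],
        "ack": int(d["ack"]) if d["ack"] is not None else None,
        "win": int(d["win"]),
        "options": d["options"].split(",") if d["options"] else [],
    }
    if d["seq"] is not None:
        rec["seq"] = int(d["seq"])
        rec["next_seq"] = int(d["nextseq"])
        rec["len"] = int(d["len"])
        # The rule from the paper's breakdown: seq + payload length = next seq.
        rec["seq_consistent"] = rec["seq"] + rec["len"] == rec["next_seq"]
    else:
        # A pure ACK ('.' with no data) carries no seq range in this output format.
        rec["seq"] = rec["next_seq"] = None
        rec["len"] = 0
        rec["seq_consistent"] = True
    return rec


def breakdown(rec):
    """Labelled view of one record, mirroring the paper's per-field table."""
    return [
        ("Real Time", rec["time"]),
        ("Source", f"{rec['src']}.{rec['sport']}"),
        ("Destination", f"{rec['dst']}.{rec['dport']}"),
        ("TCP Flags", rec["flags"]),
        ("Seq / Next Seq / Len", f"{rec['seq']} / {rec['next_seq']} / {rec['len']}"),
        ("ACK", rec["ack"]),
        ("Window", rec["win"]),
        ("Options", ", ".join(rec["options"])),
    ]


def payload_by_direction(lines):
    """Bytes of TCP payload seen per (src, dst) pair; non-TCP lines are skipped."""
    totals = {}
    for line in lines:
        rec = parse_tcp_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"])
        totals[key] = totals.get(key, 0) + rec["len"]
    return totals


# Constructed sample lines modelled on the paper's captures (timestamps and the
# 192.168.1.220 telnet exchange are made up for this example).
SAMPLE_LINES = [
    "22:16:53.935554 IP 192.168.1.105.32783 > 67.110.253.165.993: P 3432387228:3432387265(37) "
    "ack 2742259796 win 63712 <nop,nop,timestamp 239675 1064682926>",
    "22:16:53.967508 IP 67.110.253.165.993 > 192.168.1.105.32783: P 1:54(53) ack 37 win 1984 "
    "<nop,nop,timestamp 1064879093 239675>",
    "22:17:01.905262 IP 192.168.1.105.32899 > 192.168.1.220.23: S 1903904803:1903904803(0) "
    "win 5840 <mss 1460,sackOK,timestamp 722613 0,nop,wscale 0>",
    "22:17:01.908000 IP 192.168.1.105.32899 > 192.168.1.220.23: . ack 1 win 5840 "
    "<nop,nop,timestamp 722614 111>",
    "22:17:02.459856 arp who-has 192.168.1.102 tell 192.168.1.105",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_tcp_line(line)
        if rec:
            for label, value in breakdown(rec):
                print(f"{label:>22}: {value}")
            print()
    print(payload_by_direction(SAMPLE_LINES))
```

Feeding `tcpdump -n` output through `parse_tcp_line` gives the same per-packet view as the table, and `payload_by_direction` totals the payload each side sent (37 bytes one way, 53 the other for the two lines above), which is a quick way to confirm that data is flowing in both directions of a session.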

If the volume of traffic to be monitored is too great for a standard terminal window buffer, the captured packets
can be written to a file instead of STDOUT with a -w (write) option and then read back in with a -r (read)
option.
box:~# tcpdump -w /tmp/tcp.out -n -i eth1
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
46 packets captured
46 packets received by filter
0 packets dropped by kernel
box:~# tcpdump -r /tmp/tcp.out -n -i eth1
reading from file /tmp/[Link], link-type EN10MB (Ethernet)
[Link].190888 IP 192.168.1.105.32783 > [Link].993: P 3432387731:3432387768(37)
ack 2742260475 win 63712 <nop,nop,timestamp 292100 1065283060>
[Link].227315 IP 67.[Link] > [Link].32783: P 1:54(53) ack 37 win 1984
<nop,nop,timestamp 1065403449 292100>
<<snip>>

2.2 The ethereal Utility
Just like tcpdump, [Link].
[Link]
[Link], this is because they use the same
underlying libpcap engine.
box:~# tethereal -w /tmp/ethereal.out -n -i eth1
Capturing on eth1
0.327450 192.168.1.105 > 67.110.253.165 TLS Application Data
0.361175 67.110.253.165 > 192.168.1.105 TLS Application Data
0.361220 192.168.1.105 > 67.110.253.165 TCP 32783 > 993 [ACK] Seq=37 Ack=53 Win=63712
Len=0 TSV=389797 TSER=1066380554
0.363460 192.168.1.105 > 67.110.253.165 TLS Application Data
0.410951 67.110.253.165 > 192.168.1.105 TLS Application Data
box:~# tethereal -r /tmp/[Link]
6 2.543822 192.168.1.105 > 67.110.253.165 TLS Application Data
7 2.593330 67.110.253.165 > 192.168.1.105 TLS Application Data
8 2.593375 192.168.1.105 > 67.110.253.165 TCP 32783 > imaps [ACK] Seq=37 Ack=53
Win=63712 Len=0 TSV=412045 TSER=1066603077
9 2.595989 192.168.1.105 > 67.110.253.165 TLS Application Data

2.3 The dsniff Utility
Unlike the previously mentioned utilities, [Link]
libpcap engine, [Link]
[Link]
capture and replay all unencrypted sessions including: FTP, telnet, SMTP, IMAP, [Link]
example demonstrates how to use dsniff to audit telnet and ftp sessions:
box:~# dsniff -n -i eth1
dsniff: listening on eth1

06/01/[Link] tcp 192.168.1.105.32883 > [Link].21 (ftp)
USER darren
PASS darren$$$$

06/01/[Link] tcp 192.168.1.105.32889 > [Link].23 (telnet)
darren
darren$$$$
ls
ls -l
ps -ef
exit

2.4 The snort Utility
[Link], it attempts to make
[Link], snort attempts to identify malicious traffic
[Link], snort uses libpcap as the
[Link].

box:~# snort -i eth1 -D -d -u snort -g snort -c /etc/snort/[Link]

[Link]
/var/log/snort/[Link]:
[root@targus ~]# nmap -p 22 -sX 192.168.1.105

This questionable port scan of the ssh port (22) is obfuscated by the -sX (Christmas scan) switch.
Here is the output from the alert file on the host running snort:
box:~# tail -f /var/log/snort/alert
[**] [Link] SCAN nmap XMAS [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/[Link].813099 192.168.1.220:37325 -> [Link]:22
TCP TTL:47 TOS:0x0 ID:15194 IpLen:20 DgmLen:40
**U*P**F Seq: 0x82A00B2 Ack: 0x0 Win: 0x1000 TcpLen: 20 UrgPtr: 0x0
[Xref => [Link]

3.0 Sun Solaris snoop Utility


Snoop is specific to Sun Microsystem'[Link], there is
[Link], it is a utility that puts your system's interface(s) in
[Link], since snoop uses its own packet capture library, the
[Link]
(-d) with name resolution disabled (-r).
pilate> snoop -r -d hme0
Using device /dev/hme (promiscuous mode)
[Link] > 67.110.253.164 TCP D=22 S=32897 Ack=1172114638 Seq=1267082364 Len=0
Win=11200 Options=<nop,nop,tstamp 663391 727479722>
[Link] > 66.27.208.74 TCP D=32897 S=22 Push Ack=1267082364 Seq=1172114638
Len=208 Win=47824 Options=<nop,nop,tstamp 727479725 663391>

Like libpcap utilities, snoop also enables the redirection of packets to a file instead of STDOUT.
pilate> snoop -o /tmp/snoop.out -r -d hme0
Using device /dev/hme (promiscuous mode)
14
pilate> snoop -i /tmp/[Link]
[Link] > pilate TCP D=22 S=32897
Ack=1172118318 Seq=1267084668 Len=0 Win=15600 Options=<nop,nop,tstamp 670581 727486912>
2 0.00005 pilate > [Link]=32897 S=22 Push
Ack=1267084668 Seq=1172118318 Len=112 Win=47824 Options=<nop,nop,tstamp 727486915 670581>


4.0 Using Filter Expressions


[Link]
[Link]
[Link], both the
[Link]
in all utilities, the most common filters are by port, protocol, [Link]
telnet traffic and host 192.168.1.105:
[root@targus ~]# tcpdump -n -i eth0 port 23 and host 192.168.1.105
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
[Link].905262 IP 192.168.1.105.32899 > [Link].telnet: S 1903904803:1903904803(0)
win 5840 <mss 1460,sackOK,timestamp 722613 0,nop,wscale 0>
[root@targus ~]# tethereal -n -i eth0 port 23 and host 192.168.1.105
Capturing on eth0
0.000000 192.168.1.105 > 192.168.1.220 TCP 32900 > 23 [SYN] Seq=0 Ack=0 Win=5840 Len=0
MSS=1460 TSV=729689 TSER=0 WS=0

box:~# dsniff -n -i eth1 port 23 and host 192.168.1.105
dsniff: listening on eth1 [port 23 and host 192.168.1.105]

06/01/[Link] tcp 192.168.1.105.32901 > [Link].23 (telnet)
root
cangetin
pilate> snoop -r -d hme0 port 53 and host 192.168.1.105

[Link], a
[Link]
[Link]
ssh control traffic to and from the control connection (192.168.1.105 connected to 192.168.1.220 as root) and
all DNS traffic.
[root@targus ~]# who
root pts/2 Jun 1 21:30 ([Link])
[root@targus ~]# tcpdump -n -i eth0 not host 192.168.1.105 and not port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
[Link].692524 IP 216.93.214.50.51606 > [Link].ssh: S 2550704294:2550704294(0)
win 5840 <mss 1460,sackOK,timestamp 431608120 0,nop,wscale 2>
[Link].[Link] > [Link].51606: S 729994889:729994889(0) ack
2550704295 win 5792 <mss 1460,sackOK,timestamp 111008380 431608120,nop,wscale 2>
[Link].796911 IP 216.93.214.50.51606 > [Link].ssh: . ack 1 win 1460
<nop,nop,timestamp 431608221 111008380>
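The two filters used in this section ("port 23 and host 192.168.1.105" and "not host 192.168.1.105 and not port 53") share one grammar across tcpdump, tethereal, dsniff and snoop. The Python below is an added example written for this page, not the paper's or libpcap's code: it parses that subset of the filter language (host, port, src/dst qualifiers, protocol names, not/and/or with parentheses, using BPF's precedence of not over and over or) and evaluates it against packets represented as dicts. The packet records are constructed to match the captures above; the DNS query and the ARP frame are made up.

```python
# Minimal evaluator for the subset of the pcap filter language used in section 4.
# Packets are dicts here, a simplification for this example (real filters run on raw frames).

def tokenize(expr):
    return expr.replace("(", " ( ").replace(")", " ) ").split()


class FilterParser:
    """Recursive-descent parser: or < and < not < primitive, as in BPF."""

    def __init__(self, expr):
        self.toks = tokenize(expr)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter expression")
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_primitive()

    def parse_primitive(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok == "host":
            return ("host", direction, self.take())
        if tok == "port":
            return ("port", direction, int(self.take()))
        if direction is None and tok in ("ip", "arp", "tcp", "udp", "icmp"):
            return ("proto", tok)
        raise ValueError(f"unexpected token {tok!r}")


def matches(node, pkt):
    kind = node[0]
    if kind == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if kind == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "not":
        return not matches(node[1], pkt)
    if kind == "proto":
        # 'ip' covers every IP-carried protocol; ARP is its own link-layer type.
        return pkt["proto"] == node[1] or (node[1] == "ip" and pkt["proto"] != "arp")
    _, direction, value = node
    if kind == "port":
        if pkt["proto"] not in ("tcp", "udp"):
            return False            # 'port' only has meaning for TCP/UDP
        src_val, dst_val = pkt["sport"], pkt["dport"]
    else:
        src_val, dst_val = pkt["src"], pkt["dst"]
    if direction == "src":
        return src_val == value
    if direction == "dst":
        return dst_val == value
    return src_val == value or dst_val == value   # unqualified: either end matches


def apply_filter(expr, packets):
    """Names of the packets the expression selects, in capture order."""
    tree = FilterParser(expr).parse()
    return [p["name"] for p in packets if matches(tree, p)]


# Constructed packets modelled on the captures in section 4.
PACKETS = [
    {"name": "telnet-syn", "proto": "tcp", "src": "192.168.1.105", "sport": 32900, "dst": "192.168.1.220", "dport": 23},
    {"name": "dns-query", "proto": "udp", "src": "192.168.1.105", "sport": 32770, "dst": "192.168.1.1", "dport": 53},
    {"name": "ssh-syn", "proto": "tcp", "src": "216.93.214.50", "sport": 51606, "dst": "192.168.1.220", "dport": 22},
    {"name": "arp-request", "proto": "arp", "src": "192.168.1.105", "sport": None, "dst": "192.168.1.102", "dport": None},
]

if __name__ == "__main__":
    for expr in ("port 23 and host 192.168.1.105", "not host 192.168.1.105 and not port 53", "tcp and (port 22 or port 23)"):
        print(f"{expr!r:45} -> {apply_filter(expr, PACKETS)}")
```

The point the evaluator makes explicit is that an unqualified "host" or "port" matches either end of the packet, which is why "not host 192.168.1.105" removes both directions of the ssh control session at once; "src host" or "dst port" is needed to pick one direction.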


5.0 Protocol Layer Problems


5.1.0 ARP Layer Problems - No ARP Reply
[Link]
ping hangs or no reply is received, [Link],
however, there could be multiple issues at the ARP layer preventing a working host from communicating on the
[Link]
[Link]
from the destination host.
box:~# ping 192.168.1.102
PING 192.168.1.102 ([Link]) 56(84) bytes of data.
64 bytes from 192.168.1.102: icmp_seq=1 ttl=128 time=5.83 ms
box:~# tcpdump -n -i eth1 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
[Link].459856 arp who-has 192.168.1.102 tell 192.168.1.105
[Link].462638 arp reply 192.168.1.102 is-at [Link]

[Link]
destination host ([Link]). This could mean that the destination host is not online.
box:~# ping 192.168.1.107
PING 192.168.1.107 ([Link]) 56(84) bytes of data.
From 192.168.1.105 icmp_seq=1 Destination Host Unreachable
From 192.168.1.105 icmp_seq=2 Destination Host Unreachable
box:~# tcpdump -n -i eth1 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
[Link].995766 arp who-has 192.168.1.107 tell 192.168.1.105
[Link].992668 arp who-has 192.168.1.107 tell 192.168.1.105
[Link].992667 arp who-has 192.168.1.107 tell 192.168.1.105

5.1.1 ARP Layer Problems - Duplicate IP Addresses
When two hosts have the same IP Address assigned, there will be two ARP REPLYs to the ARP REQUEST.
The first reply enters the source host'[Link]
following example demonstrates how a Windows XP and LINUX host compete for the same IP address.
On the surface, the ping makes it appear that the destination host (expected to be LINUX) is up and responding.
box:~# ping 192.168.1.102
PING 192.168.1.102 ([Link]) 56(84) bytes of data.
64 bytes from 192.168.1.102: icmp_seq=1 ttl=128 time=5.83 ms

However, [Link]
[Link]'s entry came after.
box:~# tcpdump -n -i eth1 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
[Link].074216 arp who-has 192.168.1.102 tell 192.168.1.105
[Link].078448 arp reply 192.168.1.102 is-at [Link]    # Windows Host
[Link].079562 arp reply 192.168.1.102 is-at [Link]    # LINUX Host

A check of the ARP cache shows that the Windows XP Ethernet address is the one populated in the cache.
box:~# arp -a
targus ([Link]) at [Link] [ether] on eth1
? ([Link]) at [Link] [ether] on eth1
? ([Link]) at [Link] [ether] on eth1

An attempt to use ssh to connect to the remote host fails because the source host is attempting to connect to the
Windows XP host instead of the LINUX host using the Windows XP Ethernet address.
box:~# ssh -v 192.168.1.102
OpenSSH_3.[Link].4, OpenSSL 0.9.7e 25 Oct 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 192.168.1.102 [[Link]] port 22.
^C
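Both ARP failure modes in 5.1.0 and 5.1.1 are visible in the output of "tcpdump -n arp", so they can be spotted mechanically. The Python below is an added example written for this page, not code from the paper: it reads tcpdump ARP summary lines of the two shapes shown above, reports addresses that more than one Ethernet address answered for (the duplicate IP case), records which reply arrived first and therefore wins the ARP cache, and lists requests that were never answered (the host-not-online case). The sample lines and the MAC addresses in them are constructed for the example.

```python
import re

# Assumed line shapes: tcpdump's ARP summaries as shown in sections 5.1.0 and 5.1.1,
#   "<time> arp who-has <ip> tell <ip>"   and   "<time> arp reply <ip> is-at <mac>"
REQUEST_RE = re.compile(r"arp who-has (\S+) tell (\S+)")
REPLY_RE = re.compile(r"arp reply (\S+) is-at (\S+)")


def analyze_arp(lines):
    """Summarise a capture taken with 'tcpdump -n arp'."""
    replies = {}    # ip -> distinct MACs that claimed it, in order of first appearance
    requests = {}   # ip -> number of who-has requests seen for it
    for line in lines:
        m = REPLY_RE.search(line)
        if m:
            ip, mac = m.group(1), m.group(2).lower()
            claimants = replies.setdefault(ip, [])
            if mac not in claimants:
                claimants.append(mac)
            continue
        m = REQUEST_RE.search(line)
        if m:
            requests[m.group(1)] = requests.get(m.group(1), 0) + 1
    return {
        # Two or more MACs answering for one IP: the duplicate-address case of 5.1.1.
        "duplicates": {ip: macs for ip, macs in replies.items() if len(macs) > 1},
        # The first reply wins the requester's ARP cache, so it is what connections will use.
        "cached": {ip: macs[0] for ip, macs in replies.items()},
        # Requests repeated with no reply at all: the host-not-online case of 5.1.0.
        "unanswered": {ip: n for ip, n in requests.items() if ip not in replies},
    }


def report(lines):
    """Human-readable findings, one per line."""
    r = analyze_arp(lines)
    out = []
    for ip, macs in r["duplicates"].items():
        out.append(f"DUPLICATE {ip}: claimed by {', '.join(macs)}; cache will hold {r['cached'][ip]}")
    for ip, n in r["unanswered"].items():
        out.append(f"NO REPLY  {ip}: {n} request(s) unanswered, host probably not online")
    return out


# Constructed sample capture (timestamps and MAC addresses are made up).
SAMPLE_ARP = [
    "22:01:10.074216 arp who-has 192.168.1.102 tell 192.168.1.105",
    "22:01:10.078448 arp reply 192.168.1.102 is-at 00:11:22:33:44:55",
    "22:01:10.079562 arp reply 192.168.1.102 is-at 00:AA:BB:CC:DD:EE",
    "22:01:15.995766 arp who-has 192.168.1.107 tell 192.168.1.105",
    "22:01:16.992668 arp who-has 192.168.1.107 tell 192.168.1.105",
    "22:01:20.100000 arp who-has 192.168.1.220 tell 192.168.1.105",
    "22:01:20.102000 arp reply 192.168.1.220 is-at 00:aa:bb:cc:dd:01",
]

if __name__ == "__main__":
    for finding in report(SAMPLE_ARP):
        print(finding)
```

Run over a live capture, the "cached" entry for a duplicated address is the one to compare against "arp -a" on the source host; if it is the wrong machine's Ethernet address, that explains a connection reaching the wrong host exactly as in the ssh attempt above.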

5.2.0 IP Problems - Misconfigured Broadcast Address
[Link]
rely on a properly configured broadcast address including: NTP, RIPv1, [Link]
following example demonstrates a standard ICMP broadcast ping and associated reply.
box:~# ifconfig eth1
eth1 Link encap:Ethernet HWaddr [Link]
inet addr:192.168.1.105 Bcast:192.168.1.255 Mask:[Link]
box:~# ping -b 192.168.1.255
WARNING: pinging broadcast address
PING 192.168.1.255 ([Link]) 56(84) bytes of data.
64 bytes from 192.168.1.105: icmp_seq=1 ttl=64 time=0.052 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=150 time=3.54 ms (DUP!)
64 bytes from 192.168.1.220: icmp_seq=1 ttl=64 time=4.43 ms (DUP!)

If the broadcast address is not consistent with the rest of the hosts on the network, none of those hosts will reply
[Link], [Link], the source
host has a misconfigured netmask of 255.0.0.0.

box:~# ifconfig eth1
eth1 Link encap:Ethernet HWaddr [Link]
inet addr:192.168.1.105 Bcast:192.255.255.255 Mask:[Link]

A broadcast ping returns no replies from the network.
box:~# ping -b 192.168.1.255
PING 192.168.1.255 ([Link]) 56(84) bytes of data.
From 192.168.1.105 icmp_seq=1 Destination Host Unreachable

A packet capture further confirms the problem. The correct broadcast is 192.168.1.255, however since the
source host's broadcast is 192.255.255.255, the source host is mistakenly trying to ARP for 192.168.1.255,
[Link]
have a .255 in its last octet.

box:~# tcpdump -n -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
[Link].512750 arp who-has 192.168.1.255 tell 192.168.1.105
[Link].512665 arp who-has 192.168.1.255 tell 192.168.1.105

5.2.1 IP Problems - Misconfigured Default Gateway
When a client host on a LAN can't communicate with the outside world, it can be one of 4 issues:
- no network connectivity
- misconfigured /etc/[Link]
- misconfigured or nonexistent /etc/[Link]
- misconfigured or wrong gateway information
[Link]
[Link]
gateway is routing packets.
The client host is unable to reach a host on the Internet.
box:~# [Link]
ping: [Link]

[Link], there is no way to tell whether the gateway is
actually routing.
box:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
[Link].0.0.0     255.255.255.0   U     0   0      0    eth1
0.0.0.0         192.168.1.220   0.0.0.0         UG    0   0      0    eth1


[Link]
[Link], but the interface is NOT showing the return packet.
[root@targus ~]# tcpdump -n -i eth0 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
[Link].063347 IP 192.168.1.105.32770 > [Link].domain: 49762+ A? [Link]. (27)
[Link].075062 IP 192.168.1.105.32771 > [Link].domain: 49762+ A? [Link]. (27)

From the client perspective, the router is on the network as it replies to a ping request.
box:~# ping 192.168.1.220
PING 192.168.1.220 ([Link]) 56(84) bytes of data.
64 bytes from 192.168.1.220: icmp_seq=1 ttl=64 time=2.69 ms
64 bytes from 192.168.1.220: icmp_seq=2 ttl=64 time=2.95 ms

However, the client is not receiving any replies from its [Link], however
they are getting dropped.
box:~# tcpdump -n -i eth1 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
[Link].367238 IP 192.168.1.105.32772 > [Link].53: 49099+ A? [Link]. (27)
[Link].381598 IP 192.168.1.105.32773 > [Link].53: 49099+ A? [Link]. (27)

5.2.0 TCP Problems - Closed Ports
[Link]
been given to troubleshoot at the Ethernet, ARP, [Link]
is available at the IP level, it does not mean that it is available at the TCP level.
The host is available at the IP level as per the ping replies.
box:~# ping 192.168.1.220
PING 192.168.1.220 ([Link]) 56(84) bytes of data.
64 bytes from 192.168.1.220: icmp_seq=1 ttl=64 time=2.71 ms
64 bytes from 192.168.1.220: icmp_seq=2 ttl=64 time=2.64 ms

The telnet service is not available to the client.
box:~# telnet 192.168.1.220
Trying 192.168.1.220...
telnet: Unable to connect to remote host: Connection refused



Taking a look at the packet capture, [Link]
closed ports is to send a reset flag to the source host.
box:~# tcpdump -n -i eth1 port 23
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
[Link].495679 IP 192.168.1.105.32780 > [Link].23: S 2557844136:2557844136(0) win
5840 <mss 1460,sackOK,timestamp 1643931 0,nop,wscale 0>
[Link].498346 IP 192.[Link] > [Link].32780: R 0:0(0) ack 2557844137 win 0

5.2.1 TCP Problems - TCP Wrapped Services
[Link]
closed ports, [Link], a check is made to the
/etc/[Link] /etc/[Link], then a standard TCP
[Link], [Link]
wrapped ssh service.
box:~# ssh 192.168.1.220
ssh_exchange_identification: Connection closed by remote host

A look at the packet capture shows that upon determining that the client is denied, the ssh server initiates a
standard port closing through a series of FIN packet exchanges.
box:~# tcpdump -n -i eth1 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
[Link].508208 IP 192.168.1.105.32786 > [Link].22: S 2304868053:2304868053(0) win
5840 <mss 1460,sackOK,timestamp 2043132 0,nop,wscale 0>
[Link].510770 IP 192.[Link] > [Link].32786: S 762146323:762146323(0) ack
2304868054 win 5792 <mss 1460,sackOK,timestamp 44455276 2043132,nop,wscale 2>
[Link].510807 IP 192.168.1.105.32786 > [Link].22: . ack 1 win 5840
<nop,nop,timestamp 2043132 44455276>
[Link].526296 IP 192.[Link] > [Link].3[Link](0) ack 1 win 1448
<nop,nop,timestamp 44460292 2043132>
[Link].526647 IP 192.168.1.105.32786 > [Link].[Link](0) ack 2 win 5840
<nop,nop,timestamp 2043634 44460292>
[Link].529124 IP 192.[Link] > [Link].32786: . ack 2 win 1448
<nop,nop,timestamp 44460295 2043634>

5.2.2 TCP Problems - Packet Filtered TCP Ports
When a port is blocked by a packet filter (IPTables or IPFilter for example), it may be open but filtered at the IP
[Link], the client will send multiple SYN packets to the server and the server will not respond simply
because the packet has been dropped by the filter.


box:~# telnet 192.168.1.220
Trying 192.168.1.220...
telnet: Unable to connect to remote host: No route to host

A look at the packet capture shows that the client sent 3 TCP SYN packets to the telnet port (23) that were
simply dropped by the server and not replied to in the client.
box:~# tcpdump -n -i eth1 port 23
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
[Link].302120 IP 192.168.1.105.32787 > [Link].23: S 2934062463:2934062463(0) win
5840 <mss 1460,sackOK,timestamp 2104912 0,nop,wscale 0>
[Link].847729 IP 192.168.1.105.32788 > [Link].23: S 2951328215:2951328215(0) win
5840 <mss 1460,sackOK,timestamp 2106066 0,nop,wscale 0>
[Link].518837 IP 192.168.1.105.32789 > [Link].23: S 2947681121:2947681121(0) win
5840 <mss 1460,sackOK,timestamp 2106633 0,nop,wscale 0>
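Sections 5.2.0 to 5.2.2 distinguish three outcomes of a client SYN by what the server sends back: a RST (closed port), a completed handshake followed by a FIN from the server (TCP wrapped service denying the client), or nothing at all (packet filter dropping the SYN). The Python below is an added example written for this page, not the paper's code: it groups tcpdump TCP lines into connection attempts and assigns each of those verdicts, plus "open" when the handshake completes and stays up. The sample lines are constructed after the captures in these sections; the timestamps, the open connection to port 993 and the filtered host 192.168.1.221 are made up.

```python
import re

# Assumed line shape: the tcpdump TCP summaries of sections 5.2.0 - 5.2.2,
#   "<time> IP <src>.<sport> > <dst>.<dport>: <flags> ..."
# Only the endpoints and the flag letters are needed here.
CONN_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): ([SFRPW.]+)")

CLOSED = "closed (RST from server)"
FILTERED = "filtered (no reply at all)"
WRAPPED = "accepted then closed by server (e.g. TCP wrapper deny)"
OPEN = "open (handshake completed)"


def classify_attempts(lines):
    """Map each connection attempt (client ip, port, server ip, port) to a verdict."""
    attempts = {}   # key -> list of (from_server, flags)
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in attempts:
            attempts[fwd].append((False, flags))
        elif rev in attempts:
            attempts[rev].append((True, flags))
        elif "S" in flags:
            attempts[fwd] = [(False, flags)]   # the first SYN seen defines the client side
        # Mid-stream packets of connections whose SYN was not captured are ignored.
    verdicts = {}
    for key, pkts in attempts.items():
        server_flags = [f for from_server, f in pkts if from_server]
        if any("R" in f for f in server_flags):
            verdicts[key] = CLOSED
        elif not server_flags:
            verdicts[key] = FILTERED
        elif any("F" in f for f in server_flags):
            verdicts[key] = WRAPPED
        else:
            verdicts[key] = OPEN
    return verdicts


def summarize_by_service(verdicts):
    """Count verdicts per (server ip, server port) so repeated SYNs to a filtered port stand out."""
    summary = {}
    for (_, _, server, port), verdict in verdicts.items():
        counts = summary.setdefault((server, port), {})
        counts[verdict] = counts.get(verdict, 0) + 1
    return summary


# Constructed sample capture modelled on sections 5.2.0 - 5.2.2.
SAMPLE_LINES = [
    # closed port: SYN answered by RST
    "22:30:01.495679 IP 192.168.1.105.32780 > 192.168.1.220.23: S 2557844136:2557844136(0) win 5840 <mss 1460,sackOK,timestamp 1643931 0,nop,wscale 0>",
    "22:30:01.498346 IP 192.168.1.220.23 > 192.168.1.105.32780: R 0:0(0) ack 2557844137 win 0",
    # TCP wrapped service: handshake completes, then the server sends FIN
    "22:31:05.508208 IP 192.168.1.105.32786 > 192.168.1.220.22: S 2304868053:2304868053(0) win 5840 <mss 1460,sackOK,timestamp 2043132 0,nop,wscale 0>",
    "22:31:05.510770 IP 192.168.1.220.22 > 192.168.1.105.32786: S 762146323:762146323(0) ack 2304868054 win 5792 <mss 1460,sackOK,timestamp 44455276 2043132,nop,wscale 2>",
    "22:31:05.510807 IP 192.168.1.105.32786 > 192.168.1.220.22: . ack 1 win 5840 <nop,nop,timestamp 2043132 44455276>",
    "22:31:05.526296 IP 192.168.1.220.22 > 192.168.1.105.32786: F 1:1(0) ack 1 win 1448 <nop,nop,timestamp 44460292 2043132>",
    "22:31:05.526647 IP 192.168.1.105.32786 > 192.168.1.220.22: F 1:1(0) ack 2 win 5840 <nop,nop,timestamp 2043634 44460292>",
    "22:31:05.529124 IP 192.168.1.220.22 > 192.168.1.105.32786: . ack 2 win 1448 <nop,nop,timestamp 44460295 2043634>",
    # packet filtered port: three SYNs from three source ports, nothing comes back
    "22:32:10.302120 IP 192.168.1.105.32787 > 192.168.1.221.23: S 2934062463:2934062463(0) win 5840 <mss 1460,sackOK,timestamp 2104912 0,nop,wscale 0>",
    "22:32:13.847729 IP 192.168.1.105.32788 > 192.168.1.221.23: S 2951328215:2951328215(0) win 5840 <mss 1460,sackOK,timestamp 2106066 0,nop,wscale 0>",
    "22:32:19.518837 IP 192.168.1.105.32789 > 192.168.1.221.23: S 2947681121:2947681121(0) win 5840 <mss 1460,sackOK,timestamp 2106633 0,nop,wscale 0>",
    # open port: handshake completes and data flows
    "22:33:00.100000 IP 192.168.1.105.32783 > 192.168.1.220.993: S 3432387000:3432387000(0) win 5840 <mss 1460,sackOK,timestamp 2200000 0,nop,wscale 0>",
    "22:33:00.102000 IP 192.168.1.220.993 > 192.168.1.105.32783: S 900000000:900000000(0) ack 3432387001 win 5792 <mss 1460,sackOK,timestamp 44500000 2200000,nop,wscale 2>",
    "22:33:00.102100 IP 192.168.1.105.32783 > 192.168.1.220.993: . ack 1 win 5840 <nop,nop,timestamp 2200000 44500000>",
    "22:33:00.150000 IP 192.168.1.105.32783 > 192.168.1.220.993: P 1:30(29) ack 1 win 5840 <nop,nop,timestamp 2200005 44500000>",
]

if __name__ == "__main__":
    verdicts = classify_attempts(SAMPLE_LINES)
    for key, verdict in verdicts.items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {verdict}")
    print(summarize_by_service(verdicts))
```

The per-service summary is the useful view when a client retries: three attempts to 192.168.1.221:23 with no reply from any of them is a filter or a dead host, whereas a single RST is a definite "nothing listening" answer from a reachable host, matching the "No route to host" versus "Connection refused" messages telnet printed in these sections.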

6.0 Application Layer Problems


6.1.0 DHCP Problems - IP Address already assigned
[Link]
pieces that comprise a DHCP exchange between a client and a DHCP server.
[root@targus dhcp]# tethereal -n -i eth1 not port 22
4.471802 0.0.0.0 > 255.255.255.255 DHCP DHCP Discover - Transaction ID 0x803fcf50

After the initial DHCP DISCOVER made by the client, the server sends out an ARP request to the network to see if
any other host has taken the IP Address from the DHCP pool.
4.4757[Link] > [Link]RP Who has 192.168.1.104? Tell
[Link]

If there are no ARP replies, [Link]
and the DHCP server acknowledges that the lease is now assigned.
5.135171 192.168.1.1 > 255.255.255.255 DHCP DHCP Offer - Transaction ID 0x803fcf50
5.135471 0.0.0.0 > 255.255.255.255 DHCP DHCP Request - Transaction ID 0x803fcf50
5.139041 192.168.1.1 > 255.255.255.255 DHCP DHCP ACK - Transaction ID 0x803fcf50

From this point on, [Link]
from the network and then tries to reconnect, [Link]
following packet capture, the client requests its old IP address of 192.168.1.104.
[root@targus dhcp]# tethereal -n -i eth1 not port 22
Capturing on eth1
4.462923 0.0.0.0 > 255.255.255.255 DHCP DHCP Request - Transaction ID 0x6ccda4f

The DHCP server sent out an ARP request and received a valid ARP reply from another host.
4.4657[Link] > [Link]RP Who has 192.168.1.104? Tell
[Link]
4.4657[Link] > [Link]RP 192.168.1.104 is at [Link]
4.467191 192.168.1.1 > 192.168.1.104 ICMP [Malformed Packet]

Therefore, the old requested address of 192.168.1.104 is no longer available and the DHCP server sends a
NAK (no acknowledgment) packet back to the client, causing the client to start at the beginning with a DHCP
DISCOVER.
4.471480 192.168.1.1 > 255.255.255.255 DHCP DHCP NAK - Transaction ID 0x6ccda4f
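The two exchanges above (DISCOVER, OFFER, REQUEST, ACK for a fresh lease; REQUEST followed by NAK when the server's ARP probe finds the address in use) can be pulled out of a tethereal capture by transaction ID. The Python below is an added example written for this page, not code from the paper or from ethereal: it groups the DHCP summary lines by their Transaction ID, notes any "is at" ARP replies seen in the same capture, and states for each transaction whether the lease was acquired, was NAKed, or never got an OFFER. The sample lines are constructed after the captures above; the MAC addresses and the third, unanswered transaction are made up.

```python
import re

# Assumed line shapes: tethereal summaries as shown in section 6.1.0,
#   "<time> <src> > <dst> DHCP DHCP <Type> - Transaction ID 0x<hex>"
#   "<time> <mac> > <mac> ARP <ip> is at <mac>"
DHCP_RE = re.compile(r"DHCP DHCP (Discover|Offer|Request|ACK|NAK) - Transaction ID (0x[0-9a-fA-F]+)")
ARP_REPLY_RE = re.compile(r"ARP (\S+) is at (\S+)")

NAK_VERDICT = "NAK: requested address rejected, client must restart with DISCOVER"
ACK_VERDICT = "lease acquired"
NO_OFFER_VERDICT = "no OFFER seen: no DHCP server answered"


def dhcp_transactions(lines):
    """Transaction ID -> list of DHCP message types, in capture order."""
    tx = {}
    for line in lines:
        m = DHCP_RE.search(line)
        if m:
            tx.setdefault(m.group(2).lower(), []).append(m.group(1))
    return tx


def arp_claims(lines):
    """IP -> MAC for every ARP reply in the capture (the server's in-use probe answers)."""
    claims = {}
    for line in lines:
        m = ARP_REPLY_RE.search(line)
        if m:
            claims[m.group(1)] = m.group(2).lower()
    return claims


def diagnose(transactions, claims=None):
    """One verdict per transaction; NAKs are annotated with addresses ARP showed as taken."""
    claims = claims or {}
    verdicts = {}
    for xid, msgs in transactions.items():
        if "NAK" in msgs:
            verdict = NAK_VERDICT
            if claims:
                verdict += "; in use per ARP: " + ", ".join(f"{ip} at {mac}" for ip, mac in claims.items())
            verdicts[xid] = verdict
        elif "ACK" in msgs:
            verdicts[xid] = ACK_VERDICT
        elif "Discover" in msgs and "Offer" not in msgs:
            verdicts[xid] = NO_OFFER_VERDICT
        else:
            verdicts[xid] = "incomplete exchange: " + " -> ".join(msgs)
    return verdicts


# Constructed sample capture (MAC addresses and the last transaction are made up).
SAMPLE_DHCP = [
    "4.471802 0.0.0.0 > 255.255.255.255 DHCP DHCP Discover - Transaction ID 0x803fcf50",
    "4.475700 00:0c:29:11:11:11 > ff:ff:ff:ff:ff:ff ARP Who has 192.168.1.104? Tell 192.168.1.1",
    "5.135171 192.168.1.1 > 255.255.255.255 DHCP DHCP Offer - Transaction ID 0x803fcf50",
    "5.135471 0.0.0.0 > 255.255.255.255 DHCP DHCP Request - Transaction ID 0x803fcf50",
    "5.139041 192.168.1.1 > 255.255.255.255 DHCP DHCP ACK - Transaction ID 0x803fcf50",
    "4.462923 0.0.0.0 > 255.255.255.255 DHCP DHCP Request - Transaction ID 0x6ccda4f",
    "4.465700 00:0c:29:11:11:11 > ff:ff:ff:ff:ff:ff ARP Who has 192.168.1.104? Tell 192.168.1.1",
    "4.465900 00:0c:29:22:22:22 > 00:0c:29:11:11:11 ARP 192.168.1.104 is at 00:0C:29:22:22:22",
    "4.471480 192.168.1.1 > 255.255.255.255 DHCP DHCP NAK - Transaction ID 0x6ccda4f",
    "9.000000 0.0.0.0 > 255.255.255.255 DHCP DHCP Discover - Transaction ID 0x1a2b3c4d",
]

if __name__ == "__main__":
    tx = dhcp_transactions(SAMPLE_DHCP)
    for xid, verdict in diagnose(tx, arp_claims(SAMPLE_DHCP)).items():
        print(f"{xid}: {' -> '.join(tx[xid])}  =>  {verdict}")
```

Grouping by transaction ID matters because a client that is NAKed immediately starts a new DISCOVER with a new ID, so the failed REQUEST and the successful retry show up as separate transactions rather than one muddled sequence.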

6.1.1 DHCP Problems - Using DHCP for Manual Network Configuration
If there are hardware or software version issues that prevent a client from negotiating a lease from a DHCP
server, then a NIC card can be configured manually with all the networking information from a DHCP ACK
[Link]
includes all information needed to successfully configure a NIC manually.
[root@targus ~]# ifconfig eth1 up
[root@targus ~]# ifup eth1
[root@targus ~]# tethereal -n -V -i eth1 port bootpc
Capturing on eth1
<<snip>>
Your (client) IP address: [Link] ([Link])
Next server IP address: [Link] ([Link])
Relay agent IP address: [Link] ([Link])
Client MAC address: 00:40:f4:83:48:24 (CameoCom_[Link])
Server host name not given
Boot file name not given
Magic cookie: (OK)
Option 53: DHCP Message Type = DHCP ACK
Option 1: Subnet Mask = [Link]
Option 3: Router = [Link]
Option 6: Domain Name Server
IP Address: [Link]
IP Address: [Link]
IP Address: [Link]
Option 15: Domain Name = "[Link]"
Option 51: IP Address Lease Time = 1 day
Option 54: Server Identifier = [Link]
End Option
Padding



6.1.2 Samba Problems - Unable to Connect to Samba Server
The Samba protocol, often used to network Windows clients to UNIX servers, is largely a broadcast protocol.
When failing to connect a Windows based client to a UNIX server, there is no useful debugging information
[Link]
[Link]'t communicate over Samba
[Link] ([Link]) is attempting to discover the server
([Link]), however, both have different broadcast domains and therefore can't hear each other's requests.
[root@targus tmp]# tcpdump -n -i eth0 not port 22 and not host 192.168.1.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
[Link].[Link] > [Link].netbios-ns: NBT UDP PACKET
(137): QUERY; REQUEST; BROADCAST
[Link].[Link] > [Link].netbios-ns: NBT UDP PACKET
(137): QUERY; REQUEST; BROADCAST
[Link].[Link] > [Link].netbios-ns: NBT UDP PACKET
(137): QUERY; REQUEST; BROADCAST
[Link].[Link] > [Link].netbios-ns: NBT UDP PACKET
(137): QUERY; REQUEST; BROADCAST
[Link].[Link] > [Link].netbios-ns: NBT UDP PACKET
(137): QUERY; REQUEST; BROADCAST
