Ethereal-users: RE: [Ethereal-users] Convert Cisco IOS debug packet dumps and showbuffer dump

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Joshua Wright" <Joshua.Wright@xxxxxxx>
Date: Wed, 23 Jul 2003 08:12:41 -0400
Michael,

This isn't an Ethereal answer to your question, but if all you want to do is identify source/dest ports you just need to count the bytes offset to that portion of the embedded protocol.  I suggest picking up a copy of Dr. Richard Stevens "TCP/IP Illustrated, volume 1" - it is an invaluable reference.

> I understood I have to convert this first to change the 
> sequence number or smthg like that (I found a perl-script 
> somewhere on the list archives) which outputs something like this:

> 00000000 45 00 00 2F FF 7E 00 B9 7E 11 F9 30 AC 17 29 6E
> 00000010 95 CC D8 03 A8 19 30 17 02 01 17 02 02 FF 7B 02
> 00000020 01 80 02 01 03 02 01 01 02 01 18 02 02 FF 79 01

Embedded protocol is 11 (9th byte offset).  This is a UDP packet.  Since the low-order nibble of the 0 byte offset is 5, we know the IP header length is 20 bytes, and there are no IP options set.
The UDP header starts at the 20th byte offset, giving us the source port of 0xa819 (43033), and dest port of 0x3017 (12311).
The information from the Cisco router only gave you a partial packet capture.  The 4th and 5th bytes offset indicate the total length of the packet in bytes, including headers.  This tells us that there 0x0201 bytes (513) in the packet.  This is probably what is causing your router to beef about the packet - it is larger than the maximum UDP packet size of 512 bytes.

I believe you aren't able to convert this packet with text2pcap since there is no Ethernet link-type, only embedded IP Protocol shown.  I'm not positive about this though, perhaps someone else can chime in here.

-Joshua Wright
Senior Network and Security Architect
Johnson & Wales University
Joshua.Wright@xxxxxxx 
http://home.jwu.edu/jwright/

pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73