Network Interface Packet Analyser, 1.3.0
*** This product is licenced to: Acme Inc ***
*** Demo Copy ***
Verbosity level is 1
Input contains 1 packet-capture session.
Session 1: Hostname=alpha, Interface: le0
Base time is Wed Apr 9 14:35:54 2008
- Evt=1: IP: 10.1.0.1->10.1.0.2; UDP: 33273->SUNRPC; data=56 [RPC C=876903651, rpcbind.2.GetPort]
- Evt=2: IP: 10.1.0.2->10.1.0.1; UDP: SUNRPC->33273; data=28 [RPC R=876903651, status=0,0]
- Evt=3: IP: 10.1.0.1->10.1.0.2; UDP: 33273->32940; data=40 [RPC C=893680867, mountd.2.Null]
- Evt=4: IP: 10.1.0.2->10.1.0.1; UDP: 32940->33273; data=24 [RPC R=893680867, status=0,0]
- Evt=5: IP: 10.1.0.1->10.1.0.2; UDP: 748->32940; data=124 [RPC C=910458083, mountd.2.Mount]
- Evt=6: IP: 10.1.0.2->10.1.0.1; UDP: 32940->748; data=60 [RPC R=910458083, status=0,0]
- Evt=7: IP: 10.1.0.1->10.1.0.2; UDP: 33274->SUNRPC; data=56 [RPC C=877208772, rpcbind.2.GetPort]
- Evt=8: IP: 10.1.0.2->10.1.0.1; UDP: SUNRPC->33274; data=28 [RPC R=877208772, status=0,0]
- Evt=9: IP: 10.1.0.1->10.1.0.2; UDP: 33274->32786; data=112 [RPC C=893985988, nlockmgr.1.Granted]
- Evt=10: IP: 10.1.0.2->10.1.0.1; UDP: 32786->33274; data=32 [RPC R=893985988, status=0,0]
- Evt=11: IP: 10.1.0.1->10.1.0.2; UDP: 33275->SUNRPC; data=56 [RPC C=877343965, rpcbind.2.GetPort]
- Evt=12: IP: 10.1.0.2->10.1.0.1; UDP: SUNRPC->33275; data=28 [RPC R=877343965, status=0,0]
- Evt=13: IP: 10.1.0.1->10.1.0.2; UDP: 33276->NFSD; data=40 [RPC C=877030784, nfs.2.Null]
- Evt=14: IP: 10.1.0.2->10.1.0.1; UDP: NFSD->33276; data=24 [RPC R=877030784, status=0,0]
- Evt=15: IP: 10.1.0.1->10.1.0.2; UDP: 1022->NFSD; data=144 [RPC C=2164886821, nfs.2.GetAttr]
- Evt=16: IP: 10.1.0.2->10.1.0.1; UDP: NFSD->1022; data=96 [RPC R=2164886821, status=0,0]
- Evt=17: IP: 10.1.0.1->10.1.0.2; UDP: 1022->NFSD; data=144 [RPC C=2181664037, nfs.2.FS-Stat]
- Evt=18: IP: 10.1.0.2->10.1.0.1; UDP: NFSD->1022; data=48 [RPC R=2181664037, status=0,0]
- Evt=19: IP: 10.1.0.1->10.1.0.2; UDP: 1022->NFSD; data=152 [RPC C=2198441253, nfs.2.Lookup]
- Evt=20: IP: 10.1.0.2->10.1.0.1; UDP: NFSD->1022; data=128 [RPC R=2198441253, status=0,0]
- Evt=21: IP: 10.1.0.1->10.1.0.2; UDP: 1022->NFSD; data=152 [RPC C=2215218469, nfs.2.Lookup]
- Evt=22: IP: 10.1.0.2->10.1.0.1; UDP: NFSD->1022; data=128 [RPC R=2215218469, status=0,0]
- Evt=23: IP: 10.1.0.1->10.1.0.2; UDP: 1022->NFSD; data=152 [RPC C=2231995685, nfs.2.ReadDir]
- Evt=24: IP: 10.1.0.2->10.1.0.1; %UDP: NFSD->1022; data=320 [RPC R=2231995685, status=0,0]
- Evt=25: IP: 10.1.0.1->10.1.0.2; UDP: 1022->NFSD; data=160 [RPC C=2248772901, nfs.2.Lookup]
- Evt=26: IP: 10.1.0.2->10.1.0.1; UDP: NFSD->1022; data=128 [RPC R=2248772901, status=0,0]
- Evt=27: IP: 10.1.0.1->10.1.0.2; UDP: 1022->NFSD; data=156 [RPC C=2265550117, nfs.2.Lookup]
- Evt=28: IP: 10.1.0.2->10.1.0.1; UDP: NFSD->1022; data=128 [RPC R=2265550117, status=0,0]
- Evt=29: IP: 10.1.0.1->10.1.0.2; UDP: 1022->NFSD; data=156 [RPC C=2282327333, nfs.2.Lookup]
- Evt=30: IP: 10.1.0.2->10.1.0.1; UDP: NFSD->1022; data=128 [RPC R=2282327333, status=0,0]
- Evt=31: IP: 10.1.0.1->10.1.0.2; UDP: 1022->NFSD; data=156 [RPC C=2299104549, nfs.2.Lookup]
- Evt=32: IP: 10.1.0.2->10.1.0.1; UDP: NFSD->1022; data=128 [RPC R=2299104549, status=0,0]
- Evt=33: IP: 10.1.0.1->10.1.0.2; UDP: 1022->NFSD; data=156 [RPC C=2315881765, nfs.2.Lookup]
- Evt=34: IP: 10.1.0.2->10.1.0.1; UDP: NFSD->1022; data=128 [RPC R=2315881765, status=0,0]
- Evt=35: IP: 10.1.0.1->10.1.0.2; UDP: 1022->NFSD; data=156 [RPC C=2332658981, nfs.2.Lookup]
- Evt=36: IP: 10.1.0.2->10.1.0.1; UDP: NFSD->1022; data=128 [RPC R=2332658981, status=0,0]
- Evt=37: IP: 10.1.0.1->10.1.0.2; UDP: 1022->NFSD; data=160 [RPC C=2349436197, nfs.2.Lookup]
- Evt=38: IP: 10.1.0.2->10.1.0.1; UDP: NFSD->1022; data=128 [RPC R=2349436197, status=0,0]
- Evt=39: IP: 10.1.0.1->10.1.0.2; UDP: 1022->NFSD; data=152 [RPC C=2366213413, nfs.2.Lookup]
- Evt=40: IP: 10.1.0.2->10.1.0.1; UDP: NFSD->1022; data=128 [RPC R=2366213413, status=0,0]
- Evt=41: IP: 10.1.0.1->10.1.0.2; UDP: 1022->NFSD; data=156 [RPC C=2382990629, nfs.2.Lookup]
- Evt=42: IP: 10.1.0.2->10.1.0.1; UDP: NFSD->1022; data=128 [RPC R=2382990629, status=0,0]
- Evt=43: IP: 10.1.0.1->10.1.0.2; UDP: 1022->NFSD; data=156 [RPC C=2399767845, nfs.2.Lookup]
- Evt=44: IP: 10.1.0.2->10.1.0.1; UDP: NFSD->1022; data=128 [RPC R=2399767845, status=0,0]
- Evt=45: END - packet-capture session terminated normally
End Of File
Observations
- The first thing to note is the layered nature of the output. Instead of
describing the packet in terms of the overall purpose of its highest protocol
layer, nifpan treats each nested PDU equally, and prints its salient
parameters (actually, level 1 omits all datalink protocols, but retains the
layered approach for IP and higher).
- The prologue gives the time at which the niftap packet-capture session
started, and states what level of verbosity is in effect.
- Each event (i.e. packet) is represented as a consecutively numbered event, as
is niftap's shutdown (event 45). Event 0, which never shows up in short-summary
mode, is the logfile header, containing information on the logfile's context.
- The dump format for each protocol layer is a protocol-id tag (IP, UDP, etc),
followed by a colon, followed by the important parameters. The per-protocol
data is then terminated by a semi-colon.
In many cases (especially for link protocols) there will be no parameters,
simply a protocol-id tag to indicate the PDU's presence.
- The protocol-id tag may be prefixed with one of the following four symbols,
to indicate the validity of the info for that PDU.
| * | Protocol header is truncated |
| % | Protocol header is intact, but user data is truncated |
| - | Optional checksum is not set |
| ! | Bad checksum. Note that the checksum can only be verified if the packet is whole (i.e. user-data not truncated). |
Event 24 illustrates the use of a PDU-validity prefix.
- After the highest network-oriented layer (in this case, UDP), nifpan prints
the length of user-data, followed by a summary of it, in square brackets.
In this case, the traffic is all NFS, so for RPC calls (RPC C=), it
shows the transaction ID, and the destination program, version and
procedure.
For the responses (RPC R=), it shows the transaction ID, and the two
result codes associated with all RPC requests. The first is a Boolean
indicating whether the request was accepted, and the second is the status of
the attempt to call the remote procedure.
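
The level-1 line format described above can be parsed mechanically, which is useful for pairing each RPC reply with its call and for listing PDUs that carry a validity prefix. The Python below is an added example, not part of nifpan or the original page; the names `parse_event` and `analyse` are hypothetical. It assumes that a bracketed summary never contains a semicolon and that a parameterless layer may appear as a bare tag without a colon.

```python
import re

# Lines copied from the level-1 listing above (events 1, 2, 23, 24 and 45).
SAMPLE = """\
- Evt=1: IP: 10.1.0.1->10.1.0.2; UDP: 33273->SUNRPC; data=56 [RPC C=876903651, rpcbind.2.GetPort]
- Evt=2: IP: 10.1.0.2->10.1.0.1; UDP: SUNRPC->33273; data=28 [RPC R=876903651, status=0,0]
- Evt=23: IP: 10.1.0.1->10.1.0.2; UDP: 1022->NFSD; data=152 [RPC C=2231995685, nfs.2.ReadDir]
- Evt=24: IP: 10.1.0.2->10.1.0.1; %UDP: NFSD->1022; data=320 [RPC R=2231995685, status=0,0]
- Evt=45: END - packet-capture session terminated normally
"""

# PDU-validity prefixes, as listed in the observations.
VALIDITY = {"*": "header truncated", "%": "user data truncated",
            "-": "checksum not set", "!": "bad checksum"}
EVENT = re.compile(r"^- Evt=(\d+): (.*)$")
# Assumption: a parameterless layer may appear as a bare tag without a colon.
LAYER = re.compile(r"^([*%!-]?)(\w+)(?::\s*(.*))?$")
SUMMARY = re.compile(r"^data=(\d+)(?: \[(.*)\])?$")
RPC = re.compile(r"^RPC ([CR])=(\d+), (.*)$")

def parse_event(line):
    """Split one event line into its protocol layers and user-data summary."""
    m = EVENT.match(line)
    if not m:
        return None  # prologue, "End Of File" and other non-event lines
    evt = {"id": int(m.group(1)), "layers": [], "data": None, "rpc": None}
    for field in (f.strip() for f in m.group(2).split(";")):
        s, l = SUMMARY.match(field), LAYER.match(field)
        if s:
            evt["data"] = int(s.group(1))
            r = RPC.match(s.group(2) or "")
            if r:  # (kind, transaction ID, program.version.procedure or status)
                evt["rpc"] = (r.group(1), int(r.group(2)), r.group(3))
        elif l:  # (validity meaning or None, protocol-id tag, parameters)
            evt["layers"].append((VALIDITY.get(l.group(1)), l.group(2), l.group(3) or ""))
    return evt

def analyse(text):
    """Pair RPC replies with calls by transaction ID and list flagged PDUs."""
    pending, pairs, flagged = {}, [], []
    for evt in filter(None, map(parse_event, text.splitlines())):
        flagged += [(evt["id"], proto, why) for why, proto, _ in evt["layers"] if why]
        if evt["rpc"]:
            kind, xid, detail = evt["rpc"]
            if kind == "C":
                pending[xid] = (evt["id"], detail)
            elif xid in pending:
                pairs.append(pending.pop(xid) + (evt["id"], detail))
    return pairs, sorted(i for i, _ in pending.values()), flagged
```

`analyse` returns the matched call/reply pairs, the event numbers of calls that never received a reply, and every PDU whose tag carried a validity prefix.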