Network Interface Packet Analyser, 1.3.0
*** This product is licenced to: Acme Inc ***
*** Demo Copy ***
Verbosity level is 4
Input contains 1 packet-capture session.
If this log file had been created by nifmerge, it would contain
more than 1 session

details of each niftap session follow
--------------------------------------------------------------
Session 1:
Packet capture started Wed Apr  9 14:35:54 2008

information on the listening interface
Hostname: alpha
Interface: le0 (alpha <10.1.0.1>)
Subnet mask: 0xFFFF0000		Interface MTU: 1500
Link Type: Ethernet

information on the network driver
DLPI driver is version 2
Data-Link Address: <08:00:20:28:16:02> - 6 bytes
Data-Link SAP: 0

The following packet-capture modes were in effect:
- Promiscuous mode: On
- Raw Data-Link capture mode: On
- Snapshot length: 300
If a filter had been used, it would also be printed here.

--------------------------------------------------------------

Base time is Wed Apr  9 14:35:54 2008

Analysis of interface events follows ...

Event 1 (1) means "event 1 in this log file (event 1 within
its original session)"
=================== Event 1 (1) ==================== (pkt_off=188)
pkt_off is the offset of this packet within the log file
Session: 1		Time: 14:36:15.565895 (Apr09 2008)
indicates which niftap session this packet came from (cf nifmerge)
	21.565895 seconds elapsed, Delta = +0 microseconds
The first figure is the no. of seconds since the packet capture session
began. The Delta figure is the no. of microseconds since the previous
packet (obviously zero, for the first packet).
Packet 1 (1) arrived
Packet 1 (1) means "packet 1 in this log file (packet 1 within its
original session)"

Layer-by-layer dump of the packet follows.
98-octet PDU follows: Layer = 2, Protocol = Ethernet

+ETHER: Dest Addr = 08:00:20:28:16:02
+ETHER: Source Addr = 00:AA:00:A6:66:0C
+ETHER: Type = 0x0800 (IP)

84-octet PDU follows: Layer = 3, Protocol = IP

+IP: Header Len = 5 (20 octets)
+IP: Version = 4
+IP: Service-Precedence = 0
+IP: Service-TOS =  (0x0)
+IP: Service-Reserved = 0
+IP: Fragment Size = 84
+IP: Datagram ID = 13863 (0x3627)
+IP: Flags = <0, Don't Fragment, Last Fragment> (0x2)
+IP: Fragment Offset = 0 (0x00) -> 0 octets
+IP: TTL = 255
+IP: Protocol = UDP (17)
+IP: CheckSum = 0x726B (over 20 bytes)
nifpan would say here if the checksum was invalid
+IP: Source = alpha <10.1.0.1>
+IP: Dest = beta <10.1.0.2>

64-octet PDU follows: Layer = 4, Protocol = UDP (17)

+UDP: Source Port = 33273
+UDP: Dest Port = SUNRPC (111)
+UDP: PDU Size = 64
+UDP: CheckSum = 0xEB75 (over 76 bytes)

56-octet PDU follows: Layer = 5, Protocol = SUNRPC (111)

+rpc.rpcbind: SUN-RPC Version = 2
+rpc.rpcbind: RPC Call, XID=876903651
+rpc.rpcbind: Program = rpcbind (100000), Version = 2
+rpc.rpcbind: Procedure = GetPort (3)
+rpc.rpcbind: Credentials flavour = None <0> (0 bytes)
+rpc.rpcbind: Verifier flavour = None <0> (0 bytes)
+rpc.rpcbind: --------------- 16-byte parameter block, at offset 40
   40 is the offset from the start of the RPC message
+rpc.rpcbind: Prog = mountd V2, Protocol = UDP (17)

=================== Event 2 (2) ==================== (pkt_off=310)
Session: 1		Time: 14:36:15.854016 (Apr09 2008)
	21.854016 seconds elapsed, Delta = +288,121 microseconds
Packet 2 (2) arrived

70-octet PDU follows: Layer = 2, Protocol = Ethernet

+ETHER: Dest Addr = 08:00:20:28:16:02
+ETHER: Source Addr = 00:AA:00:A6:66:0C
+ETHER: Type = 0x0800 (IP)

56-octet PDU follows: Layer = 3, Protocol = IP

+IP: Header Len = 5 (20 octets)
+IP: Version = 4
+IP: Service-Precedence = 0
+IP: Service-TOS =  (0x0)
+IP: Service-Reserved = 0
+IP: Fragment Size = 56
+IP: Datagram ID = 44697 (0xAE99)
+IP: Flags = <0, Don't Fragment, Last Fragment> (0x2)
+IP: Fragment Offset = 0 (0x00) -> 0 octets
+IP: TTL = 247
+IP: Protocol = UDP (17)
+IP: CheckSum = 0x215 (over 20 bytes)
+IP: Source = beta <10.1.0.2>
+IP: Dest = alpha <10.1.0.1>

36-octet PDU follows: Layer = 4, Protocol = UDP (17)

+UDP: Source Port = SUNRPC (111)
+UDP: Dest Port = 33273
+UDP: PDU Size = 36
+UDP: CheckSum = 0x7862 (over 48 bytes)

28-octet PDU follows: Layer = 5, Protocol = SUNRPC (111)

+rpc.rpcbind: RPC Reply, XID=876903651 (rpcbind.2.GetPort)
+rpc.rpcbind: Request Status = Accepted
+rpc.rpcbind: Verifier flavour = None <0> (0 bytes)
+rpc.rpcbind: RPC Status = Success <0>
+rpc.rpcbind: --------------- 4-byte parameter block, at offset 24
+rpc.rpcbind: Result = 32940 (00:00:80:AC)
   single-integer RPC results are always displayed as a decimal
   value, followed by a hexadecimal dump

=================== Event 15 (15) ==================== (pkt_off=1820)
Session: 1		Time: 14:36:20.731577 (Apr09 2008)
	26.731577 seconds elapsed, Delta = +4,877,561 microseconds
Note that the delta figure is the time since the last packet included by
the filter (i.e. packet 2), and not the time since packet 14.
Packet 15 (15) arrived

186-octet PDU follows: Layer = 2, Protocol = Ethernet

+ETHER: Dest Addr = 08:00:20:28:16:02
+ETHER: Source Addr = 00:AA:00:A6:66:0C
+ETHER: Type = 0x0800 (IP)

172-octet PDU follows: Layer = 3, Protocol = IP

+IP: Header Len = 5 (20 octets)
+IP: Version = 4
+IP: Service-Precedence = 0
+IP: Service-TOS =  (0x0)
+IP: Service-Reserved = 0
+IP: Fragment Size = 172
+IP: Datagram ID = 13870 (0x362E)
+IP: Flags = <0, Don't Fragment, Last Fragment> (0x2)
+IP: Fragment Offset = 0 (0x00) -> 0 octets
+IP: TTL = 255
+IP: Protocol = UDP (17)
+IP: CheckSum = 0x720C (over 20 bytes)
+IP: Source = alpha <10.1.0.1>
+IP: Dest = beta <10.1.0.2>

152-octet PDU follows: Layer = 4, Protocol = UDP (17)

+UDP: Source Port = 1022
+UDP: Dest Port = NFSD (2049)
+UDP: PDU Size = 152
+UDP: CheckSum = 0xA05C (over 164 bytes)

144-octet PDU follows: Layer = 5, Protocol = NFSD (2049)

+rpc.nfs: SUN-RPC Version = 2
+rpc.nfs: RPC Call, XID=2164886821
+rpc.nfs: Program = nfs (100003), Version = 2
+rpc.nfs: Procedure = GetAttr (1)
+rpc.nfs: Credentials flavour = Unix <1> (72 bytes)
	Stamp = 860625380
	7-byte machine name = alpha
	UID = 0, GID = 1
	11 secondary groups:
		1, 0, 2, 3, 4, 5, 6, 7, 8, 9
		12
+rpc.nfs: Verifier flavour = None <0> (0 bytes)
+rpc.nfs: --------------- 32-byte parameter block, at offset 112
nifpan doesn't interpret the parameters for this NFS request, so
it just dumps them in tabular format.
Decimal format, 16 octets per row
0001: 000 128 000 002 000 000 000 002 000 010 000 000 000 000 000 002
0002: 066 018 056 081 000 010 000 000 000 000 000 002 066 018 056 081


=================== Event 16 (16) ==================== (pkt_off=2030)
Session: 1		Time: 14:36:21.098874 (Apr09 2008)
	27.098874 seconds elapsed, Delta = +367,297 microseconds
Packet 16 (16) arrived

138-octet PDU follows: Layer = 2, Protocol = Ethernet

+ETHER: Dest Addr = 08:00:20:28:16:02
+ETHER: Source Addr = 00:AA:00:A6:66:0C
+ETHER: Type = 0x0800 (IP)

124-octet PDU follows: Layer = 3, Protocol = IP

+IP: Header Len = 5 (20 octets)
+IP: Version = 4
+IP: Service-Precedence = 0
+IP: Service-TOS =  (0x0)
+IP: Service-Reserved = 0
+IP: Fragment Size = 124
+IP: Datagram ID = 44704 (0xAEA0)
+IP: Flags = <0, Don't Fragment, Last Fragment> (0x2)
+IP: Fragment Offset = 0 (0x00) -> 0 octets
+IP: TTL = 247
+IP: Protocol = UDP (17)
+IP: CheckSum = 0x1CA (over 20 bytes)
+IP: Source = beta <10.1.0.2>
+IP: Dest = alpha <10.1.0.1>

104-octet PDU follows: Layer = 4, Protocol = UDP (17)

+UDP: Source Port = NFSD (2049)
+UDP: Dest Port = 1022
+UDP: PDU Size = 104
+UDP: CheckSum = 0xD40A (over 116 bytes)

96-octet PDU follows: Layer = 5, Protocol = NFSD (2049)

+rpc.nfs: RPC Reply, XID=2164886821 (nfs.2.GetAttr)
+rpc.nfs: Request Status = Accepted
+rpc.nfs: Verifier flavour = None <0> (0 bytes)
+rpc.nfs: RPC Status = Success <0>
+rpc.nfs: --------------- 72-byte parameter block, at offset 24
+rpc.nfs: Status = 0 (OK)
+rpc.nfs: ftype = 2 (directory)
+rpc.nfs: file-mode = 16895 (0x000041ff = 040777)
+rpc.nfs: nlink (no. of hard links) = 7 (0x00000007 = 07)
+rpc.nfs: UID = 2 (0x00000002 = 02)
+rpc.nfs: GID = 2 (0x00000002 = 02)
+rpc.nfs: file-size = 512 (0x00000200 = 01000)
+rpc.nfs: block-size = 8192 (0x00002000 = 020000)
+rpc.nfs: rdev (device number) = 0 (0x00000000 = 00)
+rpc.nfs: blocks (size in blocks) = 2 (0x00000002 = 02)
+rpc.nfs: filesystem ID = 8388610 (0x00800002 = 040000002)
+rpc.nfs: file ID = 2 (0x00000002 = 02)
+rpc.nfs: atime (last access) = 858093069 (11.03.2008, 15:11:09.660009 GMT)
+rpc.nfs: mtime (last modification) = 858012501 (10.03.2008, 16:48:21.500006 GMT)
+rpc.nfs: ctime (last status modification) = 858012501 (10.03.2008, 16:48:21.500006 GMT)




Statistics for each session:

Session 1: Events=17  Packets=4  Bytes=295  Duration=00:01:05
	Rejected Traffic: Packets=0  Bytes=0
NB: Because nifpan generated this file with a -e switch which excluded the final event,
the trailer stats only represent the packets up to and including the final selected event.
Also beware that all these totals may wrap around after a long session on a busy network,
and they will then be invalid.
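
Added example (not part of the nifpan output or its documentation): a small Python parser for the log layout shown above that pairs each RPC call with its reply by XID and takes the response time from the Time fields, since Delta only measures the gap to the previous selected packet. It also records the UID carried in a call's Unix-flavour credentials; the function names and the trimmed sample are this example's own, and it assumes one session that does not cross midnight.

```python
import re

# Constructed sample: lines taken from the events in the log above, cut down to the fields read here.
SAMPLE = """\
=================== Event 1 (1) ==================== (pkt_off=188)
Session: 1\t\tTime: 14:36:15.565895 (Apr09 2008)
+rpc.rpcbind: RPC Call, XID=876903651
=================== Event 2 (2) ==================== (pkt_off=310)
Session: 1\t\tTime: 14:36:15.854016 (Apr09 2008)
+rpc.rpcbind: RPC Reply, XID=876903651 (rpcbind.2.GetPort)
=================== Event 15 (15) ==================== (pkt_off=1820)
Session: 1\t\tTime: 14:36:20.731577 (Apr09 2008)
+rpc.nfs: RPC Call, XID=2164886821
\tUID = 0, GID = 1
=================== Event 16 (16) ==================== (pkt_off=2030)
Session: 1\t\tTime: 14:36:21.098874 (Apr09 2008)
+rpc.nfs: RPC Reply, XID=2164886821 (nfs.2.GetAttr)
"""

EVENT = re.compile(r"^=+ Event (\d+) \(\d+\) =+")
TIME = re.compile(r"Time: (\d+):(\d+):(\d+)\.(\d{6})")
RPC = re.compile(r"^\+rpc\.(\w+): RPC (Call|Reply), XID=(\d+)")
CRED = re.compile(r"^\s+UID = (\d+), GID = \d+")  # indented form: credential block only

def parse_events(text):
    events, cur = [], {}  # lines before the first event land in a throwaway dict
    for line in text.splitlines():
        if m := EVENT.match(line):
            cur = dict(event=int(m.group(1)), us=None, prog=None, kind=None, xid=None, uid=None)
            events.append(cur)
        elif m := TIME.search(line):
            h, mi, s, us = map(int, m.groups())
            cur["us"] = ((h * 60 + mi) * 60 + s) * 1_000_000 + us  # integer microseconds
        elif m := RPC.match(line):
            cur["prog"], cur["kind"], cur["xid"] = m.group(1), m.group(2), int(m.group(3))
        elif m := CRED.match(line):
            cur["uid"] = int(m.group(1))
    return events

def pair_by_xid(events):
    # Keyed on XID alone; with several clients in one log, key on (client, XID) instead.
    pending, pairs = {}, []
    for ev in events:
        if ev["kind"] == "Call":
            pending[ev["xid"]] = ev
        elif ev["kind"] == "Reply" and ev["xid"] in pending:
            call = pending.pop(ev["xid"])
            pairs.append((call["prog"], call["xid"], call["uid"], ev["us"] - call["us"]))
    return pairs, sorted(pending)  # second value: XIDs of calls with no reply seen
```

On the sample both calls pair up, with response times of 288,121 and 367,297 microseconds; these equal the Delta values only because each reply directly follows its call among the selected events.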