Copyright 1998-2024, Southern California OS/2 User Group. ALL RIGHTS RESERVED.

SCOUG, Warp Expo West, and Warpfest are trademarks of the Southern California OS/2 User Group. OS/2, Workplace Shell, and IBM are registered trademarks of International Business Machines Corporation. All other trademarks remain the property of their respective owners.

The Southern California OS/2 User Group
USA

SCOUG-HELP Mailing List Archives

Date: Fri, 11 Jul 2003 10:31:09 PDT7
From: "Steven Levine" <steve53@earthlink.net >
Reply-To: scoug-help@scoug.com
To: scoug-help@scoug.com
Subject: SCOUG-Help: iptrace

In <3F0ED7F6.DEF88108@verizon.net>, on 07/11/03
at 08:29 AM, Zdenek Jizba said:

> (Again I am in eCS 1.1 Steve. I can't use your message
>to refresh your memory because it is on my eCS 1.0
>listing of messages)

Well, you could print it out. :-)

I've attached the guts of the article to help refresh your memory. :-)/2

>C:\mptn\bin\iptrace

Mr. KIA said:

iptrace

It does not matter in this case, but if you don't understand what you are
doing, it's better to try to follow the suggested procedure exactly.

> but did not press enter.

You are not being clear. You did press enter once to start the trace.
Correct? You didn't press it a second time to stop the trace. Correct?

>Then I went to the mail and
>messages window and in the file pull down menu
>clicked on subscribe. Within less than 5 seconds I went
>back to the command window and pressed enter.
>The messages from iptrace were identical to the ones
>described earlier, except that the lo: line appeared after only two of
>the ppp0: lines.

This is all as expected. As the article notes:

The summary messages identify the interface and the time
since the last packet. The summary messages are usually
not as important as the fact that they occur. If you don't
see packets coming and going from the expected sources and
destinations, it may be time to look for NIC set problems
or similar issues.

Clearly this does not apply to your situation.

When I issued the following message:

> C:\mptn\bin\ipformat >iptrace.dmp

What Mr. KIA said was:

ipformat >iptrace.txt

If you really did what you wrote, you destroyed the trace data you went to
all the trouble of collecting.

> the response was another prompt:

> C:\mptn\bin\

If you read the Mr. KIA article, this is a normal response to the ipformat
command.

Now it's time to do the important stuff that the article talks about which
is interpreting the trace data. Mr. KIA said:

Now comes what can be the hard part. Interpreting the decoded
trace data. Much of the art of interpreting trace data is knowing
what to ignore. The output is verbose and repetitive.

He assumed that the reader would understand that the decoded trace data
was in iptrace.txt and that this would need to be printed or viewed with a
text editor or something. Was he wrong?

You need to start over and use the suggested procedure. As the article
says:

If you need help analyzing a specific trace, you can always ask Mr. KIA.

He says he's sorta busy at the moment, so you can e-mail the trace file to
me, if you want.

Steven

--
----------------------------------------------------------------------
"Steven Levine" MR2/ICE 2.37 #10183 Warp4/FP15/14.093c_W4
www.scoug.com irc.webbnet.info irc.fyrelizard.org #scoug (Wed 7pm PST)
----------------------------------------------------------------------

Iptrace is an IBM tool that captures TCP/IP packets and writes them to a binary file. Ipformat is the tool that reads this file, decodes the output and writes the results to the standard output.

For those that have not read the online help, use:

tcphelp iptrace

and

tcphelp ipformat

to get a feel for the features and options.

Perhaps, the best way to learn how to use these tools is to start with a simple example. Let's say your ISP is not accepting your e-mail login and best you can tell you are using the correct userid and password.

To capture the trace data:

* If you are using Injoy, open Injoy settings dialog and tell Injoy to expose TCP/IP packets to iptrace. Injoy does not do this by default.
* Open a command line window.
* Start iptrace with the command:

iptrace

As packets are sent and received, iptrace will display summary messages in the window:

[d:\tmp]iptrace
lo: tracing enabled
ppp0: tracing enabled
lo:[ 0.000]: Dest: 127.0.0.1 Source: 127.0.0.1
lo:[ 0.000]: Dest: 127.0.0.1 Source: 127.0.0.1
lo:[ 0.104]: Dest: 127.0.0.1 Source: 127.0.0.1
lo:[ 0.000]: Dest: 127.0.0.1 Source: 127.0.0.1
ppp0:[ 0.885]: process_pkt: len=53, type=24
ppp0:[ 0.166]: process_pkt: len=53, type=24
ppp0:[ 0.000]: process_pkt: len=44, type=24
ppp0:[ 0.180]: process_pkt: len=117, type=24

The summary messages identify the interface and the time since the last packet. The summary messages are usually not as important as the fact that they occur. If you don't see packets coming and going from the expected sources and destinations, it may be time to look for NIC set problems or similar issues.

iptrace writes the packets to the file iptrace.dmp, in the current directory. This cannot be changed. Don't try to run iptrace when logged to a read-only filesystem like a CD.
* Switch to the e-mail program window. Try to login. Wait for the login to fail and for the packet activity to stop.
* Switch back to the iptrace window.
* Press the Enter key to stop iptrace.
* Enter the command:

ipformat >iptrace.txt

to write the decoded trace output to the text file iptrace.txt. The file name can be whatever you want.

It should be obvious, but it's a good idea to shutdown as many Internet applications as possible before starting to capture the trace data. If you don't do this, the trace might contain lots of not very helpful data.

Now comes what can be the hard part. Interpreting the decoded trace data. Much of the art of interpreting trace data is knowing what to ignore. The output is verbose and repetitive.

What follows is the decoded output of our failed login attempt along with some commentary describing the elements.

Opening IPTRACE.DMP ... Sucessful
Reading packet headers ... 18 headers read.
PreProcess packet info

This tells us that iptrace.dmp recorded 18 packets.

-------------------------- #:1 --------------------------

This is the packet number. There should be no missing packet numbers in the output.

Delta Time: 0.000sec Packet Length: 41 bytes (29 hex)

The Delta Time is the time since the last packet was sent or received. This is not too relevant in this example. It is often very important when working on response timeouts and throughput problems.

IP: Dest: 127.000.000.001 Source: 127.000.000.001
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 41 (x29) bytes Id: 5C36
IP: Flags: 2
IP: .1.. Don't Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 64 sec Protocol: 6 TCP
IP: Header Checksum: E096 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 51519 (Unassigned port) Dest Port: 51520 (Unassigned port)
TCP: Sequence #: 2276667649
TCP: Ack #: 2276570671
TCP: Offset: 20 bytes
TCP: Flags: 18
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 1... Push bit On
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 32912 Checksum: 7022 (Correct)
TCP: No Options
--------------------------------- DATA -----------------------------------
0000 38 8

-------------------------- #:2 --------------------------
Delta Time: 0.000sec Packet Length: 41 bytes (29 hex)
IP: Dest: 127.000.000.001 Source: 127.000.000.001
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 41 (x29) bytes Id: 5C36
IP: Flags: 2
IP: .1.. Don't Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 64 sec Protocol: 6 TCP
IP: Header Checksum: E096 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 51519 (Unassigned port) Dest Port: 51520 (Unassigned port)
TCP: Sequence #: 2276667649
TCP: Ack #: 2276570671
TCP: Offset: 20 bytes
TCP: Flags: 18
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 1... Push bit On
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 32912 Checksum: 7022 (Correct)
TCP: No Options
--------------------------------- DATA -----------------------------------
0000 38 8

-------------------------- #:3 --------------------------
Delta Time: 0.049sec Packet Length: 40 bytes (28 hex)
IP: Dest: 127.000.000.001 Source: 127.000.000.001
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 40 (x28) bytes Id: 5C37
IP: Flags: 2
IP: .1.. Don't Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 64 sec Protocol: 6 TCP
IP: Header Checksum: E096 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 51520 (Unassigned port) Dest Port: 51519 (Unassigned port)
TCP: Sequence #: 2276570671
TCP: Ack #: 2276667650
TCP: Offset: 20 bytes
TCP: Flags: 10
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 32912 Checksum: A82A (Correct)
TCP: No Options
TCP: No data or not output.

-------------------------- #:4 --------------------------
Delta Time: 0.000sec Packet Length: 40 bytes (28 hex)
IP: Dest: 127.000.000.001 Source: 127.000.000.001
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 40 (x28) bytes Id: 5C37
IP: Flags: 2
IP: .1.. Don't Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 64 sec Protocol: 6 TCP
IP: Header Checksum: E096 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 51520 (Unassigned port) Dest Port: 51519 (Unassigned port)
TCP: Sequence #: 2276570671
TCP: Ack #: 2276667650
TCP: Offset: 20 bytes
TCP: Flags: 10
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 32912 Checksum: A82A (Correct)
TCP: No Options
TCP: No data or not output.

This is where the output starts to get interesting. For our purposes, the previous packets are noise, although they do illustrate why it's a good idea to shut down as much TCP/IP traffic as possible before capturing trace data.

For the curious, the traffic was generated by Mozilla talking to itself.

-------------------------- #:5 --------------------------
Delta Time: 0.885sec Packet Length: 53 bytes (35 hex)
PPP: Protocol 0x0021 (IP)
PPP: Dest: 207.217.121.215 Source: 209.179.045.140

This identifies the start of a Point-to-Point Protocol packet. This usually means that the packet is going through a dial-up connection. If you are connected via DSL or cable, you would not see this. Internet packets are layered like an onion. The TCP packet is wrapped in an IP packet. The IP packet is wrapped in a PPP packet.

Which layers exist depends on the application and the network connection.

The most interesting elements of the PPP packet are the source and destination addresses. In the case of DSL or cable, these addresses will be reported in the IP packets. See packet #1 for an example of this.

----------------------- IP HEADER -----------------------

This identifies the start of an Internet Protocol packet.

IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 48 (x30) bytes Id: 5C38
IP: Flags: 2
IP: .1.. Don't Fragment

The Don't Fragment flag says this IP packet may not be broken into multiple IP packets as it travels through the Internet. If for some reason this request can not be honored, the packet will be discarded.

IP: ..0. Last Fragment
IP: Fragment Offset: 000

The Fragment Offset is used to reassemble IP packets that have been broken into multiple IP packets. Use the 000 offset as a reference point to find the first (or only) fragment of a set of IP packets.

There's nothing bad about fragmented packets, per se, but not all TCP/IP implementations handle fragmentation well for all MTU (maximum transmission unit) sizes. The MTU defines the largest IP packet a host will transmit. The MTU size and the Don't Fragment flag are elements to look at if you are experiencing timeouts and such. Often changing the MTU value will resolve problems caused by fragmentation. Usually the MTU needs to be lowered, but there are cases where it will need to be increased.

IP: Time To Live: 64 sec Protocol: 6 TCP
IP: Header Checksum: 959F (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------

This identifies the start of a Transmission Control Protocol packet. These are the packets we need to look at most often because TCP packets carry the data that many client and server applications use to communicate at the application level. This includes our e-mail client and server.

TCP: Source Port: 51690 (Unassigned port) Dest Port: 110 (Unassigned port)

Port 110 is the well known port of the POP mail server. This packet is going from our e-mail client to the mail server.

Other useful port numbers are 25 for SMTP mail, 80 for web pages and 119 for news.

TCP: Sequence #: 2383959362
TCP: Ack #: 0
TCP: Offset: 28 bytes
TCP: Flags: 02
TCP: ..0. .... Urgent bit Off
TCP: ...0 .... Ack bit Off
TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..1. Synchronize bit On

This SYN flag says this is the first TCP packet of this connection. It is a useful reference point.

TCP: .... ...0 Finish bit Off
TCP: Window: 32768 Checksum: D7B (Correct)
TCP: Option Code: 02 Length: 4 bytes [MSS]
TCP: Max Segment Size 1460 (x5B4)
TCP: Option Code: 01 Length: 1 bytes [NOP]
TCP: No Operation
TCP: Option Code: 03 Length: 3 bytes [WIN_SCALE]
TCP: Window scale factor 0 (x0)
TCP: No data or not output.

-------------------------- #:6 --------------------------
Delta Time: 0.166sec Packet Length: 53 bytes (35 hex)
PPP: Protocol 0x0021 (IP)
PPP: Dest: 209.179.045.140 Source: 207.217.121.215
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 48 (x30) bytes Id: 1C73
IP: Flags: 0
IP: .0.. May Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 251 sec Protocol: 6 TCP
IP: Header Checksum: 5A64 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 110 (Unassigned port) Dest Port: 51690 (Unassigned port)
TCP: Sequence #: 1959031622
TCP: Ack #: 2383959363
TCP: Offset: 28 bytes
TCP: Flags: 12
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On

The ACK flag says the mail server has heard the client's call and is willing to continue.

TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..1. Synchronize bit On

This SYN flag says the server agrees that a new connection is starting.

TCP: .... ...0 Finish bit Off
TCP: Window: 65535 Checksum: A55E (Correct)
TCP: Option Code: 01 Length: 1 bytes [NOP]
TCP: No Operation
TCP: Option Code: 03 Length: 3 bytes [WIN_SCALE]
TCP: Window scale factor 1 (x1)
TCP: Option Code: 02 Length: 4 bytes [MSS]
TCP: Max Segment Size 1460 (x5B4)
TCP: No data or not output.

-------------------------- #:7 --------------------------
Delta Time: 0.000sec Packet Length: 41 bytes (29 hex)
Compressed and Unfiltered Packet Length: 44 bytes (2C hex)
PPP: Protocol 0x002F (VJ Un-Compressed)
PPP: Dest: 207.217.121.215 Source: 209.179.045.140
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 40 (x28) bytes Id: 5C39
IP: Flags: 2
IP: .1.. Don't Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 64 sec Protocol: 6 TCP
IP: Header Checksum: 95A6 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 51690 (Unassigned port) Dest Port: 110 (Unassigned port)
TCP: Sequence #: 2383959363
TCP: Ack #: 1959031623
TCP: Offset: 20 bytes
TCP: Flags: 10
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On

This ACK flag is the client telling the server it has seen the server's ACK. At this point, the server and the client have agreed on Sequence # and Ack # values and are ready to transfer data.

TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 33580 Checksum: 4DF7 (Correct)
TCP: No Options
TCP: No data or not output.

This packet contains no data, but it might for other applications.

-------------------------- #:8 --------------------------
Delta Time: 0.180sec Packet Length: 114 bytes (72 hex)
Compressed and Unfiltered Packet Length: 117 bytes (75 hex)
PPP: Protocol 0x002F (VJ Un-Compressed)
PPP: Dest: 209.179.045.140 Source: 207.217.121.215
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 112 (x70) bytes Id: 1C74
IP: Flags: 0
IP: .0.. May Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 251 sec Protocol: 6 TCP
IP: Header Checksum: 5A23 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 110 (Unassigned port) Dest Port: 51690 (Unassigned port)
TCP: Sequence #: 1959031623
TCP: Ack #: 2383959363
TCP: Offset: 20 bytes
TCP: Flags: 18
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On

This ACK is the server telling the client that it received the client's ACK.

TCP: .... 1... Push bit On

The PUSH bit tells the world to send this packet to its destination with minimal buffering. This is almost always set in the last TCP packet when the data is spread over multiple TCP packets. When honored, this helps the data get to the final destination quicker.

TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 32850 Checksum: 418 (Correct)
TCP: No Options
--------------------------------- DATA -----------------------------------
0000 2B 4F 4B 20 4E 47 50 6F 70 70 65 72 20 76 45 4C +OK NGPopper vEL
0010 5F 34 5F 32 39 20 61 74 20 65 61 72 74 68 6C 69 _4_29 at earthli
0020 6E 6B 2E 6E 65 74 20 72 65 61 64 79 20 3C 31 38 nk.net ready <18
0030 36 37 31 2E 31 30 34 38 35 33 32 34 32 36 40 61 671.1048532426@a
0040 76 6F 63 65 74 3E 0D 0A vocet>..

Finally, some data. This is the mail server saying hello to the client.

-------------------------- #:9 --------------------------
Delta Time: 0.000sec Packet Length: 55 bytes (37 hex)
Compressed and Unfiltered Packet Length: 23 bytes (17 hex)
PPP: Protocol 0x002D (VJ Compressed)
PPP: Dest: 207.217.121.215 Source: 209.179.045.140
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 54 (x36) bytes Id: 5C3A
IP: Flags: 2
IP: .1.. Don't Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 64 sec Protocol: 6 TCP
IP: Header Checksum: 9597 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 51690 (Unassigned port) Dest Port: 110 (Unassigned port)
TCP: Sequence #: 2383959363
TCP: Ack #: 1959031695
TCP: Offset: 20 bytes
TCP: Flags: 18
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On

This ACK flag is the client telling the server, it received the hello message.

TCP: .... 1... Push bit On
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 33580 Checksum: 6776 (Correct)
TCP: No Options
--------------------------------- DATA -----------------------------------
0000 55 53 45 52 20 73 74 65 76 65 33 35 0D 0A USER steve35..

Finally, the client has something to say. This is the start of the login attempt.

-------------------------- #:10 --------------------------
Delta Time: 0.127sec Packet Length: 42 bytes (2A hex)
Compressed and Unfiltered Packet Length: 11 bytes (B hex)
PPP: Protocol 0x002D (VJ Compressed)
PPP: Dest: 209.179.045.140 Source: 207.217.121.215
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 40 (x28) bytes Id: 1C75
IP: Flags: 0
IP: .0.. May Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 251 sec Protocol: 6 TCP
IP: Header Checksum: 5A6A (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 110 (Unassigned port) Dest Port: 51690 (Unassigned port)
TCP: Sequence #: 1959031695
TCP: Ack #: 2383959377
TCP: Offset: 20 bytes
TCP: Flags: 10
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 32850 Checksum: 507B (Correct)
TCP: No Options
TCP: No data or not output.

-------------------------- #:11 --------------------------
Delta Time: 0.000sec Packet Length: 47 bytes (2F hex)
Compressed and Unfiltered Packet Length: 15 bytes (F hex)
PPP: Protocol 0x002D (VJ Compressed)
PPP: Dest: 209.179.045.140 Source: 207.217.121.215
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 45 (x2D) bytes Id: 1C76
IP: Flags: 0
IP: .0.. May Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 251 sec Protocol: 6 TCP
IP: Header Checksum: 5A64 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 110 (Unassigned port) Dest Port: 51690 (Unassigned port)
TCP: Sequence #: 1959031695
TCP: Ack #: 2383959377
TCP: Offset: 20 bytes
TCP: Flags: 18
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 1... Push bit On
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 32850 Checksum: D011 (Correct)
TCP: No Options
--------------------------------- DATA -----------------------------------
0000 2B 4F 4B 0D 0A +OK..

The server has accepted the user name.

-------------------------- #:12 --------------------------
Delta Time: 0.000sec Packet Length: 51 bytes (33 hex)
Compressed and Unfiltered Packet Length: 20 bytes (14 hex)
PPP: Protocol 0x002D (VJ Compressed)
PPP: Dest: 207.217.121.215 Source: 209.179.045.140
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 50 (x32) bytes Id: 5C3B
IP: Flags: 2
IP: .1.. Don't Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 64 sec Protocol: 6 TCP
IP: Header Checksum: 959A (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 51690 (Unassigned port) Dest Port: 110 (Unassigned port)
TCP: Sequence #: 2383959377
TCP: Ack #: 1959031700
TCP: Offset: 20 bytes
TCP: Flags: 18
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 1... Push bit On
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 33580 Checksum: 3FB (Correct)
TCP: No Options
--------------------------------- DATA -----------------------------------
0000 50 41 53 53 20 78 78 78 0D 0A PASS xxx..

Now the client sends the password.

-------------------------- #:13 --------------------------
Delta Time: 0.238sec Packet Length: 42 bytes (2A hex)
Compressed and Unfiltered Packet Length: 11 bytes (B hex)
PPP: Protocol 0x002D (VJ Compressed)
PPP: Dest: 209.179.045.140 Source: 207.217.121.215
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 40 (x28) bytes Id: 1C77
IP: Flags: 0
IP: .0.. May Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 251 sec Protocol: 6 TCP
IP: Header Checksum: 5A68 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 110 (Unassigned port) Dest Port: 51690 (Unassigned port)
TCP: Sequence #: 1959031700
TCP: Ack #: 2383959387
TCP: Offset: 20 bytes
TCP: Flags: 10
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 32850 Checksum: 506C (Correct)
TCP: No Options
TCP: No data or not output.

-------------------------- #:14 --------------------------
Delta Time: 4.914sec Packet Length: 81 bytes (51 hex)
Compressed and Unfiltered Packet Length: 48 bytes (30 hex)
PPP: Protocol 0x002D (VJ Compressed)
PPP: Dest: 209.179.045.140 Source: 207.217.121.215
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 79 (x4F) bytes Id: 1C78
IP: Flags: 0
IP: .0.. May Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 251 sec Protocol: 6 TCP
IP: Header Checksum: 5A40 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 110 (Unassigned port) Dest Port: 51690 (Unassigned port)
TCP: Sequence #: 1959031700
TCP: Ack #: 2383959387
TCP: Offset: 20 bytes
TCP: Flags: 18
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 1... Push bit On
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 32850 Checksum: CAFC (Correct)
TCP: No Options
--------------------------------- DATA -----------------------------------
0000 2D 45 52 52 20 62 61 64 20 70 61 73 73 77 6F 72 -ERR bad passwor
0010 64 20 6F 72 20 75 6E 6B 6E 6F 77 6E 20 75 73 65 d or unknown use
0020 72 6E 61 6D 65 0D 0A rname..

Well, we expected this. However, a closer look at the USER command tells us where the problem is. steve35 should have been steve53. I don't know how we missed this on the e-mail settings page, but we did. Sometimes just seeing something presented in a different way helps to solve the problem.

The above failure is rather easy to analyze. Another that I see a lot is related to SMTP-Auth. Many ISPs are changing to SMTP-Auth verification for sending e-mail. A login failure caused by this would be clearly identified in the trace output. The e-mail client might not report this with any useful detail.

-------------------------- #:15 --------------------------
Delta Time: 0.006sec Packet Length: 45 bytes (2D hex)
Compressed and Unfiltered Packet Length: 46 bytes (2E hex)
PPP: Protocol 0x0021 (IP)
PPP: Dest: 207.217.121.215 Source: 209.179.045.140
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 40 (x28) bytes Id: 5C3C
IP: Flags: 2
IP: .1.. Don't Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 64 sec Protocol: 6 TCP
IP: Header Checksum: 95A3 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 51690 (Unassigned port) Dest Port: 110 (Unassigned port)
TCP: Sequence #: 2383959387
TCP: Ack #: 1959031739
TCP: Offset: 20 bytes
TCP: Flags: 11
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...1 Finish bit On

This FIN flag tells the server the client wants to end this connection.

TCP: Window: 33580 Checksum: 4D6A (Correct)
TCP: No Options
TCP: No data or not output.

-------------------------- #:16 --------------------------
Delta Time: 0.004sec Packet Length: 45 bytes (2D hex)
Compressed and Unfiltered Packet Length: 46 bytes (2E hex)
PPP: Protocol 0x0021 (IP)
PPP: Dest: 209.179.045.140 Source: 207.217.121.215
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 40 (x28) bytes Id: 1C79
IP: Flags: 0
IP: .0.. May Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 251 sec Protocol: 6 TCP
IP: Header Checksum: 5A66 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 110 (Unassigned port) Dest Port: 51690 (Unassigned port)
TCP: Sequence #: 1959031739
TCP: Ack #: 2383959387
TCP: Offset: 20 bytes
TCP: Flags: 11
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...1 Finish bit On

This FIN flag tells the client that the server is willing to end this connection.

TCP: Window: 32850 Checksum: 5044 (Correct)
TCP: No Options
TCP: No data or not output.

-------------------------- #:17 --------------------------
Delta Time: 0.000sec Packet Length: 41 bytes (29 hex)
Compressed and Unfiltered Packet Length: 11 bytes (B hex)
PPP: Protocol 0x002D (VJ Compressed)
PPP: Dest: 207.217.121.215 Source: 209.179.045.140
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 40 (x28) bytes Id: 5C3D
IP: Flags: 2
IP: .1.. Don't Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 64 sec Protocol: 6 TCP
IP: Header Checksum: 95A2 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 51690 (Unassigned port) Dest Port: 110 (Unassigned port)
TCP: Sequence #: 2383959388
TCP: Ack #: 1959031740
TCP: Offset: 20 bytes
TCP: Flags: 10
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On

This ACK tells the server that the client has received the server's FIN response.

TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 33580 Checksum: 4D69 (Correct)
TCP: No Options
TCP: No data or not output.

-------------------------- #:18 --------------------------
Delta Time: 0.146sec Packet Length: 42 bytes (2A hex)
Compressed and Unfiltered Packet Length: 12 bytes (C hex)
PPP: Protocol 0x002D (VJ Compressed)
PPP: Dest: 209.179.045.140 Source: 207.217.121.215
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 40 (x28) bytes Id: 1C7A
IP: Flags: 0
IP: .0.. May Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 251 sec Protocol: 6 TCP
IP: Header Checksum: 5A65 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 110 (Unassigned port) Dest Port: 51690 (Unassigned port)
TCP: Sequence #: 1959031740
TCP: Ack #: 2383959388
TCP: Offset: 20 bytes
TCP: Flags: 10
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On

This ACK tells the client that the server has received the client's ACK response.

TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 32850 Checksum: 5043 (Correct)
TCP: No Options
TCP: No data or not output.
Finished

That's it for our simple trip through TCP/IP packet analysis.
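To make the "knowing what to ignore" step concrete, here is an added example (not part of the article or of this mailing-list post) that reads ipformat text like the listing above, decodes the "TCP: Flags" byte, cross-checks the hex DATA dump against the IP Total Len, IP header length and TCP Offset fields, and reassembles the POP3 dialog so the mistyped user name and the server's -ERR stand out. The transcript inside it is a constructed, shortened copy of packets 8, 9 and 14; the function names are my own.

```python
"""Skim ipformat decoded output: decode the TCP flag byte, pull the payload
out of the hex DATA dump and reassemble the POP3 dialog.  Added example, not
the article's tooling; SAMPLE is a constructed, shortened copy of packets 8,
9 and 14 above, keeping only the lines this parser reads."""
import re

SAMPLE = """\
-------------------------- #:8 --------------------------
PPP: Dest: 209.179.045.140 Source: 207.217.121.215
IP: Version: 4 Correct Header Length: 20 bytes
IP: Total Len: 112 (x70) bytes Id: 1C74
TCP: Source Port: 110 (Unassigned port) Dest Port: 51690 (Unassigned port)
TCP: Offset: 20 bytes
TCP: Flags: 18
--------------------------------- DATA -----------------------------------
0000 2B 4F 4B 20 4E 47 50 6F 70 70 65 72 20 76 45 4C +OK NGPopper vEL
0010 5F 34 5F 32 39 20 61 74 20 65 61 72 74 68 6C 69 _4_29 at earthli
0020 6E 6B 2E 6E 65 74 20 72 65 61 64 79 20 3C 31 38 nk.net ready <18
0030 36 37 31 2E 31 30 34 38 35 33 32 34 32 36 40 61 671.1048532426@a
0040 76 6F 63 65 74 3E 0D 0A vocet>..
-------------------------- #:9 --------------------------
PPP: Dest: 207.217.121.215 Source: 209.179.045.140
IP: Version: 4 Correct Header Length: 20 bytes
IP: Total Len: 54 (x36) bytes Id: 5C3A
TCP: Source Port: 51690 (Unassigned port) Dest Port: 110 (Unassigned port)
TCP: Offset: 20 bytes
TCP: Flags: 18
--------------------------------- DATA -----------------------------------
0000 55 53 45 52 20 73 74 65 76 65 33 35 0D 0A USER steve35..
-------------------------- #:14 --------------------------
PPP: Dest: 209.179.045.140 Source: 207.217.121.215
IP: Version: 4 Correct Header Length: 20 bytes
IP: Total Len: 79 (x4F) bytes Id: 1C78
TCP: Source Port: 110 (Unassigned port) Dest Port: 51690 (Unassigned port)
TCP: Offset: 20 bytes
TCP: Flags: 18
--------------------------------- DATA -----------------------------------
0000 2D 45 52 52 20 62 61 64 20 70 61 73 73 77 6F 72 -ERR bad passwor
0010 64 20 6F 72 20 75 6E 6B 6E 6F 77 6E 20 75 73 65 d or unknown use
0020 72 6E 61 6D 65 0D 0A rname..
"""

FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),  # "TCP: Flags: NN"
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))   # bit values

def tcp_flags(hex_byte):
    """'18' -> ['PSH', 'ACK'], '12' -> ['SYN', 'ACK'], '11' -> ['FIN', 'ACK']."""
    return [name for name, bit in FLAG_BITS if int(hex_byte, 16) & bit]

FIELDS = (  # header lines worth keeping: (key, pattern, converter)
    ("dst", r"(?:PPP|IP): Dest: (\S+) Source:", str),
    ("src", r"(?:PPP|IP): Dest: \S+ Source: (\S+)", str),
    ("ip_hlen", r"IP: Version: \d+ \S+ Header Length: (\d+) bytes", int),
    ("ip_len", r"IP: Total Len: (\d+) ", int),
    ("src_port", r"TCP: Source Port: (\d+) ", int),
    ("dst_port", r"TCP: Source Port: \d+ .*Dest Port: (\d+)", int),
    ("tcp_hlen", r"TCP: Offset: (\d+) bytes", int),
    ("flags", r"TCP: Flags: ([0-9A-Fa-f]+)$", tcp_flags),
)

def parse_trace(text):
    """One dict per '#:N' section: header fields, decoded flags, raw payload."""
    packets, pkt = [], {}  # banner lines before the first "#:N" land in the dummy
    for line in text.splitlines():
        if m := re.match(r"-+ #:(\d+) -+$", line):
            pkt = {"num": int(m.group(1)), "flags": [], "payload": bytearray()}
            packets.append(pkt)
        elif re.match(r"[0-9A-Fa-f]{4} ", line):
            # DATA line: offset, up to 16 hex bytes, then an ASCII column that may
            # itself look like hex.  Total Len minus both header lengths says how
            # many payload bytes are real, so we stop there instead of guessing.
            expected = pkt["ip_len"] - pkt["ip_hlen"] - pkt["tcp_hlen"]
            for tok in line.split()[1:17]:
                if len(pkt["payload"]) >= expected or not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                    break
                pkt["payload"].append(int(tok, 16))
        else:
            for key, pattern, conv in FIELDS:
                if m := re.match(pattern, line):
                    pkt[key] = conv(m.group(1))
    return packets

def pop3_dialog(packets, server_port=110):
    """Application-level exchange as (side, line) pairs: S = server, C = client."""
    dialog = []
    for p in packets:
        side = "S" if p.get("src_port") == server_port else "C"
        for text_line in bytes(p["payload"]).decode("ascii", "replace").split("\r\n"):
            if text_line:
                dialog.append((side, text_line))
    return dialog

def find_login_failure(dialog):
    """(USER command, -ERR reply) if the server rejected the login, else None."""
    user = next((t for s, t in dialog if s == "C" and t.upper().startswith("USER ")), None)
    err = next((t for s, t in dialog if s == "S" and t.startswith("-ERR")), None)
    return (user, err) if err else None
```

Run it against a full ipformat listing (the real file has every header line, which the parser simply skips) and the dialog it returns is the three-line USER/+OK/-ERR exchange the article walks through by hand.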


