April 2003
Mr. Know-It-All has the answers to even the really tough questions.
Question:
I often see recommendations to use iptrace and ipformat to diagnose TCP/IP
problems. I read the online help, but I don't really understand what it's
telling me to do. Can you help?
Answer:
Iptrace is an IBM tool that captures TCP/IP packets and writes them to a
binary file.
Ipformat is the tool that reads this file, decodes the
output and writes the results to the standard output.
For those who have not read the online help, use:
tcphelp iptrace
and
tcphelp ipformat
to get a feel for the features and options.
Perhaps the best way to learn how to use these tools is to start with a simple example.
Let's say your ISP is not accepting your e-mail login and, as best you can tell, you are
using the correct userid and password.
To capture the trace data:
It should be obvious, but it's a good idea to shut down as many
Internet applications as possible before starting to capture the trace data.
If you don't do this, the trace might contain a lot of unhelpful data.
Now comes what can be the hard part: interpreting the decoded trace data.
Much of the art of interpreting trace data is knowing what to ignore.
The output is verbose and repetitive.
What follows is the decoded output of our failed login attempt along with some
commentary describing the elements.
Opening IPTRACE.DMP ... Sucessful
Reading packet headers ... 18 headers read.
PreProcess packet info
This tells us that iptrace.dmp recorded 18 packets.
-------------------------- #:1 --------------------------
This is the packet number.
There should be no missing packet numbers in the output.
Delta Time: 0.000sec Packet Length: 41 bytes (29 hex)
The Delta Time is the time since the last packet was sent or received.
This is not very relevant in this example, but it is often very important when
working on response timeouts and throughput problems.
IP: Dest: 127.000.000.001 Source: 127.000.000.001
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 41 (x29) bytes Id: 5C36
IP: Flags: 2
IP: .1.. Don't Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 64 sec Protocol: 6 TCP
IP: Header Checksum: E096 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 51519 (Unassigned port) Dest Port: 51520 (Unassigned port)
TCP: Sequence #: 2276667649
TCP: Ack #: 2276570671
TCP: Offset: 20 bytes
TCP: Flags: 18
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 1... Push bit On
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 32912 Checksum: 7022 (Correct)
TCP: No Options
--------------------------------- DATA -----------------------------------
0000 38 8
-------------------------- #:2 --------------------------
Delta Time: 0.000sec Packet Length: 41 bytes (29 hex)
IP: Dest: 127.000.000.001 Source: 127.000.000.001
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 41 (x29) bytes Id: 5C36
IP: Flags: 2
IP: .1.. Don't Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 64 sec Protocol: 6 TCP
IP: Header Checksum: E096 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 51519 (Unassigned port) Dest Port: 51520 (Unassigned port)
TCP: Sequence #: 2276667649
TCP: Ack #: 2276570671
TCP: Offset: 20 bytes
TCP: Flags: 18
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 1... Push bit On
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 32912 Checksum: 7022 (Correct)
TCP: No Options
--------------------------------- DATA -----------------------------------
0000 38 8
-------------------------- #:3 --------------------------
Delta Time: 0.049sec Packet Length: 40 bytes (28 hex)
IP: Dest: 127.000.000.001 Source: 127.000.000.001
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 40 (x28) bytes Id: 5C37
IP: Flags: 2
IP: .1.. Don't Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 64 sec Protocol: 6 TCP
IP: Header Checksum: E096 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 51520 (Unassigned port) Dest Port: 51519 (Unassigned port)
TCP: Sequence #: 2276570671
TCP: Ack #: 2276667650
TCP: Offset: 20 bytes
TCP: Flags: 10
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 32912 Checksum: A82A (Correct)
TCP: No Options
TCP: No data or not output.
-------------------------- #:4 --------------------------
Delta Time: 0.000sec Packet Length: 40 bytes (28 hex)
IP: Dest: 127.000.000.001 Source: 127.000.000.001
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 40 (x28) bytes Id: 5C37
IP: Flags: 2
IP: .1.. Don't Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 64 sec Protocol: 6 TCP
IP: Header Checksum: E096 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 51520 (Unassigned port) Dest Port: 51519 (Unassigned port)
TCP: Sequence #: 2276570671
TCP: Ack #: 2276667650
TCP: Offset: 20 bytes
TCP: Flags: 10
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 32912 Checksum: A82A (Correct)
TCP: No Options
TCP: No data or not output.
This is where the output starts to get interesting.
For our purposes, the previous packets are noise, although they do
illustrate why it's a good idea to shut down as much TCP/IP traffic as possible before
capturing trace data.
For the curious, the traffic was generated by Mozilla talking to itself.
-------------------------- #:5 --------------------------
Delta Time: 0.885sec Packet Length: 53 bytes (35 hex)
PPP: Protocol 0x0021 (IP)
PPP: Dest: 207.217.121.215 Source: 209.179.045.140
This identifies the start of a Point-to-Point Protocol packet.
This usually means that the packet is going through a dial-up connection.
If you are connected via DSL or cable, you would not see this.
Internet packets are layered like an onion.
The TCP packet is wrapped in an IP packet.
The IP packet is wrapped in a PPP packet.
Which layers exist depends on the application and the network connection.
The most interesting elements of the PPP packet are the source and destination
addresses. In the case of DSL or cable, these addresses will
be reported in the IP packets. See packet #1 for an example of this.
----------------------- IP HEADER -----------------------
This identifies the start of an Internet Protocol packet.
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 48 (x30) bytes Id: 5C38
IP: Flags: 2
IP: .1.. Don't Fragment
The Don't Fragment flag says this IP packet may not be broken into multiple
IP packets as it travels through the Internet.
If for some reason this request cannot be honored, the packet will be discarded.
IP: ..0. Last Fragment
IP: Fragment Offset: 000
The Fragment Offset is used to reassemble IP packets that have been broken
into multiple IP packets.
Use the 000 offset as a reference point to find the first (or only)
fragment of a set of IP packets.
There's nothing bad about fragmented packets, per se, but not
all TCP/IP implementations handle fragmentation well for all MTU
(maximum transmission unit) sizes.
The MTU defines the largest IP packet a host will transmit.
The MTU size and the Don't Fragment flag are elements to look at if
you are experiencing timeouts and such.
Often changing the MTU
value will resolve problems caused by fragmentation.
Usually the MTU needs to be lowered, but there are cases where it will
need to be increased.
IP: Time To Live: 64 sec Protocol: 6 TCP
IP: Header Checksum: 959F (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
This identifies the start of a Transmission Control Protocol packet.
These are the packets we need to look at most often because TCP packets
carry the data that many client and server applications use to communicate at
the application level.
This includes our e-mail client and server.
TCP: Source Port: 51690 (Unassigned port) Dest Port: 110 (Unassigned port)
Port 110 is the well-known port of the POP mail server, even though ipformat labels it an unassigned port.
This packet is going from our e-mail client to the mail server.
Other useful port numbers are 25 for SMTP mail, 80 for web pages and 119 for news.
TCP: Sequence #: 2383959362
TCP: Ack #: 0
TCP: Offset: 28 bytes
TCP: Flags: 02
TCP: ..0. .... Urgent bit Off
TCP: ...0 .... Ack bit Off
TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..1. Synchronize bit On
This SYN flag says this is the first TCP packet of this connection.
It is a useful reference point.
TCP: .... ...0 Finish bit Off
TCP: Window: 32768 Checksum: D7B (Correct)
TCP: Option Code: 02 Length: 4 bytes [MSS]
TCP: Max Segment Size 1460 (x5B4)
TCP: Option Code: 01 Length: 1 bytes [NOP]
TCP: No Operation
TCP: Option Code: 03 Length: 3 bytes [WIN_SCALE]
TCP: Window scale factor 0 (x0)
TCP: No data or not output.
-------------------------- #:6 --------------------------
Delta Time: 0.166sec Packet Length: 53 bytes (35 hex)
PPP: Protocol 0x0021 (IP)
PPP: Dest: 209.179.045.140 Source: 207.217.121.215
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 48 (x30) bytes Id: 1C73
IP: Flags: 0
IP: .0.. May Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 251 sec Protocol: 6 TCP
IP: Header Checksum: 5A64 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 110 (Unassigned port) Dest Port: 51690 (Unassigned port)
TCP: Sequence #: 1959031622
TCP: Ack #: 2383959363
TCP: Offset: 28 bytes
TCP: Flags: 12
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
The ACK flag says the mail server has heard the client's call and is willing to continue.
TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..1. Synchronize bit On
This SYN flag says the server agrees that a new connection is starting.
TCP: .... ...0 Finish bit Off
TCP: Window: 65535 Checksum: A55E (Correct)
TCP: Option Code: 01 Length: 1 bytes [NOP]
TCP: No Operation
TCP: Option Code: 03 Length: 3 bytes [WIN_SCALE]
TCP: Window scale factor 1 (x1)
TCP: Option Code: 02 Length: 4 bytes [MSS]
TCP: Max Segment Size 1460 (x5B4)
TCP: No data or not output.
-------------------------- #:7 --------------------------
Delta Time: 0.000sec Packet Length: 41 bytes (29 hex)
Compressed and Unfiltered Packet Length: 44 bytes (2C hex)
PPP: Protocol 0x002F (VJ Un-Compressed)
PPP: Dest: 207.217.121.215 Source: 209.179.045.140
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 40 (x28) bytes Id: 5C39
IP: Flags: 2
IP: .1.. Don't Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 64 sec Protocol: 6 TCP
IP: Header Checksum: 95A6 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 51690 (Unassigned port) Dest Port: 110 (Unassigned port)
TCP: Sequence #: 2383959363
TCP: Ack #: 1959031623
TCP: Offset: 20 bytes
TCP: Flags: 10
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
This ACK flag is the client telling the server it has seen the server's ACK.
At this point, the server and the client have agreed on Sequence # and Ack #
values and are ready to transfer data.
TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 33580 Checksum: 4DF7 (Correct)
TCP: No Options
TCP: No data or not output.
This packet contains no data, but it might for other applications.
-------------------------- #:8 --------------------------
Delta Time: 0.180sec Packet Length: 114 bytes (72 hex)
Compressed and Unfiltered Packet Length: 117 bytes (75 hex)
PPP: Protocol 0x002F (VJ Un-Compressed)
PPP: Dest: 209.179.045.140 Source: 207.217.121.215
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 112 (x70) bytes Id: 1C74
IP: Flags: 0
IP: .0.. May Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 251 sec Protocol: 6 TCP
IP: Header Checksum: 5A23 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 110 (Unassigned port) Dest Port: 51690 (Unassigned port)
TCP: Sequence #: 1959031623
TCP: Ack #: 2383959363
TCP: Offset: 20 bytes
TCP: Flags: 18
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
This ACK is the server telling the client that it received the client's ACK.
TCP: .... 1... Push bit On
The PUSH bit tells the world to send this packet to its destination with minimal buffering.
This is almost always set in the last TCP packet when the data is spread over
multiple TCP packets.
When honored, this helps the data get to the final destination quicker.
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 32850 Checksum: 418 (Correct)
TCP: No Options
--------------------------------- DATA -----------------------------------
0000 2B 4F 4B 20 4E 47 50 6F 70 70 65 72 20 76 45 4C +OK NGPopper vEL
0010 5F 34 5F 32 39 20 61 74 20 65 61 72 74 68 6C 69 _4_29 at earthli
0020 6E 6B 2E 6E 65 74 20 72 65 61 64 79 20 3C 31 38 nk.net ready <18
0030 36 37 31 2E 31 30 34 38 35 33 32 34 32 36 40 61 671.1048532426@a
0040 76 6F 63 65 74 3E 0D 0A vocet>..
Finally, some data.
This is the mail server saying hello to the client.
-------------------------- #:9 --------------------------
Delta Time: 0.000sec Packet Length: 55 bytes (37 hex)
Compressed and Unfiltered Packet Length: 23 bytes (17 hex)
PPP: Protocol 0x002D (VJ Compressed)
PPP: Dest: 207.217.121.215 Source: 209.179.045.140
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 54 (x36) bytes Id: 5C3A
IP: Flags: 2
IP: .1.. Don't Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 64 sec Protocol: 6 TCP
IP: Header Checksum: 9597 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 51690 (Unassigned port) Dest Port: 110 (Unassigned port)
TCP: Sequence #: 2383959363
TCP: Ack #: 1959031695
TCP: Offset: 20 bytes
TCP: Flags: 18
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
This ACK flag is the client telling the server it received the hello message.
TCP: .... 1... Push bit On
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 33580 Checksum: 6776 (Correct)
TCP: No Options
--------------------------------- DATA -----------------------------------
0000 55 53 45 52 20 73 74 65 76 65 33 35 0D 0A USER steve35..
Finally, the client has something to say.
This is the start of the login attempt.
-------------------------- #:10 --------------------------
Delta Time: 0.127sec Packet Length: 42 bytes (2A hex)
Compressed and Unfiltered Packet Length: 11 bytes (B hex)
PPP: Protocol 0x002D (VJ Compressed)
PPP: Dest: 209.179.045.140 Source: 207.217.121.215
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 40 (x28) bytes Id: 1C75
IP: Flags: 0
IP: .0.. May Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 251 sec Protocol: 6 TCP
IP: Header Checksum: 5A6A (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 110 (Unassigned port) Dest Port: 51690 (Unassigned port)
TCP: Sequence #: 1959031695
TCP: Ack #: 2383959377
TCP: Offset: 20 bytes
TCP: Flags: 10
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 32850 Checksum: 507B (Correct)
TCP: No Options
TCP: No data or not output.
-------------------------- #:11 --------------------------
Delta Time: 0.000sec Packet Length: 47 bytes (2F hex)
Compressed and Unfiltered Packet Length: 15 bytes (F hex)
PPP: Protocol 0x002D (VJ Compressed)
PPP: Dest: 209.179.045.140 Source: 207.217.121.215
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 45 (x2D) bytes Id: 1C76
IP: Flags: 0
IP: .0.. May Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 251 sec Protocol: 6 TCP
IP: Header Checksum: 5A64 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 110 (Unassigned port) Dest Port: 51690 (Unassigned port)
TCP: Sequence #: 1959031695
TCP: Ack #: 2383959377
TCP: Offset: 20 bytes
TCP: Flags: 18
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 1... Push bit On
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 32850 Checksum: D011 (Correct)
TCP: No Options
--------------------------------- DATA -----------------------------------
0000 2B 4F 4B 0D 0A +OK..
The server has accepted the user name.
-------------------------- #:12 --------------------------
Delta Time: 0.000sec Packet Length: 51 bytes (33 hex)
Compressed and Unfiltered Packet Length: 20 bytes (14 hex)
PPP: Protocol 0x002D (VJ Compressed)
PPP: Dest: 207.217.121.215 Source: 209.179.045.140
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 50 (x32) bytes Id: 5C3B
IP: Flags: 2
IP: .1.. Don't Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 64 sec Protocol: 6 TCP
IP: Header Checksum: 959A (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 51690 (Unassigned port) Dest Port: 110 (Unassigned port)
TCP: Sequence #: 2383959377
TCP: Ack #: 1959031700
TCP: Offset: 20 bytes
TCP: Flags: 18
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 1... Push bit On
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 33580 Checksum: 3FB (Correct)
TCP: No Options
--------------------------------- DATA -----------------------------------
0000 50 41 53 53 20 78 78 78 0D 0A PASS xxx..
Now the client sends the password.
-------------------------- #:13 --------------------------
Delta Time: 0.238sec Packet Length: 42 bytes (2A hex)
Compressed and Unfiltered Packet Length: 11 bytes (B hex)
PPP: Protocol 0x002D (VJ Compressed)
PPP: Dest: 209.179.045.140 Source: 207.217.121.215
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 40 (x28) bytes Id: 1C77
IP: Flags: 0
IP: .0.. May Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 251 sec Protocol: 6 TCP
IP: Header Checksum: 5A68 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 110 (Unassigned port) Dest Port: 51690 (Unassigned port)
TCP: Sequence #: 1959031700
TCP: Ack #: 2383959387
TCP: Offset: 20 bytes
TCP: Flags: 10
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 32850 Checksum: 506C (Correct)
TCP: No Options
TCP: No data or not output.
-------------------------- #:14 --------------------------
Delta Time: 4.914sec Packet Length: 81 bytes (51 hex)
Compressed and Unfiltered Packet Length: 48 bytes (30 hex)
PPP: Protocol 0x002D (VJ Compressed)
PPP: Dest: 209.179.045.140 Source: 207.217.121.215
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 79 (x4F) bytes Id: 1C78
IP: Flags: 0
IP: .0.. May Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 251 sec Protocol: 6 TCP
IP: Header Checksum: 5A40 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 110 (Unassigned port) Dest Port: 51690 (Unassigned port)
TCP: Sequence #: 1959031700
TCP: Ack #: 2383959387
TCP: Offset: 20 bytes
TCP: Flags: 18
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 1... Push bit On
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 32850 Checksum: CAFC (Correct)
TCP: No Options
--------------------------------- DATA -----------------------------------
0000 2D 45 52 52 20 62 61 64 20 70 61 73 73 77 6F 72 -ERR bad passwor
0010 64 20 6F 72 20 75 6E 6B 6E 6F 77 6E 20 75 73 65 d or unknown use
0020 72 6E 61 6D 65 0D 0A rname..
Well, we expected this.
However, a closer look at the USER command tells us where the
problem is. steve35 should have been steve53.
I don't know how we missed this on the e-mail settings page, but we
did. Sometimes just seeing something presented in a different
way helps to solve the problem.
The above failure is rather easy to analyze.
Another that I see a lot is related to SMTP-Auth.
Many ISPs are changing to SMTP-Auth verification for sending e-mail.
A login failure caused by this would be clearly identified in the
trace output. The e-mail client might not report this with any useful detail.
-------------------------- #:15 --------------------------
Delta Time: 0.006sec Packet Length: 45 bytes (2D hex)
Compressed and Unfiltered Packet Length: 46 bytes (2E hex)
PPP: Protocol 0x0021 (IP)
PPP: Dest: 207.217.121.215 Source: 209.179.045.140
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 40 (x28) bytes Id: 5C3C
IP: Flags: 2
IP: .1.. Don't Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 64 sec Protocol: 6 TCP
IP: Header Checksum: 95A3 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 51690 (Unassigned port) Dest Port: 110 (Unassigned port)
TCP: Sequence #: 2383959387
TCP: Ack #: 1959031739
TCP: Offset: 20 bytes
TCP: Flags: 11
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...1 Finish bit On
This FIN flag tells the server the client wants to end this connection.
TCP: Window: 33580 Checksum: 4D6A (Correct)
TCP: No Options
TCP: No data or not output.
-------------------------- #:16 --------------------------
Delta Time: 0.004sec Packet Length: 45 bytes (2D hex)
Compressed and Unfiltered Packet Length: 46 bytes (2E hex)
PPP: Protocol 0x0021 (IP)
PPP: Dest: 209.179.045.140 Source: 207.217.121.215
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 40 (x28) bytes Id: 1C79
IP: Flags: 0
IP: .0.. May Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 251 sec Protocol: 6 TCP
IP: Header Checksum: 5A66 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 110 (Unassigned port) Dest Port: 51690 (Unassigned port)
TCP: Sequence #: 1959031739
TCP: Ack #: 2383959387
TCP: Offset: 20 bytes
TCP: Flags: 11
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...1 Finish bit On
This FIN flag tells the client that the server is willing to end this connection.
TCP: Window: 32850 Checksum: 5044 (Correct)
TCP: No Options
TCP: No data or not output.
-------------------------- #:17 --------------------------
Delta Time: 0.000sec Packet Length: 41 bytes (29 hex)
Compressed and Unfiltered Packet Length: 11 bytes (B hex)
PPP: Protocol 0x002D (VJ Compressed)
PPP: Dest: 207.217.121.215 Source: 209.179.045.140
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 40 (x28) bytes Id: 5C3D
IP: Flags: 2
IP: .1.. Don't Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 64 sec Protocol: 6 TCP
IP: Header Checksum: 95A2 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 51690 (Unassigned port) Dest Port: 110 (Unassigned port)
TCP: Sequence #: 2383959388
TCP: Ack #: 1959031740
TCP: Offset: 20 bytes
TCP: Flags: 10
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
This ACK tells the server that the client has received the server's FIN response.
TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 33580 Checksum: 4D69 (Correct)
TCP: No Options
TCP: No data or not output.
-------------------------- #:18 --------------------------
Delta Time: 0.146sec Packet Length: 42 bytes (2A hex)
Compressed and Unfiltered Packet Length: 12 bytes (C hex)
PPP: Protocol 0x002D (VJ Compressed)
PPP: Dest: 209.179.045.140 Source: 207.217.121.215
----------------------- IP HEADER -----------------------
IP: Version: 4 Correct Header Length: 20 bytes
IP: Type Of Service: 00
IP: 000. .... Routine
IP: ...0 .... Normal Delay
IP: .... 0... Normal Throughput
IP: .... .0.. Normal Reliability
IP: Total Len: 40 (x28) bytes Id: 1C7A
IP: Flags: 0
IP: .0.. May Fragment
IP: ..0. Last Fragment
IP: Fragment Offset: 000
IP: Time To Live: 251 sec Protocol: 6 TCP
IP: Header Checksum: 5A65 (Correct)
IP: No Options
---------------------- TCP HEADER ----------------------
TCP: Source Port: 110 (Unassigned port) Dest Port: 51690 (Unassigned port)
TCP: Sequence #: 1959031740
TCP: Ack #: 2383959388
TCP: Offset: 20 bytes
TCP: Flags: 10
TCP: ..0. .... Urgent bit Off
TCP: ...1 .... Ack bit On
This ACK tells the client that the server has received the client's ACK response.
TCP: .... 0... Push bit Off
TCP: .... .0.. Reset bit Off
TCP: .... ..0. Synchronize bit Off
TCP: .... ...0 Finish bit Off
TCP: Window: 32850 Checksum: 5043 (Correct)
TCP: No Options
TCP: No data or not output.
Finished
That's it for our simple trip through TCP/IP packet analysis.
If you want to understand a bit more about the guts of the TCP/IP protocols,
take a look at the RFCs. RFC 791 and 793 are the real deal. You can find them
at the RFC FTP Site. As you might expect,
there are plenty of resources on the web that cover this material in more or less detail.
It should be easy enough to find one written to your comfort level.
The ipformat output is sufficient for resolving many problems.
However, there are cases where the output volume is just too large
and you are going to need a packet analyzer to provide some sorting and filtering.
Mr. KIA has been told that Ethereal runs well under Odin.
Ipformat can generate the "sniffer" compatible output that Ethereal understands.
If you need help analyzing a specific trace, you can always ask
Mr. KIA.
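When the decoded output is too long to read by eye, a short script can do the sorting and filtering described above. The following is an added example, not part of the original column and not an IBM tool: it assumes the single-space ipformat layout printed on this page, and the names `row_bytes`, `parse` and `summarize` and the abridged sample are constructed here. It keeps only the packets on one port and masks the PASS argument, which travels in clear text (packet #12), so the summary can be passed to someone else.

```python
import re

# Constructed sample: packets 1, 5, 9, 12 and 14 above, abridged to the parsed lines.
SAMPLE = """\
-------------------------- #:1 --------------------------
Delta Time: 0.000sec Packet Length: 41 bytes (29 hex)
IP: Dest: 127.000.000.001 Source: 127.000.000.001
TCP: Source Port: 51519 (Unassigned port) Dest Port: 51520 (Unassigned port)
TCP: Flags: 18
--------------------------------- DATA -----------------------------------
0000 38 8
-------------------------- #:5 --------------------------
Delta Time: 0.885sec Packet Length: 53 bytes (35 hex)
PPP: Dest: 207.217.121.215 Source: 209.179.045.140
TCP: Source Port: 51690 (Unassigned port) Dest Port: 110 (Unassigned port)
TCP: Flags: 02
-------------------------- #:9 --------------------------
Delta Time: 0.000sec Packet Length: 55 bytes (37 hex)
PPP: Dest: 207.217.121.215 Source: 209.179.045.140
TCP: Source Port: 51690 (Unassigned port) Dest Port: 110 (Unassigned port)
TCP: Flags: 18
--------------------------------- DATA -----------------------------------
0000 55 53 45 52 20 73 74 65 76 65 33 35 0D 0A USER steve35..
-------------------------- #:12 --------------------------
Delta Time: 0.000sec Packet Length: 51 bytes (33 hex)
PPP: Dest: 207.217.121.215 Source: 209.179.045.140
TCP: Source Port: 51690 (Unassigned port) Dest Port: 110 (Unassigned port)
TCP: Flags: 18
--------------------------------- DATA -----------------------------------
0000 50 41 53 53 20 78 78 78 0D 0A PASS xxx..
-------------------------- #:14 --------------------------
Delta Time: 4.914sec Packet Length: 81 bytes (51 hex)
PPP: Dest: 209.179.045.140 Source: 207.217.121.215
TCP: Source Port: 110 (Unassigned port) Dest Port: 51690 (Unassigned port)
TCP: Flags: 18
--------------------------------- DATA -----------------------------------
0000 2D 45 52 52 20 62 61 64 20 70 61 73 73 77 6F 72 -ERR bad passwor
0010 64 20 6F 72 20 75 6E 6B 6E 6F 77 6E 20 75 73 65 d or unknown use
0020 72 6E 61 6D 65 0D 0A rname..
"""

FLAGS = {0x02: "SYN", 0x10: "ACK", 0x08: "PSH", 0x01: "FIN", 0x04: "RST", 0x20: "URG"}

def row_bytes(line):
    """Bytes of one hex-dump row such as '0000 2B 4F 4B 0D 0A +OK..'."""
    parts = line.split(" ")
    if not re.fullmatch(r"[0-9A-Fa-f]{4}", parts[0]):
        return b""
    # One ASCII character is printed per byte: find k pairs followed by k characters.
    for k in range(min(16, len(parts) - 2), 0, -1):
        pairs, text = parts[1:k + 1], " ".join(parts[k + 1:])
        if len(text) == k and all(re.fullmatch(r"[0-9A-Fa-f]{2}", h) for h in pairs):
            return bytes.fromhex("".join(pairs))
    return b""

def parse(text):
    """Return one dict per TCP packet in ipformat's decoded text."""
    packets = []
    chunks = re.split(r"^-+ #:(\d+) -+$", text, flags=re.M)
    for num, body in zip(chunks[1::2], chunks[2::2]):
        head, _, dump = body.partition("- DATA -")
        delta = re.search(r"^Delta Time: ([\d.]+)sec", head, re.M)
        addr = re.search(r"^(?:PPP|IP): Dest: (\S+) Source: (\S+)", head, re.M)
        tcp = re.search(r"^TCP: Source Port: (\d+) .*Dest Port: (\d+)", head, re.M)
        flags = re.search(r"^TCP: Flags: ([0-9A-Fa-f]+)", head, re.M)
        if not (delta and addr and tcp and flags):
            continue  # not a TCP packet, or a truncated record
        packets.append(dict(
            num=int(num), delta=float(delta[1]), dst=addr[1], src=addr[2],
            sport=int(tcp[1]), dport=int(tcp[2]), flags=int(flags[1], 16),
            data=b"".join(row_bytes(r) for r in dump.splitlines())))
    return packets

def summarize(text, port=110):
    """One line per packet to or from `port`, with PASS arguments masked."""
    out = []
    for p in parse(text):
        if port not in (p["sport"], p["dport"]):
            continue  # drops unrelated traffic such as the loopback packets
        flags = ",".join(name for bit, name in FLAGS.items() if p["flags"] & bit)
        payload = p["data"].decode("latin-1").rstrip("\r\n")
        if payload[:5].upper() == "PASS ":
            payload = "PASS <redacted>"
        out.append(f'#{p["num"]} +{p["delta"]:.3f}s {p["src"]}:{p["sport"]} > '
                   f'{p["dst"]}:{p["dport"]} [{flags}] {payload}'.rstrip())
    return out

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

Raw ipformat output that pads its columns with extra spaces would need the row splitting in `row_bytes` adjusted.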
Curious or in doubt, you can ask
Mr. Know-It-All
OS/2 is his specialty and sharing solutions is his passion
Mr. Know-It-All lives in Southern California.
The Southern California OS/2 User Group
P.O. Box 26904
Santa Ana, CA 92799-6904, USA
Copyright 2003 the Southern California OS/2 User Group. ALL RIGHTS
RESERVED.