Networking Forums

tcpdump output - what is 0x0020?

 
 
news8080@yahoo.com
      01-29-2007, 04:40 PM
I read the damn man page twice and still have no clue.

tcpdump -nn -i eth1 -X | grep "0000 4009 0700 0000" shows this,
0x0020: 5010 f923 aa07 0000 0000 4009 0700 0000
P..#......@.....
0x0020: 5010 f923 ee21 0000 0000 4009 0700 0000
P..#.!....@.....
0x0020: 5010 f923 ee21 0000 0000 4009 0700 0000
P..#.!....@.....
0x0020: 5010 fc00 9eba 0000 0000 4009 0700 0000
P.........@.....
0x0020: 5018 f94d f1dd 0000 0000 4009 0700 0000
P..M......@.....

1. what is 0x0020?
2. it seems that pattern 0000 4009 0700 0000 seems to correspond to
"..@.....", what is the math b/h this?

 
Martin Blume
      01-29-2007, 07:10 PM
<(E-Mail Removed)> wrote:
> I read the damn man page twice and still have no clue.
>
> tcpdump -nn -i eth1 -X | grep "0000 4009 0700 0000" shows this,
> 0x0020: 5010 f923 aa07 0000 0000 4009 0700 0000
> P..#......@.....
> 0x0020: 5010 f923 ee21 0000 0000 4009 0700 0000
> P..#.!....@.....
> 0x0020: 5010 f923 ee21 0000 0000 4009 0700 0000
> P..#.!....@.....
> 0x0020: 5010 fc00 9eba 0000 0000 4009 0700 0000
> P.........@.....
> 0x0020: 5018 f94d f1dd 0000 0000 4009 0700 0000
> P..M......@.....
>
> 1. what is 0x0020?
> 2. it seems that pattern 0000 4009 0700 0000 seems to
> correspond to
> "..@.....", what is the math b/h this?
>


I have actually no idea, but I would guess that:
- 0x0020 is the offset into the packet data displayed
- the packet is displayed as you asked for (with -X) in
hex and ascii, so 80(hex)==P(ascii), 40(hex)==@(ascii),
stuff that is non-printable is shown with .

BTW: My tcpdump man page hasn't -nn.

HTH
Martin


 
news8080@yahoo.com
      01-29-2007, 08:19 PM

that -nn flag (redhat FC6) turns off service resolutions so you'll see
80 instead of http. Thanks for that info. I cooked up a signature but
it doesn't work on my commercial IDS (works fine on snort).

On Jan 29, 3:10 pm, "Martin Blume" <mbl...@socha.net> wrote:
> <news8...@yahoo.com> wrote:
> > I read the damn man page twice and still have no clue.
> >
> > tcpdump -nn -i eth1 -X | grep "0000 4009 0700 0000" shows this,
> > 0x0020: 5010 f923 aa07 0000 0000 4009 0700 0000
> > P..#......@.....
> > 0x0020: 5010 f923 ee21 0000 0000 4009 0700 0000
> > P..#.!....@.....
> > 0x0020: 5010 f923 ee21 0000 0000 4009 0700 0000
> > P..#.!....@.....
> > 0x0020: 5010 fc00 9eba 0000 0000 4009 0700 0000
> > P.........@.....
> > 0x0020: 5018 f94d f1dd 0000 0000 4009 0700 0000
> > P..M......@.....
> >
> > 1. what is 0x0020?
> > 2. it seems that pattern 0000 4009 0700 0000 seems to
> > correspond to
> > "..@.....", what is the math b/h this?
>
> I have actually no idea, but I would guess that:
> - 0x0020 is the offset into the packet data displayed
> - the packet is displayed as you asked for (with -X) in
> hex and ascii, so 80(hex)==P(ascii), 40(hex)==@(ascii),
> stuff that is non-printable is shown with .
>
> BTW: My tcpdump man page hasn't -nn.
>
> HTH
> Martin


 
Rick Jones
      01-29-2007, 10:33 PM
In comp.os.linux.networking Martin Blume <(E-Mail Removed)> wrote:
> <(E-Mail Removed)> wrote:
>> I read the damn man page twice and still have no clue.
>>
>> tcpdump -nn -i eth1 -X | grep "0000 4009 0700 0000" shows this,
>> 0x0020: 5010 f923 aa07 0000 0000 4009 0700 0000
>> P..#......@.....
>> ...
>> 1. what is 0x0020?
>> 2. it seems that pattern 0000 4009 0700 0000 seems to
>> correspond to
>> "..@.....", what is the math b/h this?
>>

> I have actually no idea, but I would guess that:
> - 0x0020 is the offset into the packet data displayed

Indeed, and the OP can confirm that by looking at the output in its
full context - without the pipe to grep - the increment of that number
will show that it is indeed an offset into the packet.

> - the packet is displayed as you asked for (with -X) in
> hex and ascii, so 80(hex)==P(ascii), 40(hex)==@(ascii),
> stuff that is non-printable is shown with .


Yep. The manpage for "ascii" is often helpful in those situations.

rick jones
--
firebug n, the idiot who tosses a lit cigarette out his car window
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
 
Patrick Klos
      01-30-2007, 07:27 PM
In article <45be54b9$0$18824$(E-Mail Removed)>,
Martin Blume <(E-Mail Removed)> wrote:
><(E-Mail Removed)> wrote:
>> I read the damn man page twice and still have no clue.
>>
>> tcpdump -nn -i eth1 -X | grep "0000 4009 0700 0000" shows this,
>> 0x0020: 5010 f923 aa07 0000 0000 4009 0700 0000
>> P..#......@.....
>> 0x0020: 5010 f923 ee21 0000 0000 4009 0700 0000
>> P..#.!....@.....
>> 0x0020: 5010 f923 ee21 0000 0000 4009 0700 0000
>> P..#.!....@.....
>> 0x0020: 5010 fc00 9eba 0000 0000 4009 0700 0000
>> P.........@.....
>> 0x0020: 5018 f94d f1dd 0000 0000 4009 0700 0000
>> P..M......@.....
>>
>> 1. what is 0x0020?
>> 2. it seems that pattern 0000 4009 0700 0000 seems to
>> correspond to
>> "..@.....", what is the math b/h this?
>>
>
>I have actually no idea, but I would guess that:
>- 0x0020 is the offset into the packet data displayed

Exactly.

>- the packet is displayed as you asked for (with -X) in
> hex and ascii, so 80(hex)==P(ascii), 40(hex)==@(ascii),
> stuff that is non-printable is shown with .


Actually, 80(hex) is NOT 'P', but 50(hex) is. And 4d(hex) is 'M'.

Patrick
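To make the two answers in this thread concrete (the 0x0020 column is a byte offset that steps by 16 per row, and the right-hand column is the same bytes rendered as ASCII with '.' for anything non-printable, so 0x50 is 'P', 0x40 is '@' and 0x4d is 'M'), here is a small Python 3 script added as an illustration; it is not code from the thread or from tcpdump. It parses `-X` rows, recomputes the ASCII column with the same isgraph() test tcpdump uses (space also becomes '.'), and converts a hex pattern such as the grep string into an absolute byte offset, which is the number you need when turning a hex-dump match into a content offset for a detection rule. The input rows are the five lines posted above; the function and variable names are this example's own.

```python
import re

# The five hex rows copied from the thread's `tcpdump -X` output (page data).
SAMPLE_DUMP = """\
0x0020: 5010 f923 aa07 0000 0000 4009 0700 0000
0x0020: 5010 f923 ee21 0000 0000 4009 0700 0000
0x0020: 5010 f923 ee21 0000 0000 4009 0700 0000
0x0020: 5010 fc00 9eba 0000 0000 4009 0700 0000
0x0020: 5018 f94d f1dd 0000 0000 4009 0700 0000
"""

# One `-X` row: a 4-digit hex offset, a colon, then up to eight 16-bit groups.
# Any trailing ASCII column on the same line is ignored; we recompute it.
ROW_RE = re.compile(r"^\s*0x([0-9a-fA-F]{4}):((?:\s+[0-9a-fA-F]{2,4}){1,8})")

BYTES_PER_ROW = 16  # a full -X row holds 16 bytes, so row offsets step by 0x10


def parse_row(line):
    """Return (offset, data) for one hex row, or None for any other line."""
    m = ROW_RE.match(line)
    if m is None:
        return None
    offset = int(m.group(1), 16)
    data = bytes.fromhex("".join(m.group(2).split()))
    return offset, data


def ascii_column(data):
    """Reproduce tcpdump's right-hand column: bytes that pass isgraph()
    (0x21..0x7e) print as themselves; controls, space, 0x7f and anything
    above 0x7f print as '.'. That is why 0x80 is '.' but 0x50 is 'P'."""
    return "".join(chr(b) if 0x21 <= b <= 0x7e else "." for b in data)


def decode_dump(text):
    """Parse every hex row in `text` into (offset, data, ascii) triples."""
    rows = []
    for line in text.splitlines():
        parsed = parse_row(line)
        if parsed is not None:
            offset, data = parsed
            rows.append((offset, data, ascii_column(data)))
    return rows


def find_pattern(row_offset, data, pattern_hex):
    """Absolute byte offset of `pattern_hex` (e.g. '0000 4009 0700 0000')
    inside a row that starts at `row_offset`, or -1 if it is not there."""
    needle = bytes.fromhex("".join(pattern_hex.split()))
    idx = data.find(needle)
    return -1 if idx < 0 else row_offset + idx


def row_index(offset):
    """Which row of the dump an offset labels (0x0000 -> 0, 0x0020 -> 2)."""
    return offset // BYTES_PER_ROW


if __name__ == "__main__":
    for offset, data, text in decode_dump(SAMPLE_DUMP):
        last = offset + len(data) - 1
        print(f"0x{offset:04x} (row {row_index(offset)}, bytes {offset}-{last}): "
              f"{data.hex(' ', 2)}  {text}")
        hit = find_pattern(offset, data, "0000 4009 0700 0000")
        print(f"  grep pattern starts at absolute offset 0x{hit:04x} ({hit} bytes in)")
```

One caveat when reusing the offsets: they count from the first byte tcpdump printed, and `-X` omits the link-layer header while `-XX` includes it, so the same row label points at different bytes under the two flags; check which header your dump starts with before copying an offset into a rule.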
 