
List:       tcpdump-workers
Subject:    Re: [tcpdump-workers] problem with parsing Leipzig-I trace
From:       Stephen Donnelly <stephen () endace ! com>
Date:       2005-07-11 1:39:17
Message-ID: 42D1CDC5.9020300 () endace ! com

Hi Zhen,

Well, 0x21 is the IANA PPP DLL protocol number for Internet Protocol 
version 4, so perhaps the link in question is RFC2615 PPP over SONET rather 
than PoS/Cisco HDLC.

You could try changing DLT_CHDLC to DLT_PPP_SERIAL in dagbpf.c and 
recompiling. Alternatively contact NLANR PMA via the feedback address on 
the webpage you mentioned and ask them about how to process the trace.

Regards,
Stephen.

Zhen Wu wrote:
> Yes. I tried different flags. Here is what I got by trying "dagbpf -p".
> -------------------------
> $ zcat 20021125-140000-0.gz | /usr/local/dagtools-0.8.1/pcap/dagbpf -p  
> | /usr/local/sbin/tcpdump -n -tt -r -| more
> reading from file -, link-type C_HDLC (Cisco HDLC)
> 1038229200.000249 unknown CHDLC protocol (0x0021)
> 1038229200.000275 unknown CHDLC protocol (0x0021)
> 1038229200.000312 unknown CHDLC protocol (0x0021)
> 1038229200.000385 unknown CHDLC protocol (0x0021)
> 
> There must be a way to read/parse the Leipzig-I trace. I just couldn't 
> figure it out. I would appreciate any suggestion. Thanks!
> 
> Zhen
> 
> On Jul 10, 2005, at 2:19 PM, Stephen Donnelly wrote:
> 
>> From the web pages you mentioned, the Leipzig-I trace page says that 
>> it was taken from a Packet over SONET link. Did you try the "dagbpf 
>> -p" flag for PoS?
>>
>> Regards,
>> Stephen.
>>
>> Zhen Wu wrote:
>>
>>> Hello, everyone:
>>> I am using dagtools and tcpdump to parse the Leipzig-I trace. The 
>>> output is NOT what I expected. Using the same command, I can 
>>> successfully parse the Auckland-IV trace.
>>> Anyone can help me??? Thanks a lot!
>>> Zhen
>>> output from parsing Leipzig-I trace, from 
>>> "http://pma.nlanr.net/Special/leip1.html"
>>> --------------------------
>>> $ zcat 20021125-140000-0.gz | /usr/local/dagtools-0.8.1/pcap/dagbpf 
>>> -v | /usr/local/sbin/tcpdump -n -tt -r -| more
>>> dagbpf: verbose: header
>>> dagbpf: verbose: sloop
>>> reading from file -, link-type ATM_RFC1483 (RFC 1483 IP-over-ATM)
>>> 1038229200.000249 sap 02 > sap 0a 83/P
>>> 1038229200.000275 sap 00 > sap 0a rnr (r=59,F)
>>> 1038229200.000312 sap 02 > sap 0a 83/P
>>> 1038229200.000385 sap 02 > sap 0a 83/P
>>> output from parsing Auckland-IV trace, from 
>>> "http://pma.nlanr.net/Traces/long/auck4.html"
>>> ----------------------
>>> $ zcat 20010309-020000-0.gz | /usr/local/dagtools-0.8.1/pcap/dagbpf 
>>> -v | /usr/local/sbin/tcpdump -n -tt -r - | more
>>> dagbpf: verbose: header
>>> dagbpf: verbose: sloop
>>> reading from file -, link-type ATM_RFC1483 (RFC 1483 IP-over-ATM)
>>> 984056400.009423 IP 10.0.45.255.80 > 10.0.0.53.4608: . ack 397996760 
>>> win 8760
>>> 984056400.012529 IP 10.0.45.255.80 > 10.0.0.53.4608: P 0:159(159) ack 
>>> 1 win 8760
>>> 984056400.012546 IP 10.0.45.255.80 > 10.0.0.53.4608: F 159:159(0) ack 
>>> 1 win 8760
>>> 984056400.013616 IP 10.2.179.148.2875 > 10.0.1.19.80: . ack 584221866 
>>> win 31856 <[|tcp]>
>>> The version of my tcpdump
>>> ------------------
>>> tcpdump version current-cvs.tcpdump.org.2004.06.20
>>> libpcap version 0.7
>>> -
>>> This is the tcpdump-workers list.
>>> Visit https://lists.sandelman.ca/ to unsubscribe.
>>
>>
>>
>> -- 
>> -----------------------------------------------------------------------
>>     Stephen Donnelly BCMS PhD           email: sfd@endace.com
>>     Endace Technology Ltd               phone: +64 7 839 0540
>>     Hamilton, New Zealand               cell:  +64 21 1104378
>> -----------------------------------------------------------------------
> 
> 


-- 
-----------------------------------------------------------------------
     Stephen Donnelly BCMS PhD           email: sfd@endace.com
     Endace Technology Ltd   	        phone: +64 7 839 0540
     Hamilton, New Zealand               cell:  +64 21 1104378
-----------------------------------------------------------------------
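
The header check behind the reply above, as an added example that is not part of the original thread or of dagtools/tcpdump: it looks at the address, control and protocol bytes of a PoS frame to tell Cisco HDLC (0x0F/0x8F, 0x00, Ethertype 0x0800 for IPv4) from RFC 1662 PPP in HDLC-like framing (0xFF, 0x03, PPP protocol 0x0021 for IPv4) and suggests which DLT to try. The function names and sample header bytes are constructed for illustration and are not taken from the Leipzig-I trace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR 5 /* address, control, 2-byte protocol, first payload byte */
enum encap { ENCAP_UNKNOWN, ENCAP_CHDLC, ENCAP_PPP_HDLC };

/* Classify one frame; only IPv4-carrying frames are counted as evidence. */
enum encap classify_frame(const uint8_t *p, size_t len)
{
    if (len < HDR)
        return ENCAP_UNKNOWN;
    uint16_t proto = (uint16_t)((p[2] << 8) | p[3]); /* big-endian field */
    int ipv4 = (p[4] >> 4) == 4;                     /* IP version nibble */
    /* RFC 1662 PPP: address 0xFF, control 0x03, protocol 0x0021 = IPv4 */
    if (p[0] == 0xFF && p[1] == 0x03 && proto == 0x0021 && ipv4)
        return ENCAP_PPP_HDLC;
    /* Cisco HDLC: address 0x0F or 0x8F, control 0x00, Ethertype 0x0800 */
    if ((p[0] == 0x0F || p[0] == 0x8F) && p[1] == 0x00 && proto == 0x0800 && ipv4)
        return ENCAP_CHDLC;
    return ENCAP_UNKNOWN; /* LCP, SLARP, keepalives, or another framing */
}

/* Majority vote over n header snapshots; returns the DLT name to try. */
const char *suggest_dlt(const uint8_t (*frames)[HDR], size_t n)
{
    size_t ppp = 0, chdlc = 0;
    for (size_t i = 0; i < n; i++) {
        enum encap e = classify_frame(frames[i], HDR);
        if (e == ENCAP_PPP_HDLC) ppp++;
        else if (e == ENCAP_CHDLC) chdlc++;
    }
    if (ppp > chdlc) return "DLT_PPP_SERIAL";
    if (chdlc > ppp) return "DLT_CHDLC";
    return "undetermined";
}

/* Constructed sample headers (not real trace data). */
const uint8_t sample_ppp[3][HDR] = {
    {0xFF, 0x03, 0x00, 0x21, 0x45},   /* PPP, IPv4 */
    {0xFF, 0x03, 0xC0, 0x21, 0x01},   /* PPP LCP: ignored by the vote */
    {0xFF, 0x03, 0x00, 0x21, 0x45} };
const uint8_t sample_chdlc[2][HDR] = {
    {0x0F, 0x00, 0x08, 0x00, 0x45},   /* Cisco HDLC unicast, IPv4 */
    {0x8F, 0x00, 0x08, 0x00, 0x45} }; /* Cisco HDLC broadcast, IPv4 */

int main(void)
{
    printf("%s\n%s\n", suggest_dlt(sample_ppp, 3), suggest_dlt(sample_chdlc, 2));
    return 0;
}
```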