The packets shown by tcpdump contain the following data: an IP header and a data portion. The IP data portion contains a UDP packet, that is, a UDP header and its data portion. We have used the following typographical notation:
packet 1:
* underlined for IP headers, UDP headers and NFS procedure call parameters
* bold for UDP headers
* italic for RPC headers
* each block of numbers in black and red color indicates a particular field
packet 2:
* underlined for IP headers, UDP headers
* bold for UDP headers
* italic for file attributes
* each block of numbers in black and red color indicates a particular field
packet 3:
* underlined for IP headers, UDP headers
* bold for UDP headers
* blue for RPC header
* red for file handler
packet 4:
* underlined for IP headers, UDP headers
* bold for UDP headers
* blue for RPC header
* red for file attributes
packet 5:
* underlined for IP headers, UDP headers
* bold for UDP headers
* blue for RPC header
* red for file handler
packet 6:
* underlined for IP headers, UDP headers, actual file data
* bold for UDP headers
* blue for RPC header
* red for file attributes
Some Useful References:
* IP header format
* UDP header format
* ASCII table
* tcpdump
* snoop
* nfstrace
* nfswatch
* A detailed analysis of monitoring NFS systems
* RFC1057
* RFC1831
* RFC1813
Here is the printout of the dumped packets:
packet 1:
21:32:54.898924 moe.baylor.edu.1791010337 > larry.baylor.edu.nfs: 148 lookup fh Unknown/1 "secret" (ttl 64, id 267)
4500
00b0 010b 0000 4011
4efa
813e 93dd
813e 93de 0320
0801
009c db4e 6ac0
a621
0000 0000 0000
0002 0001 86a3 0000 0002
0000
0004 0000 0001 0000
0040 0000 7239
0000 000e 6d6f
652e 6261 796c 6f72 2e65
6475 0c23 0000
0000 0000 0000 0000 0007
0000 0000 0000 0001
0000 0002 0000 0003
0000 0004 0000 0006 0000 000a
0000 0000
0000 0000 caba
ebfe c11f 0000 0200 0000
0208 0000 0208 0000 c11f
0000 8b68 2036
0000 0000 0000 0006 7365
6372 6574 0000
In the first line, host moe.baylor.edu sent a transaction with id 1791010337 to larry.baylor.edu (note that the number following the source host is a transaction id, not the source port). The request was 148 bytes, excluding the UDP and IP headers. The operation was a lookup (searches for a file in the current directory and, if found, returns a file handle pointing to it plus information on the file's attributes) on file handle (fh) Unknown/1. (If one is lucky, which is not the case here, the file handle can be interpreted as a major, minor device number pair, followed by the inode number and generation number, for example 21,24/10.73165.) moe asked larry to look up the name "secret" in the directory with file handle "Unknown/1".
Additional information that is readily available from the IP header:
4 Version 4
5 Internet Header Length - 5 32-bit words.
00 Type of Service - Normal Delay, Normal Throughput, Normal Reliability
00b0 Total Length - the whole packet is b0 hex (176 decimal = 20 bytes IP header + 8 bytes UDP header + 148 bytes data for request) bytes long
010b Identification
0000 Flags and Fragmentation Offset
40 Time To Live - 64 hops
11 Protocol - UDP
4efa Header Checksum
813e 93dd Source Address - 129.62.147.221 - 81 hex is 129 dec, 3e is 62, 93 is 147 and dd is 221.
813e 93de Destination Address - 129.62.147.222
Additional information that is readily available from the UDP header:
0320 Source Port, 800 decimal
0801 Destination Port, 2049 decimal, which is usually used as the port number for NFS
009c Total length for the UDP packet, 9c hex ( 156 decimal = 8 bytes UDP header + 148 bytes data for request ) bytes long
db4e Checksum
Additional information that is readily available from the RPC header:
6ac0 a621 transaction identifier
0000 0000 msg_type = CALL
0000 0002 rpcvers = 2 ( in version 2 of the RPC protocol specification, rpcvers must be equal to 2 )
0001 86a3 hex 000186a3 (decimal 100003), remote program ID
0000 0002 remote program version number
0000 0004 procedure within the remote program to be called ( hex 4 for "lookup" )
0000 0001 auth_flavor = AUTH_UNIX ( for authentication purposes )
0000 000e stamp ( an arbitrary ID which the caller machine may generate )
6d6f 652e 6261 796c 6f72 2e65 6475 moe.baylor.edu ( name of the caller machine )
0000 0000 uid ( the caller's effective user ID )
0000 0000 gid ( the caller's effective group ID )
0000 0007 gids ( a counted array of groups which contain the caller as a member )
0000 0000 AUTH_NULL ( the verifier accompanying the credential )
NFS procedure call parameters:
caba ebfe c11f 0000 0200 0000 0208 0000 0208 0000 c11f 0000 8b68 2036 0000 0000 0000 0006 file handle for the directory in which to manipulate or access the file
7365 6372 6574 "secret" ( name of the file to be looked up )
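As an added example (not part of the original page), the following Python decodes packet 1 field by field the way the annotation above does, using the IP and UDP header layouts and the RPC CALL and AUTH_UNIX credential layouts from RFC 1057 (the credential is a length-prefixed body holding a stamp, the caller's machine name, uid, gid and a gids array, followed by the verifier). The packet bytes are re-typed from the dump above; the function and dictionary key names are my own.

```python
import struct
from ipaddress import IPv4Address

# Constructed input: packet 1 from the printout above (IP, UDP, RPC CALL with AUTH_UNIX, LOOKUP args).
PACKET1_HEX = (
    "4500 00b0 010b 0000 4011 4efa 813e 93dd 813e 93de 0320 0801 009c db4e"
    " 6ac0 a621 0000 0000 0000 0002 0001 86a3 0000 0002 0000 0004 0000 0001"
    " 0000 0040 0000 7239 0000 000e 6d6f 652e 6261 796c 6f72 2e65 6475 0c23"
    " 0000 0000 0000 0000 0000 0007 0000 0000 0000 0001 0000 0002 0000 0003"
    " 0000 0004 0000 0006 0000 000a 0000 0000 0000 0000 caba ebfe c11f 0000"
    " 0200 0000 0208 0000 0208 0000 c11f 0000 8b68 2036 0000 0000 0000 0006"
    " 7365 6372 6574 0000"
)
NFS2_PROCS = {0: "NULL", 1: "GETATTR", 2: "SETATTR", 3: "ROOT", 4: "LOOKUP",
              5: "READLINK", 6: "READ", 8: "WRITE", 9: "CREATE", 10: "REMOVE"}

def xdr_opaque(buf, off):
    """XDR variable-length opaque/string: 4-byte length, bytes, pad to a 4-byte boundary."""
    (n,) = struct.unpack_from("!I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + ((n + 3) & ~3)

def decode_nfs_call(hexdump):
    pkt = bytes.fromhex(hexdump)
    ihl = (pkt[0] & 0x0F) * 4                        # IP header length in bytes
    (total_len,) = struct.unpack_from("!H", pkt, 2)
    sport, dport, ulen = struct.unpack_from("!HHH", pkt, ihl)
    rpc = pkt[ihl + 8:ihl + ulen]                    # UDP payload = the RPC message
    (xid, msg_type, rpcvers, prog, vers, proc,
     cred_flavor, cred_len) = struct.unpack_from("!8I", rpc, 0)
    if msg_type != 0 or cred_flavor != 1:
        raise ValueError("expected an RPC CALL carrying AUTH_UNIX credentials")
    # AUTH_UNIX credential body (RFC 1057): stamp, machinename<255>, uid, gid, gids<16>
    (stamp,) = struct.unpack_from("!I", rpc, 32)
    machine, off = xdr_opaque(rpc, 36)
    uid, gid, ngids = struct.unpack_from("!3I", rpc, off)
    gids = list(struct.unpack_from("!%dI" % ngids, rpc, off + 12))
    off = 32 + cred_len                              # the verifier follows the credential body
    verf_flavor, verf_len = struct.unpack_from("!2I", rpc, off)
    off += 8 + verf_len
    fh = rpc[off:off + 32]                           # an NFSv2 file handle is 32 opaque bytes
    name, _ = xdr_opaque(rpc, off + 32)              # LOOKUP args: diropargs { fh, name }
    return {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
            "total_len": total_len, "sport": sport, "dport": dport, "xid": xid,
            "prog": prog, "vers": vers, "proc": NFS2_PROCS.get(proc, proc),
            "stamp": stamp, "machine": machine.decode(), "uid": uid, "gid": gid,
            "gids": gids, "fh": fh.hex(), "name": name.decode()}

if __name__ == "__main__":
    for field, value in decode_nfs_call(PACKET1_HEX).items():
        print(f"{field:>10}: {value}")
```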
packet 2:
21:32:54.899211 larry.baylor.edu.nfs > moe.baylor.edu.1791010337: reply ok 128 lookup fh Unknown/1 REG 100644 ids 0/0 sz 40 (ttl 64, id 1964)
4500 009c 07ac 0000 4011 486d 813e 93de
813e 93dd 0801 0320 0088 3a66
6ac0 a621
0000
0001 0000 0000 0000
0000 0000 0000
0000 0000 0000 0000
caba ebfe e720 0000
c11f 0000 0208 0000 0208 0000
c11f 0000
131e 0c23 0000 0000 0000
0001 0000 81a4
0000
0001 0000 0000 0000
0000 0000 0028
0000 1000 0000 0000
0000 0002 0000 0802
0000
20e7 3802 9d5a 0000 0000 3802
9d5a
0000 0000 3802
9d5a 0000 0000
6ac0 a621 transaction ID
0000 0001 msg_type = REPLY
0000 0000 reply_stat = MSG_ACCEPTED ( hex 0 )
0000 0000 verifier, auth_flavor = AUTH_NULL ( hex 0 )
0000 0000 accept_stat = SUCCESS ( hex 0 )
caba ebfe e720 0000 c11f 0000 0208 0000 0208 0000 c11f 0000 131e 0c23 0000 0000 returned file ( "secret" ) handle
0000 0001 file type: REG (regular) = hex 1
0000 81a4 file mode (type and access permission)
0000 0001 link count
0000 0000 user id
0000 0000 group id
0000 0028 file size ( 40 bytes in decimal )
0000 1000 actually used disk space (4096 bytes, 2 blocks)
0000 0000 device major number (only meaningful if file is a device)
0000 0002 device minor number ( only meaningful if file is a device )
0000 0802 file system major number ( 8 ) and minor number ( 2 )
0000 20e7 Inode number
3802 9d5a 0000 0000 Atime, the time when the file data was last accessed
3802 9d5a 0000 0000 Mtime, the time when the attributes of the file were last changed
3802 9d5a 0000 0000 Ctime, the time when the attributes of the file were last changed
packet 3:
21:32:54.900034 moe.baylor.edu.1807787553 > larry.baylor.edu.nfs: 136 getattr fh Unknown/1 (ttl 64, id 268)
4500 00a4 010c 0000 4011 4f05 813e 93dd
813e 93de 0320 0801 0090 bdf8 6bc0
a621
0000 0000 0000 0002 0001
86a3 0000 0002
0000 0001 0000 0001 0000
0040 0000 7239
0000 000e 6d6f 652e 6261
796c 6f72 2e65
6475 0c23 0000 0000 0000
0000 0000 0007
0000 0000 0000
0001 0000 0002 0000 0003
0000 0004 0000 0006 0000 000a 0000
0000
0000 0000
caba ebfe e720 0000 c11f 0000
0208 0000 0208 0000 c11f 0000
131e 0c23
0000 0000
packet 4:
21:32:54.900238 larry.baylor.edu.nfs > moe.baylor.edu.1807787553: reply ok 96 getattr REG 100644 ids 0/0 sz 40 (ttl 64, id 1965)
4500 007c 07ad 0000 4011 488c 813e 93de
813e 93dd 0801 0320 0068 7d11 6bc0
a621
0000 0001 0000 0000 0000 0000
0000 0000
0000 0000 0000 0000 0000
0001 0000 81a4
0000 0001 0000 0000 0000 0000
0000 0028
0000 1000 0000 0000 0000 0002
0000 0802
0000 20e7 3802 9d5a 0000 0000
3802 9d5a
0000 0000 3802 9d5a 0000 0000
packet 5:
21:32:54.901147 moe.baylor.edu.1824564769 > larry.baylor.edu.nfs: 148 read fh Unknown/1 4096 bytes @ 0 (ttl 64, id 269)
4500 00b0 010d 0000 4011 4ef8 813e 93dd
813e 93de 0320 0801 009c 98fe 6cc0
a621
0000 0000 0000 0002 0001 86a3
0000 0002
0000 0006 0000 0001 0000 0040
0000 7239
0000 000e 6d6f 652e 6261 796c
6f72 2e65
6475 1000 0000 0000 0000 0000
0000 0007
0000 0000 0000 0001
0000 0002 0000 0003
0000 0004 0000 0006 0000 000a 0000 0000
0000 0000 caba ebfe e720 0000
c11f 0000
0208 0000 0208 0000 c11f 0000
131e 0c23
0000 0000 0000 0000
0000 1000 0000 1000
0000 0000 offset - the position within the file at which the read is to begin
0000 1000 count - the number of bytes of data that are to be read
packet 6:
21:32:54.901513 larry.baylor.edu.nfs > moe.baylor.edu.1824564769: reply ok 140 read REG 100644 ids 0/0 sz 40 (ttl 64, id 1966)
4500 00a8 07ae 0000 4011 485f 813e 93de
813e 93dd 0801 0320 0094 945a 6cc0
a621
0000 0001 0000 0000 0000 0000
0000 0000
0000 0000 0000 00000000
0001 0000 81a4
0000 0001 0000 0000 0000 0000
0000 0028
0000 1000 0000 0000 0000 0002
0000 0802
0000 20e7 3802 9dd6 0000 0000
3802 9d5a
0000 0000 3802 9d5a 0000 0000
0000 0028
3031 3233 3435 2054 6869 7320 6973 2061
2073 6563 7265 7420 6d65 7373 6167 652e
2035 3433 3231 300a
0000 0028 count - the number of bytes of data returned by the read
3031 3233 3435 2054 6869 7320 6973 2061
2073 6563 7265 7420 6d65 7373 6167 652e
2035 3433 3231 30 file contents: 012345 This is a secret message. 543210
0a Line Feed
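As an added example (not part of the original page), this Python decodes packet 6, the READ reply: the RPC reply header, the NFS status, the file attribute block, the returned byte count and the file data itself. The attribute fields are named in the order RFC 1094 defines the NFSv2 fattr structure, which is the same 68-byte block carried in the lookup reply (packet 2) and the getattr reply (packet 4); the bytes are re-typed from the dump above and the function names are my own.

```python
import struct

# Constructed input: packet 6 from the printout above (the READ reply), re-typed as hex.
PACKET6_HEX = (
    "4500 00a8 07ae 0000 4011 485f 813e 93de 813e 93dd 0801 0320 0094 945a"
    " 6cc0 a621 0000 0001 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000"
    " 0000 0001 0000 81a4 0000 0001 0000 0000 0000 0000 0000 0028 0000 1000"
    " 0000 0000 0000 0002 0000 0802 0000 20e7 3802 9dd6 0000 0000 3802 9d5a"
    " 0000 0000 3802 9d5a 0000 0000 0000 0028 3031 3233 3435 2054 6869 7320"
    " 6973 2061 2073 6563 7265 7420 6d65 7373 6167 652e 2035 3433 3231 300a"
)
# NFSv2 fattr field order as defined in RFC 1094 (11 uints, then atime/mtime/ctime).
FATTR_FIELDS = ("type", "mode", "nlink", "uid", "gid", "size",
                "blocksize", "rdev", "blocks", "fsid", "fileid")
FTYPE = {0: "NON", 1: "REG", 2: "DIR", 3: "BLK", 4: "CHR", 5: "LNK"}

def decode_fattr(buf, off):
    """Decode the 68-byte fattr at buf[off]; returns (attrs, offset just past it)."""
    vals = struct.unpack_from("!17I", buf, off)
    attr = dict(zip(FATTR_FIELDS, vals[:11]))
    attr["type"] = FTYPE.get(attr["type"], attr["type"])
    attr["mode"] = oct(attr["mode"])                 # 0x81a4 -> '0o100644', as tcpdump shows it
    for i, name in enumerate(("atime", "mtime", "ctime")):
        attr[name] = vals[11 + 2 * i]                # seconds since the epoch; useconds follow
    return attr, off + 68

def decode_read_reply(hexdump):
    pkt = bytes.fromhex(hexdump)
    ihl = (pkt[0] & 0x0F) * 4
    (ulen,) = struct.unpack_from("!H", pkt, ihl + 4)
    rpc = pkt[ihl + 8:ihl + ulen]
    xid, msg_type, reply_stat, verf_flavor, verf_len = struct.unpack_from("!5I", rpc, 0)
    if msg_type != 1 or reply_stat != 0:             # must be a REPLY with MSG_ACCEPTED
        raise ValueError("not an accepted RPC reply")
    off = 20 + verf_len                              # skip the (here empty) AUTH_NULL verifier body
    accept_stat, nfs_status = struct.unpack_from("!2I", rpc, off)
    if accept_stat != 0 or nfs_status != 0:
        raise ValueError(f"call failed: accept_stat={accept_stat} status={nfs_status}")
    attr, off = decode_fattr(rpc, off + 8)           # readres: status, fattr, data<>
    (count,) = struct.unpack_from("!I", rpc, off)
    data = rpc[off + 4:off + 4 + count]
    return {"xid": xid, "attr": attr, "count": count, "data": data}

if __name__ == "__main__":
    reply = decode_read_reply(PACKET6_HEX)
    print(reply["attr"])
    print(reply["data"].decode())
```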