RIP Packet Format
I am trying to investigate a RIP packet. It clearly states that the packet is RIP v1. But its format does not match either RIP v1 or v2. Any ideas what this packet actually is?
routing packet-analysis rip
asked Apr 23 at 18:43
Bat
You should use the verbose output (-vv) to get more information with the full protocol decode.
– Ron Maupin♦
Apr 23 at 18:56
1
I don't have further access to the system. Is it possible to decode via only this packet? @RonMaupin
– Bat
Apr 23 at 18:59
3 Answers
Given how simple RIP v1 is, this is pretty easy to do by eye from Figure 1 in the RFC 1058:
- 5 longs from 45c0 is the IP header
- 4 shorts from 0208 (the italic portion) is the UDP header
- The rest from 0201 (the bold portion) is the RIP body
01:00:00.000000 IP 128.238.62.2.route > 255.255.255.255.route: RIPv1, Response, length: 44
0x0000: 45c0 0048 0000 0000 0211 f8f5 80ee 3e02 E..H..........>.
0x0010: ffff ffff 0208 0208 0034 b9a0 0201 0000 .........4......
0x0020: 0002 0000 80ee 3f00 0000 0000 0000 0000 ......?.........
0x0030: 0000 0001 0002 0000 80ee 4000 0000 0000 ..........@.....
0x0040: 0000 0000 0000 0002 ........
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| command (1)   | version (1)   |      must be zero (2)         |
+---------------+---------------+-------------------------------+
| address family identifier (2) |      must be zero (2)         |
+-------------------------------+-------------------------------+
|                         IP address (4)                        |
+---------------------------------------------------------------+
|                        must be zero (4)                       |
+---------------------------------------------------------------+
|                        must be zero (4)                       |
+---------------------------------------------------------------+
|                          metric (4)                           |
+---------------------------------------------------------------+
The portion of the datagram from address family identifier through
metric may appear up to 25 times.
We have:
command=02 version=01 mbz=0000
family=0002 mbz=0000 addr=80ee3f00 mbz=00000000 mbz=00000000 metric=00000001
family=0002 mbz=0000 addr=80ee4000 mbz=00000000 mbz=00000000 metric=00000002
But if you have more complex packets ...
One way to solve this kind of problem is to make a PCAP file from the data (with a tool or just a programming language such as python), and then use standard tools to examine it.
Your packet analysed with tshark is:
Internet Protocol Version 4, Src: 128.238.62.2, Dst: 255.255.255.255
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
        1100 00.. = Differentiated Services Codepoint: Class Selector 6 (48)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 72
    Identification: 0x0000 (0)
    Flags: 0x0000
        0... .... .... .... = Reserved bit: Not set
        .0.. .... .... .... = Don't fragment: Not set
        ..0. .... .... .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 2
        [Expert Info (Note/Sequence): "Time To Live" only 2]
            ["Time To Live" only 2]
            [Severity level: Note]
            [Group: Sequence]
    Protocol: UDP (17)
    Header checksum: 0xf8f5 [validation disabled]
    [Header checksum status: Unverified]
    Source: 128.238.62.2
    Destination: 255.255.255.255
User Datagram Protocol, Src Port: 520, Dst Port: 520
    Source Port: 520
    Destination Port: 520
    Length: 52
    Checksum: 0xb9a0 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 0]
Routing Information Protocol
    Command: Response (2)
    Version: RIPv1 (1)
    IP Address: 128.238.63.0, Metric: 1
        Address Family: IP (2)
        IP Address: 128.238.63.0
        Metric: 1
    IP Address: 128.238.64.0, Metric: 2
        Address Family: IP (2)
        IP Address: 128.238.64.0
        Metric: 2
edited Apr 24 at 2:10
answered Apr 23 at 22:41
jonathanjo
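The by-eye decode and the PCAP suggestion in the answer above, as an added Python example that is not part of the original answer: it rebuilds the packet bytes from the dump lines in the question, walks the IP, UDP and RIPv1 headers with the RFC 1058 must-be-zero checks, verifies the IP header checksum that tshark left unverified, and wraps the packet in a pcap file. The function names and the rip.pcap output name are illustrative choices.

```python
import ipaddress
import re
import struct

# tcpdump hex lines copied from the question (offset, hex words, ASCII column).
DUMP = """\
0x0000: 45c0 0048 0000 0000 0211 f8f5 80ee 3e02 E..H..........>.
0x0010: ffff ffff 0208 0208 0034 b9a0 0201 0000 .........4......
0x0020: 0002 0000 80ee 3f00 0000 0000 0000 0000 ......?.........
0x0030: 0000 0001 0002 0000 80ee 4000 0000 0000 ..........@.....
0x0040: 0000 0000 0000 0002 ........
"""
RIP_PORT = 520
LINKTYPE_RAW = 101  # pcap link type for "packet starts at the IP header"


def dump_to_bytes(dump: str) -> bytes:
    """Keep the (at most 8) hex groups after each offset; drop the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.partition(":")[2].split()[:8]:
            if not re.fullmatch(r"(?:[0-9a-fA-F]{2}){1,2}", tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def ip_checksum_ok(header: bytes) -> bool:
    """Ones'-complement sum over the whole IPv4 header must fold to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_rip_v1(packet: bytes) -> dict:
    """Walk IPv4 -> UDP -> RIPv1 and enforce the RFC 1058 field rules."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4  # IHL counts 32-bit words ("5 longs" = 20 bytes)
    if ihl < 20 or len(packet) < ihl + 8 or packet[9] != 17:
        raise ValueError("no UDP header after the IP header")
    sport, dport, udp_len, _ = struct.unpack_from("!HHHH", packet, ihl)
    if RIP_PORT not in (sport, dport):
        raise ValueError("not RIP (UDP port 520)")
    rip_offset = ihl + 8
    rip = packet[rip_offset:ihl + udp_len]
    if udp_len < 8 + 4 or len(rip) != udp_len - 8 or (len(rip) - 4) % 20:
        raise ValueError("RIP body is truncated or not header + N*20 bytes")
    command, version, zero = struct.unpack_from("!BBH", rip)
    if version != 1 or zero:
        raise ValueError("not a well-formed RIPv1 header")
    routes = []
    for off in range(4, len(rip), 20):
        family, z1, addr, z2, z3, metric = struct.unpack_from("!HH4sIII", rip, off)
        if z1 or z2 or z3:
            raise ValueError(f"must-be-zero field set in entry at RIP offset {off}")
        if not 1 <= metric <= 16:
            raise ValueError(f"metric {metric} outside 1..16")
        routes.append((family, str(ipaddress.IPv4Address(addr)), metric))
    if len(routes) > 25:
        raise ValueError("more than 25 route entries")
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "ip_checksum_ok": ip_checksum_ok(packet[:ihl]),
        "rip_offset": rip_offset,
        "command": command,
        "version": version,
        "routes": routes,
    }


def to_pcap(packet: bytes) -> bytes:
    """Wrap one raw-IP packet in a classic pcap file (global header + one record)."""
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    record_hdr = struct.pack("<IIII", 0, 0, len(packet), len(packet))
    return global_hdr + record_hdr + packet


if __name__ == "__main__":
    pkt = dump_to_bytes(DUMP)
    print(parse_rip_v1(pkt))
    with open("rip.pcap", "wb") as fh:  # illustrative file name; read it with tshark -V -r
        fh.write(to_pcap(pkt))
```

The parser rejects a message whose must-be-zero fields are set, which is the RFC 1058 rule the question was checking at the wrong offset.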
It's a RIPv1 packet. You're looking at the full IP packet. RIP starts at 0x001c.
edited Apr 23 at 23:35
answered Apr 23 at 18:59
Ron Trunk
The problem is that IP 128.238.62.2 (80ee 3e02) appears at the end of the first line. According to RIP v1, the previous 2 bytes should be zero but they have a value of f8f5.
– Bat
Apr 23 at 19:09
4
That's the source IP in the IP header. Then you have the UDP header, then you have the RIP packet starting at 0x001c.
– Ron Trunk
Apr 23 at 19:12
This is a response header. Response means 'A message containing all or part of the sender's routing table. This message may be sent in response to a request or poll, or it may be an update message generated by the sender.'
In addition to that, you can see the sender's IP address.
If you want to see more details you can use -vv
edited Apr 24 at 11:17
answered Apr 23 at 18:59
serverAdmin123
Edited.........
– serverAdmin123
Apr 24 at 11:24