RIP Packet Format

I am trying to investigate a RIP packet. It clearly states that the packet is RIP v1. But its format does not match either RIP v1 or v2. Any ideas what this packet actually is?

routing packet-analysis rip

asked Apr 23 at 18:43

Bat

  • You should use the verbose output (-vv) to get more information with the full protocol decode.

    – Ron Maupin
    Apr 23 at 18:56

  • I don't have further access to the system. Is it possible to decode via only this packet? @RonMaupin

    – Bat
    Apr 23 at 18:59

3 Answers

Given how simple RIP v1 is, this is pretty easy to do by eye from Figure 1 in RFC 1058:

  • 5 longs from 45c0 is the IP header
  • 4 shorts from 0208 (the italic portion) is the UDP header
  • The rest from 0201 (the bold portion) is the RIP body

    01:00:00.000000 IP 128.238.62.2.route > 255.255.255.255.route: RIPv1, Response, length: 44
    0x0000: 45c0 0048 0000 0000 0211 f8f5 80ee 3e02 E..H..........>.
    0x0010: ffff ffff 0208 0208 0034 b9a0 0201 0000 .........4......
    0x0020: 0002 0000 80ee 3f00 0000 0000 0000 0000 ......?.........
    0x0030: 0000 0001 0002 0000 80ee 4000 0000 0000 ..........@.....
    0x0040: 0000 0000 0000 0002 ........

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | command (1)   | version (1)   |      must be zero (2)         |
    +---------------+---------------+-------------------------------+
    | address family identifier (2) |      must be zero (2)         |
    +-------------------------------+-------------------------------+
    |                         IP address (4)                        |
    +---------------------------------------------------------------+
    |                       must be zero (4)                        |
    +---------------------------------------------------------------+
    |                       must be zero (4)                        |
    +---------------------------------------------------------------+
    |                          metric (4)                           |
    +---------------------------------------------------------------+

    The portion of the datagram from address family identifier through
    metric may appear up to 25 times.

We have:

    command=02 version=01 mbz=0000
    family=0002 mbz=0000 addr=80ee3f00 mbz=00000000 mbz=00000000 metric=00000001
    family=0002 mbz=0000 addr=80ee4000 mbz=00000000 mbz=00000000 metric=00000002

But if you have more complex packets ...

One way to solve this kind of problem is to make a PCAP file from the data (with a tool or just a programming language such as Python), and then use standard tools to examine it.

Your packet analysed with tshark is:

    Internet Protocol Version 4, Src: 128.238.62.2, Dst: 255.255.255.255
        0100 .... = Version: 4
        .... 0101 = Header Length: 20 bytes (5)
        Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
            1100 00.. = Differentiated Services Codepoint: Class Selector 6 (48)
            .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
        Total Length: 72
        Identification: 0x0000 (0)
        Flags: 0x0000
            0... .... .... .... = Reserved bit: Not set
            .0.. .... .... .... = Don't fragment: Not set
            ..0. .... .... .... = More fragments: Not set
            ...0 0000 0000 0000 = Fragment offset: 0
        Time to live: 2
            [Expert Info (Note/Sequence): "Time To Live" only 2]
                ["Time To Live" only 2]
                [Severity level: Note]
                [Group: Sequence]
        Protocol: UDP (17)
        Header checksum: 0xf8f5 [validation disabled]
            [Header checksum status: Unverified]
        Source: 128.238.62.2
        Destination: 255.255.255.255
    User Datagram Protocol, Src Port: 520, Dst Port: 520
        Source Port: 520
        Destination Port: 520
        Length: 52
        Checksum: 0xb9a0 [unverified]
            [Checksum Status: Unverified]
        [Stream index: 0]
    Routing Information Protocol
        Command: Response (2)
        Version: RIPv1 (1)
        IP Address: 128.238.63.0, Metric: 1
            Address Family: IP (2)
            IP Address: 128.238.63.0
            Metric: 1
        IP Address: 128.238.64.0, Metric: 2
            Address Family: IP (2)
            IP Address: 128.238.64.0
            Metric: 2

edited Apr 24 at 2:10
answered Apr 23 at 22:41
jonathanjo
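The by-eye decode in this answer, carried out in Python as an added example (not jonathanjo's code, nor any RIP implementation): it turns the quoted tcpdump hex lines back into bytes, verifies the IP and UDP checksums (the 0xf8f5 word that looks out of place is the IP header checksum), walks IP, UDP and the RIP v1 entries including their must-be-zero fields, and builds a PCAP that tshark can open. It assumes the dump starts at the IP header with no link-layer bytes, which is why the PCAP uses LINKTYPE_RAW.

```python
"""Hand-decode the RIPv1 datagram quoted above and wrap it in a PCAP file.
Added example, not code from the answer or from any RIP implementation."""
import ipaddress
import re
import struct

# tcpdump -x lines from the answer; assumed to start at the IP header (no link layer).
HEXDUMP = """\
0x0000: 45c0 0048 0000 0000 0211 f8f5 80ee 3e02 E..H..........>.
0x0010: ffff ffff 0208 0208 0034 b9a0 0201 0000 .........4......
0x0020: 0002 0000 80ee 3f00 0000 0000 0000 0000 ......?.........
0x0030: 0000 0001 0002 0000 80ee 4000 0000 0000 ..........@.....
0x0040: 0000 0000 0000 0002 ........
"""

HEX_WORD = re.compile(r"^[0-9a-fA-F]{4}$")
RIP_ENTRY = struct.Struct("!HH4sIII")  # afi, mbz, address, mbz, mbz, metric

def parse_hexdump(text):
    """tcpdump -x lines back to bytes; only the first eight 4-digit groups after
    the offset are taken, so the ASCII column is never mistaken for data."""
    out = bytearray()
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("0x"):
            out += bytes.fromhex("".join(f for f in fields[1:9] if HEX_WORD.match(f)))
    return bytes(out)

def internet_checksum(data):
    """RFC 1071 one's-complement sum; yields 0 when run over a correct header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt):
    """Fixed IPv4 fields; the 0xf8f5 word is the header checksum, verified here."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt):
        raise ValueError("not a sane IPv4 header")
    return {"ihl": ihl, "ttl": ttl, "proto": proto, "checksum": csum,
            "checksum_ok": internet_checksum(pkt[:ihl]) == 0,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "payload": pkt[ihl:total_len]}

def parse_udp(ip):
    """UDP header; its checksum also covers the IPv4 pseudo-header."""
    seg = ip["payload"]
    sport, dport, length, csum = struct.unpack("!HHHH", seg[:8])
    pseudo = (ipaddress.IPv4Address(ip["src"]).packed
              + ipaddress.IPv4Address(ip["dst"]).packed
              + struct.pack("!BBH", 0, ip["proto"], length))
    return {"sport": sport, "dport": dport, "length": length, "checksum": csum,
            "checksum_ok": csum == 0 or internet_checksum(pseudo + seg[:length]) == 0,
            "payload": seg[8:length]}

def parse_rip(payload):
    """RFC 1058 Figure 1: 4-byte header, then up to 25 entries of 20 bytes.
    Every must-be-zero field is checked, as is the 1..16 metric range."""
    command, version, mbz = struct.unpack("!BBH", payload[:4])
    if version != 1 or mbz != 0:
        raise ValueError("not a RIPv1 header")
    body = payload[4:]
    if len(body) % RIP_ENTRY.size or len(body) // RIP_ENTRY.size > 25:
        raise ValueError("bad RIP entry count")
    entries = []
    for off in range(0, len(body), RIP_ENTRY.size):
        afi, z1, addr, z2, z3, metric = RIP_ENTRY.unpack_from(body, off)
        if z1 or z2 or z3 or not 1 <= metric <= 16:
            raise ValueError("malformed entry at RIP offset %d" % (off + 4))
        entries.append((afi, str(ipaddress.IPv4Address(addr)), metric))
    return {"command": {1: "Request", 2: "Response"}.get(command, command),
            "version": version, "entries": entries}

def decode(text=HEXDUMP):
    """IP -> UDP -> RIP walk; rip_offset is where the RIP body starts (0x1c here)."""
    ip = parse_ipv4(parse_hexdump(text))
    udp = parse_udp(ip)
    return {"ip": ip, "udp": udp, "rip": parse_rip(udp["payload"]),
            "rip_offset": ip["ihl"] + 8}

def build_pcap(pkt, linktype=101):
    """Minimal libpcap file with one packet; 101 is LINKTYPE_RAW (frame begins at IP)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    record = struct.pack("<IIII", 0, 0, len(pkt), len(pkt))
    return header + record + pkt

if __name__ == "__main__":
    d = decode()
    print("RIP body at offset 0x%x:" % d["rip_offset"], d["rip"])
    with open("rip.pcap", "wb") as f:  # then: tshark -r rip.pcap -V
        f.write(build_pcap(parse_hexdump(HEXDUMP)))
```

A non-zero must-be-zero field or a metric outside 1..16 raises rather than decoding silently, which is the behaviour a parser fed updates from an untrusted segment should have.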

It's a RIPv1 packet. You're looking at the full IP packet. RIP starts at 0x001c.

edited Apr 23 at 23:35
answered Apr 23 at 18:59
Ron Trunk

  • The problem is that IP 128.238.62.2 (80ee 3e02) appears at the end of the first line. According to RIP v1, the previous 2 bytes should be zero but they have a value of f8f5.

    – Bat
    Apr 23 at 19:09

  • That's the source IP in the IP header. Then you have the UDP header, then you have the RIP packet starting at 0x001c.

    – Ron Trunk
    Apr 23 at 19:12

            This is a response header. Response means ' A message containing all or part of the sender's routing table. This message may be sent in response to a request or poll, or it may be an update message generated by the sender.'



            In addition to that you can see sender ip address.



            If you want to see more details you can use -vv






            share|improve this answer
edited Apr 24 at 11:17
answered Apr 23 at 18:59
serverAdmin123












            • Edited.........

              – serverAdmin123
              Apr 24 at 11:24
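Added worked example (not code from the question or from either answer): the script below builds a constructed IPv4/UDP/RIP packet using the source address quoted in the comments, prints it in the tcpdump -x layout so the source address lands at the end of the first 16-byte line, and then walks the IP header, the UDP header and the RIP message that starts at offset 0x1c, checking the IP header checksum, the RIP command (2 = response), the must-be-zero fields and each route entry the way a receiver should before trusting an update. The route prefixes, the RIPv2 password and the malformed variant are made up for the example; only the address 128.238.62.2 and the 0x1c offset come from the thread.

```python
"""Walk IPv4 -> UDP -> RIP as the thread describes: tcpdump -x omits the
link-layer header, so the IP source address is bytes 12-15 (the end of the
first 16-byte line) and the RIP message starts at 0x1c. Added example, not
code from the question or either answer; all packet bytes are constructed."""
import ipaddress
import struct

RIP_PORT = 520
RIP_COMMANDS = {1: "request", 2: "response"}
MAX_ENTRIES = 25        # RFC 2453: at most 25 route entries per message
RIP_INFINITY = 16       # metric 16 means unreachable
AFI_INET, AFI_AUTH = 2, 0xFFFF
ZERO4 = b"\x00" * 4


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum over the IPv4 header; returns 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, routes, version=2, command=2, password=None) -> bytes:
    """Constructed IPv4/UDP/RIP bytes. routes: (IPv4Network, next-hop IPv4Address,
    metric). password adds the RIPv2 simple-password entry, which travels in clear."""
    body = struct.pack("!BBH", command, version, 0)            # command, version, must-be-zero
    if password is not None:
        body += struct.pack("!HH16s", AFI_AUTH, 2, password.encode())
    for net, next_hop, metric in routes:                       # RIPv1 carries no mask or next hop
        mask = net.netmask.packed if version == 2 else ZERO4
        nh = next_hop.packed if version == 2 else ZERO4
        body += struct.pack("!HH4s4s4sI", AFI_INET, 0, net.network_address.packed, mask, nh, metric)
    udp = struct.pack("!HHHH", RIP_PORT, RIP_PORT, 8 + len(body), 0)   # UDP checksum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(body), 0, 0, 1, 17, 0, src.packed, dst.packed)
    return ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:] + udp + body


def hexdump(pkt: bytes) -> str:
    """tcpdump -x layout: offset, then eight 16-bit words per line."""
    return "\n".join("0x%04x:  %s" % (o, " ".join(pkt[i:i + 2].hex() for i in range(o, min(o + 16, len(pkt)), 2)))
                     for o in range(0, len(pkt), 16))


def parse_packet(pkt: bytes) -> dict:
    """Decode the three layers, recording each offset and applying the checks a
    RIP listener should make before believing an update."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 8 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header length or checksum")
    _, dport, udp_len, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if dport != RIP_PORT or udp_len < 12 or len(pkt) < ihl + udp_len:
        raise ValueError("not a complete RIP datagram")
    rip = pkt[ihl + 8:ihl + udp_len]                           # RIP begins right after the 8-byte UDP header
    command, version, mbz = struct.unpack("!BBH", rip[:4])
    if (len(rip) - 4) % 20 or command not in RIP_COMMANDS or version not in (1, 2):
        raise ValueError("malformed RIP header")
    if version == 1 and mbz:
        raise ValueError("RIPv1 must-be-zero field set")
    if (len(rip) - 4) // 20 > MAX_ENTRIES:
        raise ValueError("too many route entries")
    entries = []
    for i, off in enumerate(range(4, len(rip), 20)):
        rte = rip[off:off + 20]
        if rte[:2] == b"\xff\xff":                             # authentication entry
            if version != 2 or i != 0:
                raise ValueError("auth entry only valid as first RIPv2 entry")
            _, auth_type, data = struct.unpack("!HH16s", rte)
            entries.append({"kind": "auth", "auth_type": auth_type,
                            "password": data.rstrip(b"\x00").decode("ascii", "replace")
                            if auth_type == 2 else data.hex()})
            continue
        afi, tag, addr, mask, nh, metric = struct.unpack("!HH4s4s4sI", rte)
        if afi != AFI_INET or not 1 <= metric <= RIP_INFINITY:
            raise ValueError("bad AFI or metric in entry %d" % i)
        if version == 1 and (tag or mask != ZERO4 or nh != ZERO4):
            raise ValueError("RIPv1 entry has non-zero reserved fields")
        a, m = str(ipaddress.IPv4Address(addr)), str(ipaddress.IPv4Address(mask))
        prefix = str(ipaddress.IPv4Network((a, m), strict=False)) if mask != ZERO4 else a
        entries.append({"kind": "route", "prefix": prefix, "tag": tag,
                        "next_hop": str(ipaddress.IPv4Address(nh)), "metric": metric})
    return {"ip_src": str(ipaddress.IPv4Address(pkt[12:16])), "ip_dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "ip_checksum": pkt[10:12].hex(), "udp_offset": ihl, "rip_offset": ihl + 8,
            "command": RIP_COMMANDS[command], "version": version, "entries": entries}


def rejects(pkt: bytes) -> bool:
    """True when parse_packet refuses the bytes (shows the checks firing)."""
    try:
        parse_packet(pkt)
    except ValueError:
        return True
    return False


# Constructed sample (assumed prefixes and password); only the source address is from the thread.
SRC, DST = ipaddress.IPv4Address("128.238.62.2"), ipaddress.IPv4Address("224.0.0.9")
ROUTES = [(ipaddress.IPv4Network("10.1.0.0/16"), ipaddress.IPv4Address("0.0.0.0"), 1),
          (ipaddress.IPv4Network("192.0.2.0/24"), ipaddress.IPv4Address("0.0.0.0"), RIP_INFINITY)]
SAMPLE = build_packet(SRC, DST, ROUTES, password="secret")
BAD_METRIC = SAMPLE[:-4] + struct.pack("!I", 0)              # last route's metric forced to 0: must be dropped

if __name__ == "__main__":
    print(hexdump(SAMPLE))
    for key, value in parse_packet(SAMPLE).items():
        print("%-12s %s" % (key, value))
    print("rejects BAD_METRIC:", rejects(BAD_METRIC))
```

Running it prints the dump with 80ee 3e02 as the last two words of the 0x0000 line and the two bytes before it as the IP header checksum, then the decoded layers with rip_offset 28 (0x1c). The parser also shows why the bytes in a dump deserve scepticism: a RIPv2 simple-password entry (authentication type 2) is recoverable verbatim from the capture, so anyone who can sniff the segment can also inject updates; keyed-MD5 authentication (RFC 2082) avoids putting the secret on the wire.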