tcpdump mailing list archives
Re: tcpdump display/decode bug?
From: Guy Harris <guy () alum mit edu>
Date: Wed, 30 Jul 2008 20:07:02 -0700
On Jul 30, 2008, at 2:12 PM, Stephen Donnelly wrote:
> I recently came across some packets which tcpdump appears to display incorrectly. Is tcpdump incorrectly invoking some heuristic dissector, or is there another reason?
I guess that's what I'd call it.

tcpdump assumes that packets to or from certain ports might be KIP-encapsulated AppleTalk packets (KIP = "Kinetics IP"); see the tcpdump man page (look for "KIP AppleTalk (DDP in UDP)"), or RFC 1243:

    4.7. The Kinetics Internet Protocol Group

    The Kinetics Internet Protocol (KIP) is a protocol for encapsulating and routing AppleTalk datagrams over an IP internet. This name is historical. The KIP group manages the KIP routing protocol as well as the routing tables generated by this protocol.

It uses a heuristic to check, but the heuristic is really weak (it checks whether, if the payload were an AppleTalk LLAP packet, the type would be DDP, so it checks one, count 'em, one byte in the entire payload).
- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
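The following is an added illustration of the one-byte check described in the message above, next to a stricter variant; it is not tcpdump's code and not part of the original post. The LLAP/DDP header layout and type values are assumed from the AppleTalk specification, the stricter check is hypothetical, and both sample payloads are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout assumed from the AppleTalk specification, not from tcpdump's source:
 * LLAP header = dst node, src node, type; type 1 = short DDP, 2 = long DDP. */
enum { LLAP_HDR = 3, LLAP_SHORT_DDP = 1, LLAP_LONG_DDP = 2 };
enum { SHORT_DDP_HDR = 5, LONG_DDP_HDR = 13 };

/* Constructed sample: LLAP + short DDP (length field 9) + 4 data bytes. */
static const uint8_t sample_ddp[] = {
    0x10, 0x20, 0x01, 0x00, 0x09, 0x04, 0x80, 0x04, 'p', 'i', 'n', 'g' };
/* Constructed sample: unrelated UDP payload whose third byte happens to be 2. */
static const uint8_t sample_other[] = {
    0xde, 0xad, 0x02, 0x00, 0x00, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x03, 'w', 'w', 'w' };

/* The weak heuristic described in the message: one byte decides. */
int weak_looks_like_kip(const uint8_t *p, size_t len)
{
    return len >= LLAP_HDR &&
           (p[2] == LLAP_SHORT_DDP || p[2] == LLAP_LONG_DDP);
}

/* Hypothetical stricter check: the 10-bit DDP length field must also equal
 * the number of bytes that follow the LLAP header. */
int strict_looks_like_kip(const uint8_t *p, size_t len)
{
    size_t hdr, ddp_len;

    if (!weak_looks_like_kip(p, len))
        return 0;
    hdr = (p[2] == LLAP_SHORT_DDP) ? SHORT_DDP_HDR : LONG_DDP_HDR;
    if (len < LLAP_HDR + hdr)
        return 0;
    ddp_len = ((size_t)(p[3] & 0x03) << 8) | p[4];
    return ddp_len == len - LLAP_HDR;
}

int main(void)
{
    printf("DDP sample:   weak=%d strict=%d\n",
           weak_looks_like_kip(sample_ddp, sizeof sample_ddp),
           strict_looks_like_kip(sample_ddp, sizeof sample_ddp));
    printf("other sample: weak=%d strict=%d\n",
           weak_looks_like_kip(sample_other, sizeof sample_other),
           strict_looks_like_kip(sample_other, sizeof sample_other));
    return 0;
}
```

The unrelated payload passes the one-byte check only because its third byte is 2, and fails once the length field is compared with the actual payload size.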