tcpdump mailing list archives

Re: tcpdump display/decode bug?


From: Guy Harris <guy () alum mit edu>
Date: Wed, 30 Jul 2008 20:07:02 -0700


On Jul 30, 2008, at 2:12 PM, Stephen Donnelly wrote:

> I recently came across some packets which tcpdump appears to display
> incorrectly.
>
> Is tcpdump incorrectly invoking some heuristic dissector, or is there
> another reason?

I guess that's what I'd call it.

tcpdump assumes that packets to or from certain ports might be KIP-encapsulated AppleTalk packets (KIP = "Kinetics IP"); see the tcpdump man page (look for "KIP AppleTalk (DDP in UDP)"), or RFC 1243:

        4.7.  The Kinetics Internet Protocol Group

           The Kinetics Internet Protocol (KIP) is a protocol for encapsulating
           and routing AppleTalk datagrams over an IP internet.  This name is
           historical.  The KIP group manages the KIP routing protocol as well
           as the routing tables generated by this protocol.

It uses a heuristic to check, but the heuristic is really weak (it checks whether, if the payload were an AppleTalk LLAP packet, the type would be DDP, so it checks one, count 'em, one byte in the entire payload).
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
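The following is an added illustration, not tcpdump's own code and not part of the thread above. It models the one-byte check the reply describes (UDP port looks like AppleTalk, and the byte where an LLAP type field would sit equals the DDP type value) next to a stricter check that also cross-checks the DDP header against the payload, and shows how a constructed non-AppleTalk datagram slips past the one-byte test. The LLAP/DDP layout and constants (3-byte LLAP header, LLAP type 2 = long DDP, 13-byte long DDP header, 599-byte maximum datagram) are taken from the AppleTalk specifications; the port range and all sample payloads are assumptions constructed for the example.

```python
# Added example: a one-byte "is this KIP?" heuristic versus a header cross-check.
# Not tcpdump's code; constants below are assumptions from the AppleTalk specs.
import struct

LLAP_HDR_LEN = 3          # dst node, src node, LLAP type
LLAP_TYPE_DDP = 2         # LLAP type value for long (extended) DDP
DDP_LONG_HDR_LEN = 13     # hop/length word, checksum, nets, nodes, sockets, type
DDP_MAX_LEN = 599         # 586 data bytes + 13-byte header
ASSUMED_KIP_PORTS = range(200, 210)   # assumed "AppleTalk" UDP ports for the demo


def weak_kip_heuristic(sport, dport, payload):
    """The one-byte check described in the reply: an AppleTalk-looking port
    plus payload[2] (the would-be LLAP type byte) equal to the DDP type."""
    if sport not in ASSUMED_KIP_PORTS and dport not in ASSUMED_KIP_PORTS:
        return False
    return len(payload) > 2 and payload[2] == LLAP_TYPE_DDP


def strict_kip_heuristic(sport, dport, payload):
    """Same port/type test, then verify the long DDP header is self-consistent:
    reserved bits clear and the 10-bit datagram length fits the payload."""
    if not weak_kip_heuristic(sport, dport, payload):
        return False
    if len(payload) < LLAP_HDR_LEN + DDP_LONG_HDR_LEN:
        return False
    ddp = payload[LLAP_HDR_LEN:]
    first_word = struct.unpack("!H", ddp[:2])[0]
    reserved = first_word >> 14          # top 2 bits must be zero
    length = first_word & 0x03FF         # datagram length including header
    if reserved != 0:
        return False
    if length < DDP_LONG_HDR_LEN or length > DDP_MAX_LEN or length > len(ddp):
        return False
    return True


def build_kip_sample(data=b"\x01ping"):
    """Construct a well-formed LLAP + long DDP datagram (AEP echo request)."""
    length = DDP_LONG_HDR_LEN + len(data)
    llap = bytes([0x05, 0x07, LLAP_TYPE_DDP])
    ddp_hdr = struct.pack("!HHHHBBBBB",
                          length,   # hop count 0, 10-bit length
                          0,        # checksum 0 = not computed
                          1, 1,     # destination net, source net
                          5, 7,     # destination node, source node
                          4, 128,   # destination socket (echo), source socket
                          4)        # DDP type 4 = AEP
    return llap + ddp_hdr + data


# Constructed: some unrelated protocol whose third byte happens to be 0x02.
SAMPLE_NON_ATALK = bytes([0x10, 0x00, 0x02]) + b"\xff\xff" + b"constructed non-AppleTalk payload"
SAMPLE_KIP = build_kip_sample()


def weak_match_fraction():
    """Fraction of 256 possible third-byte values the weak check accepts."""
    hits = sum(weak_kip_heuristic(40000, 204, bytes([0, 0, b]) + b"\x00" * 16)
               for b in range(256))
    return hits / 256


def strict_match_fraction():
    """Same sweep against the stricter check (zero-filled header fails it)."""
    hits = sum(strict_kip_heuristic(40000, 204, bytes([0, 0, b]) + b"\x00" * 16)
               for b in range(256))
    return hits / 256


if __name__ == "__main__":
    for name, pkt in (("non-AppleTalk", SAMPLE_NON_ATALK), ("real KIP", SAMPLE_KIP)):
        print(f"{name:14s} weak={weak_kip_heuristic(40000, 204, pkt)} "
              f"strict={strict_kip_heuristic(40000, 204, pkt)}")
    print(f"weak accepts {weak_match_fraction():.4f} of random type bytes, "
          f"strict accepts {strict_match_fraction():.4f}")
```

The weak check accepts roughly one in 256 arbitrary payloads sent to a matching port, which is why unrelated traffic on those ports can be printed as AppleTalk; checking that the DDP length field agrees with the bytes actually present removes most of those false positives without rejecting a genuine KIP datagram.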
