3560_CDP.cap (1.2 KB)
|Packets: 3||Duration: 120s||Downloads: 3652|
Cisco Discovery Protocol (CDP) advertisements from a Catalyst 3560. Note how much information is offered to a potential attacker.
3725_CDP.cap (390 bytes)
|Packets: 1||Duration: n/a||Downloads: 3236|
Cisco Discovery Protocol (CDP) from FastEthernet0/0 of a Cisco 3725 router.
4-byte_AS_numbers_Full_Support.cap (1.2 KB)
|Packets: 9||Duration: 56s||Downloads: 5015|
Router at 172.16.1.2 (hostname "D", AS 40.1 / 2621441) clears a previously established peering with 172.16.1.1 (hostname "A", AS 10.1 / 655361). Both support 32-bit ASNs.
While opening the new session, they negotiate the "Four-octet AS Number Capability" (pkts n. 2 and 3).
Then, both "A" and "D" send some UPDATEs containing 4-octet encoded AS_PATH attributes (pkts n. 6 and 9). Please note: Wireshark may show wrong paths unless you force 4-byte encoding in the Preferences / Protocols / BGP options.
4-byte_AS_numbers_Mixed_Scenario.cap (414 bytes)
|Packets: 4||Duration: 60s||Downloads: 5413|
Router "B" (AS 2) at 172.16.3.2 does not support 4-byte AS numbers, while router "A" (AS 10.1 / 655361) at 172.16.3.1 does.
Router "A" receives an UPDATE for the 220.127.116.11/8 subnet from an external router ("D") in AS 40.1 / 2621441 (not shown) and forwards it to "B" (pkt n. 2): AS_PATH contains "23456 23456" (the first stands for AS 10.1, the second for the originating AS 40.1), but NEW_AS_PATH contains the real 4-byte AS numbers.
At pkt n. 3 "B" receives the same subnet directly from "D" and sends it to "A", including the original NEW_AS_PATH attribute previously appended by "D".
802.1D_spanning_tree.cap (1.1 KB)
|Packets: 14||Duration: 26s||Downloads: 5849|
IEEE 802.1D Spanning Tree Protocol (STP) advertisements sent every two seconds.
802.1Q_tunneling.cap (5.0 KB)
|Packets: 26||Duration: 35s||Downloads: 10852|
802.1w_rapid_STP.cap (2.3 KB)
|Packets: 30||Duration: 56s||Downloads: 4977|
Rapid Spanning Tree Protocol BPDUs are received from a Catalyst switch after connecting to a port not configured for PortFast. The port transitions through the blocking and learning states before issuing a topology change notification (packet #30) and transitioning to the forwarding state.
802.1X.cap (498 bytes)
|Packets: 7||Duration: 19s||Downloads: 5045|
A wired client authenticates to its switch using 802.1X/EAP and MD5 challenge authentication.
Auto-RP.cap (726 bytes)
|Packets: 9||Duration: 239s||Downloads: 3246|
Routers 2 and 3 have been configured as candidate RPs, and multicast RP announcements to 18.104.22.168. Router 1 is the RP. R1 sees the candidate RP announcements from R2 and R3, and designates R3 the RP because it has a higher IP address (22.214.171.124). R1 multicasts the RP mapping to 126.96.36.199. The capture is from the R1-R2 link.
BGP_AS_set.cap (1.6 KB)
|Packets: 18||Duration: 1s||Downloads: 3632|
Packet #15 includes a BGP update containing both an AS sequence and an AS set in its AS path attribute.
BGP_hard_reset.cap (3.2 KB)
|Packets: 32||Duration: 208s||Downloads: 3127|
A hard reset (clear ip bgp) is performed on R1 for its adjacency with R2. Packet #7 shows R1 sending a packet with the TCP FIN flag set, indicating the connection is to be torn down. The TCP connection is then reestablished and UPDATEs are retransmitted.
BGP_MD5.cap (1.7 KB)
|Packets: 16||Duration: 61s||Downloads: 6083|
An EBGP session with TCP MD5 authentication enabled.
BGP_MP_NLRI.cap (2.9 KB)
|Packets: 24||Duration: 60s||Downloads: 8878|
IPv6 routes are carried as a separate address family inside MP_REACH_NLRI attributes.
BGP_notification.cap (764 bytes)
|Packets: 9||Duration: n/a||Downloads: 3189|
R1 has been misconfigured to expect R2 to reside in AS 65100. R2 attempts to peer with R1 advertising itself correctly in AS 65200. R1 issues a NOTIFICATION in packet #5 citing a "bad peer AS" error and terminates the TCP connection.
BGP_redist.cap (378 bytes)
|Packets: 2||Duration: n/a||Downloads: 5932|
The OSPF metric is preserved and propagated within the MPLS cloud by the MP-BGP MED attribute.
BGP_soft_reset.cap (2.0 KB)
|Packets: 17||Duration: 180s||Downloads: 3276|
R1 performs a soft bidirectional reset (clear ip bgp soft) on its adjacency with R2. The ROUTE-REFRESH message is visible in packet #7. Note that the TCP connection remains uninterrupted, and neither router views the reset as disruptive.
cm4116_telnet.cap (9.4 KB)
|Packets: 113||Duration: 14s||Downloads: 6520|
Short Telnet session with an Opengear CM4116, used to demonstrate the urgent flag and pointer.
connection termination.cap (316 bytes)
|Packets: 4||Duration: n/a||Downloads: 3832|
A connection termination in which both the server and the client send FIN and ACK to each other.
For details of how the connection is torn down by both client and server, see the link below.
DECnet_Phone.pcap.cap (7.5 KB)
|Packets: 139||Duration: 100s||Downloads: 4443|
A DECnet Phone session, using the Linux DECnet stack and a clone/port of the eponymous OpenVMS tool.
DHCP.cap (5.8 KB)
|Packets: 12||Duration: 153s||Downloads: 6770|
R0 is the client and R1 is the DHCP server. Lease time is 1 minute.
DHCP_Inter_VLAN.cap (2.0 KB)
|Packets: 4||Duration: n/a||Downloads: 5438|
R1 is a router-on-a-stick. It receives a DHCP Discover on the trunk interface, sets the "Relay agent IP address" to the IP address of the sub-interface on which it received the packet, and finally forwards it to the DHCP server. Capture perspective is the R1-DHCP server link.
DHCP_MessageType 10,11,12 and 13.cap (1.9 KB)
|Packets: 6||Duration: 13s||Downloads: 6832|
An access concentrator/router queries the lease for particular IP addresses using the message type "DHCP LEASE QUERY" and gets the responses DHCP LEASE ACTIVE, LEASE UNASSIGNED and LEASE UNKNOWN.
Access Concentrator/Router IP=10.10.39.14
DHCP server IP=10.10.35.33
dtls_null.cap (2.2 KB)
|Packets: 7||Duration: 7s||Downloads: 2229|
DTLS handshake with one application data packet.
Authentication with server certificate only.
NULL encryption is used to demonstrate the transmission of "TESTING".
DTP.cap (934 bytes)
|Packets: 10||Duration: 120s||Downloads: 3895|
Dynamic Trunking Protocol (DTP) emanated from a Catalyst 3560 every 60 seconds, both with and without ISL encapsulation.
EBGP_adjacency.cap (2.7 KB)
|Packets: 24||Duration: 182s||Downloads: 3514|
The external BGP adjacency between routers 1 and 2 is brought online and routes are exchanged. Keepalives are then exchanged every 60 seconds. Note that the IP TTL (normally 1) has been increased to 2 with ebgp-multihop to facilitate communication between the routers' loopback interfaces.
EIGRPv2_adjacency.cap (4.1 KB)
|Packets: 31||Duration: 52s||Downloads: 3197|
Routers 1 and 2 form an EIGRPv2 adjacency and exchange IPv6 routes.
EIGRPv2_subnet_transition.cap (5.3 KB)
|Packets: 49||Duration: 65s||Downloads: 3044|
R4's 2001:db8:0:400::/64 subnet goes down, then comes back up roughly thirty seconds later. Capture perspective from R1's 2001:db8:0:12::1 interface.
EIGRP_adjacency.cap (5.1 KB)
|Packets: 53||Duration: 104s||Downloads: 4220|
Formation of an EIGRP adjacency between routers R1 and R2. Capture point is R1's 10.0.0.1 interface.
EIGRP_goodbye.cap (1.3 KB)
|Packets: 15||Duration: 43s||Downloads: 3442|
R2 designates its interface facing R1 as passive. The final hello message from R2 (packet #9) has all its K values set to 255, designating the message as a "goodbye." Capture perspective is from R1's 10.0.0.1 interface.
EIGRP_subnet_down.cap (1.8 KB)
|Packets: 21||Duration: 23s||Downloads: 2991|
R4's interface to 192.168.4.0/24 goes down and the route is advertised as unreachable. Queries are issued by all routers to find a new path to the subnet but none exists, and the route is removed from the topology. Capture perspective is from R1's 10.0.0.1 interface.