Packet Captures
3560_CDP.cap (1.2 KB)
| Packets: 3 | Duration: 120s | Downloads: 3652 |
Cisco Discovery Protocol (CDP) advertisements from a Catalyst 3560. Note how much information is offered to a potential attacker.
- Categories: Cisco-proprietary
- Protocols: CDP, Ethernet, LLC
3725_CDP.cap (390 bytes)
| Packets: 1 | Duration: n/a | Downloads: 3236 |
Cisco Discovery Protocol (CDP) from FastEthernet0/0 of a Cisco 3725 router.
- Categories: Cisco-proprietary
- Protocols: CDP, Ethernet, LLC
4-byte_AS_numbers_Full_Support.cap (1.2 KB)
| Packets: 9 | Duration: 56s | Downloads: 5015 |
Router at 172.16.1.2 (hostname "D", AS 40.1 / 2621441) clears a previously established peering with 172.16.1.1 (hostname "A", AS 10.1 / 655361); they both support 32-bit ASNs.
While opening the new session, they negotiate the "Four-octet AS Number Capability" (packets 2 and 3).
Then, both "A" and "D" send some UPDATEs containing 4-octet encoded AS_PATH attributes (packets 6 and 9). Please note: Wireshark may show wrong paths unless you force 4-byte encoding in the Preferences / Protocols / BGP options.
- Categories: Routing Protocols
- Protocols: BGP, HDLC, IP, TCP
4-byte_AS_numbers_Mixed_Scenario.cap (414 bytes)
| Packets: 4 | Duration: 60s | Downloads: 5413 |
Router "B" (AS 2) at 172.16.3.2 does not support 4-byte AS numbers, while router "A" (AS 10.1 / 655361) at 172.16.3.1 does.
Router "A" receives an UPDATE for the 40.0.0.0/8 subnet from an external router ("D") in AS 40.1 / 2621441 (not shown), and forwards it to "B" (packet 2): AS_PATH contains "23456 23456" (the first stands for AS 10.1, the second for the originating AS 40.1), but NEW_AS_PATH contains the real 4-byte AS numbers.
In packet 3, "B" receives the same subnet directly from "D" and sends it to "A", including the original NEW_AS_PATH attribute previously appended by "D".
- Categories: Routing Protocols
- Protocols: BGP, HDLC, IP, TCP
802.1D_spanning_tree.cap (1.1 KB)
| Packets: 14 | Duration: 26s | Downloads: 5849 |
IEEE 802.1D Spanning Tree Protocol (STP) advertisements sent every two seconds.
802.1Q_tunneling.cap (5.0 KB)
| Packets: 26 | Duration: 35s | Downloads: 10852 |
802.1w_rapid_STP.cap (2.3 KB)
| Packets: 30 | Duration: 56s | Downloads: 4977 |
Rapid Spanning Tree Protocol BPDUs are received from a Catalyst switch after connecting to a port not configured for PortFast. The port transitions through the blocking and learning states before issuing a topology change notification (packet #30) and transitioning to the forwarding state.
802.1X.cap (498 bytes)
| Packets: 7 | Duration: 19s | Downloads: 5045 |
A wired client authenticates to its switch using 802.1X/EAP and MD5 challenge authentication.
- Categories: Authentication
- Protocols: EAPoL, Ethernet
Auto-RP.cap (726 bytes)
| Packets: 9 | Duration: 239s | Downloads: 3246 |
Routers 2 and 3 have been configured as candidate RPs, and multicast RP announcements to 239.0.1.39. Router 1 is the RP. R1 sees the candidate RP announcements from R2 and R3, and designates R3 the RP because it has a higher IP address (3.3.3.3). R1 multicasts the RP mapping to 224.0.1.40. The capture is from the R1-R2 link.
BGP_AS_set.cap (1.6 KB)
| Packets: 18 | Duration: 1s | Downloads: 3632 |
Packet #15 includes a BGP update containing both an AS sequence and an AS set in its AS path attribute.
- Categories: Routing Protocols
- Protocols: BGP, Ethernet, IP, TCP
BGP_hard_reset.cap (3.2 KB)
| Packets: 32 | Duration: 208s | Downloads: 3127 |
A hard reset (clear ip bgp) is performed on R1 for its adjacency with R2. Packet #7 shows R1 sending a packet with the TCP FIN flag set, indicating the connection is to be torn down. The TCP connection is then reestablished and UPDATEs are retransmitted.
- Categories: Routing Protocols
- Protocols: BGP, Ethernet, IP, TCP
BGP_MD5.cap (1.7 KB)
| Packets: 16 | Duration: 61s | Downloads: 6083 |
An EBGP session with TCP MD5 authentication enabled.
- Categories: Authentication, Routing Protocols
- Protocols: BGP, Ethernet, IP, TCP
BGP_MP_NLRI.cap (2.9 KB)
| Packets: 24 | Duration: 60s | Downloads: 8878 |
IPv6 routes are carried as a separate address family inside MP_REACH_NLRI attributes.
BGP_notification.cap (764 bytes)
| Packets: 9 | Duration: n/a | Downloads: 3189 |
R1 has been misconfigured to expect R2 to reside in AS 65100. R2 attempts to peer with R1 advertising itself correctly in AS 65200. R1 issues a NOTIFICATION in packet #5 citing a "bad peer AS" error and terminates the TCP connection.
- Categories: Routing Protocols
- Protocols: BGP, Ethernet, IP, TCP
BGP_redist.cap (378 bytes)
| Packets: 2 | Duration: n/a | Downloads: 5932 |
The OSPF metric is preserved and propagated within the MPLS cloud by the MP-BGP MED attribute.
BGP_soft_reset.cap (2.0 KB)
| Packets: 17 | Duration: 180s | Downloads: 3276 |
R1 performs a soft bidirectional reset (clear ip bgp soft) on its adjacency with R2. The ROUTE-REFRESH message is visible in packet #7. Note that the TCP connection remains uninterrupted, and neither router views the reset as disruptive.
- Categories: Routing Protocols
- Protocols: BGP, Ethernet, IP, TCP
cm4116_telnet.cap (9.4 KB)
| Packets: 113 | Duration: 14s | Downloads: 6520 |
Short Telnet session with an Opengear CM4116, used to demonstrate the urgent flag and pointer.
- Categories: Management
- Protocols: Ethernet, IP, TCP, Telnet
connection termination.cap (316 bytes)
| Packets: 4 | Duration: n/a | Downloads: 3832 |
This capture shows a connection termination in which both the server and the client send FIN and ACK to each other.
For details of how the connection is torn down by both client and server, see the link below.
http://www.firewall.cx/networking-topics/protocols/tcp/136-tcp-flag-options.html
DECnet_Phone.pcap.cap (7.5 KB)
| Packets: 139 | Duration: 100s | Downloads: 4443 |
A DECnet Phone session, using the Linux DECnet stack and a clone/port of the eponymous OpenVMS tool.
DHCP.cap (5.8 KB)
| Packets: 12 | Duration: 153s | Downloads: 6770 |
R0 is the client and R1 is the DHCP server. Lease time is 1 minute.
DHCP_Inter_VLAN.cap (2.0 KB)
| Packets: 4 | Duration: n/a | Downloads: 5438 |
R1 is a router-on-a-stick. It receives a DHCP Discover on the trunk interface, sets the "Relay agent IP address" to the IP address of the sub-interface on which it received the packet, and finally forwards it to the DHCP server. Capture perspective is the R1-DHCP server link.
DHCP_MessageType 10,11,12 and 13.cap (1.9 KB)
| Packets: 6 | Duration: 13s | Downloads: 6832 |
An access concentrator/router queries the lease for particular IP addresses using the "DHCP LEASE QUERY" message type and gets DHCP LEASE ACTIVE, LEASE UNASSIGNED and LEASE UNKNOWN responses.
Access Concentrator/Router IP=10.10.39.14
DHCP server IP=10.10.35.33
dtls_null.cap (2.2 KB)
| Packets: 7 | Duration: 7s | Downloads: 2229 |
DTLS handshake with one application data packet.
Authentication with server certificate only.
NULL encryption is used to demonstrate the transmission of "TESTING".
DTP.cap (934 bytes)
| Packets: 10 | Duration: 120s | Downloads: 3895 |
Dynamic Trunking Protocol (DTP) frames sent by a Catalyst 3560 every 60 seconds, both with and without ISL encapsulation.
EBGP_adjacency.cap (2.7 KB)
| Packets: 24 | Duration: 182s | Downloads: 3514 |
The external BGP adjacency between routers 1 and 2 is brought online and routes are exchanged. Keepalives are then exchanged every 60 seconds. Note that the IP TTL (normally 1) has been increased to 2 with ebgp-multihop to facilitate communication between the routers' loopback interfaces.
- Categories: Routing Protocols
- Protocols: BGP, Ethernet, IP, TCP
EIGRPv2_adjacency.cap (4.1 KB)
| Packets: 31 | Duration: 52s | Downloads: 3197 |
Routers 1 and 2 form an EIGRPv2 adjacency and exchange IPv6 routes.
- Categories: Cisco-proprietary, Routing Protocols
- Protocols: EIGRP, Ethernet, IPv6
EIGRPv2_subnet_transition.cap (5.3 KB)
| Packets: 49 | Duration: 65s | Downloads: 3044 |
R4's 2001:db8:0:400::/64 subnet goes down, then comes back up roughly thirty seconds later. Capture perspective from R1's 2001:db8:0:12::1 interface.
- Categories: Cisco-proprietary, Routing Protocols
- Protocols: EIGRP, Ethernet, IPv6
EIGRP_adjacency.cap (5.1 KB)
| Packets: 53 | Duration: 104s | Downloads: 4220 |
Formation of an EIGRP adjacency between routers R1 and R2. Capture point is R1's 10.0.0.1 interface.
- Categories: Cisco-proprietary, Routing Protocols
- Protocols: EIGRP, Ethernet, IP
EIGRP_goodbye.cap (1.3 KB)
| Packets: 15 | Duration: 43s | Downloads: 3442 |
R2 designates its interface facing R1 as passive. The final hello message from R2 (packet #9) has all its K values set to 255, designating the message as a "goodbye." Capture perspective is from R1's 10.0.0.1 interface.
- Categories: Cisco-proprietary, Routing Protocols
- Protocols: EIGRP, Ethernet, IP
EIGRP_subnet_down.cap (1.8 KB)
| Packets: 21 | Duration: 23s | Downloads: 2991 |
R4's interface to 192.168.4.0/24 goes down and the route is advertised as unreachable. Queries are issued by all routers to find a new path to the subnet but none exists, and the route is removed from the topology. Capture perspective is from R1's 10.0.0.1 interface.
- Categories: Cisco-proprietary, Routing Protocols
- Protocols: EIGRP, Ethernet, IP
