should have a look "packet capture".


Fahad Rahmani

Feb 21, 2009, 5:50:56 AM
to network...@googlegroups.com
Hello,

Hereunder is my analysis of ICMP sequence 2, originated from .122 and destined to .124.

Let's look at the technology:
You have mirrored two ports, say pA & pB for both directions. So what do you expect ?

Capture at: "Look legend for explanation"
pA input
pA output
pB input
pB output

Now, look at the icmp.seq ==2 on your capture, what do you see...
8 requests or replies... why?

sA sends ping to sB, this is how things unfold...

icmp request in pA - input - CAPTURE.
icmp request out pA - output - CAPTURE.
icmp request in pB - input - CAPTURE.
icmp request out pB - output - CAPTURE.

So, one ping request = 4 captures. The same holds true for the reply as well...

Hope this makes sense......

In context to this capture, if we go by time, this is the sequence.
Capture number: 6419 "icmp request in pA - input - CAPTURE."
Capture number: 6420 "icmp request out pA - output - CAPTURE."
Capture number: 14941 "icmp request in pB - input - CAPTURE."
Capture number: 14942 "icmp request out pB - output - CAPTURE."

You can further interpret this for replies...

Legend:
pA - port mapped to Server A
pB - port mapped to server B
sA - Server A
sB - Server B
########################### CAPTURE #####################################


No.     Time        Source                Destination           Protocol Info
   6419 588.909904  192.168.20.121        192.168.20.122        ICMP     Echo (ping) request

Frame 6419 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Vmware_4e:3e:13 (00:50:56:4e:3e:13), Dst: Vmware_4a:17:98 (00:50:56:4a:17:98)
Internet Protocol, Src: 192.168.20.121 (192.168.20.121), Dst: 192.168.20.122 (192.168.20.122)
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0 ()
    Checksum: 0x50f9 [correct]
    Identifier: 0x4f13
    Sequence number: 2 (0x0002)
    Data (56 bytes)

0000  ff 5a 9e 49 c4 49 0b 00 08 09 0a 0b 0c 0d 0e 0f   .Z.I.I..........
0010  10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f   ................
0020  20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f    !"#$%&'()*+,-./
0030  30 31 32 33 34 35 36 37                           01234567

No.     Time        Source                Destination           Protocol Info
   6420 588.909909  192.168.20.121        192.168.20.122        ICMP     Echo (ping) request

Frame 6420 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Vmware_4e:3e:13 (00:50:56:4e:3e:13), Dst: Vmware_4a:17:98 (00:50:56:4a:17:98)
Internet Protocol, Src: 192.168.20.121 (192.168.20.121), Dst: 192.168.20.122 (192.168.20.122)
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0 ()
    Checksum: 0x50f9 [correct]
    Identifier: 0x4f13
    Sequence number: 2 (0x0002)
    Data (56 bytes)

0000  ff 5a 9e 49 c4 49 0b 00 08 09 0a 0b 0c 0d 0e 0f   .Z.I.I..........
0010  10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f   ................
0020  20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f    !"#$%&'()*+,-./
0030  30 31 32 33 34 35 36 37                           01234567

No.     Time        Source                Destination           Protocol Info
   6421 588.909976  192.168.20.122        192.168.20.121        ICMP     Echo (ping) reply

Frame 6421 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Vmware_4a:17:98 (00:50:56:4a:17:98), Dst: Vmware_4e:3e:13 (00:50:56:4e:3e:13)
Internet Protocol, Src: 192.168.20.122 (192.168.20.122), Dst: 192.168.20.121 (192.168.20.121)
Internet Control Message Protocol
    Type: 0 (Echo (ping) reply)
    Code: 0 ()
    Checksum: 0x58f9 [correct]
    Identifier: 0x4f13
    Sequence number: 2 (0x0002)
    Data (56 bytes)

0000  ff 5a 9e 49 c4 49 0b 00 08 09 0a 0b 0c 0d 0e 0f   .Z.I.I..........
0010  10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f   ................
0020  20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f    !"#$%&'()*+,-./
0030  30 31 32 33 34 35 36 37                           01234567

No.     Time        Source                Destination           Protocol Info
   6422 588.909980  192.168.20.122        192.168.20.121        ICMP     Echo (ping) reply

Frame 6422 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Vmware_4a:17:98 (00:50:56:4a:17:98), Dst: Vmware_4e:3e:13 (00:50:56:4e:3e:13)
Internet Protocol, Src: 192.168.20.122 (192.168.20.122), Dst: 192.168.20.121 (192.168.20.121)
Internet Control Message Protocol
    Type: 0 (Echo (ping) reply)
    Code: 0 ()
    Checksum: 0x58f9 [correct]
    Identifier: 0x4f13
    Sequence number: 2 (0x0002)
    Data (56 bytes)

0000  ff 5a 9e 49 c4 49 0b 00 08 09 0a 0b 0c 0d 0e 0f   .Z.I.I..........
0010  10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f   ................
0020  20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f    !"#$%&'()*+,-./
0030  30 31 32 33 34 35 36 37                           01234567

No.     Time        Source                Destination           Protocol Info
  14941 734.053046  192.168.20.121        192.168.20.122        ICMP     Echo (ping) request

Frame 14941 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Vmware_4e:3e:13 (00:50:56:4e:3e:13), Dst: Vmware_4a:17:98 (00:50:56:4a:17:98)
Internet Protocol, Src: 192.168.20.121 (192.168.20.121), Dst: 192.168.20.122 (192.168.20.122)
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0 ()
    Checksum: 0xbfe8 [correct]
    Identifier: 0x5616
    Sequence number: 2 (0x0002)
    Data (56 bytes)

0000  90 5b 9e 49 bb 56 0d 00 08 09 0a 0b 0c 0d 0e 0f   .[.I.V..........
0010  10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f   ................
0020  20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f    !"#$%&'()*+,-./
0030  30 31 32 33 34 35 36 37                           01234567

No.     Time        Source                Destination           Protocol Info
  14942 734.053051  192.168.20.121        192.168.20.122        ICMP     Echo (ping) request

Frame 14942 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Vmware_4e:3e:13 (00:50:56:4e:3e:13), Dst: Vmware_4a:17:98 (00:50:56:4a:17:98)
Internet Protocol, Src: 192.168.20.121 (192.168.20.121), Dst: 192.168.20.122 (192.168.20.122)
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0 ()
    Checksum: 0xbfe8 [correct]
    Identifier: 0x5616
    Sequence number: 2 (0x0002)
    Data (56 bytes)

0000  90 5b 9e 49 bb 56 0d 00 08 09 0a 0b 0c 0d 0e 0f   .[.I.V..........
0010  10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f   ................
0020  20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f    !"#$%&'()*+,-./
0030  30 31 32 33 34 35 36 37                           01234567

No.     Time        Source                Destination           Protocol Info
  14943 734.053084  192.168.20.122        192.168.20.121        ICMP     Echo (ping) reply

Frame 14943 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Vmware_4a:17:98 (00:50:56:4a:17:98), Dst: Vmware_4e:3e:13 (00:50:56:4e:3e:13)
Internet Protocol, Src: 192.168.20.122 (192.168.20.122), Dst: 192.168.20.121 (192.168.20.121)
Internet Control Message Protocol
    Type: 0 (Echo (ping) reply)
    Code: 0 ()
    Checksum: 0xc7e8 [correct]
    Identifier: 0x5616
    Sequence number: 2 (0x0002)
    Data (56 bytes)

0000  90 5b 9e 49 bb 56 0d 00 08 09 0a 0b 0c 0d 0e 0f   .[.I.V..........
0010  10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f   ................
0020  20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f    !"#$%&'()*+,-./
0030  30 31 32 33 34 35 36 37                           01234567

No.     Time        Source                Destination           Protocol Info
  14944 734.053088  192.168.20.122        192.168.20.121        ICMP     Echo (ping) reply

Frame 14944 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Vmware_4a:17:98 (00:50:56:4a:17:98), Dst: Vmware_4e:3e:13 (00:50:56:4e:3e:13)
Internet Protocol, Src: 192.168.20.122 (192.168.20.122), Dst: 192.168.20.121 (192.168.20.121)
Internet Control Message Protocol
    Type: 0 (Echo (ping) reply)
    Code: 0 ()
    Checksum: 0xc7e8 [correct]
    Identifier: 0x5616
    Sequence number: 2 (0x0002)
    Data (56 bytes)

0000  90 5b 9e 49 bb 56 0d 00 08 09 0a 0b 0c 0d 0e 0f   .[.I.V..........
0010  10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f   ................
0020  20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f    !"#$%&'()*+,-./
0030  30 31 32 33 34 35 36 37                           01234567

##############################################
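
Added example, not part of the original posts: a small Python parser for the Wireshark text export shown above that groups ICMP echo frames by source, destination, type, identifier and sequence number, so the number of captured copies of each message can be counted. The function names are made up for this example, and the sample text is abridged from the capture in the post (frames 6419, 6420, 14941 and 14942).

```python
import re
from collections import defaultdict

# Abridged from the capture in the post: summary line plus the two ICMP fields used here.
CAPTURE = """\
   6419 588.909904  192.168.20.121        192.168.20.122        ICMP     Echo (ping) request
    Identifier: 0x4f13
    Sequence number: 2 (0x0002)
   6420 588.909909  192.168.20.121        192.168.20.122        ICMP     Echo (ping) request
    Identifier: 0x4f13
    Sequence number: 2 (0x0002)
  14941 734.053046  192.168.20.121        192.168.20.122        ICMP     Echo (ping) request
    Identifier: 0x5616
    Sequence number: 2 (0x0002)
  14942 734.053051  192.168.20.121        192.168.20.122        ICMP     Echo (ping) request
    Identifier: 0x5616
    Sequence number: 2 (0x0002)
"""

SUMMARY = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s+(\S+)\s+(\S+)\s+ICMP\s+Echo \(ping\) (request|reply)")
IDENT = re.compile(r"^\s*Identifier: (0x[0-9a-fA-F]+)")
SEQ = re.compile(r"^\s*Sequence number: (\d+)")

def parse_frames(text):
    """Return one dict per ICMP echo frame found in a Wireshark text export."""
    frames, cur = [], None
    for line in text.splitlines():
        if m := SUMMARY.match(line):
            cur = {"no": int(m[1]), "time": float(m[2]),
                   "src": m[3], "dst": m[4], "kind": m[5]}
            frames.append(cur)
        elif cur and (m := IDENT.match(line)):
            cur["ident"] = int(m[1], 16)
        elif cur and (m := SEQ.match(line)):
            cur["seq"] = int(m[1])
    return frames

def group_copies(frames):
    """Map (src, dst, kind, ident, seq) to the frame numbers carrying that echo message."""
    groups = defaultdict(list)
    for f in frames:
        key = (f["src"], f["dst"], f["kind"], f.get("ident"), f.get("seq"))
        groups[key].append(f["no"])
    return dict(groups)

if __name__ == "__main__":
    for key, numbers in group_copies(parse_frames(CAPTURE)).items():
        print(key, "->", len(numbers), "copies:", numbers)
```

Frames that share a key are copies of one echo message recorded at more than one capture point; the identifier is typically fixed per ping run, so keys that differ only in identifier come from separate runs.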

Fahad Rahmani

Feb 21, 2009, 6:07:48 AM
to network...@googlegroups.com

The analysis has some wrong info regarding packet capture, will update with correct information soon...
Regards.