Hi everyone,

Forgive the off-topic, but I think someone on this list must know the answer...
Here's the thing: I'm studying the IP, ICMP and TCP standards a bit:

http://rfc.net/std5.html
http://rfc.net/rfc792.html
http://rfc.net/std7.html

And to see how it works, I ran some tests with ping/telnet/etc...

    # tcpdump -w /tmp/arquivo.raw &
    # ping -c 1 192.168.131.9
    # killall tcpdump
    # cat /tmp/arquivo.raw | hexdump -C | less

and here is the result, with my comments below:

00000000 45 00 00 54 88 10 00 00 40 01 6b 37 c0 a8 83 07
    -- begin of ip header --
    45: 4=version 5=header length (32bits*0x5)
    00: type of service
    0054: total length: 8bits*0x0054
    8810: identification
    0000: fragmentation (flags+offset)
    40: time to live
    01: protocol (0x01=ICMP)
    6b37: header checksum
    c0a88307: source address (192.168.131.7)
00000010 c0 a8 83 09 08 00 94 30 5c 4a 00 00 3c 02 28 03
    c0a88309: dest address (192.168.131.9)
    -- end of IP header --
    -- begin of protocol header (ICMP) --
    08: type (ICMP Echo)
    00: code (always 0 for ICMP Echo)
    9430: checksum
    5c4a: identifier
    0000: sequence number
    3c022803... databytes...
00000020 00 07 b8 75 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13
00000030 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23
00000040 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33
00000050 34 35 03 28 02 3c 30 bb 07 00 60 00 00 00 62 00
    end | begin of what?
00000060 00 00 00 00 21 f1 cd bd 00 00 21 4f da d8 08 00
00000070 45 00 00 54 02 83 00 00 ff 01 31 c4 c0 a8 83 09
    45000054... the ICMP Echo Reply started here...
00000080 c0 a8 83 07 00 00 9c 30 5c 4a 00 00 3c 02 28 03
00000090 00 07 b8 75 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13
[I cut the rest]

So the question: according to the total length, the ICMP/IP Echo packet ends at 34350328, and the reply starts at 45000054... What is this data that starts with 023c30bb...up to...dad80800? I also noticed this when I telnet to a closed port on the other host. And I have noticed it in many other cases as well...
In the telnet case, it goes like this:

    local->remote TCP with SYN
    some bytes that I don't know what they are, like the ones in the example above
    remote->local TCP with PSH+RST (indicating a closed port)

See the attachment... So, what are these bytes that show up between the packets?

Regards, and thanks,
Pedro

--
 .''`.  Pedro Zorzenon Neto <[EMAIL PROTECTED]>
: :' :  Debian GNU/Linux | GNU/Hurd: <http://www.debian.org>
`. `'`  Debian BR: <http://debian-br.cipsga.org.br>
  `-    Be Happy! Be FREE!
000000e0 45 10 00 3c 8e a9 40 00 40 06 24 a1 c0 a8 83 07 |E..<.©@.@.$¡À¨..|
    45: 4=version 5=header length (32bits*0x5)
    10: type of service (0x10=low delay)
    003c: total length: 8bits*0x003c
    8ea9: identification
    4000: fragmentation (flags+offset) DF set, don't fragment
    40: time to live
    06: protocol (0x06=TCP)
    24a1: header checksum
    c0a88307: source address (192.168.131.7)
000000f0 c0 a8 83 09 05 9b 00 50 83 d7 cf 27 00 00 00 00 |À¨.....P.×Ï'....|
    c0a88309: dest address (192.168.131.9)
    -- end of IP header --
    -- begin of protocol header (TCP) --
    059b: source port
    0050: destination port (0x50=80=http)
    83d7cf27: sequence number
    00000000: acknowledge number
00000100 a0 02 3e bc 85 29 00 00 02 04 05 b4 04 02 08 0a | .>¼.).....´....|
    a002: dataoffset(4bit) reserved(6bit) (flags URG ACK PSH RST SYN FIN)
    3ebc: window
    8529: checksum
    0000: urgent pointer
    0204: option (max segment size)
    05b4: maxsegsize (only in SYN connections)
    0402080a: data...
    end | begin of what?
00000110 00 7d a3 58 00 00 00 00 01 03 03 00 20 31 02 3c |.}£X........ 1.<|
00000120 d2 09 0c 00 3c 00 00 00 3c 00 00 00 00 00 21 f1 |Ò...<...<.....!ñ|
    end of what? | begin of ip packet
00000130 cd bd 00 00 21 4f da d8 08 00 45 10 00 28 03 38 |Í½..!OÚØ..E..(.8|
    45: 4=version 5=header length (32bits*0x5)
    10: type of service (0x10=low delay)
    0028: total length: 8bits*0x0028
    0338: identification
00000140 00 00 ff 06 31 26 c0 a8 83 09 c0 a8 83 07 00 50 |..ÿ.1&À¨..À¨...P|
    0000: fragmentation (flags+offset)
    ff: time to live
    06: protocol (0x06=TCP)
    3126: header checksum
    c0a88309: source address (192.168.131.9)
    c0a88307: dest address (192.168.131.7)
    -- end of IP header --
    -- begin of protocol header (TCP) --
    0050: source port (http)
00000150 05 9b 00 00 00 00 83 d7 cf 28 50 14 00 00 cf 83 |.......×Ï(P...Ï.|
    059b: destination port
    00000000: sequence number
    83d7cf28: acknowledge number
    5014: dataoffset(4bit) reserved(6bit) (flags URG ACK PSH RST SYN FIN) PSH+RST
    0000: window
    cf83: checksum
    | begin of what?
00000160 00 00 0c 0d 0e 0f 10 11 |........|
    0000: urgent pointer
    -- end of protocol header ---
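
Added example (not part of the original message): a decoder for the bytes at offsets 0x52-0x9f of the ping dump above. It assumes that `tcpdump -w` wrote a classic libpcap file on a little-endian host, where each stored packet is preceded by a 16-byte record header and the capture includes the 14-byte Ethernet II header. The function and field names are this example's own.

```python
import ipaddress
import struct

# Bytes 0x52-0x9f copied from the ping hexdump in the message above.
DUMP = bytes.fromhex("""
    03 28 02 3c 30 bb 07 00 60 00 00 00 62 00
    00 00 00 00 21 f1 cd bd 00 00 21 4f da d8 08 00
    45 00 00 54 02 83 00 00 ff 01 31 c4 c0 a8 83 09
    c0 a8 83 07 00 00 9c 30 5c 4a 00 00 3c 02 28 03
    00 07 b8 75 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13
""")
REC_LEN, ETH_LEN = 16, 14  # pcap record header, Ethernet II header

def folded_sum(header):
    """16-bit one's-complement sum; a valid IPv4 header yields 0xffff."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def decode_record(buf, off=0):
    # Assumption: little-endian record header (normally told by the file magic).
    ts_sec, ts_usec, caplen, wirelen = struct.unpack_from("<IIII", buf, off)
    eth = off + REC_LEN
    dst, src, ethertype = struct.unpack_from("!6s6sH", buf, eth)
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = eth + ETH_LEN
    ver_ihl, total_len = struct.unpack_from("!BxH", buf, ip)
    ihl = (ver_ihl & 0x0F) * 4
    proto = buf[ip + 9]
    return {
        "ts": (ts_sec, ts_usec), "caplen": caplen, "wirelen": wirelen,
        "dst_mac": mac(dst), "src_mac": mac(src),
        "ip_total_len": total_len,
        "ip_bytes_stored": caplen - ETH_LEN,  # snaplen can cut the packet short
        "ip_checksum_ok": folded_sum(buf[ip:ip + ihl]) == 0xFFFF,
        "src_ip": str(ipaddress.IPv4Address(buf[ip + 12:ip + 16])),
        "dst_ip": str(ipaddress.IPv4Address(buf[ip + 16:ip + 20])),
        "icmp_type": buf[ip + ihl] if proto == 1 else None,
    }

if __name__ == "__main__":
    for key, value in decode_record(DUMP).items():
        print(f"{key:16} {value}")
```

Read this way, the record reports a captured length of 96 against a wire length of 98, so only 82 of the 84 IP bytes are stored, the same length at which the echo request in the dump stops (after `34 35`).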