The part where it does this:

E..(..@...q[....
.4...o........wM
P."8Y.........

Is where it's trying to make sense of this:

0x0000 4500 0028 1489 4000 8006 715b c0a8 0003
0x0010 d834 dc0b 056f 0014 00c2 be9c 82a5 774d
0x0020 5010 2238 59dc 0000 0000 0000 0100

Basically, it's reading the hex and octal codes, then translating those codes into ASCII chars. It does this because sometimes when plaintext is transmitted through packets, it is simply transmitted as hex or octal codes. If you run tcpdump long enough, you are bound to find some actual cleartext transmitted across the lines that actually make sense and spell things out. This is rare however.

Miles Stevenson

-----Original Message-----
From: Mike Cramp [mailto:[EMAIL PROTECTED]]
Sent: Sunday, October 21, 2001 5:42 PM
To: [EMAIL PROTECTED]
Subject: TCPDUMP Output
Mailer: SecurityFocus

Hey guys,

I am trying to understand this tcpdump output. I do a tcpdump -x -X on the command line, and I get this:

20:33:44.633857 192.168.0.3.1391 > 216.52.220.11.ftp-data: . ack 944300 win 8760 (DF)
0x0000 4500 0028 1489 4000 8006 715b c0a8 0003
0x0010 d834 dc0b 056f 0014 00c2 be9c 82a5 774d
0x0020 5010 2238 59dc 0000 0000 0000 0100
E..(..@...q[....
.4...o........wM (This stuff is off to the right)
P."8Y.........

What the heck is this stuff below?

E..(..@...q[....
.4...o........wM
P."8Y.........

Please explain...

-mike cramp
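Added example, not part of the original thread: the three hex rows quoted above decoded as an IPv4 header followed by a TCP header, with the right-hand column regenerated by printing each byte as ASCII when printable and as "." otherwise. The function and key names are this example's own; the decoded fields line up with the summary line tcpdump printed (192.168.0.3.1391 > 216.52.220.11.ftp-data, win 8760, DF).

```python
import socket
import struct

# The three hex rows from the tcpdump -x -X output quoted in the thread.
DUMP = """\
0x0000 4500 0028 1489 4000 8006 715b c0a8 0003
0x0010 d834 dc0b 056f 0014 00c2 be9c 82a5 774d
0x0020 5010 2238 59dc 0000 0000 0000 0100
"""

def dump_to_bytes(dump):
    """Drop the offset column and join the hex groups into raw bytes."""
    return bytes.fromhex("".join("".join(l.split()[1:]) for l in dump.splitlines()))

def ascii_column(data, width=16):
    """Render bytes as -X does: printable ASCII as-is, anything else as '.'."""
    text = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data)
    return [text[i:i + width] for i in range(0, len(text), width)]

def ip_checksum_ok(header):
    """One's-complement sum of the header's 16-bit words must fold to 0xffff."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode(data):
    """Decode the IPv4 header and the TCP header that follows it."""
    ihl = (data[0] & 0x0F) * 4  # IP header length in bytes
    total_len, = struct.unpack("!H", data[2:4])
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", data[ihl:ihl + 16])
    return {
        "version": data[0] >> 4, "ttl": data[8], "proto": data[9],
        "dont_fragment": bool(data[6] & 0x40),
        "src": socket.inet_ntoa(data[12:16]), "dst": socket.inet_ntoa(data[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "ack_flag": bool(off_flags & 0x10), "window": win,
        "checksum_ok": ip_checksum_ok(data[:ihl]),
        "trailing_bytes": len(data) - total_len,  # bytes after the IP datagram ends
    }

if __name__ == "__main__":
    pkt = dump_to_bytes(DUMP)
    for key, value in decode(pkt).items():
        print(f"{key:15} {value}")
    print("\n".join(ascii_column(pkt)))
```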