Wireshark-users: Re: [Wireshark-users] Help With EPS/ISAKMP
From: "Josue Del Valle" <jodelvalle@xxxxxxxxxxxxxxx>
Date: Thu, 18 Jun 2009 10:15:08 -0400
This is what's getting logged on the firewall:

6|Jun 18 2009|05:50:16|302015|WebServer|500|AppServer|500|Built inbound UDP connection 34986 for dmz1:WebServer/500 (WebServer/500) to inside:AppServer/500 (AppServer/500)
2|Jun 18 2009|05:50:16|106100|WebServer|500|AppServer|500|access-list dmz_access_in permitted udp dmz1/WebServer(500) -> inside/AppServer(500) hit-cnt 1 first hit [0xba28b9ac, 0x0]

-----Original Message-----
From: Alex Nedelcu [mailto:alexpheno@xxxxxxxxx]
Sent: 2009-06-18 4:45 AM
To: Community support list for Wireshark
Subject: [SPAM] - Re: [Wireshark-users] Help With EPS/ISAKMP - Email found in subject

Can you attach some packet captures and the relevant logs from the servers?
As Robert said you should also first check if there is some sort of firewall dropping ESP (ip protocol 50).

On Wed, Jun 17, 2009 at 11:20 PM, Robert D. Scott<robert@xxxxxxx> wrote:
> Sounds like an ACL or firewall between the DMZ and the other network dropping
> ESP.
>
> Robert D. Scott                 Robert@xxxxxxx
> Senior Network Engineer         352-273-0113 Phone
> CNS - Network Services          352-392-2061 CNS Phone Tree
> University of Florida           352-392-9440 FAX
> Florida Lambda Rail             352-294-3571 FLR NOC
> Gainesville, FL 32611           321-663-0421 Cell
>
>
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Josue Del Valle
> Sent: Wednesday, June 17, 2009 4:16 PM
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: [Wireshark-users] Help With EPS/ISAKMP
>
> Hi,
>
> I was hoping someone could help me with this issue. I have configured
> IPSec on two Windows 2003 servers using certificates as the authentication.
> If I run wireshark from one of the servers while having both servers on the
> same network, I can see a bunch of ESP which indicates to me that the traffic
> is encrypted between the two servers. If I move one of the servers to
> another network (DMZ) and try to communicate with the server located on the
> trusted network, I can't and instead of getting ESP packets all I see is
> ISAKMP packets. I have not changed anything on the IPsec except the ip for
> the server that has been moved to the DMZ. The trusted network has a
> 192.168.10.X subnet and the one on the DMZ is 192.168.20.X.
>
> If I remove IPSec I can communicate from the DMZ to the LAN as intended
> which indicates routing on the firewall is working fine. I know it is kind
> of confusing, but I'm trying to figure out why WireShark shows ESP packets
> when the server is on the LAN and ISAKMP packets when the server is moved to
> the DMZ.
>
> Thanks,
>
> Josue

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
No. Time Source Destination Protocol Info 1 0.000000 192.168.15.3 192.168.40.219 ISAKMP Identity Protection (Main Mode) Frame 1 (318 bytes on wire, 318 bytes captured) Arrival Time: Jun 18, 2009 09:27:55.498823000 [Time delta from previous captured frame: 0.000000000 seconds] [Time delta from previous displayed frame: 0.000000000 seconds] [Time since reference or first frame: 0.000000000 seconds] Frame Number: 1 Frame Length: 318 bytes Capture Length: 318 bytes [Frame is marked: False] [Protocols in frame: eth:ip:udp:isakmp] [Coloring Rule Name: UDP] [Coloring Rule String: udp] Ethernet II, Src: Dell_80:27:ab (00:11:20:80:30:cd), Dst: Cisco_bb:96:6e (00:14:77:cc:96:6e) Destination: Cisco_bb:96:6e (00:14:77:cc:96:6e) Address: Cisco_bb:96:6e (00:14:77:cc:96:6e) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Source: Dell_80:27:ab (00:11:20:80:30:cd) Address: Dell_80:27:ab (00:11:20:80:30:cd) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Type: IP (0x0800) Internet Protocol, Src: 192.168.15.3 (192.168.15.3), Dst: 192.168.40.219 (192.168.40.219) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...0 = ECN-CE: 0 Total Length: 304 Identification: 0x0f89 (3977) Flags: 0x00 0... = Reserved bit: Not set .0.. = Don't fragment: Not set ..0. 
= More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: UDP (0x11) Header checksum: 0x8a05 [correct] [Good: True] [Bad : False] Source: 192.168.15.3 (192.168.15.3) Destination: 192.168.40.219 (192.168.40.219) User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500) Source port: isakmp (500) Destination port: isakmp (500) Length: 284 Checksum: 0x56c5 [correct] [Good Checksum: True] [Bad Checksum: False] Internet Security Association and Key Management Protocol Initiator cookie: 2C69207A4FB353E8 Responder cookie: 0000000000000000 Next payload: Security Association (1) Version: 1.0 Exchange type: Identity Protection (Main Mode) (2) Flags: 0x00 .... ...0 = Not encrypted .... ..0. = No commit .... .0.. = No authentication Message ID: 0x00000000 Length: 276 Security Association payload Next payload: Vendor ID (13) Payload length: 164 Domain of interpretation: IPSEC (1) Situation: IDENTITY (1) Proposal payload # 1 Next payload: NONE (0) Payload length: 152 Proposal number: 1 Protocol ID: ISAKMP (1) SPI Size: 0 Proposal transforms: 4 Transform payload # 1 Next payload: Transform (3) Payload length: 36 Transform number: 1 Transform ID: KEY_IKE (1) Encryption-Algorithm (1): 3DES-CBC (5) Hash-Algorithm (2): SHA (2) Group-Description (4): Alternate 1024-bit MODP group (2) Authentication-Method (3): RSA-SIG (3) Life-Type (11): Seconds (1) Life-Duration (12): Duration-Value (28800) Transform payload # 2 Next payload: Transform (3) Payload length: 36 Transform number: 2 Transform ID: KEY_IKE (1) Encryption-Algorithm (1): 3DES-CBC (5) Hash-Algorithm (2): MD5 (1) Group-Description (4): Alternate 1024-bit MODP group (2) Authentication-Method (3): RSA-SIG (3) Life-Type (11): Seconds (1) Life-Duration (12): Duration-Value (28800) Transform payload # 3 Next payload: Transform (3) Payload length: 36 Transform number: 3 Transform ID: KEY_IKE (1) Encryption-Algorithm (1): DES-CBC (1) Hash-Algorithm (2): SHA (2) Group-Description (4): Default 768-bit MODP 
group (1) Authentication-Method (3): RSA-SIG (3) Life-Type (11): Seconds (1) Life-Duration (12): Duration-Value (28800) Transform payload # 4 Next payload: NONE (0) Payload length: 36 Transform number: 4 Transform ID: KEY_IKE (1) Encryption-Algorithm (1): DES-CBC (1) Hash-Algorithm (2): MD5 (1) Group-Description (4): Default 768-bit MODP group (1) Authentication-Method (3): RSA-SIG (3) Life-Type (11): Seconds (1) Life-Duration (12): Duration-Value (28800) Vendor ID: MS NT5 ISAKMPOAKLEY Next payload: Vendor ID (13) Payload length: 24 Vendor ID: MS NT5 ISAKMPOAKLEY Vendor ID: Microsoft L2TP/IPSec VPN Client Next payload: Vendor ID (13) Payload length: 20 Vendor ID: Microsoft L2TP/IPSec VPN Client Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n Next payload: Vendor ID (13) Payload length: 20 Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n Vendor ID: 26244D38EDDB61B3172A36E3D0CFB819 Next payload: NONE (0) Payload length: 20 Vendor ID: 26244D38EDDB61B3172A36E3D0CFB819 0000 00 23 33 bb 96 6e 00 22 19 80 27 ab 08 00 45 00 .#3..n."..'...E. 0010 01 30 0f 89 00 00 80 11 8a 05 c0 a8 14 03 c0 a8 .0.............. 0020 0a db 01 f4 01 f4 01 1c 56 c5 2c 69 20 7a 4f b3 ........V.,i zO. 0030 53 e8 00 00 00 00 00 00 00 00 01 10 02 00 00 00 S............... 0040 00 00 00 00 01 14 0d 00 00 a4 00 00 00 01 00 00 ................ 0050 00 01 00 00 00 98 01 01 00 04 03 00 00 24 01 01 .............$.. 0060 00 00 80 01 00 05 80 02 00 02 80 04 00 02 80 03 ................ 0070 00 03 80 0b 00 01 00 0c 00 04 00 00 70 80 03 00 ............p... 0080 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 04 .$.............. 0090 00 02 80 03 00 03 80 0b 00 01 00 0c 00 04 00 00 ................ 00a0 70 80 03 00 00 24 03 01 00 00 80 01 00 01 80 02 p....$.......... 00b0 00 02 80 04 00 01 80 03 00 03 80 0b 00 01 00 0c ................ 00c0 00 04 00 00 70 80 00 00 00 24 04 01 00 00 80 01 ....p....$...... 00d0 00 01 80 02 00 01 80 04 00 01 80 03 00 03 80 0b ................ 
00e0 00 01 00 0c 00 04 00 00 70 80 0d 00 00 18 1e 2b ........p......+ 00f0 51 69 05 99 1c 7d 7c 96 fc bf b5 87 e4 61 00 00 Qi...}|......a.. 0100 00 04 0d 00 00 14 40 48 b7 d5 6e bc e8 85 25 e7 ......@H..n...%. 0110 de 7f 00 d6 c2 d3 0d 00 00 14 90 cb 80 91 3e bb ..............>. 0120 69 6e 08 63 81 b5 ec 42 7b 1f 00 00 00 14 26 24 in.c...B{.....&$ 0130 4d 38 ed db 61 b3 17 2a 36 e3 d0 cf b8 19 M8..a..*6..... No. Time Source Destination Protocol Info 2 4.187247 0.0.0.0 255.255.255.255 DHCP DHCP Discover - Transaction ID 0x30311609 Frame 2 (302 bytes on wire, 302 bytes captured) Arrival Time: Jun 18, 2009 09:27:59.686070000 [Time delta from previous captured frame: 4.187247000 seconds] [Time delta from previous displayed frame: 4.187247000 seconds] [Time since reference or first frame: 4.187247000 seconds] Frame Number: 2 Frame Length: 302 bytes Capture Length: 302 bytes [Frame is marked: False] [Protocols in frame: eth:ip:udp:bootp] [Coloring Rule Name: UDP] [Coloring Rule String: udp] Ethernet II, Src: Dell_80:27:ac (00:22:19:80:27:ac), Dst: Broadcast (ff:ff:ff:ff:ff:ff) Destination: Broadcast (ff:ff:ff:ff:ff:ff) Address: Broadcast (ff:ff:ff:ff:ff:ff) .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast) .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default) Source: Dell_80:27:ac (00:22:19:80:27:ac) Address: Dell_80:27:ac (00:22:19:80:27:ac) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Type: IP (0x0800) Internet Protocol, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...0 = ECN-CE: 0 Total Length: 288 Identification: 0xad78 (44408) Flags: 0x00 0... 
= Reserved bit: Not set .0.. = Don't fragment: Not set ..0. = More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: UDP (0x11) Header checksum: 0xcc55 [correct] [Good: True] [Bad : False] Source: 0.0.0.0 (0.0.0.0) Destination: 255.255.255.255 (255.255.255.255) User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67) Source port: bootpc (68) Destination port: bootps (67) Length: 268 Checksum: 0xdf98 [correct] [Good Checksum: True] [Bad Checksum: False] Bootstrap Protocol Message type: Boot Request (1) Hardware type: Ethernet Hardware address length: 6 Hops: 0 Transaction ID: 0x30311609 Seconds elapsed: 28 (little endian bug?) Bootp flags: 0x8000 (Broadcast) 1... .... .... .... = Broadcast flag: Broadcast .000 0000 0000 0000 = Reserved flags: 0x0000 Client IP address: 0.0.0.0 (0.0.0.0) Your (client) IP address: 0.0.0.0 (0.0.0.0) Next server IP address: 0.0.0.0 (0.0.0.0) Relay agent IP address: 0.0.0.0 (0.0.0.0) Client MAC address: Dell_80:27:ac (00:22:19:80:27:ac) Server host name not given Boot file name not given Magic cookie: (OK) Option: (t=53,l=1) DHCP Message Type = DHCP Discover Option: (53) DHCP Message Type Length: 1 Value: 01 Option: (t=55,l=4) Parameter Request List Option: (55) Parameter Request List Length: 4 Value: 01033336 1 = Subnet Mask 3 = Router 51 = IP Address Lease Time 54 = Server Identifier Option: (t=60,l=8) Vendor class identifier = "brcmftsk" Option: (60) Vendor class identifier Length: 8 Value: 6272636D6674736B End Option 0000 ff ff ff ff ff ff 00 22 19 80 27 ac 08 00 45 00 ......."..'...E. 0010 01 20 ad 78 00 00 40 11 cc 55 00 00 00 00 ff ff . .x..@..U...... 0020 ff ff 00 44 00 43 01 0c df 98 01 01 06 00 30 31 ...D.C........01 0030 16 09 1c 00 80 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 22 19 80 27 ac 00 00 00 00 ......."..'..... 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0110 00 00 00 00 00 00 63 82 53 63 35 01 01 37 04 01 ......c.Sc5..7.. 0120 03 33 36 3c 08 62 72 63 6d 66 74 73 6b ff .36<.brcmftsk. No. Time Source Destination Protocol Info 3 6.797278 0.0.0.0 255.255.255.255 DHCP DHCP Discover - Transaction ID 0xad660a1b Frame 3 (302 bytes on wire, 302 bytes captured) Arrival Time: Jun 18, 2009 09:28:02.296101000 [Time delta from previous captured frame: 2.610031000 seconds] [Time delta from previous displayed frame: 2.610031000 seconds] [Time since reference or first frame: 6.797278000 seconds] Frame Number: 3 Frame Length: 302 bytes Capture Length: 302 bytes [Frame is marked: False] [Protocols in frame: eth:ip:udp:bootp] [Coloring Rule Name: UDP] [Coloring Rule String: udp] Ethernet II, Src: Dell_80:27:ac (00:22:19:80:27:ac), Dst: Broadcast (ff:ff:ff:ff:ff:ff) Destination: Broadcast (ff:ff:ff:ff:ff:ff) Address: Broadcast (ff:ff:ff:ff:ff:ff) .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast) .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default) Source: Dell_80:27:ac (00:22:19:80:27:ac) Address: Dell_80:27:ac (00:22:19:80:27:ac) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... .... 
= LG bit: Globally unique address (factory default) Type: IP (0x0800) Internet Protocol, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...0 = ECN-CE: 0 Total Length: 288 Identification: 0xad79 (44409) Flags: 0x00 0... = Reserved bit: Not set .0.. = Don't fragment: Not set ..0. = More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: UDP (0x11) Header checksum: 0xcc54 [correct] [Good: True] [Bad : False] Source: 0.0.0.0 (0.0.0.0) Destination: 255.255.255.255 (255.255.255.255) User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67) Source port: bootpc (68) Destination port: bootps (67) Length: 268 Checksum: 0x8a51 [correct] [Good Checksum: True] [Bad Checksum: False] Bootstrap Protocol Message type: Boot Request (1) Hardware type: Ethernet Hardware address length: 6 Hops: 0 Transaction ID: 0xad660a1b Seconds elapsed: 0 Bootp flags: 0x8000 (Broadcast) 1... .... .... .... = Broadcast flag: Broadcast .000 0000 0000 0000 = Reserved flags: 0x0000 Client IP address: 0.0.0.0 (0.0.0.0) Your (client) IP address: 0.0.0.0 (0.0.0.0) Next server IP address: 0.0.0.0 (0.0.0.0) Relay agent IP address: 0.0.0.0 (0.0.0.0) Client MAC address: Dell_80:27:ac (00:22:19:80:27:ac) Server host name not given Boot file name not given Magic cookie: (OK) Option: (t=53,l=1) DHCP Message Type = DHCP Discover Option: (53) DHCP Message Type Length: 1 Value: 01 Option: (t=55,l=4) Parameter Request List Option: (55) Parameter Request List Length: 4 Value: 01033336 1 = Subnet Mask 3 = Router 51 = IP Address Lease Time 54 = Server Identifier Option: (t=60,l=8) Vendor class identifier = "brcmftsk" Option: (60) Vendor class identifier Length: 8 Value: 6272636D6674736B End Option 0000 ff ff ff ff ff ff 00 22 19 80 27 ac 08 00 45 00 ......."..'...E. 
0010 01 20 ad 79 00 00 40 11 cc 54 00 00 00 00 ff ff . .y..@..T...... 0020 ff ff 00 44 00 43 01 0c 8a 51 01 01 06 00 ad 66 ...D.C...Q.....f 0030 0a 1b 00 00 80 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 22 19 80 27 ac 00 00 00 00 ......."..'..... 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0110 00 00 00 00 00 00 63 82 53 63 35 01 01 37 04 01 ......c.Sc5..7.. 0120 03 33 36 3c 08 62 72 63 6d 66 74 73 6b ff .36<.brcmftsk. No. 
Time Source Destination Protocol Info 4 7.999650 192.168.15.3 192.168.40.219 ISAKMP Identity Protection (Main Mode) Frame 4 (318 bytes on wire, 318 bytes captured) Arrival Time: Jun 18, 2009 09:28:03.498473000 [Time delta from previous captured frame: 1.202372000 seconds] [Time delta from previous displayed frame: 1.202372000 seconds] [Time since reference or first frame: 7.999650000 seconds] Frame Number: 4 Frame Length: 318 bytes Capture Length: 318 bytes [Frame is marked: False] [Protocols in frame: eth:ip:udp:isakmp] [Coloring Rule Name: UDP] [Coloring Rule String: udp] Ethernet II, Src: Dell_80:27:ab (00:11:20:80:30:cd), Dst: Cisco_bb:96:6e (00:14:77:cc:96:6e) Destination: Cisco_bb:96:6e (00:14:77:cc:96:6e) Address: Cisco_bb:96:6e (00:14:77:cc:96:6e) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Source: Dell_80:27:ab (00:11:20:80:30:cd) Address: Dell_80:27:ab (00:11:20:80:30:cd) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Type: IP (0x0800) Internet Protocol, Src: 192.168.15.3 (192.168.15.3), Dst: 192.168.40.219 (192.168.40.219) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...0 = ECN-CE: 0 Total Length: 304 Identification: 0x1031 (4145) Flags: 0x00 0... = Reserved bit: Not set .0.. = Don't fragment: Not set ..0. 
= More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: UDP (0x11) Header checksum: 0x895d [correct] [Good: True] [Bad : False] Source: 192.168.15.3 (192.168.15.3) Destination: 192.168.40.219 (192.168.40.219) User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500) Source port: isakmp (500) Destination port: isakmp (500) Length: 284 Checksum: 0x56c5 [correct] [Good Checksum: True] [Bad Checksum: False] Internet Security Association and Key Management Protocol Initiator cookie: 2C69207A4FB353E8 Responder cookie: 0000000000000000 Next payload: Security Association (1) Version: 1.0 Exchange type: Identity Protection (Main Mode) (2) Flags: 0x00 .... ...0 = Not encrypted .... ..0. = No commit .... .0.. = No authentication Message ID: 0x00000000 Length: 276 Security Association payload Next payload: Vendor ID (13) Payload length: 164 Domain of interpretation: IPSEC (1) Situation: IDENTITY (1) Proposal payload # 1 Next payload: NONE (0) Payload length: 152 Proposal number: 1 Protocol ID: ISAKMP (1) SPI Size: 0 Proposal transforms: 4 Transform payload # 1 Next payload: Transform (3) Payload length: 36 Transform number: 1 Transform ID: KEY_IKE (1) Encryption-Algorithm (1): 3DES-CBC (5) Hash-Algorithm (2): SHA (2) Group-Description (4): Alternate 1024-bit MODP group (2) Authentication-Method (3): RSA-SIG (3) Life-Type (11): Seconds (1) Life-Duration (12): Duration-Value (28800) Transform payload # 2 Next payload: Transform (3) Payload length: 36 Transform number: 2 Transform ID: KEY_IKE (1) Encryption-Algorithm (1): 3DES-CBC (5) Hash-Algorithm (2): MD5 (1) Group-Description (4): Alternate 1024-bit MODP group (2) Authentication-Method (3): RSA-SIG (3) Life-Type (11): Seconds (1) Life-Duration (12): Duration-Value (28800) Transform payload # 3 Next payload: Transform (3) Payload length: 36 Transform number: 3 Transform ID: KEY_IKE (1) Encryption-Algorithm (1): DES-CBC (1) Hash-Algorithm (2): SHA (2) Group-Description (4): Default 768-bit MODP 
group (1) Authentication-Method (3): RSA-SIG (3) Life-Type (11): Seconds (1) Life-Duration (12): Duration-Value (28800) Transform payload # 4 Next payload: NONE (0) Payload length: 36 Transform number: 4 Transform ID: KEY_IKE (1) Encryption-Algorithm (1): DES-CBC (1) Hash-Algorithm (2): MD5 (1) Group-Description (4): Default 768-bit MODP group (1) Authentication-Method (3): RSA-SIG (3) Life-Type (11): Seconds (1) Life-Duration (12): Duration-Value (28800) Vendor ID: MS NT5 ISAKMPOAKLEY Next payload: Vendor ID (13) Payload length: 24 Vendor ID: MS NT5 ISAKMPOAKLEY Vendor ID: Microsoft L2TP/IPSec VPN Client Next payload: Vendor ID (13) Payload length: 20 Vendor ID: Microsoft L2TP/IPSec VPN Client Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n Next payload: Vendor ID (13) Payload length: 20 Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n Vendor ID: 26244D38EDDB61B3172A36E3D0CFB819 Next payload: NONE (0) Payload length: 20 Vendor ID: 26244D38EDDB61B3172A36E3D0CFB819 0000 00 23 33 bb 96 6e 00 22 19 80 27 ab 08 00 45 00 .#3..n."..'...E. 0010 01 30 10 31 00 00 80 11 89 5d c0 a8 14 03 c0 a8 .0.1.....]...... 0020 0a db 01 f4 01 f4 01 1c 56 c5 2c 69 20 7a 4f b3 ........V.,i zO. 0030 53 e8 00 00 00 00 00 00 00 00 01 10 02 00 00 00 S............... 0040 00 00 00 00 01 14 0d 00 00 a4 00 00 00 01 00 00 ................ 0050 00 01 00 00 00 98 01 01 00 04 03 00 00 24 01 01 .............$.. 0060 00 00 80 01 00 05 80 02 00 02 80 04 00 02 80 03 ................ 0070 00 03 80 0b 00 01 00 0c 00 04 00 00 70 80 03 00 ............p... 0080 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 04 .$.............. 0090 00 02 80 03 00 03 80 0b 00 01 00 0c 00 04 00 00 ................ 00a0 70 80 03 00 00 24 03 01 00 00 80 01 00 01 80 02 p....$.......... 00b0 00 02 80 04 00 01 80 03 00 03 80 0b 00 01 00 0c ................ 00c0 00 04 00 00 70 80 00 00 00 24 04 01 00 00 80 01 ....p....$...... 00d0 00 01 80 02 00 01 80 04 00 01 80 03 00 03 80 0b ................ 
00e0 00 01 00 0c 00 04 00 00 70 80 0d 00 00 18 1e 2b ........p......+ 00f0 51 69 05 99 1c 7d 7c 96 fc bf b5 87 e4 61 00 00 Qi...}|......a.. 0100 00 04 0d 00 00 14 40 48 b7 d5 6e bc e8 85 25 e7 ......@H..n...%. 0110 de 7f 00 d6 c2 d3 0d 00 00 14 90 cb 80 91 3e bb ..............>. 0120 69 6e 08 63 81 b5 ec 42 7b 1f 00 00 00 14 26 24 in.c...B{.....&$ 0130 4d 38 ed db 61 b3 17 2a 36 e3 d0 cf b8 19 M8..a..*6..... No. Time Source Destination Protocol Info 5 10.186972 0.0.0.0 255.255.255.255 DHCP DHCP Discover - Transaction ID 0xae660a1b Frame 5 (302 bytes on wire, 302 bytes captured) Arrival Time: Jun 18, 2009 09:28:05.685795000 [Time delta from previous captured frame: 2.187322000 seconds] [Time delta from previous displayed frame: 2.187322000 seconds] [Time since reference or first frame: 10.186972000 seconds] Frame Number: 5 Frame Length: 302 bytes Capture Length: 302 bytes [Frame is marked: False] [Protocols in frame: eth:ip:udp:bootp] [Coloring Rule Name: UDP] [Coloring Rule String: udp] Ethernet II, Src: Dell_80:27:ac (00:22:19:80:27:ac), Dst: Broadcast (ff:ff:ff:ff:ff:ff) Destination: Broadcast (ff:ff:ff:ff:ff:ff) Address: Broadcast (ff:ff:ff:ff:ff:ff) .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast) .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default) Source: Dell_80:27:ac (00:22:19:80:27:ac) Address: Dell_80:27:ac (00:22:19:80:27:ac) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Type: IP (0x0800) Internet Protocol, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...0 = ECN-CE: 0 Total Length: 288 Identification: 0xad7a (44410) Flags: 0x00 0... 
= Reserved bit: Not set .0.. = Don't fragment: Not set ..0. = More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: UDP (0x11) Header checksum: 0xcc53 [correct] [Good: True] [Bad : False] Source: 0.0.0.0 (0.0.0.0) Destination: 255.255.255.255 (255.255.255.255) User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67) Source port: bootpc (68) Destination port: bootps (67) Length: 268 Checksum: 0x8551 [correct] [Good Checksum: True] [Bad Checksum: False] Bootstrap Protocol Message type: Boot Request (1) Hardware type: Ethernet Hardware address length: 6 Hops: 0 Transaction ID: 0xae660a1b Seconds elapsed: 4 (little endian bug?) Bootp flags: 0x8000 (Broadcast) 1... .... .... .... = Broadcast flag: Broadcast .000 0000 0000 0000 = Reserved flags: 0x0000 Client IP address: 0.0.0.0 (0.0.0.0) Your (client) IP address: 0.0.0.0 (0.0.0.0) Next server IP address: 0.0.0.0 (0.0.0.0) Relay agent IP address: 0.0.0.0 (0.0.0.0) Client MAC address: Dell_80:27:ac (00:22:19:80:27:ac) Server host name not given Boot file name not given Magic cookie: (OK) Option: (t=53,l=1) DHCP Message Type = DHCP Discover Option: (53) DHCP Message Type Length: 1 Value: 01 Option: (t=55,l=4) Parameter Request List Option: (55) Parameter Request List Length: 4 Value: 01033336 1 = Subnet Mask 3 = Router 51 = IP Address Lease Time 54 = Server Identifier Option: (t=60,l=8) Vendor class identifier = "brcmftsk" Option: (60) Vendor class identifier Length: 8 Value: 6272636D6674736B End Option 0000 ff ff ff ff ff ff 00 22 19 80 27 ac 08 00 45 00 ......."..'...E. 0010 01 20 ad 7a 00 00 40 11 cc 53 00 00 00 00 ff ff . .z..@..S...... 0020 ff ff 00 44 00 43 01 0c 85 51 01 01 06 00 ae 66 ...D.C...Q.....f 0030 0a 1b 04 00 80 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 22 19 80 27 ac 00 00 00 00 ......."..'..... 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
No.     Time        Source                Destination           Protocol Info
      6 18.186609   0.0.0.0               255.255.255.255       DHCP     DHCP Discover - Transaction ID 0xaf660a1b

Frame 6 (302 bytes on wire, 302 bytes captured)
    Arrival Time: Jun 18, 2009 09:28:13.685432000
    [Time delta from previous captured frame: 7.999637000 seconds]
    [Time delta from previous displayed frame: 7.999637000 seconds]
    [Time since reference or first frame: 18.186609000 seconds]
    Frame Number: 6
    Frame Length: 302 bytes
    Capture Length: 302 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:bootp]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Dell_80:27:ac (00:22:19:80:27:ac), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    Source: Dell_80:27:ac (00:22:19:80:27:ac)
        Address: Dell_80:27:ac (00:22:19:80:27:ac)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 288
    Identification: 0xad7b (44411)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0xcc52 [correct]
        [Good: True]
        [Bad : False]
    Source: 0.0.0.0 (0.0.0.0)
    Destination: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
    Source port: bootpc (68)
    Destination port: bootps (67)
    Length: 268
    Checksum: 0x7c51 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
Bootstrap Protocol
    Message type: Boot Request (1)
    Hardware type: Ethernet
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0xaf660a1b
    Seconds elapsed: 12 (little endian bug?)
    Bootp flags: 0x8000 (Broadcast)
        1... .... .... .... = Broadcast flag: Broadcast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0 (0.0.0.0)
    Your (client) IP address: 0.0.0.0 (0.0.0.0)
    Next server IP address: 0.0.0.0 (0.0.0.0)
    Relay agent IP address: 0.0.0.0 (0.0.0.0)
    Client MAC address: Dell_80:27:ac (00:22:19:80:27:ac)
    Server host name not given
    Boot file name not given
    Magic cookie: (OK)
    Option: (t=53,l=1) DHCP Message Type = DHCP Discover
        Option: (53) DHCP Message Type
        Length: 1
        Value: 01
    Option: (t=55,l=4) Parameter Request List
        Option: (55) Parameter Request List
        Length: 4
        Value: 01033336
        1 = Subnet Mask
        3 = Router
        51 = IP Address Lease Time
        54 = Server Identifier
    Option: (t=60,l=8) Vendor class identifier = "brcmftsk"
        Option: (60) Vendor class identifier
        Length: 8
        Value: 6272636D6674736B
    End Option

No.     Time        Source                Destination           Protocol Info
      7 23.998928   192.168.15.3          192.168.40.219        ISAKMP   Identity Protection (Main Mode)

Frame 7 (318 bytes on wire, 318 bytes captured)
    Arrival Time: Jun 18, 2009 09:28:19.497751000
    [Time delta from previous captured frame: 5.812319000 seconds]
    [Time delta from previous displayed frame: 5.812319000 seconds]
    [Time since reference or first frame: 23.998928000 seconds]
    Frame Number: 7
    Frame Length: 318 bytes
    Capture Length: 318 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:isakmp]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Dell_80:27:ab (00:11:20:80:30:cd), Dst: Cisco_bb:96:6e (00:14:77:cc:96:6e)
    Destination: Cisco_bb:96:6e (00:14:77:cc:96:6e)
        Address: Cisco_bb:96:6e (00:14:77:cc:96:6e)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Dell_80:27:ab (00:11:20:80:30:cd)
        Address: Dell_80:27:ab (00:11:20:80:30:cd)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.15.3 (192.168.15.3), Dst: 192.168.40.219 (192.168.40.219)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 304
    Identification: 0x1122 (4386)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x886c [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.15.3 (192.168.15.3)
    Destination: 192.168.40.219 (192.168.40.219)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
    Source port: isakmp (500)
    Destination port: isakmp (500)
    Length: 284
    Checksum: 0x56c5 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
Internet Security Association and Key Management Protocol
    Initiator cookie: 2C69207A4FB353E8
    Responder cookie: 0000000000000000
    Next payload: Security Association (1)
    Version: 1.0
    Exchange type: Identity Protection (Main Mode) (2)
    Flags: 0x00
        .... ...0 = Not encrypted
        .... ..0. = No commit
        .... .0.. = No authentication
    Message ID: 0x00000000
    Length: 276
    Security Association payload
        Next payload: Vendor ID (13)
        Payload length: 164
        Domain of interpretation: IPSEC (1)
        Situation: IDENTITY (1)
        Proposal payload # 1
            Next payload: NONE (0)
            Payload length: 152
            Proposal number: 1
            Protocol ID: ISAKMP (1)
            SPI Size: 0
            Proposal transforms: 4
            Transform payload # 1
                Next payload: Transform (3)
                Payload length: 36
                Transform number: 1
                Transform ID: KEY_IKE (1)
                Encryption-Algorithm (1): 3DES-CBC (5)
                Hash-Algorithm (2): SHA (2)
                Group-Description (4): Alternate 1024-bit MODP group (2)
                Authentication-Method (3): RSA-SIG (3)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (28800)
            Transform payload # 2
                Next payload: Transform (3)
                Payload length: 36
                Transform number: 2
                Transform ID: KEY_IKE (1)
                Encryption-Algorithm (1): 3DES-CBC (5)
                Hash-Algorithm (2): MD5 (1)
                Group-Description (4): Alternate 1024-bit MODP group (2)
                Authentication-Method (3): RSA-SIG (3)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (28800)
            Transform payload # 3
                Next payload: Transform (3)
                Payload length: 36
                Transform number: 3
                Transform ID: KEY_IKE (1)
                Encryption-Algorithm (1): DES-CBC (1)
                Hash-Algorithm (2): SHA (2)
                Group-Description (4): Default 768-bit MODP group (1)
                Authentication-Method (3): RSA-SIG (3)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (28800)
            Transform payload # 4
                Next payload: NONE (0)
                Payload length: 36
                Transform number: 4
                Transform ID: KEY_IKE (1)
                Encryption-Algorithm (1): DES-CBC (1)
                Hash-Algorithm (2): MD5 (1)
                Group-Description (4): Default 768-bit MODP group (1)
                Authentication-Method (3): RSA-SIG (3)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (28800)
    Vendor ID: MS NT5 ISAKMPOAKLEY
        Next payload: Vendor ID (13)
        Payload length: 24
        Vendor ID: MS NT5 ISAKMPOAKLEY
    Vendor ID: Microsoft L2TP/IPSec VPN Client
        Next payload: Vendor ID (13)
        Payload length: 20
        Vendor ID: Microsoft L2TP/IPSec VPN Client
    Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
        Next payload: Vendor ID (13)
        Payload length: 20
        Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
    Vendor ID: 26244D38EDDB61B3172A36E3D0CFB819
        Next payload: NONE (0)
        Payload length: 20
        Vendor ID: 26244D38EDDB61B3172A36E3D0CFB819

No.     Time        Source                Destination           Protocol Info
      8 34.185893   0.0.0.0               255.255.255.255       DHCP     DHCP Discover - Transaction ID 0xb0660a1b

Frame 8 (302 bytes on wire, 302 bytes captured)
    Arrival Time: Jun 18, 2009 09:28:29.684716000
    [Time delta from previous captured frame: 10.186965000 seconds]
    [Time delta from previous displayed frame: 10.186965000 seconds]
    [Time since reference or first frame: 34.185893000 seconds]
    Frame Number: 8
    Frame Length: 302 bytes
    Capture Length: 302 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:bootp]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Dell_80:27:ac (00:22:19:80:27:ac), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    Source: Dell_80:27:ac (00:22:19:80:27:ac)
        Address: Dell_80:27:ac (00:22:19:80:27:ac)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 288
    Identification: 0xad7c (44412)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0xcc51 [correct]
        [Good: True]
        [Bad : False]
    Source: 0.0.0.0 (0.0.0.0)
    Destination: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
    Source port: bootpc (68)
    Destination port: bootps (67)
    Length: 268
    Checksum: 0x6b51 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
Bootstrap Protocol
    Message type: Boot Request (1)
    Hardware type: Ethernet
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0xb0660a1b
    Seconds elapsed: 28 (little endian bug?)
    Bootp flags: 0x8000 (Broadcast)
        1... .... .... .... = Broadcast flag: Broadcast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0 (0.0.0.0)
    Your (client) IP address: 0.0.0.0 (0.0.0.0)
    Next server IP address: 0.0.0.0 (0.0.0.0)
    Relay agent IP address: 0.0.0.0 (0.0.0.0)
    Client MAC address: Dell_80:27:ac (00:22:19:80:27:ac)
    Server host name not given
    Boot file name not given
    Magic cookie: (OK)
    Option: (t=53,l=1) DHCP Message Type = DHCP Discover
        Option: (53) DHCP Message Type
        Length: 1
        Value: 01
    Option: (t=55,l=4) Parameter Request List
        Option: (55) Parameter Request List
        Length: 4
        Value: 01033336
        1 = Subnet Mask
        3 = Router
        51 = IP Address Lease Time
        54 = Server Identifier
    Option: (t=60,l=8) Vendor class identifier = "brcmftsk"
        Option: (60) Vendor class identifier
        Length: 8
        Value: 6272636D6674736B
    End Option

No.     Time        Source                Destination           Protocol Info
      9 36.795588   0.0.0.0               255.255.255.255       DHCP     DHCP Discover - Transaction ID 0x2d9c6e2d

Frame 9 (302 bytes on wire, 302 bytes captured)
    Arrival Time: Jun 18, 2009 09:28:32.294411000
    [Time delta from previous captured frame: 2.609695000 seconds]
    [Time delta from previous displayed frame: 2.609695000 seconds]
    [Time since reference or first frame: 36.795588000 seconds]
    Frame Number: 9
    Frame Length: 302 bytes
    Capture Length: 302 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:bootp]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Dell_80:27:ac (00:22:19:80:27:ac), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    Source: Dell_80:27:ac (00:22:19:80:27:ac)
        Address: Dell_80:27:ac (00:22:19:80:27:ac)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 288
    Identification: 0xad7d (44413)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0xcc50 [correct]
        [Good: True]
        [Bad : False]
    Source: 0.0.0.0 (0.0.0.0)
    Destination: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
    Source port: bootpc (68)
    Destination port: bootps (67)
    Length: 268
    Checksum: 0xa609 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
Bootstrap Protocol
    Message type: Boot Request (1)
    Hardware type: Ethernet
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x2d9c6e2d
    Seconds elapsed: 0
    Bootp flags: 0x8000 (Broadcast)
        1... .... .... .... = Broadcast flag: Broadcast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0 (0.0.0.0)
    Your (client) IP address: 0.0.0.0 (0.0.0.0)
    Next server IP address: 0.0.0.0 (0.0.0.0)
    Relay agent IP address: 0.0.0.0 (0.0.0.0)
    Client MAC address: Dell_80:27:ac (00:22:19:80:27:ac)
    Server host name not given
    Boot file name not given
    Magic cookie: (OK)
    Option: (t=53,l=1) DHCP Message Type = DHCP Discover
        Option: (53) DHCP Message Type
        Length: 1
        Value: 01
    Option: (t=55,l=4) Parameter Request List
        Option: (55) Parameter Request List
        Length: 4
        Value: 01033336
        1 = Subnet Mask
        3 = Router
        51 = IP Address Lease Time
        54 = Server Identifier
    Option: (t=60,l=8) Vendor class identifier = "brcmftsk"
        Option: (60) Vendor class identifier
        Length: 8
        Value: 6272636D6674736B
    End Option

No.     Time        Source                Destination           Protocol Info
     10 40.185615   0.0.0.0               255.255.255.255       DHCP     DHCP Discover - Transaction ID 0x2e9c6e2d

Frame 10 (302 bytes on wire, 302 bytes captured)
    Arrival Time: Jun 18, 2009 09:28:35.684438000
    [Time delta from previous captured frame: 3.390027000 seconds]
    [Time delta from previous displayed frame: 3.390027000 seconds]
    [Time since reference or first frame: 40.185615000 seconds]
    Frame Number: 10
    Frame Length: 302 bytes
    Capture Length: 302 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:bootp]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Dell_80:27:ac (00:22:19:80:27:ac), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    Source: Dell_80:27:ac (00:22:19:80:27:ac)
        Address: Dell_80:27:ac (00:22:19:80:27:ac)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 288
    Identification: 0xad7e (44414)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0xcc4f [correct]
        [Good: True]
        [Bad : False]
    Source: 0.0.0.0 (0.0.0.0)
    Destination: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
    Source port: bootpc (68)
    Destination port: bootps (67)
    Length: 268
    Checksum: 0xa109 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
Bootstrap Protocol
    Message type: Boot Request (1)
    Hardware type: Ethernet
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x2e9c6e2d
    Seconds elapsed: 4 (little endian bug?)
    Bootp flags: 0x8000 (Broadcast)
        1... .... .... .... = Broadcast flag: Broadcast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0 (0.0.0.0)
    Your (client) IP address: 0.0.0.0 (0.0.0.0)
    Next server IP address: 0.0.0.0 (0.0.0.0)
    Relay agent IP address: 0.0.0.0 (0.0.0.0)
    Client MAC address: Dell_80:27:ac (00:22:19:80:27:ac)
    Server host name not given
    Boot file name not given
    Magic cookie: (OK)
    Option: (t=53,l=1) DHCP Message Type = DHCP Discover
        Option: (53) DHCP Message Type
        Length: 1
        Value: 01
    Option: (t=55,l=4) Parameter Request List
        Option: (55) Parameter Request List
        Length: 4
        Value: 01033336
        1 = Subnet Mask
        3 = Router
        51 = IP Address Lease Time
        54 = Server Identifier
    Option: (t=60,l=8) Vendor class identifier = "brcmftsk"
        Option: (60) Vendor class identifier
        Length: 8
        Value: 6272636D6674736B
    End Option