RIP Packet Format Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30 pm US/Eastern) Announcing the arrival of Valued Associate #679: Cesar Manara Unicorn Meta Zoo #1: Why another podcast?RIP routing is broken between two routersWhy is RIP not scalable?Why we can not ping to multicast address 224.0.0.9 of RIPRouters are not learning routes when using RIPHow does OSPF understand its directly connected networks if you're configuring interfaces?How do you define cost in Quagga for BGP and RIP?Does RIP stores information about entire AS?Why is RIP sending classless updates?Clarifications about RIP and OSPFthe difference between RIP and OSPF
Writing a T-SQL stored procedure to receive 4 numbers and insert them into a table
Is a self contained air-bullet cartridge feasible?
What is the purpose of the side handle on a hand ("eggbeater") drill?
How would it unbalance gameplay to rule that Weapon Master allows for picking a fighting style?
What to do with someone that cheated their way though university and a PhD program?
Is it accepted to use working hours to read general interest books?
What was Apollo 13's "Little Jolt" after MECO?
All ASCII characters with a given bit count
Is there a verb for listening stealthily?
My admission is revoked after accepting the admission offer
What does こした mean?
Was there ever a LEGO store in Miami International Airport?
Is there a possibility to generate a list dynamically in Latex?
Married in secret, can marital status in passport be changed at a later date?
Like totally amazing interchangeable sister outfit accessory swapping or whatever
When does Bran Stark remember Jamie pushing him?
When speaking, how do you change your mind mid-sentence?
Eigenvalues of the Laplacian of the directed De Bruijn graph
/bin/ls sorts differently than just ls
How did Elite on the NES work?
Could a cockatrice have parasitic embryos?
Was Objective-C really a hindrance to Apple software development?
Will I lose my paid in full property
Is there an efficient way for synchronising audio events real-time with LEDs using an MCU?
RIP Packet Format
Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30 pm US/Eastern)
Announcing the arrival of Valued Associate #679: Cesar Manara
Unicorn Meta Zoo #1: Why another podcast?RIP routing is broken between two routersWhy is RIP not scalable?Why we can not ping to multicast address 224.0.0.9 of RIPRouters are not learning routes when using RIPHow does OSPF understand its directly connected networks if you're configuring interfaces?How do you define cost in Quagga for BGP and RIP?Does RIP stores information about entire AS?Why is RIP sending classless updates?Clarifications about RIP and OSPFthe difference between RIP and OSPF
I am trying to investigate a RIP packet. It clearly states that the packet is RIP v1. But its format does not match with the either RIP v1 or v2. Any ideas what this packet actually is?
routing packet-analysis rip
New contributor
add a comment |
I am trying to investigate a RIP packet. It clearly states that the packet is RIP v1. But its format does not match with the either RIP v1 or v2. Any ideas what this packet actually is?
routing packet-analysis rip
New contributor
You should use the verbose output (-vv
) to get more information with the full protocol decode.
– Ron Maupin♦
4 hours ago
I don't have further access to the system. Is it possible to decode via only this packet? @RonMaupin
– Bat
4 hours ago
add a comment |
I am trying to investigate a RIP packet. It clearly states that the packet is RIP v1. But its format does not match with the either RIP v1 or v2. Any ideas what this packet actually is?
routing packet-analysis rip
New contributor
I am trying to investigate a RIP packet. It clearly states that the packet is RIP v1. But its format does not match with the either RIP v1 or v2. Any ideas what this packet actually is?
routing packet-analysis rip
routing packet-analysis rip
New contributor
New contributor
New contributor
asked 4 hours ago
BatBat
1083
1083
New contributor
New contributor
You should use the verbose output (-vv
) to get more information with the full protocol decode.
– Ron Maupin♦
4 hours ago
I don't have further access to the system. Is it possible to decode via only this packet? @RonMaupin
– Bat
4 hours ago
add a comment |
You should use the verbose output (-vv
) to get more information with the full protocol decode.
– Ron Maupin♦
4 hours ago
I don't have further access to the system. Is it possible to decode via only this packet? @RonMaupin
– Bat
4 hours ago
You should use the verbose output (
-vv
) to get more information with the full protocol decode.– Ron Maupin♦
4 hours ago
You should use the verbose output (
-vv
) to get more information with the full protocol decode.– Ron Maupin♦
4 hours ago
I don't have further access to the system. Is it possible to decode via only this packet? @RonMaupin
– Bat
4 hours ago
I don't have further access to the system. Is it possible to decode via only this packet? @RonMaupin
– Bat
4 hours ago
add a comment |
3 Answers
3
active
oldest
votes
It's a RIPv1 packet. You're looking at the full IP packet. RIP starts at 0x0016.
The problem is that IP 128.238.62.2 (80ee 3e02) appears at the end of the first line. According to the rip v1, the previous 2 bytes should be zero but they have a value of f8f5.
– Bat
3 hours ago
3
That's the source IP in the IP header. Then you have the UDP header, then you have the RIP packet starting at 0x0016.
– Ron Trunk
3 hours ago
@RonTrunk ... IP starts at 0x0, UDP starts at 0x14 (port, port, length, checksum), surely RIP starts at 0x1c with bytes 0x0201: 0x02 = Response, 0x01 = RIP1.
– jonathanjo
16 mins ago
add a comment |
This is a response header. Response means ' A message containing all or part of the sender's routing table. This message may be sent in response to a request or poll, or it may be an update message generated by the sender.'
In addition to that you can see sender ip address and subnet.
If you want to see more details you can use -vv
add a comment |
One way to solve this kind of problem is to make a PCAP file from the data (with a tool or just a programming language such as python), and then use standard tools to examine it.
Your packet analysed with tshark is:
Internet Protocol Version 4, Src: 128.238.62.2, Dst: 255.255.255.255
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
1100 00.. = Differentiated Services Codepoint: Class Selector 6 (48)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 72
Identification: 0x0000 (0)
Flags: 0x0000
0... .... .... .... = Reserved bit: Not set
.0.. .... .... .... = Don't fragment: Not set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 2
[Expert Info (Note/Sequence): "Time To Live" only 2]
["Time To Live" only 2]
[Severity level: Note]
[Group: Sequence]
Protocol: UDP (17)
Header checksum: 0xf8f5 [validation disabled]
[Header checksum status: Unverified]
Source: 128.238.62.2
Destination: 255.255.255.255
User Datagram Protocol, Src Port: 520, Dst Port: 520
Source Port: 520
Destination Port: 520
Length: 52
Checksum: 0xb9a0 [unverified]
[Checksum Status: Unverified]
[Stream index: 0]
Routing Information Protocol
Command: Response (2)
Version: RIPv1 (1)
IP Address: 128.238.63.0, Metric: 1
Address Family: IP (2)
IP Address: 128.238.63.0
Metric: 1
IP Address: 128.238.64.0, Metric: 2
Address Family: IP (2)
IP Address: 128.238.64.0
Metric: 2
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "496"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Bat is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f58674%2frip-packet-format%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
It's a RIPv1 packet. You're looking at the full IP packet. RIP starts at 0x0016.
The problem is that IP 128.238.62.2 (80ee 3e02) appears at the end of the first line. According to the rip v1, the previous 2 bytes should be zero but they have a value of f8f5.
– Bat
3 hours ago
3
That's the source IP in the IP header. Then you have the UDP header, then you have the RIP packet starting at 0x0016.
– Ron Trunk
3 hours ago
@RonTrunk ... IP starts at 0x0, UDP starts at 0x14 (port, port, length, checksum), surely RIP starts at 0x1c with bytes 0x0201: 0x02 = Response, 0x01 = RIP1.
– jonathanjo
16 mins ago
add a comment |
It's a RIPv1 packet. You're looking at the full IP packet. RIP starts at 0x0016.
The problem is that IP 128.238.62.2 (80ee 3e02) appears at the end of the first line. According to the rip v1, the previous 2 bytes should be zero but they have a value of f8f5.
– Bat
3 hours ago
3
That's the source IP in the IP header. Then you have the UDP header, then you have the RIP packet starting at 0x0016.
– Ron Trunk
3 hours ago
@RonTrunk ... IP starts at 0x0, UDP starts at 0x14 (port, port, length, checksum), surely RIP starts at 0x1c with bytes 0x0201: 0x02 = Response, 0x01 = RIP1.
– jonathanjo
16 mins ago
add a comment |
It's a RIPv1 packet. You're looking at the full IP packet. RIP starts at 0x0016.
It's a RIPv1 packet. You're looking at the full IP packet. RIP starts at 0x0016.
answered 4 hours ago
Ron TrunkRon Trunk
40.1k33781
40.1k33781
The problem is that IP 128.238.62.2 (80ee 3e02) appears at the end of the first line. According to the rip v1, the previous 2 bytes should be zero but they have a value of f8f5.
– Bat
3 hours ago
3
That's the source IP in the IP header. Then you have the UDP header, then you have the RIP packet starting at 0x0016.
– Ron Trunk
3 hours ago
@RonTrunk ... IP starts at 0x0, UDP starts at 0x14 (port, port, length, checksum), surely RIP starts at 0x1c with bytes 0x0201: 0x02 = Response, 0x01 = RIP1.
– jonathanjo
16 mins ago
add a comment |
The problem is that IP 128.238.62.2 (80ee 3e02) appears at the end of the first line. According to the rip v1, the previous 2 bytes should be zero but they have a value of f8f5.
– Bat
3 hours ago
3
That's the source IP in the IP header. Then you have the UDP header, then you have the RIP packet starting at 0x0016.
– Ron Trunk
3 hours ago
@RonTrunk ... IP starts at 0x0, UDP starts at 0x14 (port, port, length, checksum), surely RIP starts at 0x1c with bytes 0x0201: 0x02 = Response, 0x01 = RIP1.
– jonathanjo
16 mins ago
The problem is that IP 128.238.62.2 (80ee 3e02) appears at the end of the first line. According to the rip v1, the previous 2 bytes should be zero but they have a value of f8f5.
– Bat
3 hours ago
The problem is that IP 128.238.62.2 (80ee 3e02) appears at the end of the first line. According to the rip v1, the previous 2 bytes should be zero but they have a value of f8f5.
– Bat
3 hours ago
3
3
That's the source IP in the IP header. Then you have the UDP header, then you have the RIP packet starting at 0x0016.
– Ron Trunk
3 hours ago
That's the source IP in the IP header. Then you have the UDP header, then you have the RIP packet starting at 0x0016.
– Ron Trunk
3 hours ago
@RonTrunk ... IP starts at 0x0, UDP starts at 0x14 (port, port, length, checksum), surely RIP starts at 0x1c with bytes 0x0201: 0x02 = Response, 0x01 = RIP1.
– jonathanjo
16 mins ago
@RonTrunk ... IP starts at 0x0, UDP starts at 0x14 (port, port, length, checksum), surely RIP starts at 0x1c with bytes 0x0201: 0x02 = Response, 0x01 = RIP1.
– jonathanjo
16 mins ago
add a comment |
This is a response header. Response means ' A message containing all or part of the sender's routing table. This message may be sent in response to a request or poll, or it may be an update message generated by the sender.'
In addition to that you can see sender ip address and subnet.
If you want to see more details you can use -vv
add a comment |
This is a response header. Response means ' A message containing all or part of the sender's routing table. This message may be sent in response to a request or poll, or it may be an update message generated by the sender.'
In addition to that you can see sender ip address and subnet.
If you want to see more details you can use -vv
add a comment |
This is a response header. Response means ' A message containing all or part of the sender's routing table. This message may be sent in response to a request or poll, or it may be an update message generated by the sender.'
In addition to that you can see sender ip address and subnet.
If you want to see more details you can use -vv
This is a response header. Response means ' A message containing all or part of the sender's routing table. This message may be sent in response to a request or poll, or it may be an update message generated by the sender.'
In addition to that you can see sender ip address and subnet.
If you want to see more details you can use -vv
answered 4 hours ago
serverAdmin123serverAdmin123
39717
39717
add a comment |
add a comment |
One way to solve this kind of problem is to make a PCAP file from the data (with a tool or just a programming language such as python), and then use standard tools to examine it.
Your packet analysed with tshark is:
Internet Protocol Version 4, Src: 128.238.62.2, Dst: 255.255.255.255
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
1100 00.. = Differentiated Services Codepoint: Class Selector 6 (48)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 72
Identification: 0x0000 (0)
Flags: 0x0000
0... .... .... .... = Reserved bit: Not set
.0.. .... .... .... = Don't fragment: Not set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 2
[Expert Info (Note/Sequence): "Time To Live" only 2]
["Time To Live" only 2]
[Severity level: Note]
[Group: Sequence]
Protocol: UDP (17)
Header checksum: 0xf8f5 [validation disabled]
[Header checksum status: Unverified]
Source: 128.238.62.2
Destination: 255.255.255.255
User Datagram Protocol, Src Port: 520, Dst Port: 520
Source Port: 520
Destination Port: 520
Length: 52
Checksum: 0xb9a0 [unverified]
[Checksum Status: Unverified]
[Stream index: 0]
Routing Information Protocol
Command: Response (2)
Version: RIPv1 (1)
IP Address: 128.238.63.0, Metric: 1
Address Family: IP (2)
IP Address: 128.238.63.0
Metric: 1
IP Address: 128.238.64.0, Metric: 2
Address Family: IP (2)
IP Address: 128.238.64.0
Metric: 2
add a comment |
One way to solve this kind of problem is to make a PCAP file from the data (with a tool or just a programming language such as python), and then use standard tools to examine it.
Your packet analysed with tshark is:
Internet Protocol Version 4, Src: 128.238.62.2, Dst: 255.255.255.255
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
1100 00.. = Differentiated Services Codepoint: Class Selector 6 (48)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 72
Identification: 0x0000 (0)
Flags: 0x0000
0... .... .... .... = Reserved bit: Not set
.0.. .... .... .... = Don't fragment: Not set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 2
[Expert Info (Note/Sequence): "Time To Live" only 2]
["Time To Live" only 2]
[Severity level: Note]
[Group: Sequence]
Protocol: UDP (17)
Header checksum: 0xf8f5 [validation disabled]
[Header checksum status: Unverified]
Source: 128.238.62.2
Destination: 255.255.255.255
User Datagram Protocol, Src Port: 520, Dst Port: 520
Source Port: 520
Destination Port: 520
Length: 52
Checksum: 0xb9a0 [unverified]
[Checksum Status: Unverified]
[Stream index: 0]
Routing Information Protocol
Command: Response (2)
Version: RIPv1 (1)
IP Address: 128.238.63.0, Metric: 1
Address Family: IP (2)
IP Address: 128.238.63.0
Metric: 1
IP Address: 128.238.64.0, Metric: 2
Address Family: IP (2)
IP Address: 128.238.64.0
Metric: 2
add a comment |
One way to solve this kind of problem is to make a PCAP file from the data (with a tool or just a programming language such as python), and then use standard tools to examine it.
Your packet analysed with tshark is:
Internet Protocol Version 4, Src: 128.238.62.2, Dst: 255.255.255.255
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
1100 00.. = Differentiated Services Codepoint: Class Selector 6 (48)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 72
Identification: 0x0000 (0)
Flags: 0x0000
0... .... .... .... = Reserved bit: Not set
.0.. .... .... .... = Don't fragment: Not set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 2
[Expert Info (Note/Sequence): "Time To Live" only 2]
["Time To Live" only 2]
[Severity level: Note]
[Group: Sequence]
Protocol: UDP (17)
Header checksum: 0xf8f5 [validation disabled]
[Header checksum status: Unverified]
Source: 128.238.62.2
Destination: 255.255.255.255
User Datagram Protocol, Src Port: 520, Dst Port: 520
Source Port: 520
Destination Port: 520
Length: 52
Checksum: 0xb9a0 [unverified]
[Checksum Status: Unverified]
[Stream index: 0]
Routing Information Protocol
Command: Response (2)
Version: RIPv1 (1)
IP Address: 128.238.63.0, Metric: 1
Address Family: IP (2)
IP Address: 128.238.63.0
Metric: 1
IP Address: 128.238.64.0, Metric: 2
Address Family: IP (2)
IP Address: 128.238.64.0
Metric: 2
One way to solve this kind of problem is to make a PCAP file from the data (with a tool or just a programming language such as python), and then use standard tools to examine it.
Your packet analysed with tshark is:
Internet Protocol Version 4, Src: 128.238.62.2, Dst: 255.255.255.255
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
1100 00.. = Differentiated Services Codepoint: Class Selector 6 (48)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 72
Identification: 0x0000 (0)
Flags: 0x0000
0... .... .... .... = Reserved bit: Not set
.0.. .... .... .... = Don't fragment: Not set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 2
[Expert Info (Note/Sequence): "Time To Live" only 2]
["Time To Live" only 2]
[Severity level: Note]
[Group: Sequence]
Protocol: UDP (17)
Header checksum: 0xf8f5 [validation disabled]
[Header checksum status: Unverified]
Source: 128.238.62.2
Destination: 255.255.255.255
User Datagram Protocol, Src Port: 520, Dst Port: 520
Source Port: 520
Destination Port: 520
Length: 52
Checksum: 0xb9a0 [unverified]
[Checksum Status: Unverified]
[Stream index: 0]
Routing Information Protocol
Command: Response (2)
Version: RIPv1 (1)
IP Address: 128.238.63.0, Metric: 1
Address Family: IP (2)
IP Address: 128.238.63.0
Metric: 1
IP Address: 128.238.64.0, Metric: 2
Address Family: IP (2)
IP Address: 128.238.64.0
Metric: 2
answered 21 mins ago
jonathanjojonathanjo
12.4k1938
12.4k1938
add a comment |
add a comment |
Bat is a new contributor. Be nice, and check out our Code of Conduct.
Bat is a new contributor. Be nice, and check out our Code of Conduct.
Bat is a new contributor. Be nice, and check out our Code of Conduct.
Bat is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Network Engineering Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f58674%2frip-packet-format%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
You should use the verbose output (
-vv
) to get more information with the full protocol decode.– Ron Maupin♦
4 hours ago
I don't have further access to the system. Is it possible to decode via only this packet? @RonMaupin
– Bat
4 hours ago