Technical data

Troubleshooting Techniques and Tools
1.2 Isolating Problems
For property list calls, you can request the mask value and the number of
property list entries. Property list replies return the status, the number of
bytes in the property list and the number of entries in the property list.
Note that NFS requests are very large and much of the detail is not displayed
unless the value of snaplen is increased. Use -s 192 to watch RPC traffic.
RPC reply packets do not explicitly identify the RPC operation. Instead, tcpdump
keeps track of recent requests, and matches them to the replies using the
transaction ID. If a reply does not closely follow the corresponding request, it
might not be parsable.
1.2.5.3.8 IP Fragmentation
Fragmented Internet datagrams are printed as follows:
(frag id:size@offset+)
(frag id:size@offset)
The first line indicates there are more fragments. The second indicates this is the
last fragment.
The following list explains the fields:
id is the fragment ID.
size is the fragment size (in bytes), excluding the IP header.
offset is the fragment’s offset (in bytes) in the original datagram.
The fragment information is output for each fragment. The first fragment
contains the higher level protocol header and the fragment information is
displayed after the protocol information. Fragments after the first contain no
higher level protocol header and the fragment information is printed after the
source and destination addresses. The following example shows part of an FTP
session from arizona.edu to lbl-rtsg.arpa over a CSNET connection that does not
appear to handle 576 byte datagrams:
arizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win 4096
(frag 595a:328@0+)
arizona > rtsg: (frag 595a:204@328)
rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560
Note the following:
Addresses in the second line do not include port numbers. This is because the
TCP protocol information is in the first fragment and tcpdump does not know
what the port or sequence numbers are when it displays the later fragments.
TCP sequence information in the first line is displayed as if there were 308
bytes of user data; however, there are 512 bytes (308 in the first fragment
and 204 in the second). If you are looking for holes in the sequence space or
trying to match up acknowledgements with packets, this can be misleading.
A packet with the IP "do not fragment" flag is marked with a trailing (DF).
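As an added worked example (not part of the manual), the fragment notation and the sequence caveat above: a small Python parser that groups tcpdump's (frag id:size@offset[+]) annotations by fragment ID, reports a missing last fragment or a hole between fragments, and corrects the displayed TCP sequence range by the bytes carried in the later fragments. The input is the FTP example from the text, constructed here with each fragment annotation on the same line as its packet.

```python
import re
from dataclasses import dataclass
# Constructed sample: the fragmented FTP exchange quoted in the text, one packet per line.
SAMPLE = """\
arizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win 4096 (frag 595a:328@0+)
arizona > rtsg: (frag 595a:204@328)
rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560
"""
FRAG_RE = re.compile(r"\(frag (?P<id>[0-9a-f]+):(?P<size>\d+)@(?P<off>\d+)(?P<more>\+?)\)")
SEQ_RE = re.compile(r" (?P<start>\d+):\d+\((?P<len>\d+)\)")  # TCP "start:end(len)" field

@dataclass
class Fragment:
    size: int            # IP payload bytes in this fragment (IP header excluded)
    offset: int          # byte offset within the original datagram
    more: bool           # tcpdump printed a trailing '+': more fragments follow
    seq_start: int = -1  # TCP seq and displayed data length, first fragment only
    seq_len: int = -1

def parse_fragments(text):
    """Group tcpdump '(frag id:size@offset[+])' annotations by fragment ID."""
    groups = {}
    for line in text.splitlines():
        m = FRAG_RE.search(line)
        if not m:
            continue                      # unfragmented packet, nothing to collect
        frag = Fragment(int(m["size"]), int(m["off"]), m["more"] == "+")
        if s := SEQ_RE.search(line):      # only the first fragment carries the TCP header
            frag.seq_start, frag.seq_len = int(s["start"]), int(s["len"])
        groups.setdefault(m["id"], []).append(frag)
    return groups

def reassemble(frags):
    """Return (complete, total_payload_bytes, holes) for one datagram's fragments."""
    frags = sorted(frags, key=lambda f: f.offset)
    end, holes = 0, []
    for f in frags:
        if f.offset > end:
            holes.append((end, f.offset))   # bytes never seen between two fragments
        end = max(end, f.offset + f.size)
    complete = bool(frags) and frags[0].offset == 0 and not frags[-1].more and not holes
    return complete, end, holes

def true_tcp_seq_end(frags):
    """Seq end corrected for all fragments; tcpdump shows only the first fragment's data."""
    complete, total, _ = reassemble(frags)
    first = min(frags, key=lambda f: f.offset)
    if not complete or first.seq_start < 0:
        return None
    # TCP header length is derived (size minus displayed data), so no option layout is assumed
    return first.seq_start + total - (first.size - first.seq_len)
```

For the sample the corrected sequence end is 1536, which is exactly what the third line acknowledges, while the displayed range 1024:1332 would suggest a 204-byte hole.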
1.2.5.3.9 Timestamps
By default, all output lines are preceded by a timestamp. The timestamp is the
current clock time in the following form:
hh:mm:ss.frac
It is as accurate as the kernel’s clock. The timestamp reflects the time the kernel
first saw the packet. No attempt is made to account for the time difference
between when the Ethernet interface removed the packet from the wire and when
the kernel serviced the new packet interrupt.