Monday, January 28, 2008

Loopback header

For system and network administrators who put the loopback interface to good use (local proxies and so forth), have you ever thought of looking at the network traffic that passes through it? I took a closer look at packet captures lately, and it looks interesting because it differs across OS platforms. Here's the result I get by capturing on an Ubuntu Linux box -

shell>sudo tcpdump -c 1 -XXttttnni lo
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
2008-01-28 15:39:37.190524 IP 127.0.0.1.55555 > 127.0.0.1.33108: P 1689457265:1689461100(3835) ack 1687382572 win 283
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 0f2f 9c2f 4000 4006 9197 7f00 0001 7f00 ././@.@.........
0x0020: 0001 d903 8154 64b3 1271 6493 6a2c 8018 .....Td..qd.j,..
0x0030: 011b 0d24 0000 0101 080a 01ef 6ceb 01ef ...$........l...
0x0040: 6c47 e938 36b7 4cc3 c0dd d673 2e3a cc65 lG.86.L....s.:.e
0x0050: c257 5cd0 7a0f dc7a d2d7 066d eee3 deb8 .W\.z..z...m....


lo is the loopback interface on my Ubuntu box, and you may notice the link type is Ethernet, whose header is 14 bytes.

0000 0000 0000 0000 0000 0000 0800

Since there are no source and destination MAC addresses for the loopback interface, they are just padded with 0000 0000 0000 0000 0000 0000 (12 bytes), followed by another 2 bytes (0800) for the next-layer protocol (the EtherType, 0x0800 being IPv4), for a total of 14 bytes. I think this makes it much easier to read and decode.

However, when I capture packets on the loopback interface on FreeBSD, I get this result -

shell>sudo tcpdump -c 1 -XXttttnni lo0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
2008-01-28 15:40:50.695859 IP 127.0.0.1.65304 > 127.0.0.1.6343: UDP, length 304
0x0000: 0200 0000 4500 014c 73f0 0000 4011 07af ....E..Ls...@...
0x0010: 7f00 0001 7f00 0001 ff18 18c7 0138 7937 .............8y7
0x0020: 0000 0005 0000 0001 7f00 0001 0000 0000 ................
0x0030: 0000 2369 09e4 5558 0000 0002 0000 0001 ..#i..UX........
0x0040: 0000 0090 0000 0c8c 0000 0001 0000 0001 ................
0x0050: 0000 0000 0000 0000 0000 0001 3fff ffff ............?...


The loopback interface is lo0 and the link type is NULL. If you are familiar with the IPv4 header (it usually starts with 45 when the header length is 20 bytes, i.e. no IP options enabled), you can see that the loopback header here is 4 bytes -

0200 0000

This tells us that the two operating systems implement the loopback interface differently. I'm wondering whether other packet analysis tools will have problems parsing packets captured from the FreeBSD loopback interface. I haven't looked at other OSes yet, and maybe you can tell me more about this. Any thoughts?
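To show how a decoder has to treat the two captures above differently, here is an added example (not code from the post): it strips the link-layer header according to the pcap link type and then decodes the IPv4 header from the bytes of both hex dumps. The link-type numbers (0 for NULL, 1 for Ethernet) and the AF_INET value of 2 are libpcap/BSD constants assumed here; the FreeBSD NULL header stores that family value in the capturing host's byte order, so the parser accepts either encoding.

```python
import struct

# libpcap link-type values for the two captures above (DLT_NULL and DLT_EN10MB)
LINKTYPE_NULL = 0
LINKTYPE_ETHERNET = 1
AF_INET = 2            # address family written into the 4-byte BSD loopback header
ETHERTYPE_IPV4 = 0x0800

# Constructed samples: the link-layer header plus the 20-byte IPv4 header,
# copied from the two tcpdump hex dumps in the post.
LINUX_LO = bytes.fromhex(
    "0000000000000000000000000800"          # 14-byte zero-MAC Ethernet header
    "45000f2f9c2f400040069197" "7f0000017f000001")
FREEBSD_LO0 = bytes.fromhex(
    "02000000"                              # 4-byte NULL header, AF_INET little-endian
    "4500014c73f00000401107af" "7f0000017f000001")


def link_header_len(linktype, frame):
    """Return how many link-layer bytes sit in front of the IP header."""
    if linktype == LINKTYPE_ETHERNET:
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype != ETHERTYPE_IPV4:
            raise ValueError("not an IPv4 Ethernet frame: 0x%04x" % ethertype)
        return 14
    if linktype == LINKTYPE_NULL:
        # The family is stored in the *capturing* host's byte order, which a
        # savefile reader cannot know, so accept both encodings of AF_INET.
        if frame[:4] not in (struct.pack("<I", AF_INET), struct.pack(">I", AF_INET)):
            raise ValueError("NULL header is not AF_INET: %s" % frame[:4].hex())
        return 4
    raise ValueError("unsupported link type %d" % linktype)


def parse_ipv4(linktype, frame):
    """Strip the link-layer header and decode the fixed part of the IPv4 header."""
    off = link_header_len(linktype, frame)
    fields = struct.unpack("!BBHHHBBH4s4s", frame[off:off + 20])
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = fields
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4 at offset %d" % off)
    return {
        "ihl_bytes": (ver_ihl & 0x0F) * 4,
        "total_length": total_len,
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }
```

Feeding the FreeBSD frame to the Ethernet branch (or vice versa) raises instead of silently decoding garbage, which is exactly the failure a tool that assumes one link type would hit.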

Enjoy (;])

1 comment:

kate said...

hey dude! loopback header? are you sure about that.