TCP or IP Packet???

bird66 · Jan 25, 2002

Hi,
I have a question about the Data I collected using Windump (TCPdump). I ran the program under Win98 and Win2000 in a school network.

The command I used to launch Windump (TCP dump) are as follows:

windump -n -q -tt ip and port 80

A sample of the data I collected under Win98 are:

1011898765.465003 130.215.24.173.1131 > 130.215.25.52.80: tcp 0 (DF)
1011898765.472396 130.215.24.173.1131 > 130.215.25.52.80: tcp 276 (DF)
1011898765.497211 130.215.25.52.80 > 130.215.24.173.1131: tcp 1460 (DF)
1011898765.498303 130.215.25.52.80 > 130.215.24.173.1131: tcp 1433 (DF)
1011898765.498378 130.215.24.173.1131 > 130.215.25.52.80: tcp 0 (DF)
1011898765.498663 130.215.25.52.80 > 130.215.24.173.1132: tcp 388 (DF)
1011898765.520735 130.215.24.173.1132 > 130.215.25.52.80: tcp 277 (DF)
1011898765.525439 130.215.24.173.1131 > 130.215.25.52.80: tcp 274 (DF)
1011898765.557582 130.215.25.52.80 > 130.215.24.173.1132: tcp 1460 (DF)
1011898765.558796 130.215.25.52.80 > 130.215.24.173.1132: tcp 1460 (DF)
1011898765.558867 130.215.24.173.1132 > 130.215.25.52.80: tcp 0 (DF)
1011898765.559783 130.215.25.52.80 > 130.215.24.173.1132: tcp 1176 (DF)
1011898765.560496 130.215.25.52.80 > 130.215.24.173.1132: tcp 663 (DF)
1011898765.560572 130.215.24.173.1132 > 130.215.25.52.80: tcp 0 (DF)
1011898765.561769 130.215.25.52.80 > 130.215.24.173.1131: tcp 1460 (DF)

And A sample of the data I collected Under Win2000 using the same command to launch the WinDump(TCPDump) are:

1008817347.180581 129.86.240.203.80 129.86.163.79.1698: 0
1008817347.180782 129.86.163.79.1698 129.86.240.203.80: 0
1008817347.185096 129.86.240.203.80 129.86.163.79.1698: 0
1008817347.185182 129.86.163.79.1698 129.86.240.203.80: 359
1008817347.672485 129.86.240.203.80 129.86.163.79.1698: 182
1008817347.833109 129.86.163.79.1698 129.86.240.203.80: 0
1008817347.833861 129.86.240.203.80 129.86.163.79.1698: 1278
1008817347.835088 129.86.240.203.80 129.86.163.79.1698: 1460
1008817347.835240 129.86.163.79.1698 129.86.240.203.80: 0
1008817347.838639 129.86.240.203.80 129.86.163.79.1698: 1460
1008817347.839007 129.86.163.79.1698 129.86.240.203.80: 0
1008817347.839811 129.86.240.203.80 129.86.163.79.1698: 1460
1008817347.841220 129.86.240.203.80 129.86.163.79.1698: 1460

My question iis: Are the Data I collected IP Packets or TCP Packet?? It seems to me that they are TCP Packets since the data from Win98 has TCP in every line.
I am collecting those data as a research on Wireless internet traffic. And I need to Collect IP Packets. If I am collecting TCP data using the command "windump -n -q -tt ip and port 80" What do I need to do to collect IP Packet instead?

Thank you very much for any help you can give me.

Looking forward to hear from you.

Bird66

jimbopalmer · Jan 25, 2002

all TCP packets are IP Packets, but not all IP packets are TCP Packets (the other major type are UDP packets) I tried to remain child-like, all I acheived was childish.

Guest_imported · Jan 27, 2002

To answer your question, TCP and IP are part of the TCP/IP protocol suite. IP is the OSI Layer 3 portion and TCP is the layer 4 portion. Essentially if you look at your example below:

1011898765.561769 130.215.25.52.80 > 130.215.24.173.1131: tcp 1460 (DF)

130.215.25.52 represents the source IP address (layer 3) and .80 immediately following represents TCP port 80 (layer 4). Just FYI TCP port 80 is for HTTP or webpages. Further the 130.215.24.173 is the destination IP and .1131 is the destination TCP port. I'm not sure what the 1460 represents.

The same holds true for the Win2000 version of your TCPDump.

benzito · Jan 28, 2002

1460 is the maximum segment size in bytes and (DF) stands for "don't fragment"

Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

TCP or IP Packet???

bird66

Technical User

jimbopalmer

Programmer

Guest_imported

New member

benzito

ISP

Similar threads

Part and Inventory Search

Sponsor