Name

etdc - decode Apple EtherTalk packets from tcpdump

Syntax

etdc [ -a | -p | -w ] [ -h ] [ -v ] [ -n | -N ] [ -r | -R ] [ -g | -G ] [ -z | -Z ] [ -e | -E ] [ -t | -T ] [ -d | -D ] [ -m | -M ] [ -x AppleTalk-src-address ] [ -y AppleTalk-dst-address ]

Description

The etdc perl script decodes EtherTalk packets from tcpdump(8) hex dump output.

Availability

etdc is a product of the Network Systems Group at Princeton University's Office of Information Technology, and is available from http://www.net.princeton.edu/software/etdc/

The script relies on perl 5.6.0 or later, and tcpdump(8).

Options

-a
Attempt to decode ATP packets as ASP packets (default).
-p
Attempt to decode ATP packets as PAP packets. Note that the data content of typical PAP Data packets often includes non-printing characters that will make the ASCII dump of the data field of limited value; parts of it may be truncated or overwritten as a result of these non-printing characters.
-w
Attempt to decode ATP packets as IPGP packets.
-h
Display a help message then exit.
-r
Filter to include RTMP packets.
-R
Filter to exclude RTMP packets.
-n
Filter to include NBP packets.
-N
Filter to exclude NBP packets.
-z
Filter to include ZIP packets, as well as those sent over ATP.
-Z
Filter to exclude ZIP packets, as well as those sent over ATP.
-e
Filter to include AEP packets.
-E
Filter to exclude AEP packets.
-g
Filter to include AARP packets.
-G
Filter to exclude AARP packets.
-v
Display the version number then exit.
-t
Filter to include ATP packets (including higher-layer protocols such as PAP, ASP, IPGP, and some ZIP).
-T
Filter to exclude ATP packets (including higher-layer protocols such as PAP, ASP, IPGP, and some ZIP).
-m
Filter to include MacIP packets.
-M
Filter to exclude MacIP packets.
-x
Filter to include only packets from AppleTalk-src-address. Specify the address in the form 29248.165.
-y
Filter to include only packets to AppleTalk-dst-address. Specify the address in the form 29248.165.

Usage

The meaning of most ATP packets is context-dependent, so you may specify how they should be decoded: as ASP, PAP, or IPGP. If you do not specify, by default they will be decoded as ASP. (ZIP ATP packets will always be decoded properly, as their meaning is not context-dependent.)

By default, all packets are displayed. If you specify an include filter, only packets that match that filter will be shown. You may specify a combination of include filters to include packets that match any of the filters (include filters are logically or'd).

If you specify an exclude filter, all packets that match that filter will be excluded from the display. You may specify a combination of exclude filters to exclude packets that match any of the filters (exclude filters are logically or'd).

It usually is not meaningful to specify both include and exclude filters, except when you are trying to see only certain kinds of ATP packets. etdc will refuse to do anything too silly (e.g. both -R and -r).

If you specify an address filter, only packets that match that filter will be shown. You may not specify more than one AppleTalk source address, and you may not specify more than one AppleTalk destination address. If you specify both source and destination address filters, the two filters will be OR'd together. Thus, to capture all traffic to and from an AppleTalk address, specify it in both the source and the destination address filters.

Examples

The simplest way to use etdc is in a pipeline with tcpdump(8), e.g. on Ethernet use:


tcpdump -l -s 621 -q -x -e
    ('ether[14:4]=0xaaaa0300' and 'ether[18:4]=0x000080f3') or
    ('ether[14:4]=0xaaaa0308' and 'ether[18:4]=0x0007809b')
| etdc

The command above has been split across multiple lines for clarity; it should be entered as a single line. The quotes around the filter's subexpressions are not actually part of the command, but are necessary if the square brackets are special characters in your shell. If your shell treats parentheses as special characters, you'll need to escape or quote them as well.

Note that etdc does not read the raw packet capture files that are produced with tcpdump's -w option. Instead, etdc reads the hex dump (textual) output produced by tcpdump's -x option.

You must specify tcpdump's -x option, to produce the hex dump that etdc expects to read. etdc expects that each packet it reads will consist of a single packet header line followed by hex dump lines. Therefore, you should not specify tcpdump's -X option; it causes newer versions of tcpdump to also print the packet's contents in ASCII. And it's a good idea to include tcpdump's -q option, which inhibits some additional decoding which tcpdump might decide to perform when it believes it knows how to decode the packet.

You must specify tcpdump's -s option to increase the snaplen enough to capture complete EtherTalk packets. A value of 621 is adequate.

When used in a pipe, specify tcpdump's -l option, so its output is line-buffered. (This isn't necessary if you first write the tcpdump output to a file, then later process the file with etdc.)

AppleTalk AARP packets begin with the 802.2 header 0xaaaa03 followed by the SNAP protocol discriminator 0x00000080f3. AppleTalk data packets begin with the 802.2 header 0xaaaa03 followed by the SNAP protocol discriminator 0x080007809b. (These fields immediately follow the link encapsulation (e.g. Ethernet), and are followed in turn by the actual AARP or DDP packet.) Therefore, an appropriate tcpdump(8) filter should include packets beginning with either of two 8-byte values, 0xaaaa0300000080f3 or 0xaaaa03080007809b, following the link's own encapsulation. As of this writing, tcpdump(8) only permits filters to test 1, 2 or 4 bytes at a time; this is why the filter expression suggested above doesn't test the entire 8-byte value all at once.

Sample Output


17:40:57.348848 plaid 9:0:7:ff:ff:ff
  AARP function=Probe htype=0001  prototype=809b  hlen=06  protolen=04
    Src hardware: 00:01:02:03:04:05  Tentative AppleTalk: 29416.80
          Unused: 00:00:00:00:00:00  Tentative Appletalk: 29416.80


17:40:57.378932 plaid 9:0:7:ff:ff:ff
  DDP HEADER:  Src: 29416.80.6	Dest: 0.255.6
               Hops: 0	Length: 31	ChkSum: 0x0000	DDPType: ZIP
    ZIP HEADER:  Function: GetNetInfo Request
      Zone: 87_Prospect


17:40:57.389889 wormhole 9:0:7:ff:ff:ff
  AARP function=Request htype=0001  prototype=809b  hlen=06  protolen=04
    Src hardware: 00:22:44:66:88:aa        Src AppleTalk: 29418.131
          Unused: 00:00:00:00:00:00    Desired Appletalk: 29416.80


17:40:57.390009 plaid wormhole
  AARP function=Response htype=0001  prototype=809b  hlen=06  protolen=04
    Src hardware: 00:01:02:03:04:05        Src AppleTalk: 29416.80
    Dst hardware: 00:22:44:66:88:aa        Dst AppleTalk: 29418.131


17:40:57.391144 wormhole plaid
  DDP HEADER:  Src: 29418.131.6	Dest: 29416.80.6
               Hops: 0	Length: 38	ChkSum: 0x908f	DDPType: ZIP
    ZIP HEADER:  Function: GetNetInfo Reply	FLAGS:
      Range Start: 29416  Range End: 29419
      Zone: 87_Prospect
      Mcast Addr: 0x0900070000f3


17:40:57.392543 plaid wormhole
  DDP HEADER:  Src: 29416.80.64	Dest: 29418.131.6
               Hops: 0	Length: 21	ChkSum: 0x0000	DDPType: ATP
    ATP HEADER:  Function: TReq	TID: 1	Bitmap: 01
    ZIP GetLocalZones Request:
      Start Index: 1


17:40:57.399712 wormhole plaid
  DDP HEADER:  Src: 29418.131.6	Dest: 29416.80.64
               Hops: 0	Length: 92	ChkSum: 0x68d1	DDPType: ATP
    ATP HEADER:  Function: TResp EOM	TID: 1	Seqnum: 00
    ZIP GetZoneList/GetLocalZones/GetMyZone Reply:	5 zones (LAST)
      Name: Unconfigured
      Name: 116_Prospect
      Name: 171_Broadmead
      Name: 87_Prospect
      Name: PU_Cluster_87P_108


17:43:54.186754 wormhole 9:0:7:0:0:f3
  DDP HEADER:  Src: 29312.85.131	Dest: 0.255.2
               Hops: 0	Length: 36	ChkSum: 0x7ddc	DDPType: NBP
    NBP HEADER:  Function: LkUp		Tuples: 1	NBP ID: 1
       Addr: 29312.85.131   Enum: 0    Entity: "=:=@87_Prospect"


17:43:54.186936 scramble wormhole
  DDP HEADER:  Src: 29416.83.2	Dest: 29312.85.131
               Hops: 0	Length: 86	ChkSum: 0xe57d	DDPType: NBP
    NBP HEADER:  Function: LkUp-Reply		Tuples: 2	NBP ID: 1
       Addr: 29416.83.130   Enum: 0    Entity: "scramble:UNIX/CAP@87_Prospect"
       Addr: 29416.83.132   Enum: 1    Entity: "scramble:AFPServer@87_Prospect"


17:48:13.174344 scramble psnt
  DDP HEADER:  Src: 29416.83.135	Dest: 29416.4.157
               Hops: 0	Length: 25	ChkSum: 0x54e7	DDPType: ATP
    ATP HEADER:  Function: TReq XO	TID: 26087	Bitmap: 01	TRel timeout: 30 sec
      PAP HEADER:  ConnID: 41      CMD: OpenConn
      ATPRSSN: 134	FlowQuantum: 8	WaitTime: 1

17:48:15.183992 scramble psnt
  DDP HEADER:  Src: 29416.83.135	Dest: 29416.4.157
               Hops: 0	Length: 25	ChkSum: 0x54e7	DDPType: ATP
    ATP HEADER:  Function: TReq XO	TID: 26087	Bitmap: 01	TRel timeout: 30 sec
      PAP HEADER:  ConnID: 41      CMD: OpenConn
      ATPRSSN: 134	FlowQuantum: 8	WaitTime: 1


17:48:15.259261 psnt scramble
  DDP HEADER:  Src: 29416.4.157	Dest: 29416.83.135
               Hops: 0	Length: 61	ChkSum: 0x0000	DDPType: ATP
    ATP HEADER:  Function: TResp XO	TID: 26087	Seqnum: 00
      PAP HEADER:  ConnID: 41      CMD: OpenConnReply
      ATPRSSN: 186	FlowQuantum: 8	Result: No error - connection opened
      Status: status: busy; source: EIO 1 (ATALK)


17:48:15.259406 scramble psnt
  DDP HEADER:  Src: 29416.83.135	Dest: 29416.4.157
               Hops: 0	Length: 21	ChkSum: 0xb444	DDPType: ATP
    ATP HEADER:  Function: TRel	TID: 26087


17:48:15.259464 scramble psnt
  DDP HEADER:  Src: 29416.83.135	Dest: 29416.4.186
               Hops: 0	Length: 21	ChkSum: 0x1d05	DDPType: ATP
    ATP HEADER:  Function: TReq	TID: 26088	Bitmap: 01
      PAP HEADER:  ConnID: 41      CMD: Tickle


17:48:15.260252 scramble psnt
  DDP HEADER:  Src: 29416.83.135	Dest: 29416.4.186
               Hops: 0	Length: 21	ChkSum: 0xbc17	DDPType: ATP
    ATP HEADER:  Function: TReq XO	TID: 26089	Bitmap: ff	TRel timeout: 30 sec
      PAP HEADER:  ConnID: 41      CMD: SendData	 PAP Seq Num: 1

Author

The program was written by Bill Sproule and Chris Tengi of the Network Systems Group at Princeton University's Office of Information Technology. It was enhanced by Irwin Tillman of the same organization.

Bugs

The program does not attempt to decode a packet until it is certain it has read the entire packet's hex dump. The end of the packet is detected by looking for the next packet's "tcpdump packet header" line, a short hex dump line, or EOF. As a result, if the hex dump of a packet we are reading from STDIN ends in a full line (a multiple of 16 bytes), we will not print the packet until the next packet arrives. If you kill etdc before that happens, that packet will never be printed. This can be avoided by reading the packet dump from a file and allowing the program to run to completion.
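The input format and SNAP framing described under Examples, together with the end-of-packet rule described above, as an added Python example (not etdc's own code): it splits tcpdump -x text into packets, flushes a full-line final packet only at EOF, and decodes the AARP or long DDP header behind the 802.2/SNAP bytes. The dump text, host names and field values it embeds are constructed for the example.

```python
import struct

# Constructed tcpdump -x style input (hex lines indented as tcpdump prints them).
# Packet 1 (AARP Probe) is 36 bytes, so its dump ends in a short line; packet 2
# (DDP/ZIP) is exactly 32 bytes, so it ends on a full line and completes only at EOF.
SAMPLE = """\
17:40:57.348848 plaid 9:0:7:ff:ff:ff
\t\t\t aaaa 0300 0000 80f3 0001 809b 0604 0003
\t\t\t 0001 0203 0405 0072 e850 0000 0000 0000
\t\t\t 0072 e850
17:40:57.378932 plaid 9:0:7:ff:ff:ff
\t\t\t aaaa 0308 0007 809b 0018 0000 0000 72e8
\t\t\t ff50 0606 0605 0000 0000 054c 6162 5f41
"""
SNAP_AARP = bytes.fromhex("aaaa0300000080f3")  # 802.2 header + AARP SNAP discriminator
SNAP_DDP = bytes.fromhex("aaaa03080007809b")   # 802.2 header + DDP SNAP discriminator
AARP_FUNCS = {1: "Request", 2: "Response", 3: "Probe"}
DDP_TYPES = {1: "RTMP Resp", 2: "NBP", 3: "ATP", 4: "AEP", 5: "RTMP Req", 6: "ZIP", 7: "ADSP"}
def split_packets(text):
    """Yield (header_line, bytes); a packet ends at the next header, a short hex line, or EOF."""
    header, buf = None, bytearray()
    for line in filter(str.strip, text.splitlines()):   # skip blank lines
        if line[0] not in " \t":                         # unindented: tcpdump packet header
            if header is not None:
                yield header, bytes(buf)
            header, buf = line, bytearray()
        elif header is not None:                         # hex line; drop any "0x0010:" offset
            chunk = bytes.fromhex("".join(t for t in line.split() if not t.endswith(":")))
            buf += chunk
            if len(chunk) < 16:                          # short line closes the packet
                yield header, bytes(buf)
                header = None
    if header is not None:                               # last line was full: flush at EOF
        yield header, bytes(buf)
def atalk(b):  # AARP protocol address: pad byte, 16-bit net, 8-bit node -> "net.node"
    return f"{int.from_bytes(b[1:3], 'big')}.{b[3]}"

def decode(p):
    """Decode the SNAP framing and the AARP or long DDP header that follows it."""
    if p[:8] == SNAP_AARP and len(p) >= 36:
        func = int.from_bytes(p[14:16], "big")           # follows htype, ptype, hlen, plen
        return {"proto": "AARP", "function": AARP_FUNCS.get(func, str(func)),
                "src_hw": p[16:22].hex(":"), "src_atalk": atalk(p[22:26]), "dst_atalk": atalk(p[32:36])}
    if p[:8] == SNAP_DDP and len(p) >= 21:               # 13-byte long DDP header
        hl, ck, dnet, snet, dnode, snode, dsock, ssock, typ = struct.unpack("!HHHHBBBBB", p[8:21])
        return {"proto": "DDP", "hops": (hl >> 10) & 0xF, "length": hl & 0x3FF, "checksum": ck,
                "src": f"{snet}.{snode}.{ssock}", "dst": f"{dnet}.{dnode}.{dsock}",
                "type": DDP_TYPES.get(typ, str(typ))}
    return {"proto": "other"}                            # not AppleTalk over 802.2/SNAP
```

Feed it `sys.stdin.read()` from a `tcpdump -l -s 621 -q -x` pipeline and it reproduces the same packet-boundary behaviour etdc describes, including the full-line packet that is only printed at EOF.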

We don't allow you to decode ATP as AFP yet.

We don't know how to decode AURP yet.

When decoding ATP as IPGP, if we come across an ATP packet that is not IPGP, we can usually detect that and avoid showing IPGP fields, but only after we've already displayed the packet up through its ATP header.

See Also

perl(1)
available from http://www.perl.com
tcpdump(8)
available from http://www.tcpdump.org
