Friday, May 31, 2013

Debugging IP packets to the bones

I come across hidden commands from time to time; some of them turn out to be useful and some are utterly useless or even disastrous. I decided to blog every hidden command I find, beginning with this one.

debug ip packet detail dump

Linux users will find the output familiar to an extent: it looks very much like the hex and ASCII dump tcpdump prints with -X. It is not tcpdump, though; it is IOS's own debug facility with a hidden keyword bolted on.

Let's see the output of this command on R1 (10.1.123.1) while another router (10.1.123.2) is pinging it.

R1#
*Mar  1 01:06:48.815: IP: tableid=0, s=10.1.123.2 (FastEthernet0/0), d=10.1.123.1 (FastEthernet0/0), routed via RIB
*Mar  1 01:06:48.815: IP: s=10.1.123.2 (FastEthernet0/0), d=10.1.123.1 (FastEthernet0/0), len 100, rcvd 3
*Mar  1 01:06:48.819:     ICMP type=8, code=0
0F402000:                       C200 1E640000            B..d..
0F402010: C2011E64 00000800 45000064 00130000  B..d....E..d....
0F402020: FE01B280 0A017B02 0A017B01 080053D9  ~.2...{...{...SY
0F402030: 00040000 00000000 003D2A30 ABCDABCD  .........=*0+M+M
0F402040: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
0F402050: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
0F402060: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
0F402070: ABCDABCD ABCDABCD ABCDABCD           +M+M+M+M+M+M
*Mar  1 01:06:48.835: IP: tableid=0, s=10.1.123.1 (local), d=10.1.123.2 (FastEthernet0/0), routed via FIB
*Mar  1 01:06:48.835: IP: s=10.1.123.1 (local), d=10.1.123.2 (FastEthernet0/0), len 100, sending
*Mar  1 01:06:48.839:     ICMP type=0, code=0
0F402000:                       C200 1E640000            B..d..
0F402010: C2011E64 00000800 45000064 00130000  B..d....E..d....
0F402020: FF01B180 0A017B01 0A017B02 00005BD9  ..1...{...{...[Y
0F402030: 00040000 00000000 003D2A30 ABCDABCD  .........=*0+M+M
0F402040: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
0F402050: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
0F402060: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
0F402070: ABCDABCD ABCDABCD ABCDABCD           +M+M+M+M+M+M

Here's a telnet exchange in both directions, showing the TCP source/destination ports, sequence and acknowledgement numbers, flags and window size (only the received segment is followed by its hex dump here):

*Mar  1 01:19:28.059: IP: tableid=0, s=10.1.123.2 (FastEthernet0/0), d=10.1.123.1 (FastEthernet0/0), routed via RIB
*Mar  1 01:19:28.059: IP: s=10.1.123.2 (FastEthernet0/0), d=10.1.123.1 (FastEthernet0/0), len 40, rcvd 3
*Mar  1 01:19:28.063:     TCP src=38274, dst=23, seq=3865343855, ack=3109086096, win=4128 ACK
0F7CBB60:                       C200 1E640000            B..d..
0F7CBB70: C2011E64 00000800 45C00028 D9400000  B..d....E@.(Y@..
0F7CBB80: FE06D8C9 0A017B02 0A017B01 95820017  ~.XI..{...{.....
0F7CBB90: E664776F B950E390 50101020 05600000  fdwo9Pc.P.. .`..
0F7CBBA0:                                                      
*Mar  1 01:19:28.067: IP: tableid=0, s=10.1.123.1 (local), d=10.1.123.2 (FastEthernet0/0), routed via FIB
*Mar  1 01:19:28.071: IP: s=10.1.123.1 (local), d=10.1.123.2 (FastEthernet0/0), len 52, sending
*Mar  1 01:19:28.071:     TCP src=23, dst=38274, seq=3109086096, ack=3865343855, win=4119 ACK PSH
  

As shown above, the hex dump follows the normal debug ip packet detail lines IOS prints: the table id (0 is the global routing table), the source and destination addresses with their interfaces, whether the packet was routed via RIB or FIB, the packet length, and the decoded transport header (ICMP type/code, or TCP ports, sequence/ack numbers, window and flags).

The catch is the hidden dump keyword at the end of the command: it makes the router print the whole frame (Ethernet header, IP header and payload) in hexadecimal with an ASCII column, instead of just the decoded headers. In the dumps above you can read the destination and source MAC addresses (C200.1E64.0000 and C201.1E64.0000), the 0800 ethertype, then the IP header starting with 45. That is pretty neat if you really need to know the content of a packet without Wireshark or any external tool. Keep in mind that the content is the raw application data too, so dumping a telnet session like the one above puts the login and password in cleartext into whatever receives the debug output (console, logging buffer or syslog server).

I need to stress that debugging IP packets on a router in a live network is very dangerous (as we all know, don't we), and I strongly suggest you try it out in a lab environment. If you really have to run it in production, at least narrow it down with the access-list argument that debug ip packet accepts (for example debug ip packet 101 detail dump, with access-list 101 matching only the hosts you care about), keep in mind that it only shows process-switched packets, so CEF or fast-switched traffic will not appear unless you disable the route cache on the interface, and turn it off with undebug all as soon as you have what you need.

Hopefully this comes in handy when you really need to debug some packets.