The views expressed in articles on this site are those of their authors.


Copyright 1998-2024, Southern California OS/2 User Group. ALL RIGHTS RESERVED.

SCOUG, Warp Expo West, and Warpfest are trademarks of the Southern California OS/2 User Group. OS/2, Workplace Shell, and IBM are registered trademarks of International Business Machines Corporation. All other trademarks remain the property of their respective owners.

The Southern California OS/2 User Group
USA

April 2003


Dear Mr. Know-It-All

Mr. Know-It-All has the answers to even the really tough questions.


Question:

I often see recommendations to use iptrace and ipformat to diagnose TCP/IP problems. I read the online help, but I don't really understand what it's telling me to do. Can you help?

Answer:

Iptrace is an IBM tool that captures TCP/IP packets and writes them to a binary file. Ipformat is the companion tool that reads this file, decodes each packet and writes the result to standard output.

For those that have not read the online help, use:

  tcphelp iptrace
and
  tcphelp ipformat
to get a feel for the features and options.

Perhaps the best way to learn how to use these tools is to start with a simple example. Let's say your ISP is not accepting your e-mail login, and as best you can tell you are using the correct userid and password.

To capture the trace data:

  • If you are using Injoy, open the Injoy settings dialog and tell Injoy to expose TCP/IP packets to iptrace. Injoy does not do this by default.
  • Open a command line window.
  • Start iptrace with the command:
      iptrace
    
    As packets are sent and received, iptrace will display summary messages in the window:
    [d:\tmp]iptrace
    lo: tracing enabled
    ppp0: tracing enabled
       lo:[  0.000]:  Dest: 127.0.0.1    Source: 127.0.0.1
       lo:[  0.000]:  Dest: 127.0.0.1    Source: 127.0.0.1
       lo:[  0.104]:  Dest: 127.0.0.1    Source: 127.0.0.1
       lo:[  0.000]:  Dest: 127.0.0.1    Source: 127.0.0.1
     ppp0:[  0.885]: process_pkt: len=53, type=24
     ppp0:[  0.166]: process_pkt: len=53, type=24
     ppp0:[  0.000]: process_pkt: len=44, type=24
     ppp0:[  0.180]: process_pkt: len=117, type=24
    
    The summary messages identify the interface and the time since the last packet. The messages themselves are usually less important than the fact that they occur. If you don't see packets coming and going from the expected sources and destinations, it may be time to look for NIC setup problems or similar issues.

    iptrace writes the captured packets to the file iptrace.dmp in the current directory. This cannot be changed, so don't run iptrace while the current directory is on a read-only file system such as a CD.

  • Switch to the e-mail program window. Try to login. Wait for the login to fail and for the packet activity to stop.
  • Switch back to the iptrace window.
  • Press the Enter key to stop iptrace.
  • Enter the command:
      ipformat >iptrace.txt
    
    to write the decoded trace output to the text file iptrace.txt. The file name can be whatever you want.

It should be obvious, but it's a good idea to shut down as many Internet applications as possible before starting to capture the trace data. If you don't, the trace might contain lots of not very helpful data. Keep in mind, too, that the dump holds the full payload of every packet. For a POP3 login that includes your user name and password in clear text (packets #9 and #12 below show exactly that), so treat iptrace.dmp and the decoded text file as sensitive, and delete them, or at least edit out the PASS line, before sending an excerpt to anyone for help.

Now comes what can be the hard part: interpreting the decoded trace data. Much of the art of interpreting trace data is knowing what to ignore. The output is verbose and repetitive.

What follows is the decoded output of our failed login attempt along with some commentary describing the elements.


 Opening IPTRACE.DMP ...  Sucessful
 Reading packet headers ...  18 headers read.
 PreProcess packet info
This tells us that iptrace.dmp recorded 18 packets.
-------------------------- #:1 --------------------------
This is the packet number. There should be no missing packet numbers in the output.
 Delta Time:  0.000sec   Packet Length: 41 bytes (29 hex)
The Delta Time is the time since the last packet was sent or received. This is not too relevant in this example. It is often very important when working on response timeouts and throughput problems.
 IP:    Dest: 127.000.000.001    Source:  127.000.000.001
----------------------- IP HEADER -----------------------
 IP:  Version: 4 Correct    Header Length: 20 bytes
 IP:  Type Of Service: 00
 IP:     000. ....  Routine
 IP:     ...0 ....  Normal Delay
 IP:     .... 0...  Normal Throughput
 IP:     .... .0..  Normal Reliability
 IP:  Total Len: 41 (x29) bytes          Id: 5C36
 IP:  Flags: 2
 IP:     .1..       Don't Fragment
 IP:     ..0.       Last Fragment
 IP:  Fragment Offset: 000
 IP:  Time To Live: 64 sec    Protocol: 6  TCP
 IP:  Header Checksum: E096    (Correct)
 IP:  No Options
---------------------- TCP HEADER ----------------------
 TCP:  Source Port: 51519  (Unassigned port)       Dest Port: 51520  (Unassigned port)
 TCP:  Sequence #: 2276667649 
 TCP:  Ack #: 2276570671 
 TCP:  Offset: 20 bytes
 TCP:  Flags: 18
 TCP:     ..0. ....        Urgent bit Off
 TCP:     ...1 ....   Ack bit On
 TCP:     .... 1...  Push bit On
 TCP:     .... .0..        Reset bit Off
 TCP:     .... ..0.        Synchronize bit Off
 TCP:     .... ...0        Finish bit Off
 TCP:  Window: 32912      Checksum: 7022   (Correct)
 TCP:  No Options
--------------------------------- DATA -----------------------------------
0000 38                                                   8


-------------------------- #:2 --------------------------
 Delta Time:  0.000sec   Packet Length: 41 bytes (29 hex)
 IP:    Dest: 127.000.000.001    Source:  127.000.000.001
----------------------- IP HEADER -----------------------
 IP:  Version: 4 Correct    Header Length: 20 bytes
 IP:  Type Of Service: 00
 IP:     000. ....  Routine
 IP:     ...0 ....  Normal Delay
 IP:     .... 0...  Normal Throughput
 IP:     .... .0..  Normal Reliability
 IP:  Total Len: 41 (x29) bytes          Id: 5C36
 IP:  Flags: 2
 IP:     .1..       Don't Fragment
 IP:     ..0.       Last Fragment
 IP:  Fragment Offset: 000
 IP:  Time To Live: 64 sec    Protocol: 6  TCP
 IP:  Header Checksum: E096    (Correct)
 IP:  No Options
---------------------- TCP HEADER ----------------------
 TCP:  Source Port: 51519  (Unassigned port)       Dest Port: 51520  (Unassigned port)
 TCP:  Sequence #: 2276667649 
 TCP:  Ack #: 2276570671 
 TCP:  Offset: 20 bytes
 TCP:  Flags: 18
 TCP:     ..0. ....        Urgent bit Off
 TCP:     ...1 ....   Ack bit On
 TCP:     .... 1...  Push bit On
 TCP:     .... .0..        Reset bit Off
 TCP:     .... ..0.        Synchronize bit Off
 TCP:     .... ...0        Finish bit Off
 TCP:  Window: 32912      Checksum: 7022   (Correct)
 TCP:  No Options
--------------------------------- DATA -----------------------------------
0000 38                                                   8


-------------------------- #:3 --------------------------
 Delta Time:  0.049sec   Packet Length: 40 bytes (28 hex)
 IP:    Dest: 127.000.000.001    Source:  127.000.000.001
----------------------- IP HEADER -----------------------
 IP:  Version: 4 Correct    Header Length: 20 bytes
 IP:  Type Of Service: 00
 IP:     000. ....  Routine
 IP:     ...0 ....  Normal Delay
 IP:     .... 0...  Normal Throughput
 IP:     .... .0..  Normal Reliability
 IP:  Total Len: 40 (x28) bytes          Id: 5C37
 IP:  Flags: 2
 IP:     .1..       Don't Fragment
 IP:     ..0.       Last Fragment
 IP:  Fragment Offset: 000
 IP:  Time To Live: 64 sec    Protocol: 6  TCP
 IP:  Header Checksum: E096    (Correct)
 IP:  No Options
---------------------- TCP HEADER ----------------------
 TCP:  Source Port: 51520  (Unassigned port)       Dest Port: 51519  (Unassigned port)
 TCP:  Sequence #: 2276570671 
 TCP:  Ack #: 2276667650 
 TCP:  Offset: 20 bytes
 TCP:  Flags: 10
 TCP:     ..0. ....        Urgent bit Off
 TCP:     ...1 ....   Ack bit On
 TCP:     .... 0...        Push bit Off
 TCP:     .... .0..        Reset bit Off
 TCP:     .... ..0.        Synchronize bit Off
 TCP:     .... ...0        Finish bit Off
 TCP:  Window: 32912      Checksum: A82A   (Correct)
 TCP:  No Options
 TCP:  No data or not output.

-------------------------- #:4 --------------------------
 Delta Time:  0.000sec   Packet Length: 40 bytes (28 hex)
 IP:    Dest: 127.000.000.001    Source:  127.000.000.001
----------------------- IP HEADER -----------------------
 IP:  Version: 4 Correct    Header Length: 20 bytes
 IP:  Type Of Service: 00
 IP:     000. ....  Routine
 IP:     ...0 ....  Normal Delay
 IP:     .... 0...  Normal Throughput
 IP:     .... .0..  Normal Reliability
 IP:  Total Len: 40 (x28) bytes          Id: 5C37
 IP:  Flags: 2
 IP:     .1..       Don't Fragment
 IP:     ..0.       Last Fragment
 IP:  Fragment Offset: 000
 IP:  Time To Live: 64 sec    Protocol: 6  TCP
 IP:  Header Checksum: E096    (Correct)
 IP:  No Options
---------------------- TCP HEADER ----------------------
 TCP:  Source Port: 51520  (Unassigned port)       Dest Port: 51519  (Unassigned port)
 TCP:  Sequence #: 2276570671 
 TCP:  Ack #: 2276667650 
 TCP:  Offset: 20 bytes
 TCP:  Flags: 10
 TCP:     ..0. ....        Urgent bit Off
 TCP:     ...1 ....   Ack bit On
 TCP:     .... 0...        Push bit Off
 TCP:     .... .0..        Reset bit Off
 TCP:     .... ..0.        Synchronize bit Off
 TCP:     .... ...0        Finish bit Off
 TCP:  Window: 32912      Checksum: A82A   (Correct)
 TCP:  No Options
 TCP:  No data or not output.
From here on the output gets interesting. For our purposes, packets #1 through #4 are noise, although they do illustrate why it's a good idea to shut down as much TCP/IP traffic as possible before capturing trace data.

For the curious, the traffic was generated by Mozilla talking to itself.
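Before moving on to the PPP packets, here is what ipformat is doing when it prints "(Correct)" after the IP and TCP checksums. The following is an added example, not part of the original column or of IBM's iptrace/ipformat: it rebuilds packet #1's IP header and TCP segment from the decoded fields shown above and recomputes both checksums (the standard Internet checksum of RFC 1071; the TCP one also covers a pseudo-header made of the two addresses, the protocol number and the segment length), and does the same for the IP headers of packets #5 and #6, which carry real addresses and a different TTL. If ipformat ever reports a bad checksum, this is the arithmetic that failed, which usually points at a corrupt capture or a bad link rather than at the e-mail settings.

```python
"""Recompute the IP and TCP checksums that ipformat marks "(Correct)".

Added example, not part of the original column or of IBM's iptrace/ipformat.
The field values are copied from ipformat's decode of packets #1, #5 and #6;
the algorithm is the Internet checksum (RFC 1071) over the header layouts of
RFC 791 (IPv4) and RFC 793 (TCP).
"""
import struct


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words, then complemented."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad with a zero byte
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:                       # fold carries into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_header(src, dst, total_len, ident, ttl, proto, df, checksum=0):
    """20-byte IPv4 header, no options: the fields ipformat decodes one by one."""
    flags_frag = 0x4000 if df else 0         # DF is bit 14; fragment offset 0
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, total_len, ident,
                       flags_frag, ttl, proto, checksum, ip_bytes(src), ip_bytes(dst))


def tcp_segment(sport, dport, seq, ack, flags, window, payload, checksum=0):
    """20-byte TCP header without options, followed by the payload."""
    offset = 5 << 4                          # header length in 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, offset, flags,
                       window, checksum, 0) + payload


def tcp_checksum(src, dst, segment):
    """TCP sums a pseudo-header (addresses, protocol 6, length) plus the segment."""
    pseudo = struct.pack("!4s4sBBH", ip_bytes(src), ip_bytes(dst), 0, 6, len(segment))
    return internet_checksum(pseudo + segment)


# Header fields exactly as ipformat printed them for packets #1, #5 and #6.
PKT1 = dict(src="127.0.0.1", dst="127.0.0.1", total_len=41, ident=0x5C36,
            ttl=64, proto=6, df=True)                       # Header Checksum: E096
PKT1_TCP = dict(sport=51519, dport=51520, seq=2276667649, ack=2276570671,
                flags=0x18, window=32912, payload=b"8")     # Checksum: 7022
PKT5 = dict(src="209.179.45.140", dst="207.217.121.215", total_len=48,
            ident=0x5C38, ttl=64, proto=6, df=True)         # Header Checksum: 959F
PKT6 = dict(src="207.217.121.215", dst="209.179.45.140", total_len=48,
            ident=0x1C73, ttl=251, proto=6, df=False)       # Header Checksum: 5A64


def verify_packet1():
    """Return (IP header checksum, TCP checksum) recomputed for packet #1."""
    ip_sum = internet_checksum(ipv4_header(**PKT1))
    tcp_sum = tcp_checksum(PKT1["src"], PKT1["dst"], tcp_segment(**PKT1_TCP))
    return ip_sum, tcp_sum


def header_is_valid(header: bytes) -> bool:
    """A receiver's check: summing a header with its checksum field filled in gives 0."""
    return internet_checksum(header) == 0
```

The recomputed values match what ipformat printed: E096 and 7022 for packet #1, and 959F and 5A64 for the IP headers of packets #5 and #6. Note that the TCP checksum changes if a single payload byte changes, which is why the tool can only call a TCP checksum correct when the whole segment was captured.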

-------------------------- #:5 --------------------------
 Delta Time:  0.885sec   Packet Length: 53 bytes (35 hex)
 PPP: Protocol 0x0021  (IP)
 PPP:   Dest: 207.217.121.215    Source:  209.179.045.140
This identifies the start of a Point-to-Point Protocol frame. This usually means that the packet is going through a dial-up connection. If you are connected via DSL or cable, you would not see this. Internet packets are layered like an onion: the TCP segment is wrapped in an IP packet, and the IP packet is wrapped in a PPP frame.

Which layers exist depends on the application and the network connection.

The most interesting elements of the PPP line are the source and destination addresses. In the case of DSL or cable, these addresses are reported on the IP line instead. See packet #1 for an example of this.

----------------------- IP HEADER -----------------------
This identifies the start of an Internet Protocol packet.
 IP:  Version: 4 Correct    Header Length: 20 bytes
 IP:  Type Of Service: 00
 IP:     000. ....  Routine
 IP:     ...0 ....  Normal Delay
 IP:     .... 0...  Normal Throughput
 IP:     .... .0..  Normal Reliability
 IP:  Total Len: 48 (x30) bytes          Id: 5C38
 IP:  Flags: 2
 IP:     .1..       Don't Fragment
The Don't Fragment flag says this IP packet may not be broken into multiple IP packets as it travels through the Internet. If for some reason this request cannot be honored, the packet is discarded and the router that dropped it is supposed to send back an ICMP "fragmentation needed" message. That is how Path MTU Discovery settles on a packet size that fits; when a firewall along the way blocks that ICMP message, the sender never learns why its larger packets vanish, which is a classic cause of connections that open fine and then hang.
 IP:     ..0.       Last Fragment
 IP:  Fragment Offset: 000
The Fragment Offset is used to reassemble IP packets that have been broken into multiple IP packets. An offset of 000 marks the first (or only) fragment of a set, so use it as the reference point when looking for the rest.

There's nothing bad about fragmented packets, per se, but not all TCP/IP implementations handle fragmentation well for all MTU (maximum transmission unit) sizes. The MTU defines the largest IP packet a host will transmit. The MTU size and the Don't Fragment flag are elements to look at if you are experiencing timeouts and such. Often changing the MTU value will resolve problems caused by fragmentation. Usually the MTU needs to be lowered, but there are cases where it will need to be increased.

 IP:  Time To Live: 64 sec    Protocol: 6  TCP
 IP:  Header Checksum: 959F    (Correct)
 IP:  No Options
---------------------- TCP HEADER ----------------------
This identifies the start of a Transmission Control Protocol packet. These are the packets we need to look at most often because TCP packets carry the data that many client and server applications use to communicate at the application level. This includes our e-mail client and server.
 TCP:  Source Port: 51690  (Unassigned port)       Dest Port: 110  (Unassigned port)
Port 110 is the well-known port of the POP3 mail server. This packet is going from our e-mail client to the mail server. Ignore the "(Unassigned port)" label; ipformat does not recognize many well-known ports, so you need to know them yourself.

Other useful port numbers are 25 for SMTP mail, 80 for web pages and 119 for news.

 TCP:  Sequence #: 2383959362 
 TCP:  Ack #: 0 
 TCP:  Offset: 28 bytes
 TCP:  Flags: 02
 TCP:     ..0. ....        Urgent bit Off
 TCP:     ...0 ....        Ack bit Off
 TCP:     .... 0...        Push bit Off
 TCP:     .... .0..        Reset bit Off
 TCP:     .... ..1.   Synchronize bit On
This SYN flag says this is the first TCP packet of this connection. It is a useful reference point.
 TCP:     .... ...0        Finish bit Off
 TCP:  Window: 32768      Checksum: D7B   (Correct)
 TCP:  Option Code: 02     Length: 4 bytes     [MSS]
 TCP:    Max Segment Size 1460 (x5B4)
 TCP:  Option Code: 01     Length: 1 bytes     [NOP]
 TCP:    No Operation
 TCP:  Option Code: 03     Length: 3 bytes     [WIN_SCALE]
 TCP:    Window scale factor 0 (x0)
 TCP:  No data or not output.

-------------------------- #:6 --------------------------
 Delta Time:  0.166sec   Packet Length: 53 bytes (35 hex)
 PPP: Protocol 0x0021  (IP)
 PPP:   Dest: 209.179.045.140    Source:  207.217.121.215
----------------------- IP HEADER -----------------------
 IP:  Version: 4 Correct    Header Length: 20 bytes
 IP:  Type Of Service: 00
 IP:     000. ....  Routine
 IP:     ...0 ....  Normal Delay
 IP:     .... 0...  Normal Throughput
 IP:     .... .0..  Normal Reliability
 IP:  Total Len: 48 (x30) bytes          Id: 1C73
 IP:  Flags: 0
 IP:     .0..       May Fragment
 IP:     ..0.       Last Fragment
 IP:  Fragment Offset: 000
 IP:  Time To Live: 251 sec    Protocol: 6  TCP
 IP:  Header Checksum: 5A64    (Correct)
 IP:  No Options
---------------------- TCP HEADER ----------------------
 TCP:  Source Port: 110  (Unassigned port)       Dest Port: 51690  (Unassigned port)
 TCP:  Sequence #: 1959031622 
 TCP:  Ack #: 2383959363 
 TCP:  Offset: 28 bytes
 TCP:  Flags: 12
 TCP:     ..0. ....        Urgent bit Off
 TCP:     ...1 ....   Ack bit On
The ACK flag says the mail server has heard the client's call and is willing to continue.
 TCP:     .... 0...        Push bit Off
 TCP:     .... .0..        Reset bit Off
 TCP:     .... ..1.   Synchronize bit On
This SYN flag says the server agrees that a new connection is starting.
 TCP:     .... ...0        Finish bit Off
 TCP:  Window: 65535      Checksum: A55E   (Correct)
 TCP:  Option Code: 01     Length: 1 bytes     [NOP]
 TCP:    No Operation
 TCP:  Option Code: 03     Length: 3 bytes     [WIN_SCALE]
 TCP:    Window scale factor 1 (x1)
 TCP:  Option Code: 02     Length: 4 bytes     [MSS]
 TCP:    Max Segment Size 1460 (x5B4)
 TCP:  No data or not output.

-------------------------- #:7 --------------------------
 Delta Time:  0.000sec   Packet Length: 41 bytes (29 hex)
 Compressed and Unfiltered Packet Length: 44 bytes (2C hex)
 PPP: Protocol 0x002F  (VJ Un-Compressed)
 PPP:   Dest: 207.217.121.215    Source:  209.179.045.140
----------------------- IP HEADER -----------------------
 IP:  Version: 4 Correct    Header Length: 20 bytes
 IP:  Type Of Service: 00
 IP:     000. ....  Routine
 IP:     ...0 ....  Normal Delay
 IP:     .... 0...  Normal Throughput
 IP:     .... .0..  Normal Reliability
 IP:  Total Len: 40 (x28) bytes          Id: 5C39
 IP:  Flags: 2
 IP:     .1..       Don't Fragment
 IP:     ..0.       Last Fragment
 IP:  Fragment Offset: 000
 IP:  Time To Live: 64 sec    Protocol: 6  TCP
 IP:  Header Checksum: 95A6    (Correct)
 IP:  No Options
---------------------- TCP HEADER ----------------------
 TCP:  Source Port: 51690  (Unassigned port)       Dest Port: 110  (Unassigned port)
 TCP:  Sequence #: 2383959363 
 TCP:  Ack #: 1959031623 
 TCP:  Offset: 20 bytes
 TCP:  Flags: 10
 TCP:     ..0. ....        Urgent bit Off
 TCP:     ...1 ....   Ack bit On
This ACK flag is the client telling the server it has seen the server's SYN and ACK. That completes the TCP three-way handshake: at this point the server and the client have agreed on Sequence # and Ack # values and are ready to transfer data.
 TCP:     .... 0...        Push bit Off
 TCP:     .... .0..        Reset bit Off
 TCP:     .... ..0.        Synchronize bit Off
 TCP:     .... ...0        Finish bit Off
 TCP:  Window: 33580      Checksum: 4DF7   (Correct)
 TCP:  No Options
 TCP:  No data or not output.
This packet contains no data, but it might for other applications.
-------------------------- #:8 --------------------------
 Delta Time:  0.180sec   Packet Length: 114 bytes (72 hex)
 Compressed and Unfiltered Packet Length: 117 bytes (75 hex)
 PPP: Protocol 0x002F  (VJ Un-Compressed)
 PPP:   Dest: 209.179.045.140    Source:  207.217.121.215
----------------------- IP HEADER -----------------------
 IP:  Version: 4 Correct    Header Length: 20 bytes
 IP:  Type Of Service: 00
 IP:     000. ....  Routine
 IP:     ...0 ....  Normal Delay
 IP:     .... 0...  Normal Throughput
 IP:     .... .0..  Normal Reliability
 IP:  Total Len: 112 (x70) bytes          Id: 1C74
 IP:  Flags: 0
 IP:     .0..       May Fragment
 IP:     ..0.       Last Fragment
 IP:  Fragment Offset: 000
 IP:  Time To Live: 251 sec    Protocol: 6  TCP
 IP:  Header Checksum: 5A23    (Correct)
 IP:  No Options
---------------------- TCP HEADER ----------------------
 TCP:  Source Port: 110  (Unassigned port)       Dest Port: 51690  (Unassigned port)
 TCP:  Sequence #: 1959031623 
 TCP:  Ack #: 2383959363 
 TCP:  Offset: 20 bytes
 TCP:  Flags: 18
 TCP:     ..0. ....        Urgent bit Off
 TCP:     ...1 ....   Ack bit On
Once a connection is established, every TCP packet carries the ACK flag; the Ack # here tells the client that the server has received everything the client has sent so far.
 TCP:     .... 1...  Push bit On
The PUSH bit tells the receiving TCP stack to hand the data to the application right away rather than buffering it until more arrives. It is almost always set on the last TCP packet when the data is spread over multiple TCP packets. When honored, this helps the data get to the application quicker.
 TCP:     .... .0..        Reset bit Off
 TCP:     .... ..0.        Synchronize bit Off
 TCP:     .... ...0        Finish bit Off
 TCP:  Window: 32850      Checksum: 418   (Correct)
 TCP:  No Options
--------------------------------- DATA -----------------------------------
0000 2B 4F 4B 20 4E 47 50 6F    70 70 65 72 20 76 45 4C   +OK NGPopper vEL
0010 5F 34 5F 32 39 20 61 74    20 65 61 72 74 68 6C 69   _4_29 at earthli
0020 6E 6B 2E 6E 65 74 20 72    65 61 64 79 20 3C 31 38   nk.net ready <18
0030 36 37 31 2E 31 30 34 38    35 33 32 34 32 36 40 61   671.1048532426@a
0040 76 6F 63 65 74 3E 0D 0A                              vocet>..
Finally, some data. This is the mail server saying hello to the client.
-------------------------- #:9 --------------------------
 Delta Time:  0.000sec   Packet Length: 55 bytes (37 hex)
 Compressed and Unfiltered Packet Length: 23 bytes (17 hex)
 PPP: Protocol 0x002D  (VJ Compressed)
 PPP:   Dest: 207.217.121.215    Source:  209.179.045.140
----------------------- IP HEADER -----------------------
 IP:  Version: 4 Correct    Header Length: 20 bytes
 IP:  Type Of Service: 00
 IP:     000. ....  Routine
 IP:     ...0 ....  Normal Delay
 IP:     .... 0...  Normal Throughput
 IP:     .... .0..  Normal Reliability
 IP:  Total Len: 54 (x36) bytes          Id: 5C3A
 IP:  Flags: 2
 IP:     .1..       Don't Fragment
 IP:     ..0.       Last Fragment
 IP:  Fragment Offset: 000
 IP:  Time To Live: 64 sec    Protocol: 6  TCP
 IP:  Header Checksum: 9597    (Correct)
 IP:  No Options
---------------------- TCP HEADER ----------------------
 TCP:  Source Port: 51690  (Unassigned port)       Dest Port: 110  (Unassigned port)
 TCP:  Sequence #: 2383959363 
 TCP:  Ack #: 1959031695 
 TCP:  Offset: 20 bytes
 TCP:  Flags: 18
 TCP:     ..0. ....        Urgent bit Off
 TCP:     ...1 ....   Ack bit On
This ACK flag is the client telling the server it received the hello message.
 TCP:     .... 1...  Push bit On
 TCP:     .... .0..        Reset bit Off
 TCP:     .... ..0.        Synchronize bit Off
 TCP:     .... ...0        Finish bit Off
 TCP:  Window: 33580      Checksum: 6776   (Correct)
 TCP:  No Options
--------------------------------- DATA -----------------------------------
0000 55 53 45 52 20 73 74 65    76 65 33 35 0D 0A         USER steve35..
Finally, the client has something to say. This is the start of the login attempt.
-------------------------- #:10 --------------------------
 Delta Time:  0.127sec   Packet Length: 42 bytes (2A hex)
 Compressed and Unfiltered Packet Length: 11 bytes (B hex)
 PPP: Protocol 0x002D  (VJ Compressed)
 PPP:   Dest: 209.179.045.140    Source:  207.217.121.215
----------------------- IP HEADER -----------------------
 IP:  Version: 4 Correct    Header Length: 20 bytes
 IP:  Type Of Service: 00
 IP:     000. ....  Routine
 IP:     ...0 ....  Normal Delay
 IP:     .... 0...  Normal Throughput
 IP:     .... .0..  Normal Reliability
 IP:  Total Len: 40 (x28) bytes          Id: 1C75
 IP:  Flags: 0
 IP:     .0..       May Fragment
 IP:     ..0.       Last Fragment
 IP:  Fragment Offset: 000
 IP:  Time To Live: 251 sec    Protocol: 6  TCP
 IP:  Header Checksum: 5A6A    (Correct)
 IP:  No Options
---------------------- TCP HEADER ----------------------
 TCP:  Source Port: 110  (Unassigned port)       Dest Port: 51690  (Unassigned port)
 TCP:  Sequence #: 1959031695 
 TCP:  Ack #: 2383959377 
 TCP:  Offset: 20 bytes
 TCP:  Flags: 10
 TCP:     ..0. ....        Urgent bit Off
 TCP:     ...1 ....   Ack bit On
 TCP:     .... 0...        Push bit Off
 TCP:     .... .0..        Reset bit Off
 TCP:     .... ..0.        Synchronize bit Off
 TCP:     .... ...0        Finish bit Off
 TCP:  Window: 32850      Checksum: 507B   (Correct)
 TCP:  No Options
 TCP:  No data or not output.

-------------------------- #:11 --------------------------
 Delta Time:  0.000sec   Packet Length: 47 bytes (2F hex)
 Compressed and Unfiltered Packet Length: 15 bytes (F hex)
 PPP: Protocol 0x002D  (VJ Compressed)
 PPP:   Dest: 209.179.045.140    Source:  207.217.121.215
----------------------- IP HEADER -----------------------
 IP:  Version: 4 Correct    Header Length: 20 bytes
 IP:  Type Of Service: 00
 IP:     000. ....  Routine
 IP:     ...0 ....  Normal Delay
 IP:     .... 0...  Normal Throughput
 IP:     .... .0..  Normal Reliability
 IP:  Total Len: 45 (x2D) bytes          Id: 1C76
 IP:  Flags: 0
 IP:     .0..       May Fragment
 IP:     ..0.       Last Fragment
 IP:  Fragment Offset: 000
 IP:  Time To Live: 251 sec    Protocol: 6  TCP
 IP:  Header Checksum: 5A64    (Correct)
 IP:  No Options
---------------------- TCP HEADER ----------------------
 TCP:  Source Port: 110  (Unassigned port)       Dest Port: 51690  (Unassigned port)
 TCP:  Sequence #: 1959031695 
 TCP:  Ack #: 2383959377 
 TCP:  Offset: 20 bytes
 TCP:  Flags: 18
 TCP:     ..0. ....        Urgent bit Off
 TCP:     ...1 ....   Ack bit On
 TCP:     .... 1...  Push bit On
 TCP:     .... .0..        Reset bit Off
 TCP:     .... ..0.        Synchronize bit Off
 TCP:     .... ...0        Finish bit Off
 TCP:  Window: 32850      Checksum: D011   (Correct)
 TCP:  No Options
--------------------------------- DATA -----------------------------------
0000 2B 4F 4B 0D 0A                                       +OK..
The server has accepted the user name.
-------------------------- #:12 --------------------------
 Delta Time:  0.000sec   Packet Length: 51 bytes (33 hex)
 Compressed and Unfiltered Packet Length: 20 bytes (14 hex)
 PPP: Protocol 0x002D  (VJ Compressed)
 PPP:   Dest: 207.217.121.215    Source:  209.179.045.140
----------------------- IP HEADER -----------------------
 IP:  Version: 4 Correct    Header Length: 20 bytes
 IP:  Type Of Service: 00
 IP:     000. ....  Routine
 IP:     ...0 ....  Normal Delay
 IP:     .... 0...  Normal Throughput
 IP:     .... .0..  Normal Reliability
 IP:  Total Len: 50 (x32) bytes          Id: 5C3B
 IP:  Flags: 2
 IP:     .1..       Don't Fragment
 IP:     ..0.       Last Fragment
 IP:  Fragment Offset: 000
 IP:  Time To Live: 64 sec    Protocol: 6  TCP
 IP:  Header Checksum: 959A    (Correct)
 IP:  No Options
---------------------- TCP HEADER ----------------------
 TCP:  Source Port: 51690  (Unassigned port)       Dest Port: 110  (Unassigned port)
 TCP:  Sequence #: 2383959377 
 TCP:  Ack #: 1959031700 
 TCP:  Offset: 20 bytes
 TCP:  Flags: 18
 TCP:     ..0. ....        Urgent bit Off
 TCP:     ...1 ....   Ack bit On
 TCP:     .... 1...  Push bit On
 TCP:     .... .0..        Reset bit Off
 TCP:     .... ..0.        Synchronize bit Off
 TCP:     .... ...0        Finish bit Off
 TCP:  Window: 33580      Checksum: 3FB   (Correct)
 TCP:  No Options
--------------------------------- DATA -----------------------------------
0000 50 41 53 53 20 78 78 78    0D 0A                     PASS xxx..
Now the client sends the password.
-------------------------- #:13 --------------------------
 Delta Time:  0.238sec   Packet Length: 42 bytes (2A hex)
 Compressed and Unfiltered Packet Length: 11 bytes (B hex)
 PPP: Protocol 0x002D  (VJ Compressed)
 PPP:   Dest: 209.179.045.140    Source:  207.217.121.215
----------------------- IP HEADER -----------------------
 IP:  Version: 4 Correct    Header Length: 20 bytes
 IP:  Type Of Service: 00
 IP:     000. ....  Routine
 IP:     ...0 ....  Normal Delay
 IP:     .... 0...  Normal Throughput
 IP:     .... .0..  Normal Reliability
 IP:  Total Len: 40 (x28) bytes          Id: 1C77
 IP:  Flags: 0
 IP:     .0..       May Fragment
 IP:     ..0.       Last Fragment
 IP:  Fragment Offset: 000
 IP:  Time To Live: 251 sec    Protocol: 6  TCP
 IP:  Header Checksum: 5A68    (Correct)
 IP:  No Options
---------------------- TCP HEADER ----------------------
 TCP:  Source Port: 110  (Unassigned port)       Dest Port: 51690  (Unassigned port)
 TCP:  Sequence #: 1959031700 
 TCP:  Ack #: 2383959387 
 TCP:  Offset: 20 bytes
 TCP:  Flags: 10
 TCP:     ..0. ....        Urgent bit Off
 TCP:     ...1 ....   Ack bit On
 TCP:     .... 0...        Push bit Off
 TCP:     .... .0..        Reset bit Off
 TCP:     .... ..0.        Synchronize bit Off
 TCP:     .... ...0        Finish bit Off
 TCP:  Window: 32850      Checksum: 506C   (Correct)
 TCP:  No Options
 TCP:  No data or not output.

-------------------------- #:14 --------------------------
 Delta Time:  4.914sec   Packet Length: 81 bytes (51 hex)
 Compressed and Unfiltered Packet Length: 48 bytes (30 hex)
 PPP: Protocol 0x002D  (VJ Compressed)
 PPP:   Dest: 209.179.045.140    Source:  207.217.121.215
----------------------- IP HEADER -----------------------
 IP:  Version: 4 Correct    Header Length: 20 bytes
 IP:  Type Of Service: 00
 IP:     000. ....  Routine
 IP:     ...0 ....  Normal Delay
 IP:     .... 0...  Normal Throughput
 IP:     .... .0..  Normal Reliability
 IP:  Total Len: 79 (x4F) bytes          Id: 1C78
 IP:  Flags: 0
 IP:     .0..       May Fragment
 IP:     ..0.       Last Fragment
 IP:  Fragment Offset: 000
 IP:  Time To Live: 251 sec    Protocol: 6  TCP
 IP:  Header Checksum: 5A40    (Correct)
 IP:  No Options
---------------------- TCP HEADER ----------------------
 TCP:  Source Port: 110  (Unassigned port)       Dest Port: 51690  (Unassigned port)
 TCP:  Sequence #: 1959031700 
 TCP:  Ack #: 2383959387 
 TCP:  Offset: 20 bytes
 TCP:  Flags: 18
 TCP:     ..0. ....        Urgent bit Off
 TCP:     ...1 ....   Ack bit On
 TCP:     .... 1...  Push bit On
 TCP:     .... .0..        Reset bit Off
 TCP:     .... ..0.        Synchronize bit Off
 TCP:     .... ...0        Finish bit Off
 TCP:  Window: 32850      Checksum: CAFC   (Correct)
 TCP:  No Options
--------------------------------- DATA -----------------------------------
0000 2D 45 52 52 20 62 61 64    20 70 61 73 73 77 6F 72   -ERR bad passwor
0010 64 20 6F 72 20 75 6E 6B    6E 6F 77 6E 20 75 73 65   d or unknown use
0020 72 6E 61 6D 65 0D 0A                                 rname..
Well, we expected this. However, a closer look at the USER command tells us where the problem is. steve35 should have been steve53. I don't know how we missed this on the e-mail settings page, but we did. Sometimes just seeing something presented in a different way helps to solve the problem.

The above failure is rather easy to analyze. Another that I see a lot is related to SMTP-Auth. Many ISPs are changing to SMTP-Auth verification for sending e-mail. A login failure caused by this would be clearly identified in the trace output. The e-mail client might not report this with any useful detail.
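Much of the work above was skipping repeated header lines to find the handful that matter. The script below is an added example, not part of the original column or of IBM's ipformat: it reads ipformat's text output, relying on the line layout shown above (the "#:N" separator, the PPP or IP Dest/Source line, Source Port/Dest Port, the hex Flags byte and the hex DATA lines), and produces one line per packet (endpoints, TCP flags, payload text) plus the client/server POP3 dialog. SAMPLE is an abridged copy of packets #9, #11, #12 and #14 from the trace with the other header lines removed; point it at a full iptrace.txt instead. It redacts the PASS argument by default, which is what you want before pasting a trace anywhere for help, since POP3 sends the password in clear text exactly as packet #12 shows.

```python
"""Condense ipformat output to one line per packet and recover the POP3 dialog.
Added example, not from the original column or IBM's ipformat.  It relies on
the text layout shown above; SAMPLE is an abridged copy of packets #9, #11,
#12 and #14 from the trace, with the other header lines cut out."""
import re
from types import SimpleNamespace

SAMPLE = """\
-------------------------- #:9 --------------------------
 PPP:   Dest: 207.217.121.215    Source:  209.179.045.140
 TCP:  Source Port: 51690  (Unassigned port)       Dest Port: 110  (Unassigned port)
 TCP:  Flags: 18
--------------------------------- DATA -----------------------------------
0000 55 53 45 52 20 73 74 65    76 65 33 35 0D 0A         USER steve35..
-------------------------- #:11 --------------------------
 PPP:   Dest: 209.179.045.140    Source:  207.217.121.215
 TCP:  Source Port: 110  (Unassigned port)       Dest Port: 51690  (Unassigned port)
 TCP:  Flags: 18
--------------------------------- DATA -----------------------------------
0000 2B 4F 4B 0D 0A                                       +OK..
-------------------------- #:12 --------------------------
 PPP:   Dest: 207.217.121.215    Source:  209.179.045.140
 TCP:  Source Port: 51690  (Unassigned port)       Dest Port: 110  (Unassigned port)
 TCP:  Flags: 18
--------------------------------- DATA -----------------------------------
0000 50 41 53 53 20 78 78 78    0D 0A                     PASS xxx..
-------------------------- #:14 --------------------------
 PPP:   Dest: 209.179.045.140    Source:  207.217.121.215
 TCP:  Source Port: 110  (Unassigned port)       Dest Port: 51690  (Unassigned port)
 TCP:  Flags: 18
--------------------------------- DATA -----------------------------------
0000 2D 45 52 52 20 62 61 64    20 70 61 73 73 77 6F 72   -ERR bad passwor
0010 64 20 6F 72 20 75 6E 6B    6E 6F 77 6E 20 75 73 65   d or unknown use
0020 72 6E 61 6D 65 0D 0A                                 rname..
"""

FLAG_BITS = ((0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x01, "FIN"), (0x04, "RST"))
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def _addr(text):
    """ipformat zero-pads octets (209.179.045.140); normalise to 209.179.45.140."""
    return ".".join(str(int(o)) for o in text.split("."))


def parse_ipformat(text):
    packets, cur, in_data = [], None, False
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"-+ #:(\d+) -+$", s):
            cur = SimpleNamespace(number=int(m.group(1)), src="", dst="", sport=0, dport=0, flags=0, data=b"")
            packets.append(cur)
            in_data = False
        elif cur is None:
            continue
        elif m := re.match(r"(?:PPP|IP):\s+Dest:\s+([\d.]+)\s+Source:\s+([\d.]+)", s):
            cur.dst, cur.src = _addr(m.group(1)), _addr(m.group(2))
        elif m := re.match(r"TCP:\s+Source Port:\s+(\d+).*Dest Port:\s+(\d+)", s):
            cur.sport, cur.dport = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"TCP:\s+Flags:\s+([0-9A-Fa-f]+)", s):
            cur.flags = int(m.group(1), 16)
        elif s.startswith("---") and "DATA" in s:
            in_data = True
        elif in_data and re.match(r"[0-9A-Fa-f]{4}\s", s):
            # Hex dump line: offset, up to 16 hex bytes, then an ASCII column.  Take tokens
            # until the first non-hex-byte token (cap 16); right for every line in this
            # trace, but ASCII text that itself begins with a token such as "AB" would fool it.
            hexbytes = []
            for tok in s.split()[1:]:
                if len(hexbytes) == 16 or not HEX_BYTE.match(tok):
                    break
                hexbytes.append(tok)
            cur.data += bytes.fromhex("".join(hexbytes))
    return packets


def summarize(packets):
    """One line per packet: endpoints, TCP flags and any payload text."""
    out = []
    for p in packets:
        flags = "+".join(name for bit, name in FLAG_BITS if p.flags & bit) or "none"
        text = p.data.decode("ascii", "replace").rstrip("\r\n")
        out.append(f"#{p.number} {p.src}:{p.sport} -> {p.dst}:{p.dport} [{flags}] {text}".rstrip())
    return out


def pop3_dialog(packets, server_port=110, redact=True):
    """Client/server lines in packet order.  Payloads are joined per direction so a
    line split over two segments comes out whole; retransmission and reordering by
    sequence number are not handled.  PASS is redacted by default because POP3
    sends the password in clear text, as packet #12 above shows."""
    pending, lines = {"C": b"", "S": b""}, []
    for p in packets:
        if not p.data or server_port not in (p.sport, p.dport):
            continue
        side = "S" if p.sport == server_port else "C"
        pending[side] += p.data
        while b"\r\n" in pending[side]:
            line, pending[side] = pending[side].split(b"\r\n", 1)
            text = line.decode("ascii", "replace")
            if redact and side == "C" and text.upper().startswith("PASS "):
                text = "PASS <redacted>"
            lines.append(f"{side}: {text}")
    return lines
```

Over SAMPLE, summarize() gives lines such as "#9 209.179.45.140:51690 -> 207.217.121.215:110 [ACK+PSH] USER steve35", and pop3_dialog() reduces the whole failed login to four lines: C: USER steve35, S: +OK, C: PASS <redacted>, S: -ERR bad password or unknown username. The same filtering applied to an SMTP session on port 25 (server_port=25) would show the AUTH exchange and the server's reply just as plainly.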

-------------------------- #:15 --------------------------
 Delta Time:  0.006sec   Packet Length: 45 bytes (2D hex)
 Compressed and Unfiltered Packet Length: 46 bytes (2E hex)
 PPP: Protocol 0x0021  (IP)
 PPP:   Dest: 207.217.121.215    Source:  209.179.045.140
----------------------- IP HEADER -----------------------
 IP:  Version: 4 Correct    Header Length: 20 bytes
 IP:  Type Of Service: 00
 IP:     000. ....  Routine
 IP:     ...0 ....  Normal Delay
 IP:     .... 0...  Normal Throughput
 IP:     .... .0..  Normal Reliability
 IP:  Total Len: 40 (x28) bytes          Id: 5C3C
 IP:  Flags: 2
 IP:     .1..       Don't Fragment
 IP:     ..0.       Last Fragment
 IP:  Fragment Offset: 000
 IP:  Time To Live: 64 sec    Protocol: 6  TCP
 IP:  Header Checksum: 95A3    (Correct)
 IP:  No Options
---------------------- TCP HEADER ----------------------
 TCP:  Source Port: 51690  (Unassigned port)       Dest Port: 110  (Unassigned port)
 TCP:  Sequence #: 2383959387 
 TCP:  Ack #: 1959031739
 TCP:  Offset: 20 bytes
 TCP:  Flags: 11
 TCP:     ..0. ....        Urgent bit Off
 TCP:     ...1 ....   Ack bit On
 TCP:     .... 0...        Push bit Off
 TCP:     .... .0..        Reset bit Off
 TCP:     .... ..0.        Synchronize bit Off
 TCP:     .... ...1   Finish bit On
This FIN flag tells the server the client wants to end this connection.
 TCP:  Window: 33580      Checksum: 4D6A   (Correct)
 TCP:  No Options
 TCP:  No data or not output.

-------------------------- #:16 --------------------------
 Delta Time:  0.004sec   Packet Length: 45 bytes (2D hex)
 Compressed and Unfiltered Packet Length: 46 bytes (2E hex)
 PPP: Protocol 0x0021  (IP)
 PPP:   Dest: 209.179.045.140    Source:  207.217.121.215
----------------------- IP HEADER -----------------------
 IP:  Version: 4 Correct    Header Length: 20 bytes
 IP:  Type Of Service: 00
 IP:     000. ....  Routine
 IP:     ...0 ....  Normal Delay
 IP:     .... 0...  Normal Throughput
 IP:     .... .0..  Normal Reliability
 IP:  Total Len: 40 (x28) bytes          Id: 1C79
 IP:  Flags: 0
 IP:     .0..       May Fragment
 IP:     ..0.       Last Fragment
 IP:  Fragment Offset: 000
 IP:  Time To Live: 251 sec    Protocol: 6  TCP
 IP:  Header Checksum: 5A66    (Correct)
 IP:  No Options
---------------------- TCP HEADER ----------------------
 TCP:  Source Port: 110  (Unassigned port)       Dest Port: 51690  (Unassigned port)
 TCP:  Sequence #: 1959031739 
 TCP:  Ack #: 2383959387 
 TCP:  Offset: 20 bytes
 TCP:  Flags: 11
 TCP:     ..0. ....        Urgent bit Off
 TCP:     ...1 ....   Ack bit On
 TCP:     .... 0...        Push bit Off
 TCP:     .... .0..        Reset bit Off
 TCP:     .... ..0.        Synchronize bit Off
 TCP:     .... ...1   Finish bit On
This FIN flag tells the client that the server is willing to end this connection.
 TCP:  Window: 32850      Checksum: 5044   (Correct)
 TCP:  No Options
 TCP:  No data or not output.

-------------------------- #:17 --------------------------
 Delta Time:  0.000sec   Packet Length: 41 bytes (29 hex)
 Compressed and Unfiltered Packet Length: 11 bytes (B hex)
 PPP: Protocol 0x002D  (VJ Compressed)
 PPP:   Dest: 207.217.121.215    Source:  209.179.045.140
----------------------- IP HEADER -----------------------
 IP:  Version: 4 Correct    Header Length: 20 bytes
 IP:  Type Of Service: 00
 IP:     000. ....  Routine
 IP:     ...0 ....  Normal Delay
 IP:     .... 0...  Normal Throughput
 IP:     .... .0..  Normal Reliability
 IP:  Total Len: 40 (x28) bytes          Id: 5C3D
 IP:  Flags: 2
 IP:     .1..       Don't Fragment
 IP:     ..0.       Last Fragment
 IP:  Fragment Offset: 000
 IP:  Time To Live: 64 sec    Protocol: 6  TCP
 IP:  Header Checksum: 95A2    (Correct)
 IP:  No Options
---------------------- TCP HEADER ----------------------
 TCP:  Source Port: 51690  (Unassigned port)       Dest Port: 110  (Unassigned port)
 TCP:  Sequence #: 2383959388 
 TCP:  Ack #: 1959031740 
 TCP:  Offset: 20 bytes
 TCP:  Flags: 10
 TCP:     ..0. ....        Urgent bit Off
 TCP:     ...1 ....   Ack bit On
This ACK tells the server that the client has received the server's FIN response.
 TCP:     .... 0...        Push bit Off
 TCP:     .... .0..        Reset bit Off
 TCP:     .... ..0.        Synchronize bit Off
 TCP:     .... ...0        Finish bit Off
 TCP:  Window: 33580      Checksum: 4D69   (Correct)
 TCP:  No Options
 TCP:  No data or not output.

-------------------------- #:18 --------------------------
 Delta Time:  0.146sec   Packet Length: 42 bytes (2A hex)
 Compressed and Unfiltered Packet Length: 12 bytes (C hex)
 PPP: Protocol 0x002D  (VJ Compressed)
 PPP:   Dest: 209.179.045.140    Source:  207.217.121.215
----------------------- IP HEADER -----------------------
 IP:  Version: 4 Correct    Header Length: 20 bytes
 IP:  Type Of Service: 00
 IP:     000. ....  Routine
 IP:     ...0 ....  Normal Delay
 IP:     .... 0...  Normal Throughput
 IP:     .... .0..  Normal Reliability
 IP:  Total Len: 40 (x28) bytes          Id: 1C7A
 IP:  Flags: 0
 IP:     .0..       May Fragment
 IP:     ..0.       Last Fragment
 IP:  Fragment Offset: 000
 IP:  Time To Live: 251 sec    Protocol: 6  TCP
 IP:  Header Checksum: 5A65    (Correct)
 IP:  No Options
---------------------- TCP HEADER ----------------------
 TCP:  Source Port: 110  (Unassigned port)       Dest Port: 51690  (Unassigned port)
 TCP:  Sequence #: 1959031740 
 TCP:  Ack #: 2383959388 
 TCP:  Offset: 20 bytes
 TCP:  Flags: 10
 TCP:     ..0. ....        Urgent bit Off
 TCP:     ...1 ....   Ack bit On
This ACK tells the client that the server has received the client's ACK response.
 TCP:     .... 0...        Push bit Off
 TCP:     .... .0..        Reset bit Off
 TCP:     .... ..0.        Synchronize bit Off
 TCP:     .... ...0        Finish bit Off
 TCP:  Window: 32850      Checksum: 5043   (Correct)
 TCP:  No Options
 TCP:  No data or not output.
 Finished

That's it for our simple trip through TCP/IP packet analysis.

If you want to understand a bit more about the guts of the TCP/IP protocols, take a look at the RFCs. RFC 791 and 793 are the real deal. You can find them at the RFC FTP Site. As you might expect, there are plenty of resources on the web that cover this material in more or less detail. It should be easy enough to find one written to your comfort level.

The ipformat output is sufficient for resolving many problems. However, there are cases where the output volume is just too large and you are going to need a packet analyzer to provide some sorting and filtering. Mr. KIA has been told that Ethereal runs well under Odin. Ipformat can generate the "sniffer" compatible output that Ethereal understands.
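Packets #15 to #18 above are a TCP close in which both ends send a FIN and each FIN is then acknowledged by a later packet from the peer whose Ack # is the FIN's Sequence # plus one. Picking that out of a long ipformat listing by eye is exactly the volume problem just described. The script below is an added example, not part of the original column and not an IBM or OS/2 tool: it reads ipformat's text layout, reduces it to one line per packet, filters by port, and pairs each FIN with the packet that acknowledges it. The embedded sample is constructed from the values of packets #15 to #18 above (the Delta Time of #15 is not shown on this page and is assumed); the line labels it keys on (Delta Time, Dest/Source, Source Port, Sequence #, Ack #, Flags) are the ones in the output above, and other ipformat versions may print them differently.

```python
# Added example, not ipformat/OS/2 code: one line per packet, port filter, FIN/ACK pairing.
import re
from dataclasses import dataclass

# Bits of the hex TCP "Flags:" byte ipformat prints (0x11 = ACK+FIN, 0x10 = ACK).
TCP_FLAG_BITS = (("FIN", 1), ("SYN", 2), ("RST", 4), ("PSH", 8), ("ACK", 16), ("URG", 32))

@dataclass
class Packet:
    number: int
    delta: float
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int

    def flag_names(self):
        return [name for name, bit in TCP_FLAG_BITS if self.flags & bit]

    def summary(self):
        return (f"#{self.number} +{self.delta:.3f}s {self.src}:{self.sport} -> {self.dst}:"
                f"{self.dport} [{'+'.join(self.flag_names())}] seq={self.seq} ack={self.ack}")

# (line prefix, pattern, fields, converter); "TCP:" keeps "TCP:  Flags: 11" apart from "IP:  Flags: 2".
_RULES = (
    ("", re.compile(r"^-+ #:(\d+) -+"), ("number",), int),
    ("", re.compile(r"Delta Time:\s*([\d.]+)sec"), ("delta",), float),
    ("PPP:", re.compile(r"Dest:\s*([\d.]+)\s+Source:\s*([\d.]+)"), ("dst", "src"), str),
    ("TCP:", re.compile(r"Source Port:\s*(\d+).*Dest Port:\s*(\d+)"), ("sport", "dport"), int),
    ("TCP:", re.compile(r"Sequence #:\s*(\d+)"), ("seq",), int),
    ("TCP:", re.compile(r"Ack #:\s*(\d+)"), ("ack",), int),  # does not match "Ack bit On"
    ("TCP:", re.compile(r"Flags:\s*([0-9A-Fa-f]+)\s*$"), ("flags",), lambda h: int(h, 16)),
)

def parse_ipformat(text):
    """One Packet per complete TCP record; incomplete (e.g. non-TCP) records are dropped."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("---") and "#:" in line:   # "--- #:16 ---" opens a record
            cur = {}
            records.append(cur)
        for prefix, rx, names, conv in _RULES:
            m = rx.search(line) if cur is not None and line.startswith(prefix) else None
            if m:
                cur.update(zip(names, map(conv, m.groups())))
                break
    want = set(Packet.__dataclass_fields__)
    return [Packet(**r) for r in records if set(r) == want]

def by_port(packets, port):
    return [p for p in packets if port in (p.sport, p.dport)]

def match_fin_acks(packets):
    """FIN packet number -> peer packet whose Ack # is the FIN's Seq # + 1, or None if absent."""
    out = {}
    for i, fin in enumerate(packets):
        if fin.flags & 1:
            out[fin.number] = next((p.number for p in packets[i + 1:]
                                    if (p.src, p.sport) == (fin.dst, fin.dport)
                                    and p.flags & 16 and p.ack == fin.seq + 1), None)
    return out

# Constructed sample in ipformat's layout with the values of packets #15-#18 above (Delta Time of #15 assumed).
SAMPLE = """\
-------------------------- #:15 --------------------------
 Delta Time:  0.000sec   Packet Length: 41 bytes (29 hex)
 PPP:   Dest: 207.217.121.215    Source:  209.179.045.140
 IP:  Flags: 2
 TCP:  Source Port: 51690  (Unassigned port)       Dest Port: 110  (Unassigned port)
 TCP:  Sequence #: 2383959387
 TCP:  Ack #: 1959031739
 TCP:  Flags: 11
-------------------------- #:16 --------------------------
 Delta Time:  0.004sec   Packet Length: 45 bytes (2D hex)
 PPP:   Dest: 209.179.045.140    Source:  207.217.121.215
 TCP:  Source Port: 110  (Unassigned port)       Dest Port: 51690  (Unassigned port)
 TCP:  Sequence #: 1959031739
 TCP:  Ack #: 2383959387
 TCP:  Flags: 11
-------------------------- #:17 --------------------------
 Delta Time:  0.000sec   Packet Length: 41 bytes (29 hex)
 PPP:   Dest: 207.217.121.215    Source:  209.179.045.140
 TCP:  Source Port: 51690  (Unassigned port)       Dest Port: 110  (Unassigned port)
 TCP:  Sequence #: 2383959388
 TCP:  Ack #: 1959031740
 TCP:  Flags: 10
-------------------------- #:18 --------------------------
 Delta Time:  0.146sec   Packet Length: 42 bytes (2A hex)
 PPP:   Dest: 209.179.045.140    Source:  207.217.121.215
 TCP:  Source Port: 110  (Unassigned port)       Dest Port: 51690  (Unassigned port)
 TCP:  Sequence #: 1959031740
 TCP:  Ack #: 2383959388
 TCP:  Flags: 10
"""
```

On a real capture, feed the whole ipformat listing to parse_ipformat and print p.summary() for each packet returned by by_port(pkts, 110) to see only the mail session. On the sample, match_fin_acks returns {15: 18, 16: 17}: the client's ACK in #17 acknowledges the server's FIN from #16, and the server's ACK in #18 acknowledges the client's FIN from #15, which is the crossed FIN exchange annotated in the trace above. Note that the IP-level "Flags:" line is matched only under the "TCP:" prefix; without that guard the IP fragment flags would overwrite the TCP flags and every packet would decode as SYN.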

If you need help analyzing a specific trace, you can always ask Mr. KIA.


Curious or in doubt, you can ask Mr. Know-It-All
OS/2 is his specialty and sharing solutions is his passion
Mr. Know-It-All lives in Southern California.


The Southern California OS/2 User Group
P.O. Box 26904
Santa Ana, CA 92799-6904, USA

Copyright 2003 the Southern California OS/2 User Group. ALL RIGHTS RESERVED.