Date: Sat, 25 Feb 2006 05:05:00 -0800 (PST)
From: Matthew Hilder
To: Gavin McCullagh
Subject: Navini Diagnostics (my analysis of Packet Header Description for 1 second packets)

Hi Gavin,

I've been working on the packet header and would like to share with you what I've found (this email is very long). Have a look and see if it makes sense with your packets. I'll send you another email too, as I'll now look at the short packets (Navini Diagnostics to modem) and Modem to Navini Diagnostics (400 bytes).

Suggest you copy it out and format it all in a fixed-width font like Monaco, so that it all lines up nicely.

Packet every second (my packets):

Overall packet length is 206 bytes (octets), with the payload length within the UDP packet being 162 bytes. Therefore all headers total 44 bytes.

Header summary (beginning to end):

    IP Header is first 20 bytes
    UDP Header is next 8 bytes
    Next 18 bytes is neither IP nor UDP header *(see at end of this email).

    IP 169.254.254.1.3859 > 255.255.255.255.3859: UDP, length: 162
    0x0000: 4500 00be 0000 0000 ff11 132f a9fe fe01 E........../....
    0x0010: ffff ffff 0f13 0f13 00aa 124a 0103 0001 ...........J....
    0x0020: 0001 0000 0001 0000 0000 0000 0000 ffba ................
    0x0030: 8e50 0713 050f 332e 1228 0b1e 07d4 1228 .P....3..(.....(
    0x0040: 0b1e 07d4 0000 0000 0061 0401 0401 0300 .........a......
    0x0050: 0808 0030 0001 0003 0f7c ffff 45aa 0159 ...0.....|..E..Y
    0x0060: 0003 0c67 02d9 00f0 0001 0000 0000 0010 ...g............
    0x0070: 0000 0000 0000 ffff 0019 427b 0016 006c ..........B{...l
    0x0080: 0061 ffdc 5cd7 0008 0000 0004 0004 0f00 .a..\...........
    0x0090: 0000 0000 0000 ffff ffff 0000 0000 ffff ................
    0x00a0: ffff 7998 9797 ff9c 0033 0001 0000 0000 ..y......3......
    0x00b0: 0000 0000 5642 7cb2 0000 0000 0000      ....VB|.......

Header in your packets:

    0x0000 4500 016c 0000 0000 ff11 1281 a9fe fe01 E..l............
    0x0010 ffff ffff 0f13 0f13 0158 8a49 0203 0001 .........X.I....
    0x0020 0001 0000 0001 0000 0000 0000 0000

My packet manually decoded:

    Byte:  Byte Value  Meaning
    0000:  45          IP version (first 4 bits) & IHL Internet Header Length in 48 bit words
                       (minimum value is 5). (Note 1)
    0001:  00          Type of Service (Note 2)
    0002:  00          Total Length (in bytes) of IP Packet (Highest order byte)
    0003:  BE          Total Length (in bytes) of IP Packet (Lowest order byte)
                       (These bytes represent a value of 206 dec)
    0004:  00          ID of fragment (aids in reassembly of datagrams) (Highest order byte)
    0005:  00          ID of fragment (aids in reassembly of datagrams) (Lowest order byte)
    0006:  00          Flags (Note 3)
    0007:  00          Fragment Offset (0 = not used here)
    0008:  FF          TTL (Time To Live) in hops
                       This packet says 255 hops - the maximum.
    0009:  11          Protocol Number (low bits) 0x11 is UDP
    000A:  13          Header Checksum (16 bits) (Highest order byte)
    000B:  2F          Header Checksum (16 bits) (Lowest order byte)
    000C:  A9          Source IP Address (Highest order Byte)
    000D:  FE          Source IP Address
    000E:  FE          Source IP Address
    000F:  01          Source IP Address (Lowest order Byte)
    0010:  FF          Destination IP Address (Highest order Byte)
    0011:  FF          Destination IP Address
    0012:  FF          Destination IP Address
    0013:  FF          Destination IP Address (Lowest order Byte)
    0014:  0F          Source Port (16 bits) (Highest order byte)
    0015:  13          Source Port (16 bits) (Lowest order byte)
                       (this packet says port 3859 dec)
    0016:  0F          Destination Port (16 bits) (Highest order byte)
    0017:  13          Destination Port (16 bits) (Lowest order byte)
                       (this packet says port 3859 dec)
    0018:  00          Length of Datagram including UDP Header (Highest order byte)
    0019:  AA          Length of Datagram including UDP Header (Lowest order byte)
                       (170 dec which is 162 plus 8 bytes)
    001A:  12          UDP Checksum (Highest order Byte)
    001B:  4A          UDP Checksum (Lowest order Byte)

    (Deadspace ???)
    001C:  01
    001D:  03
    001E:  00
    001F:  01
    0020:  00
    0021:  01
    0022:  00
    0023:  00
    0024:  00
    0025:  01
    0026:  00
    0027:  00
    0028:  00
    0028:  00
    002A:  00
    002B:  00
    002C:  00
    002D:  00

URL References:

1) IP Header Description: http://www.freesoft.org/CIE/Course/Section3/7.htm
2) Protocol Number: http://support.microsoft.com/default.aspx?scid=kb;EN-US;289892
3) UDP Header Description (also IP and TCP): http://www.protocols.com/pbook/tcpip2.htm#UDP

Notes:

1) This means that the UDP Header begins at word 5 (0x0014) and that there is consequently NO options field in this packet.
2) TOS: (0 means Precedence [routine], Normal delay & Normal throughput for this packet. Type of Service bits 4-5 (0 means Normal reliability) with bits 6-7 reserved)
3) Flags: bit 0 reserved, must be zero; DF flag (Don't fragment) 0 means can fragment; MF flag (more fragments no or yes) 0 means no more fragments; bit 4 goes with the next 12 bits. AND Fragment Offset (0 = not used here)

* The 'extra' 18 bytes question. It's funny as the 18 bytes don't seem to be part of either the header or the payload of the packet, but DO have values (apart from zeros or all FF's). Very strange.

Matthew Hilder
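An added example, not part of the original email: a Python decode of the first hex dump above using the standard IPv4 and UDP header layouts. It verifies the IP header checksum and reports where the UDP payload begins and how long it is; the function and dictionary key names are chosen here for illustration.

```python
import socket
import struct

# Hex words from the first tcpdump listing in the email (offsets and ASCII column dropped).
DUMP = """
4500 00be 0000 0000 ff11 132f a9fe fe01
ffff ffff 0f13 0f13 00aa 124a 0103 0001
0001 0000 0001 0000 0000 0000 0000 ffba
8e50 0713 050f 332e 1228 0b1e 07d4 1228
0b1e 07d4 0000 0000 0061 0401 0401 0300
0808 0030 0001 0003 0f7c ffff 45aa 0159
0003 0c67 02d9 00f0 0001 0000 0000 0010
0000 0000 0000 ffff 0019 427b 0016 006c
0061 ffdc 5cd7 0008 0000 0004 0004 0f00
0000 0000 0000 ffff ffff 0000 0000 ffff
ffff 7998 9797 ff9c 0033 0001 0000 0000
0000 0000 5642 7cb2 0000 0000 0000
"""
PACKET = bytes.fromhex("".join(DUMP.split()))

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum; a header carrying a correct checksum sums to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def decode(packet: bytes) -> dict:
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _cksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4  # the IHL field counts 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(packet):
        raise ValueError("not a complete IPv4 packet")
    if proto != 17 or total_len < ihl + 8:
        raise ValueError("no UDP header")
    sport, dport, udp_len, _udp_cksum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if udp_len < 8 or ihl + udp_len > total_len:
        raise ValueError("UDP length does not fit the IP datagram")
    return {
        "total_length": total_len, "ttl": ttl,
        "header_checksum_ok": ones_complement_sum(packet[:ihl]) == 0xFFFF,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "udp_length": udp_len,
        "payload_offset": ihl + 8,              # first byte after the UDP header
        "payload": packet[ihl + 8:ihl + udp_len],
    }

if __name__ == "__main__":
    info = decode(PACKET)
    print({k: v for k, v in info.items() if k != "payload"}, info["payload"][:18].hex())
```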