Date: Sun, 26 Feb 2006 18:18:43 -0800 (PST)
From: Matthew Hilder
To: Gavin McCullagh
Subject: Re: Navini Diagnostics (my analysis of Packets of 22 and 400 bytes each minute)

Hi Gavin,

I also had a look at the packets that are sent each minute (the 22 and 400 byte ones). Note that this analysis is sketchier than the one for the 1 each second packet header. Also note that the packets appear to reveal your IP address, which you might not want to put up on the website in disassembled form.

Another long email...

Packets from Gavin:

The UDP 22 packet from Navini Diagnostics to the modem looks to be a way of checking if the modem is there (speculation: the packet is a request to answer the sender back). The 400 packet back looks like a reply to the 22 packet, with the beginning of the data portion of the packet being configured like the 22 packet. I wonder if the Update Modem Application works like this but has a different command in the 22 packet. Suggest that you do not try to upload a modem application if you can find one.

    14:21:36.424694 sn127806940122.dhcp-ripwave.irishbroadband.ie.3859 > 255.255.255.255.3859: udp 22 (DF)
    0x0000   4500 0032 0000 4000 4011 87c4 57c0 5b37   E..2..@.@...W.[7
    0x0010   ffff ffff 0f13 0f13 001e 1dd4 0101 0001   ................
    0x0020   0004 0045 0001 0000 0000 0000 0000 ffba   ...E............
    0x0030   0fba                                      ..

    Byte:  Value  Meaning
    0000:  45     IP version (first 4 bits) & IHL Internet Header Length in 48 bit words (minimum value is 5). (Note 1)
    0001:  00     Type of Service (Note 2)
    0002:  00     Total Length (in bytes) of IP Packet (Highest order byte)
    0003:  32     Total Length (in bytes) of IP Packet (Lowest order byte)
                  (These bytes represent a value of 50 dec)
    0004:  00     ID of fragment (aids in reassembly of datagrams) (Highest order byte)
    0005:  00     ID of fragment (aids in reassembly of datagrams) (Lowest order byte)
    0006:  40     Flags (Note 3) (0100 binary) means Don't Fragment.
                  Bit 3 belongs to Fragment offset (but is zero)
    0007:  00     Fragment Offset (0 = not used here)
    0008:  FF     TTL (Time To Live) in hops. This packet says 64 hops.
    0009:  11     Protocol Number (low bits) 0x11 is UDP
    000A:  87     Header Checksum (16 bits) (Highest order byte)
    000B:  C4     Header Checksum (16 bits) (Lowest order byte)
    000C:  57     Source IP Address (Highest order Byte) 87
    000D:  C0     Source IP Address 212
    000E:  5B     Source IP Address 92
    000F:  37     Source IP Address (Lowest order Byte) 55
                  (IP address: 87.212.92.55 *)
    0010:  FF     Destination IP Address (Highest order Byte) 255
    0011:  FF     Destination IP Address 255
    0012:  FF     Destination IP Address 255
    0013:  FF     Destination IP Address (Lowest order Byte) 255
                  (IP address 255.255.255.255 Broadcast)
    0014:  0F     Source Port (16 bits) (Highest order byte)
    0015:  13     Source Port (16 bits) (Lowest order byte)
                  (this packet says port 3859 dec)
    0016:  0F     Destination Port (16 bits) (Highest order byte)
    0017:  13     Destination Port (16 bits) (Lowest order byte)
                  (this packet says port 3859 dec)
    0018:  00     Length of Datagram including UDP Header (Highest order byte)
    0019:  1E     Length of Datagram including UDP Header (Lowest order byte)
                  (30 dec which is 22 plus 8 bytes)
    001A:  1D     UDP Checksum (Highest order Byte)
    001B:  D4     UDP Checksum (Lowest order Byte)
    001C:  01
    001D:  01
    001E:  00
    001F:  01
    0020:  00
    0021:  04     04
    0022:  00     00 (send back packet of 400 dec length) ??
    0023:  45     (IP version and IHL of '5') ??
    0024:  00
    0025:  01
    0026:  00
    0027:  00
    0028:  00
    0029:  00
    002A:  00
    002B:  00
    002C:  00
    002D:  00
    002E:  FF     MAC address of modem (to send packet back to)?
    002F:  BA     MAC address of modem (to send packet back to)?
    0030:  0F     MAC address of modem (to send packet back to)?
    0031:  BA     MAC address of modem (to send packet back to)?

* Assigned to an ISP called Versatel which is based in the Netherlands (.nl), but entry in Ripe: (http://ripe.net/whois) says assigned PA which means that the ISP can assign it to someone else.

    14:21:36.496982 169.254.254.1.3859 > sn127806940122.dhcp-ripwave.irishbroadband.ie.3859: udp 400
    0x0000   4500 01ac 0000 0000 ff11 5f49 a9fe fe01   E........._I....
    0x0010   57c0 5b37 0f13 0f13 0198 8252 0102 0001   W.[7.......R....
    0x0020   0005 0045 0001 0000 0000 0000 0000 0000   ...E............
    0x0030   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x0040   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x0050   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x0060   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x0070   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x0080   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x0090   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x00a0   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x00b0   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x00c0   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x00d0   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x00e0   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x00f0   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x0100   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x0110   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x0120   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x0130   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x0140   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x0150   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x0160   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x0170   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x0180   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x0190   0000 0000 0000 0000 0000 0000 0000 0000   ................
    0x01a0   0000 0000 0000 0000 0000 0000

    Byte:  Value  Meaning
    0000:  45     IP version (first 4 bits) & IHL Internet Header Length in 48 bit words (minimum value is 5). (Note 1)
    0001:  00     Type of Service (Note 2)
    0002:  01     Total Length (in bytes) of IP Packet (Highest order byte)
    0003:  AC     Total Length (in bytes) of IP Packet (Lowest order byte)
                  (These bytes represent a value of 429 dec)
    0004:  00     ID of fragment (aids in reassembly of datagrams) (Highest order byte)
    0005:  00     ID of fragment (aids in reassembly of datagrams) (Lowest order byte)
    0006:  00     Flags (Note 3). Bit 3 belongs to Fragment offset (but is zero)
    0007:  00     Fragment Offset (0 = not used here)
    0008:  FF     TTL (Time To Live) in hops. This packet says 64 hops.
    0009:  11     Protocol Number (low bits) 0x11 is UDP
    000A:  5F     Header Checksum (16 bits) (Highest order byte)
    000B:  49     Header Checksum (16 bits) (Lowest order byte)
    000C:  A9     Source IP Address (Highest order Byte) 169
    000D:  FE     Source IP Address 254
    000E:  FE     Source IP Address 254
    000F:  01     Source IP Address (Lowest order Byte) 1
                  (IP address: 169.254.254.1)
    0010:  57     Destination IP Address (Highest order Byte) 87
    0011:  C0     Destination IP Address 208
    0012:  5B     Destination IP Address 91
    0013:  37     Destination IP Address (Lowest order Byte) 55
                  (IP address 87.208.91.55 *)
    0014:  0F     Source Port (16 bits) (Highest order byte)
    0015:  13     Source Port (16 bits) (Lowest order byte)
                  (this packet says port 3859 dec)
    0016:  0F     Destination Port (16 bits) (Highest order byte)
    0017:  13     Destination Port (16 bits) (Lowest order byte)
                  (this packet says port 3859 dec)
    0018:  01     Length of Datagram including UDP Header (Highest order byte)
    0019:  98     Length of Datagram including UDP Header (Lowest order byte)
                  (392 dec which is 384 plus 8 bytes)
    001A:  82     UDP Checksum (Highest order Byte)
    001B:  52     UDP Checksum (Lowest order Byte)
    001C:  01
    001D:  02
    001E:  00
    001F:  01
    0020:  00
    0021:  05
    0022:  00
    0023:  45     (IP version and IHL of '5') ??
    0024:  00
    0025:  01
    0026:  00
    ....

* Assigned to an ISP called Versatel which is based in the Netherlands (.nl), but entry in Ripe: (http://ripe.net/whois) says assigned PA which means that the ISP can assign it to someone else.

Matthew Hilder
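
Added example, not part of the original message: a Python decoder run over the two captures quoted above. It verifies the IPv4 and UDP checksums of each datagram and lists the payload offsets where the 400-byte reply differs from the 22-byte request. The byte strings are transcribed from the hex dumps in the message (the reply's trailing zero bytes are generated rather than typed out), and the function names are this example's own.

```python
import struct

# Bytes transcribed from the two tcpdump hex dumps quoted in the message.
REQUEST = bytes.fromhex(
    "4500003200004000401187c457c05b37"
    "ffffffff0f130f13001e1dd401010001"
    "0004004500010000000000000000ffba"
    "0fba")
# The reply is all zeros after its first 38 bytes, so the padding is generated.
REPLY = bytes.fromhex(
    "450001ac00000000ff115f49a9fefe01"
    "57c05b370f130f130198825201020001"
    "000500450001") + bytes(390)


def csum16(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; 0xFFFF means the stored checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode(pkt: bytes) -> dict:
    """Decode one IPv4/UDP datagram and check both checksums."""
    ver_ihl, _, total_len, _, flags_frag, ttl, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4  # IHL field counts 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len != len(pkt) or proto != 17:
        raise ValueError("not a complete IPv4/UDP datagram")
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if ulen != len(pkt) - ihl:
        raise ValueError("UDP length does not match the IP total length")
    # The UDP checksum also covers a pseudo-header built from the IP header.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, ulen)
    dotted = lambda a: ".".join(map(str, a))
    return {
        "src": dotted(src), "dst": dotted(dst), "ttl": ttl,
        "dont_fragment": bool(flags_frag & 0x4000),
        "sport": sport, "dport": dport, "payload": pkt[ihl + 8:],
        "ip_ok": csum16(pkt[:ihl]) == 0xFFFF,
        "udp_ok": csum16(pseudo + pkt[ihl:]) == 0xFFFF,
    }


def differing_offsets(a: bytes, b: bytes) -> list:
    """Offsets, within the shorter payload, where the two payloads differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
```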