decoding ripv2 packets with Packetor

I regularly read Daniel Miessler's blog and his Unsupervised Learning newsletter.  He recently mentioned a website called Packetor, which is a free online packet analyzer.

I captured some RIPv2 packets on my lab network using tcpdump, filtering for destination address 224.0.0.9, the multicast group address reserved for RIPv2 routers.  RIPv2 routers send their entire routing table to this address as a Response message on UDP port 520, periodically (every 30 seconds by default).  I captured the packets like so:

sudo tcpdump -i eno1 dst 224.0.0.9 -# -XX | tee ripd.txt

This command captures every packet sent to 224.0.0.9, numbers the packets (-#), prints each one in hex and ASCII including the link-layer header (-XX), and tees the output to ripd.txt while still showing it on the terminal.  Note that the filter matches more than RIP: frames 3 and 4 below are IGMPv2 membership reports from a host joining the 224.0.0.9 group, and only frames 5 and 6 are RIPv2 Responses (a filter of "udp port 520" would select just the routing updates).  Here is some of the tcpdump output.

 3 21:31:38.536458 IP 192.168.0.5 > rip2-routers.mcast.net: igmp v2 report rip2-routers.mcast.net
0x0000: 0100 5e00 0009 e411 5b40 6fa8 0800 46c0 ..^.....[@o...F.
0x0010: 0020 0000 4000 0102 4361 c0a8 0005 e000 ....@...Ca......
0x0020: 0009 9404 0000 1600 09f6 e000 0009 ..............
4 21:31:44.808348 IP 192.168.0.5 > rip2-routers.mcast.net: igmp v2 report rip2-routers.mcast.net
0x0000: 0100 5e00 0009 e411 5b40 6fa8 0800 46c0 ..^.....[@o...F.
0x0010: 0020 0000 4000 0102 4361 c0a8 0005 e000 ....@...Ca......
0x0020: 0009 9404 0000 1600 09f6 e000 0009 ..............
5 21:31:55.606022 IP 192.168.0.201.route > rip2-routers.mcast.net.route: RIPv2, Response, length: 64
0x0000: 0100 5e00 0009 0014 1c61 b1b4 0800 45c0 ..^......a....E.
0x0010: 005c 0000 0000 0211 1657 c0a8 00c9 e000 .\.......W......
0x0020: 0009 0208 0208 0048 ea3d 0202 0000 0002 .......H.=......
0x0030: 0000 0a0a 0a32 ffff ffff 0000 0000 0000 .....2..........
0x0040: 0001 0002 0000 0a14 1400 ffff ff00 0000 ................
0x0050: 0000 0000 0001 0002 0000 0a32 3206 ffff ...........22...
0x0060: ffff 0000 0000 0000 0002 ..........
6 21:32:21.206294 IP 192.168.0.201.route > rip2-routers.mcast.net.route: RIPv2, Response, length: 64
0x0000: 0100 5e00 0009 0014 1c61 b1b4 0800 45c0 ..^......a....E.
0x0010: 005c 0000 0000 0211 1657 c0a8 00c9 e000 .\.......W......
0x0020: 0009 0208 0208 0048 ea3d 0202 0000 0002 .......H.=......
0x0030: 0000 0a0a 0a32 ffff ffff 0000 0000 0000 .....2..........
0x0040: 0001 0002 0000 0a14 1400 ffff ff00 0000 ................
0x0050: 0000 0000 0001 0002 0000 0a32 3206 ffff ...........22...
0x0060: ffff 0000 0000 0000 0002 ..........

This is great and all, but I wanted to see some human-readable routing table information.  That is where Packetor came in.

I pasted the hex output of a frame from the router at 192.168.0.201 and got much more detailed information about the routing table ->
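Packetor's decode was a screenshot, but the same decode can be done by hand, and doing so shows exactly what is on the wire. The following is an added example, not code from the original post or from Packetor: a stand-alone Python decoder that takes frame 5 above exactly as tcpdump printed it, rebuilds the raw bytes from the hex column, and walks Ethernet II, IPv4, UDP and RIPv2 (RFC 2453). FRAME5_HEXDUMP is copied from the capture; the function names and the layout of the returned dictionary are my own choices.

```python
"""Decode a RIPv2 Response from tcpdump -XX hex output (added example).

Not code from the original post or from Packetor: rebuilds the frame from the
hex column of tcpdump's output and walks Ethernet -> IPv4 -> UDP -> RIPv2.
"""
import ipaddress
import re
import struct

# Frame 5 from the capture above, pasted verbatim (router 192.168.0.201 -> 224.0.0.9).
FRAME5_HEXDUMP = r"""
0x0000: 0100 5e00 0009 0014 1c61 b1b4 0800 45c0 ..^......a....E.
0x0010: 005c 0000 0000 0211 1657 c0a8 00c9 e000 .\.......W......
0x0020: 0009 0208 0208 0048 ea3d 0202 0000 0002 .......H.=......
0x0030: 0000 0a0a 0a32 ffff ffff 0000 0000 0000 .....2..........
0x0040: 0001 0002 0000 0a14 1400 ffff ff00 0000 ................
0x0050: 0000 0000 0001 0002 0000 0a32 3206 ffff ...........22...
0x0060: ffff 0000 0000 0000 0002 ..........
"""

RIP_PORT = 520
HEX_GROUP = re.compile(r"^(?:[0-9a-fA-F]{2}){1,2}$")  # one or two bytes per group
RIP_COMMANDS = {1: "Request", 2: "Response"}
RIP_AUTH_TYPES = {2: "simple password (cleartext)", 3: "keyed MD5"}


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from tcpdump -X/-XX lines ('0xOFFS: <hex groups> <ascii>').

    A line carries at most 16 bytes (8 groups of 4 hex digits); hex-looking
    groups are taken until the first token that is not hex, which drops the
    ASCII column on the right.
    """
    out = bytearray()
    for line in dump.splitlines():
        offset, sep, rest = line.partition(":")
        if not sep or not offset.strip().lower().startswith("0x"):
            continue
        groups = []
        for tok in rest.split():
            if len(groups) == 8 or not HEX_GROUP.match(tok):
                break
            groups.append(tok)
        out += bytes.fromhex("".join(groups))
    return bytes(out)


def parse_ripv2_frame(frame: bytes) -> dict:
    """Walk Ethernet II -> IPv4 -> UDP -> RIPv2 and return the decoded message."""
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != 0x0800:
        raise ValueError(f"not IPv4 (ethertype 0x{eth_type:04x})")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError(f"not UDP (protocol {ip[9]})")
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    if dport != RIP_PORT:
        raise ValueError(f"not RIP (UDP dst port {dport})")
    rip = udp[8:ulen]
    command, version = rip[0], rip[1]
    if version != 2:
        raise ValueError(f"RIP version {version}, expected 2")

    routes, auth = [], None
    body = rip[4:]  # 20-byte route entries follow the 4-byte header
    for off in range(0, len(body) - 19, 20):
        afi, tag = struct.unpack("!HH", body[off:off + 4])
        if afi == 0xFFFF:
            if tag == 1:  # trailing MD5 digest entry (RFC 2082), not a route
                continue
            # Authentication entry (RFC 2453 s4.1): the route-tag field holds the auth type.
            auth = {"type": RIP_AUTH_TYPES.get(tag, f"unknown ({tag})")}
            if tag == 2:  # the password travels in the clear in the next 16 bytes
                auth["password"] = body[off + 4:off + 20].rstrip(b"\x00").decode("ascii", "replace")
            continue
        addr, mask, nexthop, metric = struct.unpack("!4s4s4sI", body[off + 4:off + 20])
        net = ipaddress.IPv4Network(
            f"{ipaddress.IPv4Address(addr)}/{ipaddress.IPv4Address(mask)}", strict=False)
        routes.append({
            "network": net.with_prefixlen,
            "next_hop": str(ipaddress.IPv4Address(nexthop)),  # 0.0.0.0 means "via the sender"
            "metric": metric,  # hop count; 16 means unreachable
            "tag": tag,
        })
    return {
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "sport": sport,
        "dport": dport,
        "command": RIP_COMMANDS.get(command, f"unknown ({command})"),
        "version": version,
        "auth": auth,
        "routes": routes,
    }


def decode_hexdump(dump: str) -> dict:
    return parse_ripv2_frame(hexdump_to_bytes(dump))


if __name__ == "__main__":
    msg = decode_hexdump(FRAME5_HEXDUMP)
    print(f"RIPv2 {msg['command']} from {msg['src']}:{msg['sport']} to {msg['dst']}:{msg['dport']}")
    print("authentication:", msg["auth"] or "none (update is unauthenticated)")
    for r in msg["routes"]:
        print(f"  {r['network']:<20} next hop {r['next_hop']:<12} metric {r['metric']}")
```

Running it shows the router at 192.168.0.201 advertising 10.10.10.50/32 and 10.20.20.0/24 at metric 1 and 10.50.50.6/32 at metric 2, all with next hop 0.0.0.0, which in RIPv2 means "reach it through the router that sent this". The decoder also reports whether the update carried an authentication entry (address family 0xFFFF); this one did not, so any host on the segment that can send to 224.0.0.9 could inject a Response in the same format and be believed by RIP listeners. With simple-password authentication the password sits in the clear inside that entry, which is why the decoder prints it when present.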

I'm impressed.  Definitely going into ctrl+d.
