I had tried to bind my internet PDN on my phone to a particular interface like wlan0 or cdma0. So I bound the IP address to the TCP socket created and tried to send an HTTP GET request to google.com. What I get in tcpdump is a very strange log.

My queries are:

1. What are these protocol names 0c4a7d and 0xdb40, and why am I not able to see any TCP protocol?
2. How do I know if the data actually passed from the PDN I wanted it to go through, because there aren't any HTTP packets etc.?

Please let me know if any more info is required.

Regards Tariq

First image shows the request

Second image shows the response

tariq zafar
  • "What are these protocol names 0c4a7d and 0xdb40? and why am I not able to see any TCP protocol?" Because whatever program wrote `tcp_mnet0.pcap` put the wrong link-layer header type on it, so Wireshark can't interpret it correctly. On what OS was the program that captured it running, and what interface was it capturing on? –  Apr 22 '13 at 20:57
  • This app is for Android. As I said earlier, I wanted to bind the socket to a particular IP address of an interface. The reason is that when WiFi is on, the internet PDN is not used. My intent is to set up and use the internet PDN in the presence of WiFi. So I set up the internet connection, which is successfully done, and then I want to send an HTTP request through this interface. So I made a TCP socket, bound it to the local interface address and sent an HTTP GET request. So this is the internet PDN interface. Hope I could clarify your queries. (For setting up the socket and sending the HTTP request I am using the native interface.) – tariq zafar Apr 23 '13 at 05:06
  • The only app that's relevant here is the one that captured the traffic, which I'm assuming from the title of the question is tcpdump. If you mean that *tcpdump* was running on Android, what was the name of the interface (if you specified a `-i` flag when capturing, what was the argument to `-i`)? –  Apr 23 '13 at 05:43
  • Thanks for the reply. Yeah, tcpdump was used for capture and the interface name I used was cdma_rmnet0. – tariq zafar Apr 23 '13 at 05:54
  • So what particular model of Android phone is this? (And from what manufacturer?) I'll have to look at the kernel to see what the problem is; the `cdma_rmnet0` device probably has `ARPHRD_ETHER` as the link-layer header type it tells code such as libpcap (as used by tcpdump and Wireshark) it has, but that's completely bogus - it's ***NOT*** supplying Ethernet headers! –  Apr 23 '13 at 21:43
  • In fact, it's probably not supplying *any* link-layer headers, given that the packets all begin with 0x45, which is the most common first byte of an IPv4 header. libpcap will have to special-case that device, at least until they fix the `ARPHRD_` value its driver supplies, so I need to see whether this is a generic Android problem or a problem with a particular driver (so that libpcap can correctly identify the problematic devices). That's why I need information about the phone. –  Apr 24 '13 at 03:14
  • However, a workaround might be to run the command `editcap -T rawip tcp_rmnet0.pcap tcp_rmnet0_fixed.pcap`, and try reading the `tcp_rmnet0_fixed.pcap` command that this produces. –  Apr 24 '13 at 03:17
  • Thanks a lot for your replies. I'll try your suggestion. I am sorry, but I can't divulge details about the phone except that it is not a production phone :(. However, I would like to point out that if I collect the logs on the wlan0 interface without running my program I can see normal TCP packets flowing. And I am not much of a kernel person. Thanks again for your help. Any more suggestions are surely welcome. – tariq zafar Apr 24 '13 at 05:52
  • Well, one suggestion is "complain to whoever wrote the driver for the `cdma_rmnet0` adapter and tell them that if they're providing no link-layer headers, the appropriate `ARPHRD_` value is `ARPHRD_NONE` *even if that means they have to fix either kernel or userland code that can't handle `ARPHRD_NONE`, including dhcpd*". (I.e., don't make people trying to capture network traffic suffer for dhcpd's inadequacies.) –  May 10 '13 at 23:43
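
The diagnosis in the comments above (a capture labeled Ethernet whose records actually begin with the IPv4 first byte 0x45), as an added example that is not part of the original thread: it checks a classic pcap file for that mismatch and relabels it as `LINKTYPE_RAW` (101), the pcap link type for packets that start directly with an IP header. All function names are hypothetical, the sample packet is constructed, and pcapng files are not handled.

```python
import struct

LINKTYPE_ETHERNET = 1  # what the capture file claims
LINKTYPE_RAW = 101     # records begin directly with an IPv4/IPv6 header

def endian(data):
    """Byte order of a classic pcap file, taken from its magic number."""
    for fmt in ("<", ">"):
        if struct.unpack_from(fmt + "I", data, 0)[0] in (0xA1B2C3D4, 0xA1B23C4D):
            return fmt
    raise ValueError("not a classic pcap file")

def records(data):
    """Yield (original_length, captured_bytes) for each packet record."""
    e, off = endian(data), 24              # global header is 24 bytes
    while off + 16 <= len(data):
        incl, orig = struct.unpack_from(e + "II", data, off + 8)
        yield orig, data[off + 16: off + 16 + incl]
        off += 16 + incl

def is_ip_start(orig_len, pkt):
    """IPv4: version 4, IHL >= 5, total length equals the packet length."""
    if len(pkt) >= 20 and (pkt[0] >> 4) == 4:
        total_len = struct.unpack_from(">H", pkt, 2)[0]
        return (pkt[0] & 0x0F) >= 5 and total_len == orig_len
    return len(pkt) >= 40 and (pkt[0] >> 4) == 6   # IPv6: version nibble only

def looks_like_raw_ip(data):
    pkts = list(records(data))
    return bool(pkts) and all(is_ip_start(o, p) for o, p in pkts)

def relabel_raw_ip(data):
    """Return the capture with link type 101 if it is mislabeled raw IP."""
    e = endian(data)
    if struct.unpack_from(e + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        return data
    if not looks_like_raw_ip(data):
        return data                        # real Ethernet frames: leave alone
    return data[:20] + struct.pack(e + "I", LINKTYPE_RAW) + data[24:]

def build_pcap(linktype, packets):
    """Constructed test input: a little-endian pcap holding `packets`."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for p in packets:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out

# Constructed sample: one bare 20-byte IPv4 header (192.0.2.1 -> 192.0.2.2).
SAMPLE_IP = bytes.fromhex("450000140001000040060000c0000201c0000202")
```

Only the 4-byte link-type field of the global header changes; the packet records are copied through untouched.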

1 Answer

For question 1: Check your preferences (Edit -> Preferences), then select User Interface -> Columns and check if the Column with Title = Protocol is also of Field type Protocol. If not, delete that one and add it on the bottom.

TimVK
  • Hi, Thanks for your reply. It already has title = Protocol and moreover for TCP packets it shows protocol as TCP. – tariq zafar Apr 22 '13 at 10:52