AFS Transfer Example
Captured by Connie Logg
Here is an example of AFS traffic. It involves the transfer of 5700 bytes of data. Since the MTU is only 1500, this data must be broken up into multiple packets (fragments of the data stream). There are 4 packets in this flow. The first UDP packet contains the port numbers, and the following 3 UDP packets contain the rest of the data. I want to have these counted, because they represent a large portion of the data. The statistics from analyzing the NetFlow data will be grossly wrong if they are not, since we have a lot of large data transfers. The identification field is the key to counting the packets correctly. From the results that I see when I compare a packet capture with the NetFlow records, it appears that the last 3 packets are counted as being from/to port 0.
---Packet 1: has ports in it for level 3 decode
---------
----- Level # 1 is ETHERNET Offset: 0 Size: 14
Dest Address : Cisco -07-ac-10 00 00 0c 07 ac 10 ......
Source Address : Sun -9a-d8-b3 08 00 20 9a d8 b3 .. ...
Type : 2048 (DoD IP) 08 00 ..
----- Level # 2 is DoD IP Offset: 14 Size: 20
Version : 4 4 .
Header Length : 20 5 .
Type Of Service: 0 00 .
: 000..... Routine
: ...0.... Normal Delay
: ....0... Normal Throughput
: .....0.. Normal Reliability
Total Length : 1500 05 dc ..
Identification : 2736 0a b0 --- critical info: identification
Flags : 3 3 .
: 0.. Reserved
: .1. Don't Fragment
: ..1 More Fragments --- note more fragments to come
Fragment Offset: 0 60 00 `.
Time To Live : 255 ff .
Protocol : 17 (DODUDP) 11 .
Header Checksum: 44704 ae a0 ..
Source Address : [134.79.16.109] AFS09.SLAC.Stanfo86 4f 10 6d .O.m
Dest Address : [128.138.133.121] blanca.Colorado80 8a 85 79 ...y
----- Level # 3 is DoD UDP Offset: 34 Size: 8
Source Port : 7000 (AFS3-FILESERVER) 1b 58 .X
Dest Port : 7001 (AFS3-CALLBACK) 1b 59 .Y
--- note has ports in it
Length : 5700 16 44 .D
--- total transfer length
Checksum : 23042 5a 02 Z.
----- Level # 7 is UserData Offset: 42 Size: 1476
00032: a5 f5 c1 83 67 08 ....g.
00048: 90 3c 00 00 00 07 00 00 00 01 00 00 00 08 01 02 .<..............
....
---Packet 2: UDP data packet with NO port info...just data
---------
Frame 49 Size 1518 Absolute Time Apr 26 15:41:35.401 ASCII MODE
-------------------------------------------------------------------------------
----- Level # 1 is ETHERNET Offset: 0 Size: 14
Dest Address : Cisco -07-ac-10 00 00 0c 07 ac 10 ......
Source Address : Sun -9a-d8-b3 08 00 20 9a d8 b3 .. ...
Type : 2048 (DoD IP) 08 00 ..
----- Level # 2 is DoD IP Offset: 14 Size: 20
Version : 4 4 .
Header Length : 20 5 .
Type Of Service: 0 00 .
: 000..... Routine
: ...0.... Normal Delay
: ....0... Normal Throughput
: .....0.. Normal Reliability
Total Length : 1500 05 dc ..
Identification : 2736 0a b0 --- critical info: identification
Flags : 3 3 .
: 0.. Reserved
: .1. Don't Fragment
: ..1 More Fragments --- more fragments to come
Fragment Offset: 1480 60 b9 `.
Time To Live : 255 ff .
Protocol : 17 (DODUDP) 11 .
Header Checksum: 44519 ad e7 ..
Source Address : [134.79.16.109] AFS09.SLAC.Stanfo86 4f 10 6d .O.m
Dest Address : [128.138.133.121] blanca.Colorado80 8a 85 79 ...y
----- Level # 7 is UserData Offset: 34 Size: 1484
00032: 65 64 75 20 4e 4f 5f 55 4e 49 58 49 44 20 edu NO_UNIXID
---Packet 3: Another fragment...udp data packet only
---------
Frame 50 Size 1518 Absolute Time Apr 26 15:41:35.402 ASCII MODE
-------------------------------------------------------------------------------
----- Level # 1 is ETHERNET Offset: 0 Size: 14
Dest Address : Cisco -07-ac-10 00 00 0c 07 ac 10 ......
Source Address : Sun -9a-d8-b3 08 00 20 9a d8 b3 .. ...
Type : 2048 (DoD IP) 08 00 ..
----- Level # 2 is DoD IP Offset: 14 Size: 20
Version : 4 4 .
Header Length : 20 5 .
Type Of Service: 0 00 .
: 000..... Routine
: ...0.... Normal Delay
: ....0... Normal Throughput
: .....0.. Normal Reliability
Total Length : 1500 05 dc ..
Identification : 2736 0a b0 --- critical info: identification
Flags : 3 3 .
: 0.. Reserved
: .1. Don't Fragment
: ..1 More Fragments ---more fragments to come
Fragment Offset: 2960 61 72 ar
Time To Live : 255 ff .
Protocol : 17 (DODUDP) 11 .
Header Checksum: 44334 ad 2e ..
Source Address : [134.79.16.109] AFS09.SLAC.Stanfo86 4f 10 6d .O.m
Dest Address : [128.138.133.121] blanca.Colorado80 8a 85 79 ...y
----- Level # 7 is UserData Offset: 34 Size: 1484
00032: 73 61 2e 69 6e 66 6e 2e 69 74 20 43 4f 53 sa.infn.it COS
00048: 54 41 4e 54 49 20 43 6f 73 74 61 6e 74 69 6e 69 TANTI Costantini
---Packet 4: Last UDP data packet
---------
Frame 51 Size 1298 Absolute Time Apr 26 15:41:35.402 ASCII MODE
-------------------------------------------------------------------------------
----- Level # 1 is ETHERNET Offset: 0 Size: 14
Dest Address : Cisco -07-ac-10 00 00 0c 07 ac 10 ......
Source Address : Sun -9a-d8-b3 08 00 20 9a d8 b3 .. ...
Type : 2048 (DoD IP) 08 00 ..
----- Level # 2 is DoD IP Offset: 14 Size: 20
Version : 4 4 .
Header Length : 20 5 .
Type Of Service: 0 00 .
: 000..... Routine
: ...0.... Normal Delay
: ....0... Normal Throughput
: .....0.. Normal Reliability
Total Length : 1280 05 00 ..
Identification : 2736 0a b0 --- critical info: identification
Flags : 2 2 .
: 0.. Reserved
: .1. Don't Fragment
: ..0 Last Fragment ---last fragment
Fragment Offset: 344 42 2b B+
Time To Live : 255 ff .
Protocol : 17 (DODUDP) 11 .
Header Checksum: 52561 cd 51 .Q
Source Address : [134.79.16.109] AFS09.SLAC.Stanfo86 4f 10 6d .O.m
Dest Address : [128.138.133.121] blanca.Colorado80 8a 85 79 ...y
----- Level # 7 is UserData Offset: 34 Size: 1264
00032: 70 69 73 61 2e 69 6e 66 6e 2e 69 74 20 42 pisa.infn.it B
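
The accounting problem described at the top of this page, as an added example that is not part of the original capture notes: the Python below rebuilds the four IP headers from the values shown above (constructed headers, payloads omitted) and compares per-packet port accounting with accounting keyed on source, destination, protocol and identification. The function names are this example's own.

```python
import struct
from collections import defaultdict

SRC, DST = bytes([134, 79, 16, 109]), bytes([128, 138, 133, 121])

def ip_hdr(total_len, ident, flags_off):
    # Constructed 20-byte IPv4 header; checksum left at 0, it is not checked here.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                       flags_off, 255, 17, 0, SRC, DST)

# Constructed sample: header values of the four packets in the capture.
UDP_HDR = struct.pack("!HHHH", 7000, 7001, 5700, 23042)
PACKETS = [
    ip_hdr(1500, 2736, 0x6000) + UDP_HDR,   # first fragment carries the ports
    ip_hdr(1500, 2736, 0x60B9),
    ip_hdr(1500, 2736, 0x6172),
    ip_hdr(1280, 2736, 0x422B),             # last fragment, More Fragments clear
]

def parse(pkt):
    (vihl, _, total_len, ident, flags_off,
     _, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    offset = (flags_off & 0x1FFF) * 8       # 13-bit field, in 8-byte units
    ports = (0, 0)                          # a non-first fragment has no UDP header
    if offset == 0 and len(pkt) >= ihl + 4:
        ports = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (src, dst, proto, ident), offset, ports, total_len

def account(packets, use_identification):
    """Return {(sport, dport): [packets, ip_bytes]}."""
    parsed = [parse(p) for p in packets]
    # First pass: remember the ports of each datagram's first fragment,
    # so fragments that arrive out of order are still attributed.
    first_ports = {key: ports for key, off, ports, _ in parsed if off == 0}
    flows = defaultdict(lambda: [0, 0])
    for key, _, ports, total_len in parsed:
        if use_identification:
            # If the first fragment was never seen, the traffic stays on port 0.
            ports = first_ports.get(key, (0, 0))
        flows[ports][0] += 1
        flows[ports][1] += total_len
    return dict(flows)

def fragment_offsets(packets):
    return [parse(p)[1] for p in packets]

if __name__ == "__main__":
    print("per packet        :", account(PACKETS, False))
    print("by identification :", account(PACKETS, True))
    print("fragment offsets  :", fragment_offsets(PACKETS))
```

The offset bytes `42 2b` of packet 4 decode to 4440 (the listing prints 344, which is 4440 modulo 4096), and 4440 plus that fragment's 1260 data bytes gives the UDP length of 5700.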