Lower Window

The lower window displays information about the other types of traffic on your network. The following protocols are detected:

Unrecognized IP packets are indicated by their protocol numbers while non-IP packets are indicated as Non-IP in the lower window.

Note

The source and destination addresses for ARP and RARP entries are MAC addresses.

Strictly speaking, ARP and RARP packets aren't IP packets, since they are not encapsulated in an IP datagram. They're just indicated because they are integral to proper IP operation on LANs.

For all packets in the lower window, only the first IP fragment is indicated (since that contains the header of the IP-encapsulated protocol) but with no further information from the encapsulated protocol.

UDP packets are also displayed in address:port format while ICMP entries also contain the ICMP message type. For easier location, each type of protocol is color-coded (only on color terminals such as the Linux console).

UDP

Red on White

ICMP

Yellow on Blue

OSPF

Black on Cyan

IGRP

Bright white on Cyan

IGP

Red on Cyan

IGMP

Bright green on Blue

GRE

Blue on white

ARP

Bright white on Red

RARP

Bright white on Red

Other IP

Yellow on red

Non-IP

Yellow on Red

The lower window can hold up to 512 entries. You can scroll the lower window by using the W key to move the Active indicator to it, and by using the Up and Down cursor keys. The lower window automatically scrolls every time a new entry is added, and either the first entry or last entry is visible. Upon reaching 512 entries, old entries are thrown out as new entries are added.

Some entries may be too long to completely fit in a screen line. You can use the Left and Right cursor keys to horizontally scroll the lower window when it is marked Active.

Entries for packets received on LAN interfaces also include the source MAC address of the LAN host which delivered it. This behavior is enabled by turning on the Source MAC addrs in traffic monitor toggle in the Configure... menu.

Entry Details

In general, the entries in the lower window indicate the protocol, the IP datagram size (full frame size for non-IP, including ARP and RARP), the source address, the destination address, and the network interface the packet was detected on. However, some protocols have a little more information.

ICMP

ICMP entries are displayed in this format:

ICMP type [(subtype)] (size bytes) from source to destination
[(src HWaddr srcMACaddress)] on interface

where type could be any of the following:

echo req, echo rply

ICMP echo request and reply. Usually used by the ping program and other network monitoring and diagnostic programs.

dest unrch

ICMP destination unreachable. Something failed to reach its target. The dest unrch type is supplemented with a further indicator of the problem. Destination unreachable messages for TCP traffic cause the corresponding TCP entry in the upper window to be made available for reuse by new connections.

redirct

ICMP redirect. Usually generated by a router to tell a host that a better gateway is available.

src qnch

The ICMP source quench is used to stop a host from transmitting. It's a flow control mechanism for IP.

time excd

Indicates a packet's time-to-live value expired before it got to its destination. Mostly happens if a destination is too far away. Also used by the traceroute program.

router adv

ICMP router advertisement

router sol

ICMP router solicitation

timestmp req

ICMP timestamp request

timestmp rep

ICMP timestamp reply

info req

ICMP information request

info rep

ICMP information reply

addr mask req

ICMP address mask request

addr mask rep

ICMP address mask reply

param prob

ICMP parameter problem

bad/unknown

An unrecognized ICMP packet was received, or the packet is corrupted.

The destination unreachable message also includes information on the type of error encountered. Here are the destination unreachable codes:

ntwk

network unreachable

host

host unreachable

proto

protocol unreachable

port

port unreachable

pkt fltrd

packet filtered (normally by an access rule on a router or firewall)

DF set

the packet has to be fragmented somewhere, but its don't fragment (DF) bit is set.

src rte fail

source route failed

src isltd

source isolated (obsolete)

net comm denied

network communication denied

host comm denied

host communication denied

net unrch for TOS

network unreachable for specified IP type-of-service

host unrch for TOS

host unreachable for specified IP type-of-service

prec violtn

precedence violation

prec cutoff

precedence cutoff

dest net unkn

destination network unknown

dest host unkn

destination host unknown

For more information on ICMP, see RFC 792.

OSPF

OSPF messages also include a little more information. The format of an OSPF message in the window is:

OSPF type (a=area r=router) (size bytes) from source to destination
[(src HWaddr srcMACaddress)] on interface

The type can be one of the following:

hlo

OSPF hello. Hello messages establish OSPF communications and keep routers informed of each other's presence.

DB desc

OSPF Database Description

LSR

OSPF Link State Request

LSU

OSPF Link State Update. Messages indicating the states of the OSPF network links

LSA

OSPF Link State Acknowledgment

The entries in parentheses:

a=area

The area number of the OSPF message

r=router

The IP address of the router that generated the message. It is not necessarily the same as the source address of the encapsulating IP packet.

Often, the destination addresses for OSPF packets are class D multicast addresses, shown in standard dotted decimal notation or (if reverse lookup is enabled) as hosts under the MCAST.NET domain. Such multicast addresses are defined as follows:

224.0.0.5 (OSPF-ALL.MCAST.NET)

OSPF all routers

224.0.0.6 (OSPF-DSIG.MCAST.NET)

OSPF all designated routers

See RFC 1247 for details on the OSPF protocol.
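
The ICMP and OSPF entry formats above share one layout, so a single parser can turn saved entries into counts of ICMP types and subtypes and a list of OSPF router IDs per area to compare against the routers you expect. This is an added example, not code from IPTraf; it assumes the entries are available as text lines in the formats shown on this page, and the sample lines, the MAC address notation, the area value and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed input: text lines laid out as in the ICMP and OSPF formats on this page.
ENTRY_RE = re.compile(
    r"^(?P<proto>ICMP|OSPF) (?P<type>[^(]+?)"
    r"(?: \((?P<detail>[^)]+)\))?"            # ICMP subtype or OSPF a=/r= pair
    r" \((?P<size>\d+) ?bytes\)"
    r" from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: \(src HWaddr (?P<mac>[^)]+)\))?"    # only when the source MAC toggle is on
    r" on (?P<iface>\S+)$"
)

def parse_entry(line):
    """Return a dict for one ICMP/OSPF entry, or None for any other line."""
    m = ENTRY_RE.match(" ".join(line.split()))  # collapse wrapped whitespace
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"])
    if entry["proto"] == "OSPF":  # detail looks like "a=<area> r=<router>"
        fields = dict(kv.split("=", 1) for kv in (entry["detail"] or "").split() if "=" in kv)
        entry["area"], entry["router"] = fields.get("a"), fields.get("r")
    return entry

def summarize(lines):
    """Count ICMP (type, subtype) pairs and collect OSPF router IDs per area."""
    icmp, routers = Counter(), defaultdict(set)
    for entry in filter(None, map(parse_entry, lines)):
        if entry["proto"] == "ICMP":
            icmp[(entry["type"], entry["detail"])] += 1
        else:
            routers[entry["area"]].add(entry["router"])
    return icmp, dict(routers)

def unexpected_routers(routers, expected):
    """Router IDs seen in OSPF entries that are not in the expected inventory."""
    return sorted(set().union(*routers.values()) - set(expected))

# Constructed sample entries (documentation addresses, not real captures).
SAMPLE = [
    "ICMP dest unrch (port) (56 bytes) from 192.0.2.1 to 192.0.2.10 (src HWaddr 00a0c9112233) on eth0",
    "ICMP dest unrch (pkt fltrd) (56 bytes) from 198.51.100.7 to 192.0.2.10 on eth0",
    "ICMP redirct (56 bytes) from 192.0.2.254 to 192.0.2.10 on eth0",
    "OSPF hlo (a=0 r=192.0.2.1) (64 bytes) from 192.0.2.1 to 224.0.0.5 on eth0",
    "OSPF LSU (a=0 r=203.0.113.9) (96 bytes) from 192.0.2.77 to 224.0.0.5 on eth0",
    "UDP (76 bytes) from 192.0.2.10:123 to 192.0.2.1:123 on eth0",
]
print(summarize(SAMPLE))
```

Because the r= value is not necessarily the source address of the encapsulating IP packet, the comparison is made on router IDs rather than on source addresses.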