The lower window displays information about the other types of traffic on your network. The following protocols are detected:
User Datagram Protocol (UDP)
Internet Control Message Protocol (ICMP)
Open Shortest-Path First (OSPF)
Interior Gateway Routing Protocol (IGRP)
Interior Gateway Protocol (IGP)
Internet Group Management Protocol (IGMP)
General Routing Encapsulation (GRE)
Address Resolution Protocol (ARP)
Reverse Address Resolution Protocol (RARP)
Unrecognized IP packets are indicated by their protocol numbers while non-IP packets are indicated as Non-IP in the lower window.
The source and destination addresses for ARP and RARP entries are MAC addresses.
Strictly speaking, ARP and RARP packets aren't IP packets, since they are not encapsulated in an IP datagram. They're just indicated because they are integral to proper IP operation on LANs.
For all packets in the lower window, only the first IP fragment is indicated (since that contains the header of the IP-encapsulated protocol) but with no further information from the encapsulated protocol.
UDP packets are also displayed in address:port format while ICMP entries also contain the ICMP message type. For easier location, each type of protocol is color-coded (only on color terminals such as the Linux console).
Red on White
Yellow on Blue
Black on Cyan
Bright white on Cyan
Red on Cyan
Bright green on Blue
Blue on white
Bright white on Red
Bright white on Red
Yellow on red
Yellow on Red
The lower window can hold up to 512 entries. You can scroll the lower window by using the W key to move the Active indicator to it, and by using the Up and Down cursor keys. The lower window automatically scrolls every time a new entry is added, and either the first entry or last entry is visible. Upon reaching 512 entries, old entries are thrown out as new entries are added.
Some entries may be too long to completely fit in a screen line. You can use the Left and Right cursor keys to vertically scroll the lower window when it is marked Active.
Entries for packets received on LAN interfaces also include the source MAC address of the LAN host which delivered it. This behavior is enabled by turning on the Source MAC addrs in traffic monitor toggle in the Configure... menu.
In general, the entries in the lower window indicate the protocol, the IP datagram size (full frame size for non-IP, including ARP and RARP), the source address, the destination address, and the network interface the packet was detected on. However, some protocols have a little more information.
ICMP entries are displayed in this format:
ICMP type [(subtype)] (size bytes) from source to destination [(src HWaddr srcMACaddress)] on interface
where type could be any of the following:
ICMP echo request and reply. Usually used by the ping program and other network monitoring and diagnostic program.
ICMP destination unreachable. Something failed to reach its target. The dest unreach type is supplemented with a further indicator of the problem. Destination unreachable messages for TCP traffic causes the corresponding TCP entry in the upper window to be made available for reuse by new connections.
ICMP redirect. Usually generated by a router to tell a host that a better gateway is available.
The ICMP source quench is used to stop a host from transmitting. It's a flow control mechanism for IP.
Indicates a packet's time-to-live value expired before it got to its destination. Mostly happens if a destination is too far away. Also used by the traceroute program.
ICMP router advertisement
ICMP router solicitation
ICMP timestamp request
ICMP timestamp reply
ICMP information request
ICMP information reply
ICMP address mask request
ICMP address mask reply
ICMP parameter problem
An unrecognized ICMP packet was received, or the packet is corrupted.
The destination unreachable message also includes information on the type of error encountered. Here are the destination unreachable codes:
packet filtered (normally by an access rule on a router or firewall)
the packet has to be fragmented somewhere, but its don't fragment (DF) bit is set.
source route failed
source isolated (obsolete)
network communication denied
host communication denied
network unreachable for specified IP type-of-service
host unreachable for specified IP type-of-service
destination network unknown
destination network unknown
For more information on ICMP, see RFC 792.
OSPF messages also include a little more information. The format of an OSPF message in the window is:
OSPF type (a=area r=router) (sizebytes) from source to destination [(src HWaddr srcMACaddress)] on interface
The type can be one of the following:
OSPF hello. Hello messages establish OSPF communications and keep routers informed of each other's presence.
OSPF Database Description
OSPF Link State Request
OSPF Link State Update. Messages indicating the states of the OSPF network links
OSPF Link State Acknowledgment
The entries in parentheses:
The area number of the OSPF message
The IP address of the router that generated the message. It is not necessarily the same as the source address of the encapsulating IP packet.
Many times, the destination addresses for OSPF packets are class D multicast addresses in standard dotted decimal notation or (if reverse lookup is enabled), hosts under the MCAST.NET domain. Such multicast addresses are defined as follows:
OSPF all routers
OSPF all designated routers
See RFC 1247 for details on the OSPF protocol.