Understanding tcpdump's ip packet payload output


I was using tcpdump on Ubuntu to capture IP packets while I was connected to an FTP server. I got the output, but I did not fully understand it. Here's the output:

20:36:59.447287 IP 195.144.107.198.21 > 192.168.0.103.38358: Flags [P.], seq 1:15, ack 6, win 257, options [nop,nop,TS val 118776594 ecr 2892624995], length 14: FTP: 221 Goodbye.
0x0000: 4500 0042 67fb 4000 6906 b954 c390 6bc6 E..Bg.@.i..T..k.
0x0010: c0a8 0067 0015 95d6 b5d5 9b80 8f8f ed64 ...g...........d
0x0020: 8018 0101 273e 0000 0101 080a 0714 6312 ....'>........c.
0x0030: ac69 f463 3232 3120 476f 6f64 6279 652e .i.c221.Goodbye.
0x0040: 0d0a

This is the packet captured when I closed the connection with the FTP server. I understood the IP header, which is on the left, but I did not fully understand the payload. The "Goodbye" message was displayed when I exited from the FTP server, but what is the rest of it? I am talking about this:

E..Bg.@.i..T..k.
...g...........d
....'>........c.
.i.c221.Goodbye.
..

What are those periods, and random characters (apart from "Goodbye")?


Solution

  • Each of those dots is a non-printable character. When ASCII was first developed, 0-31 were control characters, some of which were designed to control messages. 127 is delete, which xxd also treats as a control character. These will all show as a . when interpreted by xxd.

    You can replicate this by saving every character from 0 to 127 in a file ascii_chars:

    seq 0 127 | while read n; do printf "\x$(printf %x $n)" $n >> ascii_chars; done
    

    If we pass this into xxd, we can see that the first 2 lines (0-31) and 127 are ..

    $ xxd ascii_chars
    00000000: 0001 0203 0405 0607 0809 0a0b 0c0d 0e0f  ................
    00000010: 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f  ................
    00000020: 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f   !"#$%&'()*+,-./
    00000030: 3031 3233 3435 3637 3839 3a3b 3c3d 3e3f  0123456789:;<=>?
    00000040: 4041 4243 4445 4647 4849 4a4b 4c4d 4e4f  @ABCDEFGHIJKLMNO
    00000050: 5051 5253 5455 5657 5859 5a5b 5c5d 5e5f  PQRSTUVWXYZ[\]^_
    00000060: 6061 6263 6465 6667 6869 6a6b 6c6d 6e6f  `abcdefghijklmno
    00000070: 7071 7273 7475 7677 7879 7a7b 7c7d 7e7f  pqrstuvwxyz{|}~.
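
Applied to the packet in the question, the same rule explains the rest of the dump: the bytes in front of "221 Goodbye." are the IP and TCP headers, rendered byte for byte in the right-hand column. The Python below is an added example, not part of the original answer; its function names are its own, and the bytes are transcribed from the hex column of the question's dump.

```python
import struct

# Hex column of the tcpdump dump from the question (66 bytes, offsets 0x0000-0x0041).
DUMP = """
4500 0042 67fb 4000 6906 b954 c390 6bc6
c0a8 0067 0015 95d6 b5d5 9b80 8f8f ed64
8018 0101 273e 0000 0101 080a 0714 6312
ac69 f463 3232 3120 476f 6f64 6279 652e
0d0a
"""
RAW = bytes.fromhex("".join(DUMP.split()))

def ascii_column(data: bytes) -> str:
    """Right-hand column as it appears in the dump: visible ASCII (0x21-0x7e)
    is shown as-is; every other byte, including space, becomes '.'."""
    return "".join(chr(b) if 0x21 <= b <= 0x7E else "." for b in data)

def parse_ipv4_tcp(raw: bytes) -> dict:
    """Split a raw IPv4/TCP packet into IP header, TCP header and payload."""
    if raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("not an IPv4 packet carrying TCP")
    ihl = (raw[0] & 0x0F) * 4                  # IP header length in bytes
    total_len = struct.unpack("!H", raw[2:4])[0]
    tcp = raw[ihl:total_len]
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4           # TCP header length incl. options
    return {
        "src": ".".join(map(str, raw[12:16])) + f".{sport}",
        "dst": ".".join(map(str, raw[16:20])) + f".{dport}",
        "ip_header": raw[:ihl],
        "tcp_header": tcp[:data_off],
        "flags": off_flags & 0x1FF,            # 0x018 = PSH|ACK, shown as [P.]
        "window": window,
        "payload": tcp[data_off:],
    }

if __name__ == "__main__":
    pkt = parse_ipv4_tcp(RAW)
    print(pkt["src"], ">", pkt["dst"], "win", pkt["window"])
    for name in ("ip_header", "tcp_header", "payload"):
        print(f"{name:10} {len(pkt[name]):2} bytes  {ascii_column(pkt[name])}")
    print("payload as text:", pkt["payload"])
```

The first 20 bytes are the IP header, the next 32 are the TCP header with its timestamp option, and only the last 14 bytes are the FTP reply, matching `length 14` in the summary line.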