Packet Trace of Win95 Booting


This is a detailed look at a Win95 machine booting. All non-IPX transactions are described in detail whenever possible. Some packets are rearranged in order to group transactions together. However, no packet content has been modified.

DHCP

DHCP server is 128.2.6.17

Address received: 128.2.6.192.

20:25:56.940532 0.0.0.0.68 > 255.255.255.255.67:
20:25:57.030532 128.2.6.17.67 > 255.255.255.255.68: [tos 0x10]
20:25:57.030532 arp who-has 128.2.6.192 tell 128.2.6.192

NetBIOS Registration

Registers with the WINS server at 128.2.35.60. Registrations: Confirmed via the output of nbtstat -n.

20:25:58.940532 arp who-has 128.2.6.124 tell 128.2.6.192
20:25:58.940532 arp reply 128.2.6.124 is-at 0:e0:8f:9:90:0
20:25:58.940532 128.2.6.192.137 > 128.2.35.60.137: NBT UDP PACKET(137)
20:25:58.960532 128.2.35.60.137 > 128.2.6.192.137: NBT UDP PACKET(137)
20:26:00.440532 128.2.6.192.137 > 128.2.35.60.137: NBT UDP PACKET(137)
20:26:00.440532 128.2.6.192.137 > 128.2.35.60.137: NBT UDP PACKET(137)
20:26:00.480532 128.2.35.60.137 > 128.2.6.192.137: NBT UDP PACKET(137)
20:26:00.510532 128.2.35.60.137 > 128.2.6.192.137: NBT UDP PACKET(137)
[ ... ]
20:26:03.150532 128.2.6.192.137 > 128.2.35.60.137: NBT UDP PACKET(137)
20:26:03.180532 128.2.35.60.137 > 128.2.6.192.137: NBT UDP PACKET(137)
20:26:03.610532 128.2.6.192.137 > 128.2.35.60.137: NBT UDP PACKET(137)
20:26:03.620532 128.2.35.60.137 > 128.2.6.192.137: NBT UDP PACKET(137)

IPX Stuff

20:26:02.640532 0.00:aa:00:ac:21:3f.4006 > 0.ff:ff:ff:ff:ff:ff.452:ipx-sap-nearest-req 4 ''
20:26:02.650532 10.00:e0:f7:58:a1:20.452 > 10.00:aa:00:ac:21:3f.4006: ipx-#4006 66
20:26:07.170532 0.00:aa:00:ac:21:3f.4008 > 0.ff:ff:ff:ff:ff:ff.453:ipx-rip-req 2147633159/65535.65535
20:26:07.180532 10.00:e0:f7:58:a1:20.453 > 10.00:aa:00:ac:21:3f.4008: ipx-#4008 10
20:26:07.180532 10.00:aa:00:ac:21:3f.4002 > 80024807.00:00:00:00:00:01.451: ipx-ncp 7
20:26:07.190532 80024807.00:00:00:00:00:01.451 > 10.00:aa:00:ac:21:3f.4002: ipx-#4002 8
20:26:07.190532 10.00:aa:00:ac:21:3f.4002 > 80024807.00:00:00:00:00:01.451: ipx-ncp 10
20:26:07.200532 80024807.00:00:00:00:00:01.451 > 10.00:aa:00:ac:21:3f.4002: ipx-#4002 136
20:26:07.200532 10.00:aa:00:ac:21:3f.4002 > 80024807.00:00:00:00:00:01.451: ipx-ncp 10
20:26:07.210532 80024807.00:00:00:00:00:01.451 > 10.00:aa:00:ac:21:3f.4002: ipx-#4002 13
20:26:07.210532 10.00:aa:00:ac:21:3f.4002 > 80024807.00:00:00:00:00:01.4002: ipx-#4002 1468
20:26:07.260532 80024807.00:00:00:00:00:01.4002 > 10.00:aa:00:ac:21:3f.4002: ipx-#4002 1468
20:26:07.260532 10.00:aa:00:ac:21:3f.4002 > 80024807.00:00:00:00:00:01.4002: ipx-#4002 10
20:26:07.270532 80024807.00:00:00:00:00:01.4002 > 10.00:aa:00:ac:21:3f.4002: ipx-#4002 10
20:26:07.270532 10.00:aa:00:ac:21:3f.4002 > 80024807.00:00:00:00:00:01.451: ipx-ncp 9
20:26:07.280532 80024807.00:00:00:00:00:01.451 > 10.00:aa:00:ac:21:3f.4002: ipx-#4002 10
20:26:07.280532 10.00:aa:00:ac:21:3f.4002 > 80024807.00:00:00:00:00:01.451: ipx-ncp 45
20:26:07.290532 80024807.00:00:00:00:00:01.451 > 10.00:aa:00:ac:21:3f.4002: ipx-#4002 8
20:26:07.290532 10.00:aa:00:ac:21:3f.4002 > 80024807.00:00:00:00:00:01.451: ipx-ncp 25
20:26:07.300532 80024807.00:00:00:00:00:01.451 > 10.00:aa:00:ac:21:3f.4002: ipx-#4002 16

User Registration

Registers the name RYAN 0x03 with the WINS server.

20:26:18.930532 128.2.6.192.137 > 128.2.35.60.137: NBT UDP PACKET(137)
20:26:18.950532 128.2.35.60.137 > 128.2.6.192.137: NBT UDP PACKET(137)
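
Added example, not from the original page: the trace prints the NBNS packets only as "NBT UDP PACKET(137)", so this shows how a registered name such as RYAN 0x03 is carried inside them, using the first-level encoding defined in RFC 1001/1002. The wire bytes are constructed from the name the page gives, not taken from the capture, and the function names are this example's own.

```python
def encode_name(name, suffix):
    """First-level encode a NetBIOS name and its one-byte suffix (RFC 1001/1002)."""
    raw = name.upper().encode("ascii")          # names are upper-cased by convention
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = raw.ljust(15, b" ") + bytes([suffix])  # pad to 15 with spaces, 16th byte = suffix
    # Each byte becomes two letters: 'A' + high nibble, then 'A' + low nibble.
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_label(wire):
    """Decode an unscoped name label from an NBNS packet: 0x20, 32 letters, 0x00."""
    if len(wire) < 34 or wire[0] != 0x20 or wire[33] != 0x00:
        raise ValueError("not an unscoped first-level encoded NetBIOS name")
    enc = wire[1:33]
    if any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("encoded bytes must be in 'A'..'P'")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(" "), raw[15]


# Constructed sample (not captured): the label a registration for RYAN 0x03 would carry.
SAMPLE_LABEL = b"\x20" + encode_name("RYAN", 0x03).encode("ascii") + b"\x00"

if __name__ == "__main__":
    print(SAMPLE_LABEL[1:33].decode("ascii"))
    print(decode_label(SAMPLE_LABEL))
```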

NTP Synchronization

Local NTP client synchronizes with the NTP daemon running on netserver.

20:26:39.450532 128.2.6.192.1025 > 128.2.35.50.37: S 50073:50073(0) win 8192 <mss 1460> (DF)
20:26:39.460532 128.2.35.50.37 > 128.2.6.192.1025: S 413261722:413261722(0) ack 50074 win 8760 <mss 1460> (DF)
20:26:39.460532 128.2.6.192.1025 > 128.2.35.50.37: . ack 1 win 8760 (DF)
20:26:39.470532 128.2.35.50.37 > 128.2.6.192.1025: P 1:5(4) ack 1 win 8760 (DF)
20:26:39.470532 128.2.35.50.37 > 128.2.6.192.1025: F 5:5(0) ack 1 win 8760 (DF)
20:26:39.470532 128.2.6.192.1025 > 128.2.35.50.37: . ack 6 win 8756 (DF)
20:26:39.520532 128.2.6.192.1025 > 128.2.35.50.37: F 1:1(0) ack 6 win 8756 (DF)
20:26:39.520532 128.2.6.192.1026 > 128.2.35.50.37: S 50147:50147(0) win 8192 <mss 1460> (DF)
20:26:39.530532 128.2.35.50.37 > 128.2.6.192.1025: . ack 2 win 8760 (DF)
20:26:39.530532 128.2.35.50.37 > 128.2.6.192.1026: S 413373692:413373692(0) ack 50148 win 8760 <mss 1460> (DF)
20:26:39.530532 128.2.6.192.1026 > 128.2.35.50.37: . ack 1 win 8760 (DF)
20:26:39.540532 128.2.35.50.37 > 128.2.6.192.1026: P 1:5(4) ack 1 win 8760 (DF)
20:26:39.540532 128.2.35.50.37 > 128.2.6.192.1026: F 5:5(0) ack 1 win 8760 (DF)
20:26:39.540532 128.2.6.192.1026 > 128.2.35.50.37: . ack 6 win 8756 (DF)
20:26:39.540532 128.2.6.192.1026 > 128.2.35.50.37: F 1:1(0) ack 6 win 8756 (DF)
20:26:39.540532 128.2.6.192.1027 > 128.2.35.50.37: S 50166:50166(0) win 8192 <mss 1460> (DF)
20:26:39.550532 128.2.35.50.37 > 128.2.6.192.1026: . ack 2 win 8760 (DF)
20:26:39.550532 128.2.35.50.37 > 128.2.6.192.1027: S 413565871:413565871(0) ack 50167 win 8760 <mss 1460> (DF)
20:26:39.550532 128.2.6.192.1027 > 128.2.35.50.37: . ack 1 win 8760 (DF)
20:26:39.560532 128.2.35.50.37 > 128.2.6.192.1027: P 1:5(4) ack 1 win 8760 (DF)
20:26:39.560532 128.2.35.50.37 > 128.2.6.192.1027: F 5:5(0) ack 1 win 8760 (DF)
20:26:39.560532 128.2.6.192.1027 > 128.2.35.50.37: . ack 6 win 8756 (DF)
20:26:39.560532 128.2.6.192.1027 > 128.2.35.50.37: F 1:1(0) ack 6 win 8756 (DF)
20:26:39.560532 128.2.6.192.1028 > 128.2.35.50.37: S 50183:50183(0) win 8192 <mss 1460> (DF)
20:26:39.560532 128.2.35.50.37 > 128.2.6.192.1027: . ack 2 win 8760 (DF)
20:26:39.560532 128.2.35.50.37 > 128.2.6.192.1028: S 413707913:413707913(0) ack 50184 win 8760 <mss 1460> (DF)
20:26:39.560532 128.2.6.192.1028 > 128.2.35.50.37: . ack 1 win 8760 (DF)
20:26:39.570532 128.2.35.50.37 > 128.2.6.192.1028: P 1:5(4) ack 1 win 8760 (DF)
20:26:39.570532 128.2.35.50.37 > 128.2.6.192.1028: F 5:5(0) ack 1 win 8760 (DF)
20:26:39.570532 128.2.6.192.1028 > 128.2.35.50.37: . ack 6 win 8756 (DF)
20:26:39.810532 128.2.6.192.1028 > 128.2.35.50.37: F 1:1(0) ack 6 win 8756 (DF)
20:26:39.810532 128.2.35.50.37 > 128.2.6.192.1028: . ack 2 win 8760 (DF)
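
Added example, not part of the original page: a parser for the tcpdump text format above that groups TCP lines into connections and totals the payload bytes in each direction, which is how to confirm what the port-37 exchange carries. The function and field names are this example's own; TCP port 37 is the port assigned to the RFC 868 Time protocol, and is_time_exchange checks for that protocol's shape.

```python
import re

# Excerpt copied from the port-37 exchange in the trace above (client ports 1025, 1026).
SAMPLE = """\
20:26:39.450532 128.2.6.192.1025 > 128.2.35.50.37: S 50073:50073(0) win 8192 <mss 1460> (DF)
20:26:39.460532 128.2.35.50.37 > 128.2.6.192.1025: S 413261722:413261722(0) ack 50074 win 8760 <mss 1460> (DF)
20:26:39.460532 128.2.6.192.1025 > 128.2.35.50.37: . ack 1 win 8760 (DF)
20:26:39.470532 128.2.35.50.37 > 128.2.6.192.1025: P 1:5(4) ack 1 win 8760 (DF)
20:26:39.470532 128.2.35.50.37 > 128.2.6.192.1025: F 5:5(0) ack 1 win 8760 (DF)
20:26:39.470532 128.2.6.192.1025 > 128.2.35.50.37: . ack 6 win 8756 (DF)
20:26:39.520532 128.2.6.192.1025 > 128.2.35.50.37: F 1:1(0) ack 6 win 8756 (DF)
20:26:39.520532 128.2.6.192.1026 > 128.2.35.50.37: S 50147:50147(0) win 8192 <mss 1460> (DF)
20:26:39.530532 128.2.35.50.37 > 128.2.6.192.1025: . ack 2 win 8760 (DF)
20:26:39.530532 128.2.35.50.37 > 128.2.6.192.1026: S 413373692:413373692(0) ack 50148 win 8760 <mss 1460> (DF)
20:26:39.530532 128.2.6.192.1026 > 128.2.35.50.37: . ack 1 win 8760 (DF)
20:26:39.540532 128.2.35.50.37 > 128.2.6.192.1026: P 1:5(4) ack 1 win 8760 (DF)
20:26:39.540532 128.2.35.50.37 > 128.2.6.192.1026: F 5:5(0) ack 1 win 8760 (DF)
20:26:39.540532 128.2.6.192.1026 > 128.2.35.50.37: . ack 6 win 8756 (DF)
20:26:39.540532 128.2.6.192.1026 > 128.2.35.50.37: F 1:1(0) ack 6 win 8756 (DF)
20:26:39.550532 128.2.35.50.37 > 128.2.6.192.1026: . ack 2 win 8760 (DF)
"""

LINE = re.compile(r"^(\S+) ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): ([SFPR.]+) (?:\d+:\d+\((\d+)\))?")

def summarize(trace):
    """Group TCP lines into connections; total payload bytes and FINs per direction."""
    conns = {}
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # ARP, UDP, IPX: not a TCP line
        ts, sip, sport, dip, dport, flags, length = m.groups()
        src, dst = (sip, int(sport)), (dip, int(dport))
        if "S" in flags and " ack " not in line:   # bare SYN: the sender is the client
            conns[(src, dst)] = {"start": ts, "to_server": 0, "to_client": 0, "fin": set()}
        key, way = ((src, dst), "to_server") if (src, dst) in conns else ((dst, src), "to_client")
        if key not in conns:
            continue                      # SYN not captured; skip mid-stream packets
        conns[key][way] += int(length or 0)
        if "F" in flags:
            conns[key]["fin"].add(way)
    return conns

def is_time_exchange(key, c):
    """RFC 868 over TCP: server on port 37 sends one 32-bit value, client sends nothing."""
    return key[1][1] == 37 and c["to_server"] == 0 and c["to_client"] == 4
```

Run over the port-139 session later in the trace, summarize reports the per-direction byte totals of the browse list download in the same way.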

Prepare to Become a Browser

This host now prepares to become a backup browser. First, it looks up the existing Local Master Browser (LMB) for the CAMPUS workgroup, and then downloads the entire browse list from it.

20:27:25.570532 128.2.6.192.137 > 128.2.35.60.137: NBT UDP PACKET(137)
20:27:25.580532 128.2.35.60.137 > 128.2.6.192.137: NBT UDP PACKET(137)
20:27:25.580532 arp who-has 128.2.6.95 tell 128.2.6.192
20:27:25.590532 arp reply 128.2.6.95 is-at 0:0:c0:99:a2:b
20:27:25.590532 128.2.6.192.1029 > 128.2.6.95.139: S 96217:96217(0) win 8192 <mss 1460> (DF)
20:27:25.590532 128.2.6.95.139 > 128.2.6.192.1029: S 192382432:192382432(0) ack 96218 win 8760 <mss 1460> (DF)
20:27:25.590532 128.2.6.192.1029 > 128.2.6.95.139: . ack 1 win 8760 (DF)
20:27:25.590532 128.2.6.192.1029 > 128.2.6.95.139: P 1:73(72) ack 1 win 8760 NBT Packet (TCP 139) (DF)
20:27:25.600532 128.2.6.95.139 > 128.2.6.192.1029: P 1:5(4) ack 73 win 8688 NBT Packet (TCP 139) (DF)
20:27:25.600532 128.2.6.192.1029 > 128.2.6.95.139: P 73:231(158) ack 5 win 8756 NBT Packet (TCP 139) (DF)
20:27:25.610532 128.2.6.95.139 > 128.2.6.192.1029: P 5:100(95) ack 231 win 8530 NBT Packet (TCP 139) (DF)
20:27:25.610532 128.2.6.192.1029 > 128.2.6.95.139: P 231:365(134) ack 100 win 8661 NBT Packet (TCP 139) (DF)
20:27:25.620532 128.2.6.95.139 > 128.2.6.192.1029: P 100:200(100) ack 365 win 8396 NBT Packet (TCP 139) (DF)
20:27:25.620532 128.2.6.192.1029 > 128.2.6.95.139: P 365:492(127) ack 200 win 8561 NBT Packet (TCP 139) (DF)
20:27:25.650532 128.2.6.95.139 > 128.2.6.192.1029: . 200:1660(1460) ack 492 win 8269 NBT Packet (TCP 139) (DF)
20:27:25.660532 128.2.6.95.139 > 128.2.6.192.1029: . 1660:3120(1460) ack 492 win 8269 NBT Packet (TCP 139) (DF)
20:27:25.660532 128.2.6.95.139 > 128.2.6.192.1029: P 3120:3124(4) ack 492 win 8269 NBT Packet (TCP 139) (DF)
20:27:25.660532 128.2.6.192.1029 > 128.2.6.95.139: . ack 3120 win 8760 (DF)
20:27:25.880532 128.2.6.192.1029 > 128.2.6.95.139: . ack 3124 win 8756 (DF)
20:27:25.890532 128.2.6.95.139 > 128.2.6.192.1029: P 3124:4424(1300) ack 492 win 8269 NBT Packet (TCP 139) (DF)
20:27:25.890532 128.2.6.192.1029 > 128.2.6.95.139: P 492:619(127) ack 4424 win 7456 NBT Packet (TCP 139) (DF)
20:27:25.940532 128.2.6.95.139 > 128.2.6.192.1029: . 4424:5884(1460) ack 619 win 8142 NBT Packet (TCP 139) (DF)
20:27:25.940532 128.2.6.95.139 > 128.2.6.192.1029: . 5884:7344(1460) ack 619 win 8142 NBT Packet (TCP 139) (DF)
20:27:25.940532 128.2.6.95.139 > 128.2.6.192.1029: P 7344:7348(4) ack 619 win 8142 NBT Packet (TCP 139) (DF)
20:27:25.940532 128.2.6.192.1029 > 128.2.6.95.139: . ack 7344 win 8760 (DF)
20:27:26.100532 128.2.6.192.1029 > 128.2.6.95.139: . ack 7348 win 8756 (DF)
20:27:26.110532 128.2.6.95.139 > 128.2.6.192.1029: . 7348:8808(1460) ack 619 win 8142 NBT Packet (TCP 139) (DF)
20:27:26.120532 128.2.6.95.139 > 128.2.6.192.1029: . 8808:10268(1460) ack 619 win 8142 NBT Packet (TCP 139) (DF)
20:27:26.120532 128.2.6.95.139 > 128.2.6.192.1029: P 10268:10272(4) ack 619 win 8142 NBT Packet (TCP 139) (DF)
20:27:26.120532 128.2.6.192.1029 > 128.2.6.95.139: . ack 10268 win 8760 (DF)
20:27:26.310532 128.2.6.192.1029 > 128.2.6.95.139: . ack 10272 win 8756 (DF)
20:27:26.330532 128.2.6.95.139 > 128.2.6.192.1029: . 10272:11732(1460) ack 619 win 8142 NBT Packet (TCP 139) (DF)
20:27:26.340532 128.2.6.95.139 > 128.2.6.192.1029: . 11732:13192(1460) ack 619 win 8142 NBT Packet (TCP 139) (DF)
20:27:26.340532 128.2.6.95.139 > 128.2.6.192.1029: P 13192:13196(4) ack 619 win 8142 NBT Packet (TCP 139) (DF)
20:27:26.340532 128.2.6.192.1029 > 128.2.6.95.139: . ack 13192 win 8760 (DF)
20:27:26.530532 128.2.6.192.1029 > 128.2.6.95.139: . ack 13196 win 8756 (DF)
20:27:26.550532 128.2.6.95.139 > 128.2.6.192.1029: . 13196:14656(1460) ack 619 win 8142 NBT Packet (TCP 139) (DF)
20:27:26.560532 128.2.6.95.139 > 128.2.6.192.1029: . 14656:16116(1460) ack 619 win 8142 NBT Packet (TCP 139) (DF)
20:27:26.560532 128.2.6.95.139 > 128.2.6.192.1029: P 16116:16120(4) ack 619 win 8142 NBT Packet (TCP 139) (DF)
20:27:26.560532 128.2.6.192.1029 > 128.2.6.95.139: . ack 16116 win 8760 (DF)
20:27:26.750532 128.2.6.192.1029 > 128.2.6.95.139: . ack 16120 win 8756 (DF)
20:27:26.770532 128.2.6.95.139 > 128.2.6.192.1029: . 16120:17580(1460) ack 619 win 8142 NBT Packet (TCP 139) (DF)
20:27:26.780532 128.2.6.95.139 > 128.2.6.192.1029: . 17580:19040(1460) ack 619 win 8142 NBT Packet (TCP 139) (DF)
20:27:26.780532 128.2.6.95.139 > 128.2.6.192.1029: P 19040:19044(4) ack 619 win 8142 NBT Packet (TCP 139) (DF)
20:27:26.780532 128.2.6.192.1029 > 128.2.6.95.139: . ack 19040 win 8760 (DF)
20:27:26.970532 128.2.6.192.1029 > 128.2.6.95.139: . ack 19044 win 8756 (DF)
20:27:26.990532 128.2.6.95.139 > 128.2.6.192.1029: P 19044:19815(771) ack 619 win 8142 NBT Packet (TCP 139) (DF)
20:27:26.990532 128.2.6.192.1029 > 128.2.6.95.139: P 619:746(127) ack 19815 win 7985 NBT Packet (TCP 139) (DF)
20:27:27.010532 128.2.6.95.139 > 128.2.6.192.1029: . 19815:21275(1460) ack 746 win 8015 NBT Packet (TCP 139) (DF)
20:27:27.020532 128.2.6.95.139 > 128.2.6.192.1029: P 21275:21789(514) ack 746 win 8015 NBT Packet (TCP 139) (DF)
20:27:27.020532 128.2.6.192.1029 > 128.2.6.95.139: . ack 21789 win 8760 (DF)
20:27:29.180532 128.2.6.192.1029 > 128.2.6.95.139: P 746:785(39) ack 21789 win 8760 NBT Packet (TCP 139) (DF)
20:27:29.190532 128.2.6.95.139 > 128.2.6.192.1029: P 21789:21828(39) ack 785 win 7976 NBT Packet (TCP 139) (DF)
20:27:29.190532 128.2.6.192.1029 > 128.2.6.95.139: F 785:785(0) ack 21828 win 8721 (DF)
20:27:29.200532 128.2.6.95.139 > 128.2.6.192.1029: F 21828:21828(0) ack 786 win 7976 (DF)
20:27:29.200532 128.2.6.192.1029 > 128.2.6.95.139: . ack 21829 win 8721 (DF)

Register with the Local Master Browser

The client announces its presence with a subnet-broadcast Host Announcement. This occurs constantly, with the inter-packet interval eventually increasing to 12 minutes.

20:26:04.620532 128.2.6.192.138 > 128.2.6.255.138: NBT UDP PACKET(138)
20:27:04.680532 128.2.6.192.138 > 128.2.6.255.138: NBT UDP PACKET(138)
20:27:28.050532 128.2.6.192.138 > 128.2.6.255.138: NBT UDP PACKET(138)
20:28:28.100532 128.2.6.192.138 > 128.2.6.255.138: NBT UDP PACKET(138)
20:29:28.090532 128.2.6.192.138 > 128.2.6.255.138: NBT UDP PACKET(138)

Raw Data: win95-boot.tcpdump
Verbose Decoded Data: win95-boot.verbose.txt

Ryan Troll
Last modified: Thu Sep 10 13:40:58 EDT 1998