The packet section contains raw network packet data and provides parsed protocol information for supported protocols.
Fields
len: Total packet length in bytes.
capture_len: Number of bytes actually captured. This may be less than len if the packet was truncated.
data: Base64-encoded raw packet data. The packet starts at the Ethernet header and includes all protocol layers.
Parsed Protocol Display
When displayed, packets are automatically parsed and formatted based on detected protocols:
Ethernet
{src_mac} > {dst_mac} ethertype {name} ({hex})
Example:
aa:bb:cc:dd:ee:ff > 11:22:33:44:55:66 ethertype IPv4 (0x0800)
VLAN (802.1Q)
vlan {id} p {priority} [DEI] ethertype {name} ({hex})
Example:
vlan 100 p 5 DEI ethertype IPv4 (0x0800)
ARP
Request:
request who-has {target_ip} tell {sender_ip}
Reply:
reply {sender_ip} is-at {sender_mac}
Examples:
request who-has 192.168.1.1 tell 192.168.1.100
reply 192.168.1.1 is-at aa:bb:cc:dd:ee:ff
IPv4
{src_ip}.{src_port} > {dst_ip}.{dst_port} tos {tos} {ecn} ttl {ttl}
id {id} off {offset} [{flags}] len {len} opts [{options}] proto {proto} ({num})
Example:
10.0.1.100.54321 > 10.0.2.200.80 tos 0x0 ttl 64 id 12345 off 0 [DF] len 60 proto TCP (6)
Flags:
+ = More fragments
DF = Don’t fragment
rsvd = Reserved bit set
ECN:
ECT(1) = ECN Capable Transport (1)
ECT(0) = ECN Capable Transport (0)
CE = Congestion Experienced
IPv6
{src_ip}.{src_port} > {dst_ip}.{dst_port} {ecn} ttl {ttl} label {flow_label}
len {len} exts [{extensions}] proto {proto} ({num})
Example:
2001:db8::1.54321 > 2001:db8::2.80 ttl 64 label 0x12345 len 1280 proto TCP (6)
TCP
flags [{flags}] seq {seq}[:{end}] ack {ack} win {window} [{options}]
Example:
flags [S] seq 1234567890 win 65535 [mss 1460,sackOK,TS val 123456 ecr 0,nop,wscale 7]
Flags:
F = FIN
S = SYN
R = RST
P = PSH
. = ACK
U = URG
E = ECE
W = CWR
e = NS (RFC 7560)
Options: mss, wscale, sackOK, sack, TS (timestamps), nop, eol, tfo (Fast Open), mptcp, and more.
UDP
Example:
ICMP / ICMPv6
Example:
type 8 code 0 (echo request)
type 3 code 3 (port unreachable)
VXLAN
vxlan [{flags}] vni {vni} {inner_packet}
Example:
vxlan [I] vni 0x2a {inner_ethernet_frame}
Flags:
Geneve
geneve [{flags}] vni {vni} proto {proto} ({hex}) opts_len {len} {inner_packet}
Example:
geneve [C] vni 0x64 proto TEB (0x6558) opts_len 8 {inner_frame}
Flags:
O = OAM packet
C = Critical options present
IPsec (ESP/AH)
ESP:
AH:
spi {spi} seq {seq} icv 0x{icv_hex} proto {next_proto} ({num})
MACsec
an {assoc_num} pn {packet_num} flags [{flags}] [sl {short_len}] [sci 0x{sci}]
Flags:
E = Encryption
C = Changed text
S = End station
B = Single copy broadcast
I = SCI present
Example JSON
Simple TCP Packet
{
"packet": {
"len": 74,
"capture_len": 74,
"data": "aabbccddeeff112233445566080045000028abcd0000401100c0a801640a0b0c0d"
}
}
Truncated Packet
{
"packet": {
"len": 1500,
"capture_len": 128,
"data": "...(base64)..."
}
}
VXLAN Encapsulated Packet
{
"packet": {
"len": 148,
"capture_len": 148,
"data": "...(base64-encoded VXLAN packet)..."
}
}
When This Section Appears
The packet section is populated when:
- The skb or skb-tracking collector is enabled
- The probe has access to packet data
- Packet capture is not disabled
Truncated Packets
If capture_len < len, the packet was truncated during capture. The display will show:
... (truncated or incomplete packet)
Unsupported Protocols
For protocols not yet supported by Retis, the display shows:
... (ethertype 0x1234 not supported, use 'retis pcap')
Use retis pcap to export packets to PCAP format for analysis with tools like Wireshark.
The data field contains the complete raw packet as base64. This can be decoded and analyzed with packet analysis tools even if Retis doesn’t natively parse the protocol.
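As an added example (not Retis code), the following Python decodes a packet section's data field, checks it against capture_len, and renders the Ethernet and VLAN headers in the display formats documented above. The names describe, ETHERTYPES and SAMPLE are assumptions of this example, the "unknown" label is its own choice, and the sample frame is constructed.

```python
import base64
import struct

# Small constructed name table; Retis' own table is larger (assumption).
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q"}
TRUNCATED = "... (truncated or incomplete packet)"

def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def fmt_etype(etype: int) -> str:
    # "unknown" for unlisted values is this example's choice, not Retis output.
    return f"ethertype {ETHERTYPES.get(etype, 'unknown')} ({etype:#06x})"

def describe(section: dict) -> list[str]:
    """Render the layer-2 headers of one packet section, one string per header."""
    raw = base64.b64decode(section["data"], validate=True)
    if len(raw) != section["capture_len"]:
        raise ValueError("decoded data length differs from capture_len")
    if len(raw) < 14:                      # not even a full Ethernet header
        return [TRUNCATED]
    dst, src = raw[0:6], raw[6:12]         # on the wire the destination comes first
    (etype,) = struct.unpack("!H", raw[12:14])
    out = [f"{fmt_mac(src)} > {fmt_mac(dst)} {fmt_etype(etype)}"]
    off = 14
    while etype == 0x8100:                 # 802.1Q tag: 16-bit TCI + inner ethertype
        if len(raw) < off + 4:
            return out + [TRUNCATED]
        tci, etype = struct.unpack("!HH", raw[off:off + 4])
        dei = " DEI" if tci & 0x1000 else ""
        out.append(f"vlan {tci & 0x0FFF} p {tci >> 13}{dei} {fmt_etype(etype)}")
        off += 4
    if etype not in ETHERTYPES:
        out.append(f"... (ethertype {etype:#06x} not supported, use 'retis pcap')")
    elif section["capture_len"] < section["len"]:
        out.append(TRUNCATED)              # capture_len < len: payload was cut
    return out

# Constructed sample: VLAN 100, priority 5, DEI set, IPv4, only 18 bytes captured.
_frame = bytes.fromhex("112233445566" "aabbccddeeff" "8100" "b064" "0800")
SAMPLE = {"len": 74, "capture_len": len(_frame),
          "data": base64.b64encode(_frame).decode()}

if __name__ == "__main__":
    print("\n".join(describe(SAMPLE)))
```

The ValueError on a length mismatch catches data that was re-encoded or clipped after export, before any header offsets are trusted.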