Flat A–Z listing. For the grouped tree view see index.html.
ICMP Address Mask Request and Reply, where a host queries its subnet mask and a router responds with the correct mask for the interface.
ICMP Destination Unreachable with code 13 (communication administratively prohibited), returned for traffic to TCP port 80 blocked by an ACL or firewall.
IPsec AH in transport mode directly between two hosts, authenticating the original IP payload without encapsulation.
IPsec AH in tunnel mode between gateways, authenticating the entire inner IP packet carried inside an outer IP header.
IPsec AH in transport mode protecting a GRE tunnel, authenticating the GRE-encapsulated payload between endpoints.
IPsec AH in tunnel mode wrapping a GRE tunnel, authenticating both the outer tunnel and the GRE-carried inner traffic.
Automatic Multicast Tunneling over IPv4, with Relay Discovery, Request, Membership Query/Update, and Multicast Data delivering multicast to unicast-only hosts.
Automatic Multicast Tunneling for IPv6, using AMT Gateway/Relay signaling to deliver IPv6 multicast across unicast-only networks.
Anycast first-hop redundancy failover where the active next-hop becomes unreachable and clients transparently converge on a secondary anycast instance.
AppleTalk Phase 1 initialization showing legacy non-extended AARP/RTMP exchanges on a single network number.
AppleTalk Phase 2 routing with extended network ranges, exchanging RTMP updates and ZIP zone information between routers.
Standard ARP resolution: broadcast Request for an IPv4 address and unicast Reply from the owning host with its MAC.
Gratuitous ARP: host broadcasts an ARP announcing its own IP→MAC binding, used for duplicate address detection and cache updates.
Proxy ARP: a router answers ARP requests on behalf of a host on another subnet, replying with its own MAC.
Unicast ARP Request/Reply (RFC 5227): targeted ARP refresh between two known peers rather than broadcasting.
ATM AAL5 with LLC/SNAP encapsulation carrying IP traffic across a PVC, typical of classical IP-over-ATM.
Babel routing protocol with interface-level diversity extension carrying IPv4 and IPv6 routes between neighbors.
Babel routing protocol with non-interface diversity metrics exchanging IPv4 and IPv6 routes between neighbors.
Babel neighbor initialization: Hello, IHU, Router-ID, Next-Hop and Update TLVs establishing IPv4/IPv6 adjacency.
Babel IPv4/IPv6 exchange showing Hello/IHU timestamp TLVs used for RTT measurement between neighbors.
beamform_poll: Empty ndjson (0 events) for the 802.11 beamforming poll capture; no decoded frames present in the sequence.
BFD session with authentication mismatch between peers: control packets exchanged but authentication fails, session never reaches Up.
BFD asynchronous session plus Echo function between peers, no authentication; session reaches Up state.
BFD asynchronous session with Echo function and SHA1 keyed authentication between peers; session reaches Up.
BFD Multihop session (UDP/4784) between non-adjacent peers without authentication; session transitions to Up.
BFD Multihop session (UDP/4784) with SHA1 authentication between non-adjacent peers; session reaches Up.
BFD asynchronous-only session (no Echo) without authentication; Down/Init/Up state transitions between peers.
BFD asynchronous-only session (no Echo) with SHA1 keyed authentication between peers; session reaches Up.
BGP Monitoring Protocol initialization from a monitored router to BMP collector: Initiation, Peer Up Notifications and Route Monitoring updates.
iBGP EVPN (AFI/SAFI 25/70) session exchanging MAC/IP advertisement and Ethernet Auto-Discovery routes for VLAN-based L2VPN.
iBGP BGP-LS (AFI 16388) session distributing link-state NLRI (nodes, links, prefixes) from IGP to a BGP-LS consumer.
iBGP MDT SAFI (66) session exchanging Multicast Distribution Tree NLRI for draft-rosen mVPN setup.
iBGP mVPN (MCAST-VPN SAFI 5) initialization for IPv4 and IPv6 with Intra-AS I-PMSI A-D routes between PEs.
iBGP mVPN IPv4/IPv6 exchange advertising I-PMSI (Inclusive PMSI) A-D routes for default MDT setup between PEs.
iBGP mVPN IPv4/IPv6 advertising Shared-Tree (*,G) C-multicast Join routes (Type-6) between PEs.
iBGP mVPN IPv4/IPv6 advertising S-PMSI (Selective PMSI) A-D routes (Type-3) to signal data MDT for high-rate groups.
iBGP mVPN IPv4/IPv6 advertising Source-Tree (S,G) C-multicast Join routes (Type-7) between PEs.
iBGP mVPN IPv4/IPv6 showing SPT switchover: receiver PE transitioning from shared-tree to source-tree via Type-7 Join.
iBGP Route Target Constrain (SAFI 132) initialization: PEs advertise RT memberships to filter VPN route distribution.
iBGP IPv4 Flowspec (SAFI 133) initialization distributing traffic filtering rules between speakers.
eBGP IPv4 Labeled-Unicast (SAFI 4) session initialization: OPEN, KEEPALIVE and UPDATE with MPLS labels.
eBGP IPv4 Multicast (SAFI 2) session initialization exchanging multicast RPF routes.
Confederation eBGP IPv4 Unicast session initialization between member-AS peers: OPEN, KEEPALIVE and UPDATEs.
eBGP IPv4 Unicast showing aggregate-address with AS_SET: aggregator advertises summarized prefix carrying component ASNs.
eBGP IPv4 Unicast showing basic aggregate-address: summary prefix advertised with AGGREGATOR attribute, components suppressed.
eBGP IPv4 Unicast init between two 4-byte ASN speakers using AS4 capability (RFC 6793).
eBGP IPv4 Unicast interop between 2-byte and 4-byte ASN speakers using AS4_PATH/AS4_AGGREGATOR attributes.
eBGP session over IPv4 transport carrying IPv6 unicast NLRI via MP-BGP (AFI 2/SAFI 1).
eBGP IPv4 Unicast Graceful Restart: GR capability negotiated, End-of-RIB markers and stale route preservation across restart.
eBGP IPv4 Unicast session initialization: OPEN/KEEPALIVE/UPDATE establishing adjacency between two ASes.
eBGP IPv4 Unicast carrying community values used for QoS Policy Propagation via BGP (QPPB) classification.
eBGP IPv4 Unicast session reset via NOTIFICATION (Cease) followed by re-establishment OPEN/KEEPALIVE.
eBGP IPv4 Unicast showing route flap: repeated UPDATE announce and withdraw cycles for the same prefix.
eBGP IPv4 Unicast protected by TCP-AO (RFC 5925) with AES-128-CMAC MAC; session establishes successfully.
eBGP IPv4 Unicast protected by TCP-AO with HMAC-SHA1 MAC; session establishes successfully.
eBGP IPv4 Unicast protected by TCP-AO with HMAC-SHA256 MAC; session establishes successfully.
eBGP IPv4 Unicast using GTSM (TTL security) and TCP MD5 authentication; session establishes successfully.
eBGP IPv4 Unicast with mismatched remote-AS: OPEN triggers NOTIFICATION Bad Peer AS, session fails.
eBGP IPv4 Unicast with mismatched TCP MD5 key: TCP handshake fails, BGP session never establishes.
eBGP IPv4 Unicast with duplicate/bad Router-ID in OPEN: NOTIFICATION Bad BGP Identifier, session fails.
iBGP IPv4 Unicast with ADD-PATH capability (RFC 7911): multiple paths per prefix advertised with path identifiers.
iBGP IPv4 Unicast carrying Cisco Cost Community for fine-grained best-path tie-breaking.
iBGP IPv4 Unicast carrying DMZ Link-Bandwidth extended community for BGP multipath load sharing.
iBGP IPv4 Unicast Route Reflector initialization: client/RR session with ORIGINATOR_ID and CLUSTER_LIST.
iBGP IPv4 Unicast advertising prefixes with standard BGP communities (RFC 1997).
BGP Unnumbered (RFC 5549) over IPv6 link-local using IPv4 NLRI with IPv6 next-hop via extended next-hop capability.
iBGP IPv6 Flowspec (AFI 2/SAFI 133) initialization distributing IPv6 traffic filtering rules between speakers.
iBGP IPv6 Labeled-Unicast (AFI 2/SAFI 4) session initialization with MPLS labels in UPDATE.
eBGP IPv6 Multicast (AFI 2/SAFI 2) session initialization exchanging IPv6 multicast RPF routes.
Confederation eBGP IPv6 Unicast session initialization between member-AS peers: OPEN, KEEPALIVE and UPDATEs.
eBGP IPv6 Unicast aggregate-address with AS_SET: summary prefix advertised carrying component ASNs.
eBGP IPv6 Unicast basic aggregate-address: summary prefix advertised with AGGREGATOR, components suppressed.
eBGP IPv6 Unicast init between 4-byte ASN speakers using AS4 capability (RFC 6793).
eBGP session over IPv6 transport carrying IPv4 unicast NLRI via MP-BGP.
eBGP IPv6 Unicast Graceful Restart: GR capability, End-of-RIB markers and stale route preservation across restart.
eBGP IPv6 Unicast session initialization: OPEN/KEEPALIVE/UPDATE establishing adjacency between two ASes.
eBGP IPv6 Unicast session reset via NOTIFICATION (Cease) followed by re-establishment OPEN/KEEPALIVE.
eBGP IPv6 Unicast showing route flap: repeated UPDATE announce/withdraw cycles for the same prefix.
eBGP IPv6 Unicast protected by TCP-AO with AES-128-CMAC MAC; session establishes successfully.
eBGP IPv6 Unicast protected by TCP-AO with HMAC-SHA1 MAC; session establishes successfully.
eBGP IPv6 Unicast protected by TCP-AO with HMAC-SHA256 MAC; session establishes successfully.
eBGP IPv6 Unicast using GTSM (TTL security) with TCP MD5 authentication; session establishes successfully.
eBGP IPv6 Unicast with mismatched remote-AS: OPEN triggers NOTIFICATION Bad Peer AS, session fails.
eBGP IPv6 Unicast with mismatched TCP MD5 key: TCP handshake fails, BGP session never establishes.
eBGP IPv6 Unicast with duplicate/bad Router-ID in OPEN: NOTIFICATION Bad BGP Identifier, session fails.
iBGP IPv6 Unicast with ADD-PATH capability advertising multiple paths per prefix with path identifiers.
iBGP IPv6 Unicast carrying Cisco Cost Community for best-path tie-breaking.
iBGP IPv6 Unicast carrying DMZ Link-Bandwidth extended community for BGP multipath load sharing.
iBGP IPv6 Unicast Route Reflector initialization: client/RR session with ORIGINATOR_ID and CLUSTER_LIST.
iBGP IPv6 Unicast advertising prefixes with standard BGP communities (RFC 1997).
iBGP VPLS (AFI 25/SAFI 65) with BGP auto-discovery and BGP signaling (RFC 4761) establishing pseudowires between PEs.
iBGP VPLS auto-discovery (RFC 6074) with LDP pseudowire signaling between PEs for L2VPN transport.
iBGP VPNv4/VPNv6 Flowspec (SAFI 134) initialization distributing per-VRF traffic filtering rules.
iBGP VPNv4 and VPNv6 (SAFI 128) session initialization: MP-BGP UPDATEs with RD, labels and RT extended communities.
iBGP VPNv4/VPNv6 redistributing EIGRP PE-CE routes: EIGRP extended communities carried across the MPLS VPN core.
iBGP VPNv4/VPNv6 redistributing OSPF PE-CE routes: OSPF Domain-ID and Route-Type extended communities carried across the VPN core.
bpdu_dispute: SW3 keeps sending RSTP Proposals while SW4 responds with RSTP Forwarding (agreement-less), illustrating an STP dispute condition on a half-duplex link.
bridge_uwgb_cckm_peap_wired: Wired side of uWGB CCKM/PEAP bridging: AP-to-AP DTLS CAPWAP tunnel carries client Assoc Req/Resp and 4-way EAPOL Key handshake for Client A.
bridge_uwgb_cckm_peap_wlan: WLAN side of uWGB CCKM/PEAP: Client A probes, authenticates and associates to Cisco AP 1, then completes a 4-way EAPOL Key handshake for CCKM keys.
bridge_uwgb_dot1x_peap_wired: Wired view of uWGB 802.1X/PEAP: AP-to-AP DTLS tunnel transports client association and EAPOL Key 4-way handshake between Client A and the AP.
bridge_uwgb_dot1x_peap_wlan: WLAN view of uWGB 802.1X/PEAP: Client A probes, 802.11 authenticates, associates, then 4-way EAPOL Key handshake installs PTK/GTK.
bridge_uwgb_open_wired: Wired side of uWGB open-auth bridge: Client A associates (Assoc Req/Resp) while the AP-AP DTLS tunnel carries encapsulated traffic.
bridge_uwgb_open_wlan: WLAN side of uWGB open authentication: Client A probes, receives Probe Response and Beacon, 802.11 open-authenticates and associates to the AP.
bridge_uwgb_opendata_wired: Wired path for uWGB open-auth data: DHCP Discover/Offer/Request/ACK via WLC, client data through AP, with ICMP keepalives between WLCs.
bridge_uwgb_opendata_wlan: WLAN open-auth data: Client A sends QoS Data to the broadcast address and unicast via the AP, showing post-association data forwarding.
bridge_uwgb_wpa2psk_wired: Wired trace of uWGB WPA2-PSK: AP-AP DTLS CAPWAP tunnel carries Client A's Association exchange and 4-way EAPOL Key handshake.
bridge_uwgb_wpa2psk_wlan: WLAN WPA2-PSK association: Client A probes, open-authenticates, associates, then completes the 4-way EAPOL Key handshake to derive PTK/GTK.
bridge_wgb_cckm_peap_wired: Wired path for WGB CCKM/PEAP: AP-AP DTLS tunnel while Client B associates and finishes 4-way EAPOL Key handshake under CCKM fast roam.
bridge_wgb_cckm_peap_wlan: WLAN view of WGB CCKM/PEAP: Client B probes, authenticates, associates to AP and completes 4-way EAPOL Key handshake for CCKM.
bridge_wgb_dot1x_peap_wired: Wired side of WGB 802.1X/PEAP: AP-AP DTLS tunnel, Client B associates to Cisco AP 1, then 4-way EAPOL Key handshake installs keys.
bridge_wgb_dot1x_peap_wlan: WLAN view of WGB 802.1X/PEAP: Client B probes, authenticates, associates and runs 4-way EAPOL Key handshake after EAP-PEAP success.
bridge_wgb_open_wired: Wired view of WGB open-auth: Client B associates to AP and AP-AP DTLS tunnel forwards encapsulated data frames.
bridge_wgb_open_wlan: WLAN open-auth WGB: Client B probes, 802.11 authenticates, and associates to Cisco AP 1, then exchanges QoS Data.
bridge_wgb_opendata_wired: Wired open-auth WGB data: clients broadcast then DHCP Request/ACK through WLC, data relayed via AP, with ICMP WLC-to-WLC keepalives.
bridge_wgb_opendata_wlan: WLAN open-auth WGB data: Clients A and B send QoS Data frames via the AP to broadcast and unicast destinations.
bridge_wgb_wpa2psk_wired: Wired view of WGB WPA2-PSK: AP-AP DTLS tunnel while Client B associates and completes 4-way EAPOL Key handshake.
bridge_wgb_wpa2psk_wlan: WLAN WPA2-PSK WGB: Client B probes, authenticates, associates, then runs multiple EAPOL Key exchanges (4-way + group key) with the AP.
capwap-discovery_ipv4_broadcast: AP gets IP via DHCP, broadcasts CAPWAP Discovery Request, WLC responds with CAPWAP Discovery Response, then DTLS handshake establishes the CAPWAP tunnel.
capwap-discovery_ipv4_dhcp-opt43: AP obtains IP with DHCP option 43 (controller list), resolves DNS, sends CAPWAP Discovery Requests to WLC and completes DTLS handshake to join.
capwap-discovery_ipv4_dns: AP gets DHCP lease, uses DNS (CISCO-CAPWAP-CONTROLLER) to find WLC, exchanges CAPWAP Discovery Request/Response, then completes DTLS handshake.
capwap-discovery_ipv4_failed: AP completes DHCP, sends many DNS Queries and CAPWAP Discovery Requests to broadcast but receives no WLC response, then DHCP Releases and retries (discovery failure).
capwap-discovery_ipv4_ip-helper: AP uses DHCP plus broadcast CAPWAP Discovery Requests forwarded by ip-helper; AP wired A (WLC) replies with Discovery Response and DTLS handshake follows.
capwap-discovery_ipv4_primed: Primed AP (pre-configured WLC) sends unicast and broadcast CAPWAP Discovery Requests; WLC responds and DTLS handshake joins the AP.
capwap-discovery_ipv6_dhcp-opt52: IPv6 AP only emits DHCP Discover frames (shown as broadcast) using DHCPv6 option 52 for CAPWAP controller address; no controller response in trace.
capwap-discovery_ipv6_dns: IPv6 CAPWAP discovery via DNS variant; only DHCP Discover broadcasts captured, no controller reply or DTLS present in this slice.
capwap-discovery_ipv6_failed: IPv6 CAPWAP discovery failure: AP issues repeated DHCP Discover broadcasts with no successful DHCP lease or controller discovery response.
capwap-discovery_ipv6_localmcast: IPv6 CAPWAP discovery using link-local multicast (IPv6 All Nodes) alongside DHCP Discover broadcasts from the AP.
capwap-discovery_ipv6_primed: IPv6 primed AP: only DHCP Discover broadcasts observed in the capture, CAPWAP controller already seeded but no reply in this slice.
ccx_client_linktest_wlan: CCX link test on WLAN: AP beacons, then Client A and AP exchange bidirectional QoS Data frames used to measure link quality.
ccx_client_request_wlan: CCX client request exchange: AP beacon followed by QoS Data between AP and Client A carrying CCX management measurement requests.
ccx_mfp_wlan: CCX/Management Frame Protection: Client A associates (probe, auth, assoc), runs 4-way EAPOL Key, then AP sends MFP-protected Beacons before a Disassociate.
Cisco Discovery Protocol neighbor advertisement: device multicasts CDP frame with device ID, platform, capabilities and port info.
Ethernet CFM Continuity Check Messages initializing between L3 and L7 MEPs in a core domain, establishing MEP adjacency and fault monitoring baseline.
CFM Loopback (ping) and Linktrace (traceroute) exchange at maintenance level 3, validating core-domain reachability and path discovery between MEPs.
Y.1731 one-way delay measurement (1DM) frames sent between core MEPs at level 3, used to measure unidirectional latency across the Ethernet OAM domain.
Y.1731 two-way delay measurement using DMM requests and DMR responses at core level 3, computing round-trip delay between MEPs.
Y.1731 synthetic loss measurement with SLM probes and SLR replies at core level 3, calculating frame loss ratios between MEPs.
CFM Alarm Indication Signal at level 7 triggered by an attachment circuit down event in the core domain, propagating fault notification upward.
CFM AIS at level 7 generated on edge when an attachment circuit fails, alerting upstream MEPs of the service-affecting condition.
CFM multicast Loopback ping at level 7 in the core, discovering all reachable MEPs in the maintenance association via a single multicast probe.
CFM Loopback and Linktrace at level 7 within the core domain, verifying service-level connectivity and hop-by-hop path between MEPs.
CFM Loopback and Linktrace operations at level 7 from the edge, validating end-to-end service reachability across the provider network.
clientassoc_dot1x_eap_passthrough_wired: Wired view of 802.1X EAP-passthrough: iPhone client associates to AP; AP-AP DTLS tunnel forwards EAP frames to controller for authentication.
clientassoc_dot1x_eap_passthrough_wlan: WLAN 802.1X EAP-passthrough: iPhone probes, 802.11 authenticates and associates, then exchanges QoS Data/Action frames during EAP passthrough to RADIUS.
clientassoc_dot1x_wpa_peapv1_wired: Wired view of WPA PEAPv1: client associates, AP-AP DTLS relays PEAP EAP, and 4-way EAPOL Key handshake completes (TKIP) before data flows.
clientassoc_dot1x_wpa_peapv1_wlan: WLAN WPA PEAPv1: iPhone probes, auths, associates, completes PEAPv1 via Action frames then 4-way EAPOL Key handshake and data.
clientassoc_dot1x_wpa2_eapfast_fail_wired: Wired view of EAP-FAST failure: client associates and AP-AP DTLS carries EAP exchange that ultimately fails (no 4-way EAPOL Key follows).
clientassoc_dot1x_wpa2_eapfast_fail_wlan: WLAN WPA2/EAP-FAST failure: iPhone associates but EAP-FAST authentication does not succeed and client ends with a Disassociate (no keys installed).
clientassoc_dot1x_wpa2_eapmd5_fail_wired: Wired view of EAP-MD5 failure: client associates and AP-AP DTLS carries EAP exchange; no successful 4-way handshake completes.
clientassoc_dot1x_wpa2_eapmd5_fail_wlan: WLAN WPA2/EAP-MD5 failure: iPhone associates, exchanges Action frames, but EAP-MD5 is rejected and client issues Disassociate.
clientassoc_dot1x_wpa2_eaptls_fail_wired: Wired view of EAP-TLS failure: client associates and AP-AP DTLS carries EAP-TLS exchange that fails before keys are derived.
clientassoc_dot1x_wpa2_eaptls_fail_wlan: WLAN WPA2/EAP-TLS failure: iPhone authenticates and associates but EAP-TLS cert validation fails, ending in Disassociate.
clientassoc_dot1x_wpa2_leap_fail_wired: Wired view of LEAP failure: client associates, AP-AP DTLS forwards LEAP EAP messages which are rejected by the server.
clientassoc_dot1x_wpa2_leap_fail_wlan: WLAN WPA2/LEAP failure: iPhone associates, LEAP Action frame exchange fails, client issues Disassociate and no keys installed.
clientassoc_dot1x_wpa2_peapv1_wired: Wired view of WPA2 PEAPv1 success: AP-AP DTLS carries the PEAP/EAP exchange, then client completes 4-way EAPOL Key handshake.
clientassoc_dot1x_wpa2_peapv1_wlan: WLAN WPA2 PEAPv1 success: iPhone associates, runs PEAPv1 via Action frames, then finishes 4-way EAPOL Key handshake and sends data.
clientassoc_no_matching_rates_wlan: Association fails because BSS and client have no matching basic rates: only Beacon and repeated Probe Request/Response pairs are seen, no Auth or Assoc.
clientassoc_open_wlan: Open-system WLAN association: iPhone probes, 802.11 open-authenticates, receives Association Response, then sends a Null function (power-save) frame.
clientassoc_unsupported_algorithm_fail_wlan: Repeated 802.11 Authentication and Association Requests never complete because the AP rejects the unsupported auth algorithm requested by the client.
clientassoc_wep_fail_wlan: WEP shared-key authentication failure: client and AP exchange multiple Authentication frames (challenge/response) but AP never returns a successful Association Response.
clientassoc_wep_wlan: WEP shared-key success: iPhone completes 4-message WEP Authentication challenge, receives Association Response, then sends QoS Data frames.
clientassoc_wpa2psk_fail_wlan: WPA2-PSK failure: client associates but 4-way EAPOL Key handshake fails (wrong PSK); AP finally sends Deauthentication.
clientassoc_wpa2psk_wlan: WPA2-PSK success: iPhone authenticates, associates, runs a clean 4-way EAPOL Key handshake, then transmits QoS Data.
clientassoc_wpapsk_fail_wlan: WPA-PSK failure: iPhone associates but 4-way EAPOL Key handshake fails (MIC mismatch), AP ends with a Deauthentication.
clientassoc_wpapsk_wlan: WPA-PSK success: iPhone authenticates, associates, completes 4-way EAPOL Key handshake (TKIP) then exchanges QoS Data frames.
CLNS network carrying IS-IS Level-2 routing PDUs, showing pure OSI routing without an IP overlay.
CLNS network running Cisco's ISO-IGRP distance-vector routing protocol to exchange NSAP reachability information.
CMP (Certificate Management Protocol) certificate request: client sends a cert request PKIMessage and the CA responds with the issued certificate.
CMP initialization/registration exchange: client performs ir/ip (initialization request/response) to enroll with the CA for its first certificate.
CoAP GET request over UDP retrieving a resource from a constrained IoT server, with a piggybacked ACK carrying the response payload.
CoAP POST creating a resource followed by DELETE removing it, demonstrating REST-style resource manipulation on a constrained IoT device.
Cisco TrustSec SXP exchange with MD5/TCP-MD5 authentication between speaker and listener, propagating IP-to-SGT bindings over TCP/64999.
Cisco TrustSec SXP session without authentication between speaker and listener, distributing IP-to-SGT mappings over TCP/64999.
DECnet Phase IV DNA routing exchange showing Hello and Level-1 routing messages between DECnet nodes.
Standard DHCPv4 DORA handshake: client Discover, server Offer, client Request, server Ack — address successfully leased.
DHCPv4 lease acquired by a DMVPN spoke that subsequently forms EIGRP adjacency over the mGRE tunnel.
DHCPv4 with a relay agent (giaddr set) forwarding Discover/Request between client subnet and remote DHCP server.
DHCPv4 lease renewal (T1): client unicasts Request to its server and receives an Ack extending the existing lease.
DHCPv6 Prefix Delegation over DMVPN: spoke requests an IA_PD and server delegates an IPv6 prefix used on LAN interfaces.
IPv6 RA with M flag set drives stateful DHCPv6: client performs Solicit/Advertise/Request/Reply for an address.
IPv6 RA with both M and O flags: client obtains address via stateful DHCPv6 and also requests other configuration options.
IPv6 RA with only O flag: client uses SLAAC for addressing but runs DHCPv6 Information-Request for other options (DNS, etc.).
DHCPv6 relay agent wraps client messages in Relay-Forward and server responses in Relay-Reply between client link and server.
DHCPv6 Release: client relinquishes its assigned address/prefix and server acknowledges with Reply.
DHCPv6 Renew/Reply exchange at T1: client extends its existing IA_NA lease with the original server.
DLSw (Data Link Switching) initialization between peers, establishing TCP capabilities exchange to bridge SNA/NetBIOS over IP.
DMVPN Phase 1 hub-and-spoke flow where spokes tunnel all traffic through the hub via mGRE and IPsec, without spoke-to-spoke shortcuts.
DMVPN Phase 2 flow with NHRP resolution enabling dynamic spoke-to-spoke tunnels, bypassing the hub after initial NHRP resolution.
DMVPN Phase 3 data-plane flow showing NHRP shortcut redirect and resolution between hub and spokes, enabling spoke-to-spoke dynamic tunnels over mGRE.
DMVPN spoke-to-hub NHRP registration exchange over mGRE, binding the spoke's NBMA address to its tunnel IP so the hub can forward traffic.
DNS resolution for email delivery: client queries MX for the domain then A records for the returned mail exchangers.
DNS A-record query over IPv4 for a cisco.com hostname; resolver returns the IPv4 address in the response.
DNS AAAA-record query over IPv4 for a cisco.com name; resolver returns the IPv6 address.
Basic DNS query/response over IPv4 UDP: client asks for a record and authoritative server answers successfully.
DNS MX-record query over IPv4 for cisco.com, returning the mail exchanger hostnames and preferences.
DNS NS-record query over IPv4 for cisco.com, returning the authoritative name servers for the zone.
DNS PTR reverse lookup over IPv4 for a Cisco IP address, returning the in-addr.arpa hostname mapping.
RFC 6555 Happy Eyeballs over IPv4 DNS: AAAA/A queries with the IPv6 path failing, client falls back to IPv4 connectivity.
RFC 6555 Happy Eyeballs: parallel A and AAAA lookups with successful IPv6-preferred connection establishment.
DNS SOA-record query over IPv4 for cisco.com, returning the zone's start-of-authority parameters.
DNS TXT-record query over IPv4 returning free-form text strings (e.g., SPF/DKIM policies).
RFC 6555 Happy Eyeballs over IPv6 transport: AAAA preferred fails, client fails over to the IPv4 candidate address.
RFC 6555 Happy Eyeballs on IPv6 transport: parallel AAAA/A resolution and successful IPv6 connection.
dot11w_pmf_wlan: 802.11w PMF: client associates, runs 4-way EAPOL Key handshake with protected management frames; later probe triggers a protected Disassociate.
802.1X EAPoL plus RADIUS EAP-MSCHAPv2 between supplicant R1, authenticator R3 (NAS), and AAA Server. Ends in Access-Reject and EAP Failure (bad credentials).
802.1X EAPoL plus RADIUS EAP-MSCHAPv2 between supplicant R1, authenticator R3 (NAS), and AAA Server. Ends in Access-Accept and EAP Success.
Draft-Rosen multicast VPN: customer PIM control traffic carried inside a GRE MDT tunnel across the provider core.
SIP voice call with asymmetric DTMF relay: endpoints negotiate different DTMF methods in offer/answer SDP.
DTMF relay scenario exhibiting digit drop: initial digits lost during mode negotiation or transcoding between gateways.
DTMF relay interworking using RTP Named Telephone Events (RFC 2833/4733) between SIP endpoints via a gateway.
DTMF relay standard interworking: gateway translates between in-band, NTE and out-of-band signaling methods.
DTMF relay via MTP with RFC 4733 NTE passthrough: MTP passes named-event RTP packets end-to-end.
DTMF relay with no interworking: both endpoints use the same method (e.g. RFC 2833) end-to-end.
DTMF relay with symmetric negotiation: both endpoints agree on the same method in SDP offer/answer.
SIP NOTIFY-based DTMF relay across MTP with RFC 2833 NTE for the RTP leg.
DTMF relay failure: SIP NOTIFY for DTMF rejected with 403 Forbidden when NTE is expected instead.
SIP voice call using RFC 4733 (telephone-event) RTP payload for in-band DTMF relay end-to-end.
SIP unsolicited NOTIFY DTMF relay without digit drop: all digits delivered cleanly between endpoints.
Dynamic Trunking Protocol frames negotiate trunking mode (desirable/auto) between two Cisco switch ports.
EIGRP IPv4 neighbor initialization showing interop between classic and named-mode routers, with Hello, Update/INIT and Ack forming the adjacency.
EIGRP IPv4 neighbor formation with HMAC-MD5 authentication: authenticated Hellos and INIT Updates bring up the adjacency.
EIGRP IPv4 neighbor initialization with no authentication: Hellos, INIT Update, Ack, and topology exchange establish adjacency.
EIGRP IPv4 neighbor formation with HMAC-SHA-256 authentication: authenticated Hellos and INIT Updates bring up the adjacency.
EIGRP IPv4 adjacency where one router advertises stub flags in its Hello, restricting the routes it will advertise.
EIGRP IPv4 unicast-neighbor adjacency using statically configured neighbor addressing instead of the 224.0.0.10 multicast Hellos.
EIGRP IPv4 adjacency formed over an IP-unnumbered interface, exchanging Hellos/Updates without a subnet on the link.
EIGRP Over-the-Top (OTP) IPv4 data-plane flow: LISP-encapsulated user traffic between sites after OTP adjacency is up.
EIGRP Over-the-Top (OTP) IPv4 control-plane initialization: EIGRP neighbors form over LISP with route exchange across the OTP overlay.
EIGRP IPv4 route-loss diffusing computation: a Query is flooded to neighbors and each returns a Reply so the router can pick a successor.
EIGRP IPv4 Stuck-in-Active recovery using SIA-Query/SIA-Reply to confirm the distant neighbor is still processing the active route.
EIGRP IPv4 stub behavior: queries are not sent toward the stub neighbor, demonstrating query-scope reduction.
EIGRP IPv4 topology where a stub router receives a query but, per stub rules, replies with Inaccessible rather than propagating.
EIGRP IPv4 adjacency fails because the routers are configured with mismatched Autonomous System numbers; Hellos are ignored.
EIGRP IPv4 adjacency fails due to mismatched K-values; peer logs K-value mismatch and the neighborship is torn down.
EIGRP IPv4 adjacency fails because of mismatched MD5 authentication keys; Hellos are dropped and no neighbor forms.
EIGRP IPv4 adjacency fails due to mismatched SHA-256 authentication keys; Hellos are dropped and no neighbor forms.
EIGRP IPv4 unicast-neighbor misconfiguration (one side unicast, other multicast, or wrong address), adjacency never forms.
EIGRP IPv6 neighbor initialization showing classic/named-mode interop over link-local addresses to FF02::A.
EIGRP IPv6 neighbor formation with HMAC-MD5 authentication bringing up the adjacency over link-local Hellos.
EIGRP IPv6 neighbor initialization with no authentication; Hellos to FF02::A, INIT Update and Ack form the adjacency.
EIGRP IPv6 neighbor formation with HMAC-SHA-256 authentication over link-local Hellos.
EIGRP IPv6 adjacency where one router advertises stub flags in Hello, restricting its advertised routes.
EIGRP IPv6 unicast-neighbor adjacency using configured neighbor addresses rather than link-local multicast.
EIGRP Over-the-Top (OTP) IPv6 data-plane flow: LISP-encapsulated user traffic between sites after OTP adjacency is up.
EIGRP Over-the-Top (OTP) IPv6 control-plane initialization: EIGRP neighbors form over LISP with route exchange across the overlay.
EIGRP IPv6 diffusing computation: Query flooded and Replies returned so the router can choose a new successor.
EIGRP IPv6 Stuck-in-Active recovery using SIA-Query/SIA-Reply to keep the active route from timing out.
EIGRP IPv6 stub behavior: queries are suppressed toward the stub neighbor, reducing query scope.
EIGRP IPv6 topology where a stub router that does receive a query replies Inaccessible per stub rules.
EIGRP IPv6 adjacency fails due to mismatched AS numbers; Hellos are ignored by the peer.
EIGRP IPv6 adjacency fails due to mismatched K-values; peer logs K-value mismatch and tears down the neighbor.
EIGRP IPv6 adjacency fails because of mismatched MD5 authentication keys; Hellos are dropped.
EIGRP IPv6 adjacency fails due to mismatched SHA-256 authentication keys; Hellos are dropped.
EIGRP IPv6 unicast-neighbor misconfiguration, adjacency never forms.
E-LMI status exchange initialization between CE and PE, with STATUS ENQUIRY and STATUS messages reporting EVC and UNI configuration to the customer device.
IPsec ESP with AES encryption in transport mode between two hosts, protecting the original IP payload end-to-end.
IPsec ESP-AES in tunnel mode between gateways, encrypting the full inner IP packet inside a new outer IP header.
Cisco GETVPN data-plane flow using ESP-AES with a group-shared SA, preserving the original IP header for any-to-any encrypted delivery.
ESP-AES in transport mode protecting a GRE tunnel, encrypting GRE-encapsulated payloads between the tunnel endpoints.
ESP-AES transport mode over GRE with NAT-Traversal, encapsulating ESP in UDP/4500 to traverse NAT devices.
ESP-AES tunnel mode wrapping a GRE tunnel, providing full encryption of the GRE-tunneled inner traffic.
ESP-AES tunnel mode protecting mGRE (DMVPN) traffic with NAT-Traversal via UDP/4500 encapsulation.
IPsec ESP with null encryption in transport mode, providing authentication only so the payload remains inspectable in capture.
ESP-null transport mode between hosts with NAT-Traversal, wrapping the ESP in UDP/4500 for NAT compatibility.
ESP-null tunnel mode between gateways, authenticating the encapsulated inner IP packet without encryption.
ESP-null tunnel mode with NAT-Traversal, carrying the authenticated-only ESP inside UDP/4500 across NAT.
GETVPN data plane using ESP-null, preserving original IP headers and allowing inspection of the authenticated payload.
ESP-null transport mode protecting GRE, authenticating the GRE-tunneled payload while leaving it readable.
ESP-null transport mode over GRE with NAT-T, encapsulating the authentication-only ESP in UDP/4500.
ESP-null tunnel mode wrapping GRE, providing authentication-only protection of the GRE-tunneled inner traffic.
ESP-null tunnel mode protecting mGRE (DMVPN) with NAT-Traversal via UDP/4500, authentication only.
802.1ad Q-in-Q with the standard 0x88A8 S-Tag EtherType, showing double-tagged provider-bridged Ethernet frames.
802.1ad-style Q-in-Q using legacy 0x9100 outer EtherType for S-Tag, commonly seen on older provider-bridge gear.
802.1ad-style Q-in-Q using legacy 0x9200 outer EtherType for the service tag on older vendor implementations.
802.1ah MAC-in-MAC (PBB) frame demonstrating I-Tag priority and DEI bit encoding in a provider-backbone-bridged network.
802.1Q VLAN-tagged frame showing PCP priority and DEI (drop-eligible) bits in the TCI field.
802.1Q trunk link carrying multiple VLAN-tagged frames between switches, identifying each frame by VLAN ID.
IEEE 802.1Qbb Priority Flow Control (PFC) PAUSE frames signaling per-CoS pause to the upstream port to prevent frame loss in lossless Ethernet.
IEEE 802.3x MAC PAUSE frames signaling link-level flow control to halt all Ethernet transmission from the upstream port for a specified quanta.
Cisco ISL trunk encapsulation, legacy VLAN tagging that wraps Ethernet frames in a 26-byte ISL header.
Ethernet jumbo frames exceeding the standard 1500-byte MTU, showing large-payload transmission on capable links.
Basic PPPoE session: Discovery (PADI/PADO/PADR/PADS) followed by LCP/IPCP negotiation over the established session.
PPPoE session to a Broadband Network Gateway, including PPPoE discovery and subscriber PPP authentication/IPCP.
PPPoE session to a Cisco FTD where LCP Configure-Reject is sent for unsupported options, showing negotiation fallback.
Q-in-ISL encapsulation where 802.1Q-tagged frames are further wrapped inside a legacy Cisco ISL trunk header.
Q-in-Q service provider tunnel double-tagging customer VLANs with an outer S-Tag to transport them transparently.
Plain untagged Ethernet frames on an access port with no VLAN tag in the header.
H.323 fax pass-through from the originating gateway perspective: voice-band fax tones carried in G.711 RTP.
H.323 fax pass-through from the terminating gateway perspective: voice-band fax tones received over G.711 RTP.
SIP fax pass-through at the originating gateway: fax carried end-to-end as G.711 without T.38 switchover.
SIP fax pass-through at the terminating gateway: fax received over G.711 RTP without T.38 switchover.
H.323 fax call switching to T.38 at the originating gateway: H.245 OpenLogicalChannel for T38FaxUdp, then T.38 UDPTL.
H.323 fax call switching to T.38 at the terminating gateway: H.245 T38 capability and T.38 UDPTL packets received.
H.323 fax call using Cisco NSE (Named Signaling Events) to trigger T.38 fax switchover at originating gateway.
H.323 fax call using Cisco NSE to trigger T.38 fax switchover at terminating gateway.
MGCP-controlled fax call using Cisco NSE to trigger T.38 switchover at originating gateway.
SCCP-controlled fax call using Cisco NSE to trigger T.38 switchover at originating gateway.
SCCP-controlled fax call using Cisco NSE to trigger T.38 switchover at terminating gateway.
SIP fax call using Cisco NSE to trigger mid-call T.38 reINVITE switchover at originating gateway.
SIP fax call using Cisco NSE to trigger mid-call T.38 reINVITE switchover at terminating gateway.
flex_centralsw_dot1x_peap_wired: FlexConnect central-switching 802.1X/PEAP (wired view): iPhone associates via Client C (AP), AP-AP DTLS carries EAP, 4-way EAPOL Key completes, data flows to Server B.
flex_centralsw_joindata_wired: FlexConnect central-switching join/data: iPhone associates via Client C AP; AP-AP DTLS tunnel carries client data to broadcast and Server B.
flex_localsw_dot1x_peap_wired: FlexConnect local-switching 802.1X/PEAP (wired view): client associates locally, 4-way EAPOL Key completes, then DHCP Request and WLC-WLC ICMP keepalives.
flex_localsw_joindata_wired: FlexConnect local-switching join/data: client DHCP Request answered by WLC G, followed by ICMP Echo Request/Reply keepalives between WLC G and H.
Frame Relay with Cisco proprietary encapsulation on a PVC, commonly used between Cisco routers.
Frame Relay frames illustrating congestion signaling via the DE, FECN, and BECN bits in the address field.
Frame Relay bridging Ethernet frames over a PVC using RFC 1490/2427 bridged encapsulation.
Frame Relay with IETF (RFC 2427) multiprotocol encapsulation carrying IP over a PVC.
FTP active-mode download where the client issues PORT then RETR, the server opens a data connection back to the client, and the file is transferred.
FTP active-mode upload using PORT and STOR, with the server initiating the data connection back to the client to receive the file.
FTP passive-mode download using PASV and RETR, with the client initiating the data connection to the server-supplied port to download the file.
FTP passive-mode GET using min/max passive port range negotiation, demonstrating how the server advertises a port within a constrained range for the data channel.
FTP passive-mode upload with PASV and STOR, where the client opens the data connection to the server and streams the file for storage.
FTPS (FTP over TLS) active-mode download with AUTH TLS securing the control channel and an encrypted data channel for the RETR transfer.
FTPS active-mode upload with TLS-protected control and data channels, using STOR to push an encrypted file to the server.
FTPS passive-mode download where PASV plus TLS data-channel protection secure the RETR file transfer end to end.
FTPS passive-mode upload with TLS-secured control and data channels, delivering the STOR payload under encryption.
Geneve tunnel encapsulating IPv4 and IPv6 inner traffic over a UDP overlay, demonstrating extensible TLV-based tunnel options.
GLBP Active Virtual Forwarder failover, where a secondary AVF assumes forwarding responsibility for a virtual MAC after the primary AVF fails.
GLBP initialization with Hello and Request/Response messages electing the Active Virtual Gateway and assigning virtual MACs to Active Virtual Forwarders.
GRE tunnel capture exercising all optional header fields (checksum, key, sequence number) to illustrate the full GRE option set between endpoints.
GRE tunnel with the checksum option enabled, showing how the optional checksum field is carried in the GRE header between tunnel endpoints.
GRE encapsulation using the key field as an entropy label to aid ECMP hashing of tunneled flows across the underlay.
ERSPAN over GRE capture showing mirrored Ethernet frames encapsulated with an ERSPAN header for remote traffic analysis.
GRE tunnel keepalive exchange where the sender injects a self-addressed GRE packet that the peer loops back to prove liveness.
GRE tunnel with the optional 32-bit key field set, commonly used to demultiplex multiple GRE tunnels between the same endpoint pair.
Minimal GRE tunnel capture with no optional header fields, showing the baseline GRE encapsulation between two endpoints.
GRE tunnel using the optional sequence number field so that in-order delivery of encapsulated packets can be tracked.
gNMI Capabilities RPC over gRPC/HTTP2, where the client requests supported models and encodings and the target returns its capability response.
gNMI Get RPC retrieving configuration or state data from a network device, returning a Notification with the requested paths and values.
gNMI Set RPC with a delete operation removing a configuration path from the target, acknowledged via SetResponse.
gNMI Set RPC using replace semantics to fully overwrite a configuration subtree on the target device.
gNMI Set RPC using update semantics to merge configuration changes into the target's existing configuration.
gNMI Subscribe RPC establishing a streaming telemetry subscription, with the target pushing periodic or on-change updates for the subscribed paths.
gNMI RPC returning an Unimplemented gRPC status, indicating the target does not support the requested operation.
gRPC network management DeleteConfig RPC removing a configuration element on the target, with success/failure status returned to the client.
gRPC GetConfig RPC fetching the current configuration from the target device over HTTP/2.
gRPC MergeConfig RPC applying a partial configuration merge on the target, preserving existing settings not referenced in the request.
gRPC ReplaceConfig RPC fully replacing a configuration subtree on the target, overwriting previous values.
gRPC streaming telemetry using Google Protocol Buffers (compact GPB) encoding, pushing device metrics to a collector.
gRPC streaming telemetry using JSON-encoded payloads, delivering human-readable device state updates to the collector.
gRPC streaming telemetry using the self-describing key-value GPB encoding, providing schema-agnostic telemetry to the collector.
guest_anchor_data_wlan: Guest anchor WLAN data: only bidirectional QoS Data frames to/from the iPhone client captured over the anchor tunnel.
guest_anchor_dhcp_fail_wired2: Guest-anchor wired view where DHCP never completes: iPhone associates via AP 1b but only broadcasts Data (no DHCP Offer), indicating DHCP failure on the anchor.
guest_anchor_dhcp_fail_wlan2: Guest-anchor WLAN side of DHCP failure: client associates and runs 4-way EAPOL Key, but anchor AP 1b later Deauthenticates because DHCP did not complete.
guest_anchor_eoip_data_wired: Guest anchor EoIP tunnel: WLC C and WLC D exchange ICMP Echo Req/Reply across the EoIP tunnel while iPhone client data traverses the anchor.
guest_anchor_newmob_data_wired: Guest-anchor new-mobility data: only bidirectional Data frames to/from iPhone client captured over the new-mobility anchor tunnel.
guest_anchor_newmob_half_encr_data_wired: Guest-anchor new-mobility half-encrypted data: only the AP-to-AP DTLS Application Data frames captured, showing the CAPWAP control plane.
guest_anchor_webauth_wired: Guest-anchor web-auth wired flow: AP-AP DTLS, WLC-to-WLC TCP handshakes, redirects and TCP resets as the client is web-authenticated via the anchor WLC.
guest_anchor_webpassthru_wired: Guest-anchor web-passthrough wired flow: AP associates, client DHCP Discover/Offer/Request/ACK through the anchor, then TCP sessions and ICMP Type 3 indicate redirect path.
H.245 control channel exchange showing alphanumeric UserInput messages for DTMF/keypad input over H.323.
H.245 control channel exchange showing signal-type UserInput (signal/signalUpdate) messages for DTMF over H.323.
H.323 supplementary service Hold/Resume: H.450.4 invoke APDUs and H.245 CLC/OLC to mute/unmute media.
H.323 supplementary service Hold then Transfer: H.450.4 Hold followed by H.450.2 Call Transfer invoke APDUs.
Cisco HDLC encapsulation on a serial link, using the proprietary 4-byte header to multiplex IP and CDP.
HSRPv1 failure and preempt scenario where the active router goes down, a standby takes over, then a higher-priority router preempts to reclaim the active role.
HSRPv1 initialization with Hello messages electing the active and standby routers for the virtual IP gateway.
HSRPv2 failover and preempt flow over IPv4/IPv6, demonstrating active-router loss, standby promotion, and subsequent preemption by a higher-priority peer.
HSRPv2 startup with Hellos using the 224.0.0.102 multicast group, electing active and standby routers for the virtual gateway.
HTTP-based JSON-RPC call that creates a new network interface on the device, returning a success result from the RPC endpoint.
HTTP-based JSON-RPC call retrieving the list of interfaces from the device, with the server returning the interface inventory as JSON.
HTTP traffic on non-standard TCP port 5000, showing a GET request and server response for a service hosted outside the default port 80.
HTTP proxy caching flow where the client requests content through a proxy, the proxy fetches from origin, caches the response, and serves later requests from cache.
HTTP/2 over TLS session with ALPN negotiation, HEADERS and DATA frames multiplexed over a single encrypted TCP connection.
HTTP/3 session over QUIC, with the client and server exchanging encrypted QUIC packets carrying request/response streams without TCP.
IGMPv1 Membership Query and Membership Report exchange, where hosts announce interest in a multicast group to the local router.
IGMPv2 flow with Queries, Membership Reports, and Leave Group messages, managing multicast group membership on a LAN.
IGMPv2 used with Source-Specific Multicast semantics driven by DNS-discovered sources, joining specific (S,G) channels.
IGMPv2 with SSM using URL Rendezvous Directory (URD) for source discovery, allowing hosts to join specific (S,G) multicast channels.
IGMPv3 with source-filtered Reports allowing hosts to include or exclude specific source addresses for each multicast group (SSM/ASM).
IMAP4 FETCH command fails (e.g., NO/BAD response) because the message UID or mailbox state is invalid.
IMAP4 LIST command enumerating mailbox folders; server returns the mailbox hierarchy and OK completion.
IMAP4 LOGIN attempt rejected with NO Authentication failed due to invalid credentials.
IMAP4 NOOP keepalive/poll command, server responds OK possibly with untagged status updates.
IMAP4 SEARCH command returns NO/BAD because of invalid criteria or no selected mailbox.
IMAP4 SEARCH returning matching UIDs followed by FETCH to retrieve those messages.
InfluxDB HTTP API login attempt rejected with authentication failure (401 Unauthorized) due to invalid credentials.
InfluxDB CREATE DATABASE query issued over the HTTP API, server responds with success creating the database.
InfluxDB DROP DATABASE query issued over the HTTP API, server acknowledges removal of the database.
InfluxDB DROP SERIES query removing specific measurement series, acknowledged by the server.
InfluxDB SELECT query returning an empty result set because no points match the time range or tags.
InfluxDB SELECT query returning measurement point values over HTTP to the client.
InfluxDB line-protocol write of a measurement point via the HTTP /write endpoint, server responds 204 No Content on success.
Legacy ICMP Information Request/Reply exchange, originally used for hosts to discover the network number before BOOTP/DHCP existed.
interop_11b_11g_wlan: 802.11b/g interop: Client K beacons, iPhone uses Null function power-save frames and exchanges QoS Data with the server showing mixed-rate BSS.
interop_11g_11n_wlan: 802.11g/n interop: multiple APs emit Beacons with varying HT capabilities while iPhone exchanges QoS Data with Server E across the mixed-rate BSS.
IP-in-IP (protocol 4) tunnel capture where an outer IPv4 header encapsulates an inner IPv4 packet between tunnel endpoints.
Cisco IP SLA ICMP jitter probe sending timed ICMP echo bursts between source and responder to measure latency/jitter/loss.
Cisco IP SLA Path Echo: hop-by-hop probing along the route using increasing-TTL ICMP echoes to measure per-hop reachability.
Cisco IP SLA Path Jitter: per-hop jitter measurements along the traceroute path between source and responder.
Cisco IP SLA TCP Connect probe measuring TCP three-way-handshake completion time to a target port.
Cisco IP SLA UDP Echo operation between source and IP SLA Responder measuring round-trip time.
Cisco IP SLA Voice (UDP jitter) using G.711 A-law payload to estimate MOS/ICPIF quality between source and responder.
Cisco IP SLA Voice (UDP jitter) using G.711 u-law payload to estimate MOS/ICPIF voice quality.
Cisco IP SLA Voice (UDP jitter) using G.729a payload simulating compressed-codec voice to estimate MOS/ICPIF.
IPv4 fragmented datagram flow where a large payload is split into multiple fragments and reassembled at the destination based on identification and fragment offset.
IPv4 Loose Source Routing option success flow, where a packet traverses specified intermediate hops and reaches the destination via the LSR-directed path.
IPv4 Record Route option probe, with each router along the path appending its IP address to the option field for path visibility.
IPv4 Strict Source Routing failing with an ICMP Parameter Problem response, indicating a router could not honor the strict next-hop requirement.
IPv4 Strict Source Route forward succeeds but the return path fails, showing asymmetric routing breakage when SSR cannot be satisfied on the reverse leg.
IPv4 Strict Source Routing success flow where the packet traverses the exact hop list specified in the SSR option and is delivered to the destination.
IPv4 Timestamp option probe where each router stamps its time (and optionally address) into the IP header, useful for latency and path analysis.
IPv6-over-IPv4 tunneled traffic carrying an IPsec Authentication Header extension, providing integrity and origin authentication across the transition tunnel.
Pure IPv6 flow with an Authentication Header extension, authenticating the packet end-to-end without encryption.
IPv6 packet carrying a Destination Options extension header, delivering options processed only by the final destination node.
IPv6-in-IPv4 tunnel carrying an ESP-encrypted payload, showing IPsec confidentiality applied over a transition tunnel.
Native IPv6 flow protected by an IPsec ESP extension header, providing encrypted confidential transport end-to-end.
IPv6 packet with a Hop-by-Hop Options extension header processed by every router along the path, used for features like Jumbo payloads or router alerts.
IPv6 packet carrying both Hop-by-Hop and Destination Options extension headers in a single datagram, demonstrating chained extension-header processing.
IPv6 packet with a Routing extension header specifying intermediate nodes to visit, analogous to IPv4 source routing for explicit path steering.
IPv6 flow using the Fragment extension header at the source, splitting a large datagram for reassembly at the destination (IPv6 does not fragment in-transit).
IPv6 Rapid Deployment (6rd) capture where IPv6 packets are encapsulated in IPv4 using the provider's 6rd prefix for transit.
6to4 tunneling where IPv6 packets are carried inside IPv4 (protocol 41) using the 2002::/16 prefix derived from the IPv4 address.
IPv6 transition using GRE over IPv4 to tunnel IPv6 traffic across an IPv4-only underlay between dual-stack endpoints.
ISATAP capture where IPv6 is tunneled over IPv4 with the IPv4 address embedded in the interface ID of the IPv6 address.
Plain IPv6-in-IPv4 encapsulation (protocol 41) showing static manual tunneling of IPv6 packets over an IPv4 network.
Novell IPX network running Cisco EIGRP for IPX, exchanging Hello and Update packets to advertise IPX routes.
IPX network initialization using Ethernet II (ARPA) framing, showing RIP/SAP exchanges on the segment.
IPX network initialization using Novell raw 802.3 framing (ethernet_ii disabled), with RIP/SAP traffic.
IPX network initialization using 802.2 LLC/SNAP framing to carry IPX RIP and SAP on the LAN.
ICMP Router Discovery Protocol using broadcast Router Advertisements and Solicitations so hosts can learn default gateways on the LAN.
ICMP Router Discovery Protocol using multicast Router Advertisements to 224.0.0.1, with host Solicitations to 224.0.0.2 learning available gateways.
IS-IS Level-1 initialization on a broadcast LAN where the DIS sets the attached bit to signal reachability to L2 backbone.
IS-IS Level-1 adjacency failure due to mismatched area (NET) addresses, so neighbors never progress past the Hello stage.
IS-IS Level-1 injection of a new inter-area route, showing LSP flooding and SPF updates in response to the topology change.
IS-IS L1 point-to-point adjacency bring-up with HMAC-MD5 authentication on both Hellos and LSP/CSNP/PSNP PDUs.
IS-IS L1 p2p adjacency init using cleartext-password authentication on both Hello and LSP-class PDUs.
IS-IS L1 p2p init where only Hello PDUs are protected with HMAC-MD5 authentication while LSPs remain unauthenticated.
IS-IS L1 p2p init with cleartext authentication applied only to Hello PDUs during adjacency formation.
IS-IS L1 p2p init with HMAC-MD5 authentication on LSP/CSNP/PSNP PDUs only, leaving Hellos unauthenticated.
IS-IS L1 p2p init using cleartext-password authentication applied only to LSP-class PDUs.
IS-IS L1 p2p adjacency initialization with the overload (OL) bit set, signaling the router should not be used for transit.
IS-IS L1 p2p init where Hellos are padded to MTU only on the first few exchanges to verify MTU before trimming.
IS-IS L1 p2p init with Hello padding disabled entirely, so PDUs are sent at minimum size from the start.
IS-IS L1/L2 p2p adjacency using the IETF 3-way handshake TLV to unambiguously confirm bidirectional reachability.
IS-IS L1/L2 p2p init using narrow (original) 6-bit TLV metrics for interface and IP reachability.
IS-IS L1/L2 p2p init using wide-metric TLVs (TLV 22/135) enabling 24/32-bit metrics needed for MPLS-TE.
IS-IS Level-2 broadcast LAN scenario showing a DIS election change and pseudonode LSP re-origination.
IS-IS Level-2 adjacency initialization on a broadcast LAN including DIS election and CSNP/PSNP synchronization.
IS-IS Level-2 p2p adjacency brought up across a GRE tunnel interface between two routers.
IS-IS extensions for MPLS-TE showing wide-metric TLVs with TE sub-TLVs (bandwidth, admin-group) advertising link attributes.
L2TPv3 control-plane bring-up using 4-byte authentication cookies, establishing a pseudowire between PE devices.
L2TPv3 control-plane bring-up using 8-byte authentication cookies for additional session-id protection on the pseudowire.
L2TPv3 basic session establishment with SCCRQ/SCCRP/SCCCN and ICRQ/ICRP/ICCN, building a point-to-point L2 pseudowire.
L2TPv3 session establishment failing due to authentication mismatch, with a StopCCN or CDN message tearing down the session.
L2TPv3 session failing because the requested pseudowire or peer does not exist, producing a Call-Disconnect-Notify teardown.
L2TPv3 session using IETF-standard AVP encoding, showing interoperable control-channel setup for pseudowire transport.
L2TPv3 pseudowire encapsulated in UDP (rather than native IP protocol 115), traversing NAT or firewall-friendly paths.
L2TPv3 Universal Transport Interface variant carrying arbitrary Layer 2 payloads across the pseudowire.
IEEE 802.3ad LACP exchange: partners send LACPDUs negotiating Actor/Partner state until the link aggregation bundle becomes active.
LDP Address and Label Mapping exchange where peers advertise their interface addresses and FEC-to-label bindings.
LDP pseudowire with attachment-circuit down: the PE signals AC status TLV indicating the local access side is inactive.
AToM pseudowire (LDP-signaled) carrying Frame Relay frames across an MPLS core between PEs.
AToM pseudowire transporting Cisco HDLC frames across MPLS via LDP-signaled VC labels.
AToM IP-interworking pseudowire allowing different Layer-2 encapsulations to interwork at the IP layer over MPLS.
AToM pseudowire carrying PPP frames between PEs, with LDP signaling the PW label binding.
LDP pseudowire using a control word to preserve sequencing and to avoid misordering by ECMP load balancers.
LDP pseudowire with control word plus a flow label (RFC 6391) to enable per-flow load balancing across the core.
LDP pseudowire scenario where the underlying LSP goes down, triggering PW status signaling and traffic loss.
LDP pseudowire operating without a control word, suitable for encapsulations where one is not required.
LDP session setup between peers secured with TCP MD5 authentication, progressing through Hello, Init, and KeepAlive.
LDP session setup without authentication: UDP Hellos discover the peer, then TCP Init/KeepAlive bring the session up.
Established LDP session in steady state exchanging periodic KeepAlive messages to maintain the adjacency.
LDP label withdraw and label release exchange, showing how peers revoke and free FEC-label bindings when a route is removed.
LDPv6 session init using IPv6 transport with explicit-null label advertisement and TCP MD5 authentication.
LDPv6 session initialization over IPv6 transport with no authentication, completing Hello/Init/KeepAlive.
LISP ETR-to-Map-Server registration flow where the ETR advertises its EID-to-RLOC mapping and the Map-Server acknowledges.
LISP IPv4 Map-Request in instance-ID 0, showing the control-plane lookup from an ITR through the Map-Resolver to obtain RLOC mappings.
LISP PxTR handling IPv4 traffic in IID 0 by LISP-encapsulating native packets from a non-LISP site toward the destination ETR.
LISP PxTR decapsulating IPv4 traffic in IID 0 and forwarding it natively into a non-LISP network segment.
LISP IPv4 Map-Request in instance-ID 100, showing EID-to-RLOC resolution within a specific VRF/VPN context.
LISP IPv6 Map-Request in instance-ID 0 where an ITR queries the mapping system for an IPv6 EID's RLOC set.
LISP PxTR encapsulating native IPv6 traffic into LISP for delivery toward a registered IPv6 ETR in instance-ID 0.
LISP PxTR decapsulating IPv6 LISP traffic in IID 0 and forwarding the inner packet natively to a non-LISP IPv6 destination.
LISP IPv6 Map-Request in instance-ID 100, resolving an IPv6 EID to its RLOCs within a segmented VPN context.
Link Layer Discovery Protocol advertisement: device multicasts LLDP frame with chassis/port IDs and TLVs describing capabilities.
MPLS LSP Ping (LSPV) basic IPv4 echo request/reply per the early draft, used to verify LSP data-plane connectivity.
MPLS LSP Ping over IPv4 using an early pre-RFC4379 draft revision 1 echo request/reply exchange, verifying basic label switched path connectivity.
MPLS LSP Ping over IPv4 using pre-RFC4379 draft revision 2 echo request/reply format, testing an early iteration of the LSP verification protocol.
Standard RFC 4379 MPLS LSP Ping over IPv4: egress LSR returns an echo reply confirming the FEC is reachable along the tested label switched path.
MPLS LSP Ping over IPv4 where the PHP advertises explicit-null (label 0), verifying EXP preservation on the final hop before IP forwarding.
MPLS LSP Ping over an IPv4 BGP-labeled FEC that fails: the transit LSR has no mapping for the FEC, returning a 'No FEC Mapping' return code.
MPLS LSP Ping with a Generic IPv4 FEC TLV; egress returns an echo reply with success code, validating LSP reachability without protocol-specific FEC info.
MPLS LSP Ping over an LDP IPv4 prefix FEC completing successfully: egress LSR replies 'Egress for FEC at stack depth', confirming the LDP path.
MPLS LSP Ping over IPv4 where the transit LSR's reply indicates a labeled outgoing interface, confirming continued label switching toward egress.
MPLS LSP Ping over IPv4 hitting an MTU limit: a transit LSR returns an error/PTB indication, signaling the echo request exceeded path MTU.
MPLS LSP Ping over IPv4 using the Router Alert label (1) so each transit LSR punts the echo request to the control plane for per-hop processing.
MPLS LSP Traceroute per RFC 4379: incremented TTL causes each transit LSR to reply in turn, mapping the full IPv4 label switched path.
MPLS LSP Ping over IPv4 where the transit LSR reports an unlabeled outgoing interface, indicating the LSP terminates (PHP) at that hop.
MPLS LSP Ping over IPv4 fails because the receiver does not understand a mandatory TLV, returning a 'Malformed/Unsupported TLV' error return code.
MPLS LSP Ping over IPv4 with FEC verification enabled: egress checks the received FEC against its own binding and replies with the match status.
RFC 4379 MPLS LSP Ping over IPv6: echo request carries an IPv6 FEC and the egress LSR returns a successful echo reply confirming reachability.
MPLS LSP Ping across an mLDP multipoint-to-multipoint MDT tree, verifying the multicast LSP used for default MDT distribution in MVPN.
MPLS LSP Ping over an mLDP point-to-multipoint inband-signaled tree, validating the multicast LSP built for a specific (S,G) flow.
RFC 4379 MPLS LSP Ping across an L2 pseudowire using the control word, verifying VC label connectivity between PE endpoints.
RFC 4379 MPLS LSP Ping over a pseudowire negotiated without a control word, verifying VC label forwarding on the bare PW.
MPLS LSP Ping over a pseudowire where the echo reply traverses the PW control channel, validating the bidirectional VC.
MPLS LSP Ping over a pseudowire without control word where the reply uses the PW control channel for return path validation.
MPLS LSP Ping over a pseudowire using an entropy label for ECMP hashing, verifying load-balanced PW forwarding between PEs.
MPLS LSP Ping over a pseudowire fails: echo request is malformed and the receiver returns a 'Malformed echo request' error return code.
MPLS LSP Ping over a pseudowire times out with no echo reply received, indicating a broken VC or unreachable remote PE.
MPLS LSP Ping over a pseudowire using the Router Alert label so each LSR punts the echo to control plane for PW validation.
MPLS LSP Ping across a pseudowire leveraging Router Alert processing at every hop for per-LSR PW fault detection.
MPLS LSP Ping over a pseudowire where the TTL expires at a transit LSR, which returns a TTL-expired echo reply for PW traceroute.
RFC 4379 MPLS LSP Ping over an RSVP-TE tunnel: egress LSR confirms the signaled TE LSP is operational by returning an echo reply.
MPLS LSP Traceroute across an RSVP-TE tunnel: each transit LSR replies with its role along the explicit-routed TE path.
MPLS-TP LSP Ping via the G-ACh Continuity Verification (CV) channel, used for OAM on transport profile LSPs.
MPLS-TP LSP Ping using an IP-encapsulated G-ACh channel to verify connectivity of a transport profile LSP.
MPLS-TP LSP Ping across a transport-profile pseudowire, exercising basic OAM echo request/reply over the PW.
MACsec frame with confidentiality offset of 30 bytes, leaving the first 30 bytes of the payload in cleartext and encrypting the remainder.
MACsec frame using a confidentiality offset of 50 bytes so that 50 bytes of header remain visible while the rest is encrypted.
MACsec frame carrying a 802.1Q VLAN tag in the clear outside the MACsec protection, allowing VLAN-aware transit devices to see the tag.
MACsec frame with the 802.1Q VLAN tag hidden inside the encrypted payload, so the tag is only visible after MACsec decryption.
MACsec frame captured without the ICV indicator bit set, illustrating an alternative TCI/AN encoding of the SecTAG.
Initial MACsec handshake on an untagged link, establishing the SecY session before user frames are protected.
Cisco Meraki MR20 access point initialization traffic: DHCP, DNS, and cloud-controller TLS registration to the Meraki dashboard.
Cisco Meraki MV12WE camera initialization flow: address acquisition, time sync, and secure check-in to Meraki cloud services.
Cisco Meraki MX64 security appliance traffic showing management check-in to the Meraki cloud and typical WAN services.
mesh_data_remotewap_wired: Wired view of mesh data via remote WAP: multiple AP-AP DTLS CAPWAP tunnels carry the client traffic between mesh APs, with client probe and data frames.
mesh_data_remotewap_wlan: WLAN mesh data via remote WAP: a few QoS Data frames and a broadcast Data frame from AP 2b illustrate mesh backhaul data forwarding.
mesh_data_wired: Wired view of mesh data: multiple AP-AP DTLS CAPWAP tunnels between mesh APs, DNS Queries, and WLC B pings AP wired F confirming mesh reachability via ICMP Echo.
mesh_data_wlan: WLAN mesh data: two QoS Data frames with unresolved endpoints plus a Beacon from Client AY, a minimal sample of mesh backhaul WLAN traffic.
Mesh AP (MAP) teardown captured over-the-air: broadcast data frame from Cisco AP advertises link-down; no reassociation follows, indicating the mesh child AP detached from its parent.
Wired CAPWAP join of a mesh AP to its WLC: DHCP Discover/Offer/Request/ACK for AP address, CAPWAP Discovery Request/Response, then DTLS Handshake setting up the secure control tunnel.
Over-the-air mesh MAP join to parent RAP: beacons, probe/authentication handshakes and 802.11 data frames show the child mesh AP discovering and linking to the root access point.
MGCP call with out-of-band DTMF: gateway reports digits to Call Agent via NTFY with D/digit observed events.
MGCP call with in-band DTMF via RTP Named Telephone Events (RFC 2833) carried end-to-end.
MGCP FXO endpoint registration with Call Agent: RSIP restart-in-progress and RQNT provisioning.
MGCP FXS inbound call: Call Agent sends CRCX/MDCX to gateway, NTFY off-hook and digit events drive call setup.
MGCP FXS outbound call: NTFY off-hook plus dialed digits trigger Call Agent to set up connection via CRCX/MDCX.
MGCP FXS endpoint registration with Call Agent: RSIP restart and RQNT provisioning of line events.
MGCP FXS endpoint reset: gateway sends RSIP (graceful/forced) to Call Agent; endpoints re-register.
MGCP-controlled ISDN PRI call: Q.931 backhaul over MGCP between gateway and Call Agent for call setup/teardown.
MGCP ISDN PRI endpoint registration: RSIP and Q.931 backhaul channel establishment with Call Agent.
MGCP gateway restart: RSIP (restart-in-progress) sent to Call Agent followed by endpoint re-provisioning.
mLDP signaling of a point-to-multipoint Data MDT: label mapping messages build an on-demand multicast LSP for a high-bandwidth (S,G).
mLDP signaling of a multipoint-to-multipoint Default MDT: PEs exchange label mappings to build the always-on MVPN multicast tree.
mLDP inband signaling carrying IPv4 and IPv6 multicast state directly in the LDP FEC, building per-(S,G) LSPs without PIM.
mLDP inband signaling for VPNv4/VPNv6 multicast: per-VRF (S,G) FECs are encoded in LDP to build MVPN LSPs without a default MDT.
MLDv1 (Multicast Listener Discovery) flow for IPv6 with Listener Query, Report, and Done messages managing multicast membership.
MLDv1 over IPv6 used with Source-Specific Multicast semantics driven by DNS source discovery, joining specific (S,G) channels.
MLDv2 for IPv6 with source-filtered Listener Reports enabling include/exclude semantics per multicast group, supporting SSM.
ICMP Mobility Agent Advertisement messages used by Mobile IP foreign and home agents to announce themselves to mobile nodes.
H.323 modem pass-through using Cisco NSE to signal modem tone detection and switch to clear-channel codec at OGW.
H.323 modem pass-through using Cisco NSE to signal modem tone detection and switch to clear-channel codec at TGW.
MGCP modem pass-through using Cisco NSE at originating gateway: switch to clear-channel codec for modem traffic.
MGCP modem pass-through using Cisco NSE at terminating gateway: switch to clear-channel codec for modem traffic.
SCCP modem pass-through using Cisco NSE at originating gateway: switch to clear-channel codec for modem traffic.
SCCP modem pass-through using Cisco NSE at terminating gateway: switch to clear-channel codec for modem traffic.
SIP modem pass-through using Cisco NSE at originating gateway: reINVITE to clear-channel codec for modem traffic.
SIP modem pass-through using Cisco NSE at terminating gateway: reINVITE to clear-channel codec for modem traffic.
MongoDB wire-protocol authentication (SASL SCRAM) rejected due to bad credentials, returning an auth failure to the client.
MongoDB delete operation over the wire protocol removing matching documents from a collection and returning n deleted.
MongoDB find query returning matching documents from a collection over the wire protocol.
MongoDB insert of one or more documents into a collection via the wire protocol, acknowledged by the server.
MongoDB serverStatus admin command returning runtime metrics (connections, memory, ops) to the client.
MPLS-in-IP tunneling where labeled packets are encapsulated in IP (protocol 137) for traversal across non-MPLS segments.
MPLS labels carried over a DMVPN phase 1 hub-and-spoke GRE tunnel, extending MPLS forwarding across an IPsec-protected overlay.
MPLS over DMVPN phase 2: spoke-to-spoke dynamic NHRP shortcuts carry labeled traffic directly between spokes over the mGRE overlay.
MPLS over DMVPN phase 3 with NHRP redirect/resolution enabling summarized routing and spoke-to-spoke MPLS forwarding.
Traffic exercising the MPLS reserved label range 0-15 (IPv4 explicit null, router alert, IPv6 explicit null, implicit null, entropy indicator, etc.).
MPLS-TP BFD session establishment over the G-ACh: endpoints negotiate BFD Down→Init→Up for transport LSP continuity monitoring.
MQTT over TLS session with CONNECT/CONNACK handshake, SUBSCRIBE/PUBLISH exchanges, and DISCONNECT, all protected by TLS encryption.
MQTT over WebSockets secured by TLS, tunneling MQTT CONNECT, PUBLISH, and SUBSCRIBE frames through an encrypted WSS connection.
MQTT session in the clear with CONNECT, SUBSCRIBE, PUBLISH, and DISCONNECT messages exchanged without TLS protection.
MQTT over plain WebSockets without TLS, carrying CONNECT, PUBLISH, and SUBSCRIBE frames through an unencrypted WS upgrade.
MSDP IPv4 peering session establishment between RPs using TCP port 639 and TCP MD5 signature authentication.
MSDP IPv4 peering session established between RPs over TCP port 639 without authentication, exchanging Keepalives.
MSDP IPv4 Source-Active (SA) messages announcing active multicast sources from one RP to peer RPs across PIM-SM domains.
MSDP IPv4 Source-Active messages arrive but fail the peer-RPF check against the MSDP peer, causing the SA to be dropped rather than forwarded.
mst_bpdu: Single MST BPDU observed: SW1 sends an RSTP Agreement to the STP multicast group, showing the MSTI agreement frame format.
mst_interregion_change: Inter-region MST topology change: SW3 Proposes, SW4 Agrees then floods RSTP Topology Change notifications; SW3 continues sending Agreements to stabilize.
mst_pvst_sim_bpdu: SW3 in MST PVST-simulation mode emits legacy STP Config BPDUs to both the Cisco PVST+ and IEEE STP multicast addresses, ensuring interop with PVST neighbors.
mst_pvst_sim_vlan10_fail: In MST/PVST simulation, SW3 sends STP Config BPDUs while SW4 keeps raising RSTP Topology Change; indicates PVST simulation failure for VLAN 10 (inconsistent blocking).
mst_topo_change: SW1 sends RSTP Agreements and Topology Change BPDUs, SW3 injects an RSTP Proposal, and SW1 re-agrees as the MST topology reconverges.
Multicast traceroute (mtrace) query failing to return a complete response, indicating a broken RPF path or unsupported hop in the multicast tree.
Multicast traceroute (mtrace) successfully walking the reverse-path tree from receiver to source, reporting each hop's multicast state.
MySQL handshake with failed Native Password authentication; server responds with ERR access-denied packet and closes the connection.
MySQL query rejected with ERR 1064 syntax-error response due to malformed SQL.
MySQL CREATE TABLE DDL statement acknowledged by the server with OK packet.
MySQL DELETE ... WHERE statement removing matching rows, server returns OK with affected-rows count.
MySQL DROP TABLE DDL removing a table, server responds with OK packet.
MySQL INSERT followed by COMMIT in a transaction, server acknowledges both and persists the row.
MySQL SELECT query returning a result set with column definitions and row packets to the client.
MySQL SHOW TABLES metadata query returning the list of tables in the current database.
Cisco Nexus 9000 vPC peers exchange CFS (Cisco Fabric Services) messages over the peer link to synchronize vPC configuration and state between the two peer switches.
Cisco Nexus 9000 vPC peer keepalive heartbeats exchanged over a dedicated management path to detect peer liveness and prevent dual-active (split-brain) conditions.
NAT44 with PAT (overload) for ICMP: inside host's echo request is translated using a rewritten ICMP identifier to share the outside IP.
NAT44 PAT (overload) for UDP: inside source IP:port is translated to a shared outside IP with a unique port for the session.
NAT44 with a pool (one-to-one dynamic) for ICMP: inside host gets a dedicated outside IPv4 address for echo translation.
NAT44 dynamic pool translation for UDP: inside host is mapped to a free pool address without port overloading.
NAT44 twice-NAT translating both source and destination IPv4 addresses of an ICMP flow, typical for overlapping address space scenarios.
NAT44 twice-NAT translating both source and destination of a UDP flow to bridge overlapping inside/outside IPv4 networks.
Stateful NAT64 with PAT for ICMP: IPv6 echo is translated into an IPv4 echo with a rewritten ICMP identifier sharing the outside v4 IP.
Stateful NAT64 PAT for UDP: IPv6 host's UDP flow is translated to a shared IPv4 outside address using port overloading.
Stateful NAT64 with an IPv4 pool for ICMP: each IPv6 host is dynamically mapped to a dedicated v4 address for echo translation.
Stateful NAT64 pool translation for UDP: IPv6 sources are mapped 1:1 to IPv4 pool addresses without port overloading.
Stateless NAT64 (RFC 6145) translating ICMPv6 echo to ICMPv4 using algorithmic IPv4-embedded IPv6 address mapping.
Stateless NAT64 translation of a UDP flow between IPv6 and IPv4 using algorithmic address mapping, with no per-flow state.
Stateless NPTv6 (NAT66) translating ICMPv6 echo between two IPv6 prefixes via algorithmic prefix rewriting.
Stateless NPTv6 (NAT66) translating a UDP flow between IPv6 prefixes using 1:1 prefix substitution, preserving end-to-end transparency.
IPv6 Neighbor Discovery with Neighbor Solicitation and Neighbor Advertisement, performing address resolution and reachability confirmation on the link.
IPv6 Neighbor Discovery Router Solicitation and Router Advertisement, where hosts learn on-link prefixes, default routers, and SLAAC parameters.
IPFIX (NetFlow v10) export of IPv4 flow records: exporter sends templates followed by data sets to the collector over UDP.
IPFIX (NetFlow v10) export of IPv6 flow records with templates describing v6 source/destination fields.
IPFIX (NetFlow v10) export of MPLS-labeled flow records including label stack fields within the flow template.
Classic NetFlow v5 export of IPv4 flows: fixed-format records sent from exporter to collector, no templates.
NetFlow v9 template-based export of IPv4 flow records, with template FlowSet followed by data FlowSets.
NetFlow v9 template-based export of IPv6 flow records, using v9 templates that define IPv6 address fields.
NetFlow v9 export of MPLS-tagged flow records: templates include label stack entries alongside IP flow fields.
nonstp_flexlink: Cisco FlexLink pair (non-STP): after active link failure, SW-F ports send L2 MAT (MAC Address Table) Flush frames to the Cisco multicast group for ARP/LLC/IPX; ICMP between SW1 and SW2 resumes after failover.
KA9Q NOS IP-over-IP tunnel (protocol 94) capture showing legacy amateur-radio-style IP encapsulation between endpoints.
NTP broadcast mode initialization: server multicasts/broadcasts time packets and clients synchronize from them.
NTP client/server mode (mode 3/4): client queries server and server replies with authoritative time.
NTP multicast mode initialization: server sends time packets to an NTP multicast group and listening clients sync.
NTP symmetric-active association initiation: peer sends mode-1 packets to form a mutual symmetric peer relationship.
NTP symmetric-passive response: peer replies in mode 2 to a symmetric-active request, forming a mutual peering.
NVGRE tunnel carrying IPv4 and IPv6 inner frames using GRE with the Virtual Subnet ID, providing network virtualization overlay transport.
IEEE 802.3ah Ethernet OAM PDU discovery handshake where peers exchange Information OAMPDUs to negotiate OAM capabilities on a point-to-point link.
Ethernet OAMPDU remote loopback control sequence, enabling then disabling the remote peer's loopback mode for link diagnostics.
OpenFlow controller programs Open vSwitch with flow rules, then an ARP packet-in/packet-out round trip demonstrates reactive handling of ARP traffic.
OpenFlow controller and Open vSwitch exchange flow-mod and packet-in messages handling a CDP frame punted from the data plane.
OpenFlow controller installs flows on Open vSwitch and processes OSPFv3 traffic via packet-in and packet-out, exercising IPv6 OSPF handling.
Complex OpenFlow channel initialization between controller and Open vSwitch: Hello, Features Request/Reply, Set Config, multipart description and flow programming.
Simple OpenFlow channel initialization between controller and Open vSwitch: Hello exchange, Features Request/Reply, and basic Set Config.
OpenFlow multipart port statistics request/reply exchange between controller and Open vSwitch, retrieving per-port counters.
OSPF TE opaque LSA flooding: routers advertise MPLS-TE link attributes (bandwidth, admin groups, metrics) to populate the TED.
OSPF MPLS-TE opaque LSAs including the Mesh Group ID sub-TLV, used for auto-mesh RSVP-TE tunnel creation among mesh members.
OSPFv2 routers flood a new Type 1 Router LSA and ack it after an interface prefix is added, converging on the new route across the area.
OSPFv2 neighbor adjacency brought up using cryptographic MD5 authentication on Hello and DBD/LSU exchanges.
OSPFv2 neighbor adjacency established using HMAC-SHA256 cryptographic authentication (RFC 5709) on all OSPF packets.
OSPFv2 neighbor adjacency forms with simple plaintext password authentication in the OSPF header.
OSPFv2 broadcast-segment DR/BDR election via Hello packets, with routers comparing priority and RID before forming full adjacencies with the DR.
OSPFv2 LSA flooding war where two routers repeatedly flood newer instances of the same LSA, illustrating unstable re-origination behavior.
OSPFv2 adjacency bring-up with Link-Local Signaling (LLS) disabled; Hellos and DBDs omit the LLS block normally used for capability signaling.
OSPFv2 flooding of Type 1 Router LSAs and Type 2 Network LSAs describing intra-area topology on a broadcast segment.
OSPFv2 Type 3 Summary LSAs originated by an ABR advertising inter-area prefixes into a connected area.
OSPFv2 Type 4 ASBR Summary LSAs originated by an ABR advertising reachability to an ASBR across area boundaries.
OSPFv2 Type 5 AS External LSAs with metric-type E1 flooded throughout the OSPF domain for external redistributed prefixes.
OSPFv2 Type 5 AS External LSAs with metric-type E2 (default) flooded throughout the OSPF domain for external redistributed prefixes.
OSPFv2 Type 6 Group Membership LSAs (MOSPF) used to advertise multicast group membership within an area.
OSPFv2 Type 7 NSSA External LSAs with metric-type N1 originated inside an NSSA area for external prefixes, later translated to Type 5 at the ABR.
OSPFv2 Type 7 NSSA External LSAs with metric-type N2 originated inside an NSSA area, subject to Type 7 to Type 5 translation at the NSSA ABR.
OSPFv2 Hellos between a broadcast-type interface and a point-to-point-type interface fail to form adjacency due to network type mismatch.
OSPFv2 neighbors get stuck in ExStart/Exchange because DBD packets advertise mismatched interface MTU values, blocking the adjacency.
OSPFv2 topology spanning multiple areas with an ABR originating Type 3 summaries between area 0 and non-zero areas.
OSPFv2 Non-Broadcast (NBMA) network type adjacency where Hellos are unicast to manually configured neighbors and a DR is elected.
OSPFv2 Point-to-Multipoint network type adjacency forming without DR/BDR, treating each neighbor as an individual point-to-point link.
OSPFv2 NSSA area initial adjacency with the N-bit set in Hello options, enabling Type 7 LSAs inside the NSSA.
OSPFv2 prefix suppression in action: interface prefixes are omitted from Router LSAs, shrinking the LSDB while preserving transit connectivity.
OSPFv2 stub area initial adjacency with the E-bit cleared in Hello options, preventing Type 5 external LSAs from entering the area.
OSPFv2 neighbor adjacency protected by GTSM TTL security, accepting only packets arriving with TTL equal to 255 for spoofing protection.
OSPFv2 adjacency over an IP unnumbered point-to-point link, forming full neighbor state without a subnet on the interface.
OSPFv2 virtual link tunneled across non-backbone area 1 to reconnect a disconnected ABR to the backbone area 0.
OSPFv3 for IPv4 address family floods updated Router/Intra-Area-Prefix LSAs after a new IPv4 prefix is added to an interface.
OSPFv3 for IPv4 AF with IPsec/authentication trailer using HMAC-SHA256 to authenticate OSPFv3 packets between neighbors.
OSPFv3 for IPv4 broadcast DR/BDR election driven by Hello priorities and Router IDs before full adjacencies form with the DR.
OSPFv3 for IPv4 adjacency protected by IPsec ESP with null encryption, providing integrity without confidentiality on OSPF packets.
OSPFv3 for IPv4 flooding war with routers repeatedly re-originating newer sequence numbers of the same LSA, an unstable LSDB condition.
OSPFv3 for IPv4 flooding Router (0x2001), Network (0x2002), Link (0x0008), and Intra-Area-Prefix (0x2009) LSAs describing the topology.
OSPFv3 for IPv4 Inter-Area-Prefix LSAs (type 0x2003) originated by an ABR to advertise inter-area IPv4 prefixes.
OSPFv3 for IPv4 Inter-Area-Router LSAs (type 0x2004) advertising ASBR reachability across area boundaries.
OSPFv3 for IPv4 NSSA External LSAs (type 0x2007) with metric type N1 originated inside an NSSA area.
OSPFv3 for IPv4 NSSA External LSAs (type 0x2007) with metric type N2 inside an NSSA area, translated to 0x4005 at the ABR.
OSPFv3 for IPv4 AS-External LSAs (type 0x4005) with metric type E1 flooded domain-wide for external redistributed IPv4 prefixes.
OSPFv3 for IPv4 AS-External LSAs (type 0x4005) with default metric type E2 flooded domain-wide for external redistributed IPv4 prefixes.
OSPFv3 for IPv4 Hellos fail to form adjacency due to a network-type mismatch between broadcast and point-to-point interfaces.
OSPFv3 for IPv4 neighbors stall in ExStart/Exchange because DBD MTU values disagree, blocking database exchange.
OSPFv3 for IPv4 deployment spanning multiple areas, with an ABR originating Inter-Area-Prefix LSAs between backbone and non-zero areas.
OSPFv3 for IPv4 Non-Broadcast network-type adjacency with unicast Hellos to configured neighbors and DR election.
OSPFv3 for IPv4 Point-to-Multipoint network-type adjacency forming without DR/BDR across multiple neighbors.
OSPFv3 for IPv4 NSSA area bring-up with the N-bit in Hello options, enabling type 0x2007 NSSA External LSAs.
OSPFv3 for IPv4 prefix suppression: interface prefixes are omitted from Intra-Area-Prefix LSAs while transit links stay reachable.
OSPFv3 for IPv4 stub area bring-up with the E-bit cleared, blocking AS-External (0x4005) LSAs from entering the area.
OSPFv3 for IPv6 floods updated Router and Intra-Area-Prefix LSAs after a new IPv6 prefix is added to an interface.
OSPFv3 for IPv6 with the OSPFv3 authentication trailer using HMAC-SHA256 to protect packets between neighbors.
OSPFv3 for IPv6 broadcast DR/BDR election via Hellos before full adjacencies form with the elected DR.
OSPFv3 for IPv6 adjacency secured by IPsec ESP with null encryption, providing integrity without encryption.
OSPFv3 for IPv6 flooding war where routers continuously re-originate newer instances of the same LSA, an unstable condition.
OSPFv3 for IPv6 flooding Router, Network, Link, and Intra-Area-Prefix LSAs (0x2001/0x2002/0x0008/0x2009) describing topology and prefixes.
OSPFv3 for IPv6 Inter-Area-Prefix LSAs (0x2003) originated by an ABR advertising inter-area IPv6 prefixes.
OSPFv3 for IPv6 Inter-Area-Router LSAs (0x2004) advertising ASBR reachability across area boundaries.
OSPFv3 for IPv6 NSSA External LSAs (0x2007) with metric type N1 originated inside an NSSA area.
OSPFv3 for IPv6 NSSA External LSAs (0x2007) with metric type N2 inside an NSSA, translated to 0x4005 at the ABR.
OSPFv3 for IPv6 AS-External LSAs (0x4005) with metric type E1 flooded domain-wide for redistributed external IPv6 prefixes.
OSPFv3 for IPv6 AS-External LSAs (0x4005) with default metric type E2 flooded domain-wide for redistributed external IPv6 prefixes.
OSPFv3 for IPv6 Hellos fail to form adjacency due to broadcast vs point-to-point network-type mismatch between interfaces.
OSPFv3 for IPv6 neighbors stall in ExStart/Exchange because DBD interface MTU values disagree.
OSPFv3 for IPv6 deployment spanning multiple areas with an ABR originating Inter-Area-Prefix LSAs between backbone and non-zero areas.
OSPFv3 for IPv6 Non-Broadcast network-type adjacency using unicast Hellos to configured neighbors with DR election.
OSPFv3 for IPv6 Point-to-Multipoint network-type adjacency forming per-neighbor without DR/BDR.
OSPFv3 for IPv6 NSSA area bring-up with the N-bit in Hello options, enabling NSSA External (0x2007) LSAs.
OSPFv3 for IPv6 prefix suppression omits interface prefixes from Intra-Area-Prefix LSAs while preserving transit reachability.
OSPFv3 for IPv6 stub area bring-up with the E-bit cleared, blocking AS-External (0x4005) LSAs from the area.
OSPFv3 for IPv6 virtual link tunneled across non-backbone area 1 to reconnect an ABR to backbone area 0.
OTV intra-site IS-IS Hello exchange between edge devices, electing the site's Authoritative Edge Device for the overlay.
OTV intra-site Hello mismatch scenario where site-identifier or VLAN misconfiguration prevents proper AED election.
OTV MAC address advertisement via IS-IS Link State PDUs, distributing learned unicast MACs to remote edge devices in the overlay.
OTV overlay adjacency initialization between edge devices, establishing IS-IS neighborship over the transport network.
OTV-encapsulated IPv4 data traffic traversing the overlay between sites, extending Layer 2 VLANs across the IP transport.
OTV-encapsulated IPv6 data traffic crossing the overlay, providing Layer 2 extension for IPv6 hosts between sites.
ICMPv6 Packet Too Big message returned by a router when an IPv6 datagram exceeds the next-hop MTU, driving Path MTU Discovery on the source.
Cisco PAgP (Port Aggregation Protocol) hello exchange between switches negotiating EtherChannel bundle membership on participating links.
PIM-SM/Bidir IPv4 ASM with Auto-RP Announce and Discovery messages distributing RP-to-group mappings via 224.0.1.39/.40.
PIM-SM IPv4 ASM source registration to the RP where there are no active receivers, leading the RP to send Register-Stop back to the DR.
PIM-SM IPv4 ASM receiver-side (*,G) Join/Prune messages sent toward the RP to build the shared tree.
PIM-SM IPv4 ASM SPT switchover where the last-hop router joins (S,G) and prunes (*,G) toward the RP after traffic thresholds are crossed.
PIM Bidir IPv4 Designated Forwarder election with Offer, Winner, Backoff, and Pass messages on a multi-access segment.
PIM Bidir IPv4 (*,G) Join/Prune messages building the bidirectional shared tree toward the RPA through elected DFs.
PIM IPv4 Bootstrap Router (BSR) distributing RP-set via Candidate-RP advertisements and BSR messages for ASM and Bidir ranges.
PIM-DM IPv4 Assert messages exchanged on a multi-access LAN to elect a single forwarder for an (S,G) to eliminate duplicate multicast traffic.
PIM-DM IPv4 flood-and-prune behavior with Prune messages removing unwanted branches and Graft/Graft-Ack restoring them on receiver join.
PIM IPv4 initial Hello exchange on a multi-access segment establishing neighbor relationships and DR election.
PIM-SSM IPv4 (S,G) Join/Prune messages sent toward the source to build the shortest-path tree directly, bypassing any RP.
Legacy PIM version 1 IPv4 query messages (encapsulated over IGMP type 0x14) used for neighbor and RP discovery in early PIM deployments.
Legacy PIM version 1 IPv4 RP-Reachability messages announcing RP liveness to downstream routers in the pre-BSR era.
PIM-SM IPv6 ASM (*,G) Join/Prune toward an embedded-RP address derived from the IPv6 group itself, no explicit RP configuration needed.
PIM-SM IPv6 ASM source Register to the RP with no active receivers, causing the RP to return a Register-Stop to the DR.
PIM-SM IPv6 ASM receiver-side (*,G) Join/Prune messages sent toward the RP to build the shared tree.
PIM-SM IPv6 ASM SPT switchover: last-hop router joins (S,G) and prunes (*,G) toward the RP after data thresholds are crossed.
PIM Bidir IPv6 Designated Forwarder election using Offer, Winner, Backoff, and Pass messages on a multi-access segment.
PIM Bidir IPv6 (*,G) Join/Prune messages building the bidirectional shared tree toward the RPA via elected DFs.
PIM IPv6 Bootstrap Router (BSR) distributing RP-set via Candidate-RP advertisements and BSR messages for ASM and Bidir group ranges.
PIM IPv6 initial Hello exchange between routers establishing neighbor relationships and DR election on a link.
PIM-SSM IPv6 (S,G) Join/Prune messages sent toward the source to build the SPT directly, without any RP involvement.
Classic ICMP Echo Request and Echo Reply exchange used to verify end-to-end IP reachability and round-trip latency.
POP3 CAPA command returning the server's advertised capability list (STLS, USER, UIDL, SASL) to the client.
POP3 client negotiates UTF-8 capability with server using the CAPA and UTF8 commands, enabling internationalized mailbox handling before authentication.
pop3_list_retr: Unresolved-endpoint POP3 session: DNS lookup, TCP 3-way handshake, USER/PASS login, LIST mailbox, RETR message, and TCP teardown (FIN,ACK).
POP3 NOOP keepalive attempt returning an error response, illustrating server-side rejection of the no-op command, likely due to session or state issues.
POP3 STAT command exchange where the client queries mailbox size and message count, and the server returns the current mailbox statistics.
POP3 minimal session showing the server greeting banner followed by an immediate QUIT, demonstrating connection setup and graceful teardown without mail transfer.
PPP link where CHAP authentication fails: the authenticator returns Failure after validating the peer's response.
PPP negotiation in which the peer refuses CHAP via LCP Configure-Reject/Nak, forcing a different auth method or teardown.
PPP link bring-up with successful CHAP authentication, followed by NCP (IPCP) negotiation to bring up IP.
PPP IPCP negotiation where one side sends Protocol-Reject for IPCP, preventing IP from coming up over the link.
PPP link bring-up with no authentication configured: LCP opens and NCPs negotiate immediately.
PPP link where PAP authentication fails: the authenticator returns Authenticate-Nak and the link is torn down.
PPP negotiation where the peer refuses PAP via LCP Configure-Reject/Nak, refusing to use the cleartext method.
PPP link bring-up with successful PAP authentication (Authenticate-Ack), followed by NCP negotiation.
PPP LCP negotiation where Protocol Field Compression is rejected via Configure-Reject, so PFC is not used on the link.
802.11 power-save exchange: iPhone client probes and authenticates to Cisco AP, reassociates successfully, then toggles Null-function 'STA will stay up' frames and exchanges QoS Data / Block Ack action frames.
pvst_bpdu: SW1 emits RSTP Topology Change BPDUs to both the Cisco PVST+ and IEEE STP multicast groups, the basic per-VLAN PVST+ BPDU format.
pvst_topo_change: SW3 triggers topology change with STP TCNs and Config BPDUs; SW1 (root) acknowledges by sending Config BPDUs and then RSTP Topology Change floods to PVST+.
pvst_uplinkfast: UplinkFast on SW-C: SW-C sends STP Config BPDUs, then on uplink failure injects multiple RSTP Topology Change BPDUs toward PVST+ to flush upstream MAC tables quickly.
Wired egress of iPhone 6 traffic under 'alloy' QoS profile: DSCP markings observed on the WLC uplink validate that wireless UP-to-DSCP translation preserves the intended class of service.
Over-the-air 802.11 QoS Data frames from iPhone 6 tagged per 'alloy' profile; UP/TID values on the WLAN confirm how the client marks upstream traffic before WLC remapping.
Wired capture of iPhone 6 traffic under 'bronze' QoS profile showing DSCP values exiting the WLC to verify UP-to-DSCP mapping policy on the wired side.
802.11 QoS Data frames from iPhone 6 with 'bronze' profile applied; TID/priority values captured over-the-air confirm the client's upstream WMM marking.
Wired DSCP values for iPhone 6 traffic under 'gold' QoS profile, verifying that the WLC translates wireless UP into the expected DSCP class on egress.
Over-the-air QoS Data from iPhone 6 on 'gold' profile; captured TID/WMM access-category values document client upstream marking before WLC policy applies.
Wired DSCP capture for iPhone 6 'platinum' QoS profile, confirming voice-class mapping between the wireless UP and the DSCP value placed on the wire.
802.11 QoS Data from iPhone 6 under 'platinum' profile; over-the-air TID/priority shows the client's voice-grade WMM marking upstream.
Wired DSCP values for iPhone 6 'silver' QoS profile, verifying WLC UP-to-DSCP translation on the wired egress path.
Over-the-air QoS Data from iPhone 6 on 'silver' profile with TID/priority values showing client WMM marking upstream before WLC remapping.
Wired capture showing DSCP markings applied by the WLC for Bittium SD41 traffic under 'alloy' QoS profile on the wired egress.
Over-the-air 802.11 QoS Data from Bittium SD41 under 'alloy' profile documenting client-side WMM UP/TID values.
Wired DSCP capture for Bittium SD41 traffic under 'bronze' profile to validate UP-to-DSCP mapping on the WLC.
Bittium SD41 over-the-air QoS Data with 'bronze' profile; TID and WMM access category confirm upstream wireless marking.
Wired DSCP values for Bittium SD41 traffic under 'gold' profile, verifying WLC QoS mapping for video-class service.
802.11 QoS Data from Bittium SD41 on 'gold' profile; WMM access-category values captured over-the-air for upstream traffic.
Wired DSCP capture for Bittium SD41 'platinum' voice-grade QoS profile showing expected voice-class markings on egress.
Over-the-air 802.11 QoS Data from Bittium SD41 under 'platinum' profile with voice TID/priority values from the client.
Wired DSCP values for Bittium SD41 under 'silver' QoS profile verifying WLC UP-to-DSCP remap on the wire.
802.11 QoS Data from Bittium SD41 with 'silver' profile; captured WMM UP/TID show upstream client marking.
Wired DSCP values on the WLC egress for Boeing BLK1 device under 'alloy' QoS profile, validating policy mapping.
Over-the-air 802.11 QoS Data from Boeing BLK1 under 'alloy' profile; TID/priority confirms WMM upstream marking.
Wired capture of Boeing BLK1 DSCP markings under 'bronze' profile to confirm WLC UP-to-DSCP translation.
802.11 QoS Data from Boeing BLK1 under 'bronze' profile; WMM access-category values document client upstream marking.
Boeing BLK1 traffic under 'gold' QoS profile captured on the wired side with DSCP values verifying video-class mapping.
Over-the-air QoS Data from Boeing BLK1 under 'gold' profile; TID/priority show video-grade WMM marking.
Wired DSCP capture for Boeing BLK1 under 'platinum' voice profile, verifying voice-class mapping on WLC egress.
802.11 QoS Data from Boeing BLK1 under 'platinum' profile with voice TID/priority shown over-the-air.
Wired capture of Boeing BLK1 DSCP under 'silver' QoS profile validating WLC UP-to-DSCP policy.
Over-the-air QoS Data from Boeing BLK1 'silver' profile with WMM TID values showing upstream client marking.
Cisco 3602 UWGB workgroup bridge wired capture under 'alloy' 1:1 QoS profile; DSCP preserved end-to-end through the UWGB.
Over-the-air 802.11 QoS Data through Cisco 3602 UWGB under 'alloy' 1:1 profile; WMM TID mirrors wired DSCP class.
Wired DSCP capture via Cisco 3602 UWGB 'alloy' profile with RFC 4594 scavenger mapping, verifying CS1 demotion of low-priority traffic.
Wired DSCP markings through Cisco 3602 UWGB under 'alloy' profile using RFC 4594 mapping; DSCP classes align with RFC-defined service classes.
Over-the-air QoS Data via Cisco 3602 UWGB under RFC 4594 'alloy' profile; WMM UP/TID match RFC 4594-derived access categories.
Wired WLC egress DSCP values for LG Nexus 5X under 'alloy' QoS profile, verifying UP-to-DSCP mapping.
Over-the-air 802.11 QoS Data from LG Nexus 5X under 'alloy' profile; WMM TID shows upstream client marking.
LG Nexus 5X wired DSCP capture under 'bronze' QoS profile on WLC egress.
802.11 QoS Data from LG Nexus 5X under 'bronze' profile with WMM UP/TID captured over-the-air.
Wired capture of LG Nexus 5X DSCP under 'gold' QoS profile verifying video-class mapping.
Over-the-air QoS Data from LG Nexus 5X under 'gold' profile; WMM access-category shows video-grade upstream marking.
Wired DSCP for LG Nexus 5X 'platinum' profile verifying voice-class (EF) marking on WLC egress.
802.11 QoS Data from LG Nexus 5X under 'platinum' profile with voice TID/priority captured over-the-air.
Wired WLC egress DSCP for LG Nexus 5X under 'silver' QoS profile, validating policy.
Over-the-air QoS Data from LG Nexus 5X 'silver' profile; WMM TID values document upstream client marking.
Samsung Note 5 wired DSCP capture under 'alloy' QoS profile on WLC egress verifying UP-to-DSCP mapping.
Over-the-air 802.11 QoS Data from Samsung Note 5 under 'alloy' profile; WMM TID shows upstream marking.
Wired DSCP capture for Samsung Note 5 under 'bronze' QoS profile validating WLC QoS remap.
802.11 QoS Data from Samsung Note 5 under 'bronze' profile; TID/priority captured over-the-air.
Samsung Note 5 wired DSCP values under 'gold' QoS profile verifying video-class mapping.
Over-the-air QoS Data from Samsung Note 5 'gold' profile with WMM video-access-category markings.
Wired DSCP capture for Samsung Note 5 'platinum' voice profile verifying EF voice-class on WLC egress.
802.11 QoS Data from Samsung Note 5 under 'platinum' profile with voice TID captured over-the-air.
Wired WLC egress DSCP for Samsung Note 5 'silver' QoS profile validating UP-to-DSCP policy.
Over-the-air QoS Data from Samsung Note 5 'silver' profile; WMM UP/TID document client upstream marking.
Wired QoS roaming scenario over EoIP mobility tunnel between WLCs; ICMP Echo Request/Reply pairs validate reachability and DSCP preservation across the mobility tunnel.
Over-the-air companion to the EoIP roaming test: 802.11 data frames on the BSS during an inter-WLC roam carried via EoIP mobility tunnel.
IPv4 QoS sample showing specialty IP Precedence markings (Internetwork Control, Network Control) on forwarded traffic.
IPv4 DSCP markings from RFC 4594 configuration guidelines applied across multiple service classes (voice, video, data, control).
RSVP Path and Resv signaling reserving bandwidth for a VoIP flow, followed by marked voice media packets traversing the reserved path.
IPv4 TCP three-way handshake negotiating ECN capability using ECE/CWR flags and ECT codepoints in the IP header.
IPv4 TCP ECN in action: router marks CE codepoint on congestion; receiver echoes ECE, sender reduces rate and signals CWR.
IPv6 DSCP markings following RFC 4594 service-class guidelines across voice, video, data, and control flows.
RADIUS authentication between NAS and AAA Server: Access-Request followed by Access-Reject (credentials failure).
RADIUS authentication between NAS and AAA Server: Access-Request followed by Access-Accept granting user access.
Reverse ARP request and reply, where a station broadcasts its MAC address asking the network for its assigned IPv4 address (legacy bootstrap mechanism).
RBSCP (Rate-Based Satellite Control Protocol) tunnel capture used to accelerate TCP over long-delay satellite links.
Microsoft RDP session establishment for Windows login: TCP/3389 connection, X.224, MCS, and security negotiation complete successfully.
ICMP Redirect message informing a host of a better first-hop router for a specific destination on the local subnet.
RESTCONF DELETE request to remove a device resource from the controller, expecting a 204 No Content success response.
RESTCONF DELETE request to remove a service resource from the controller, expecting a 204 No Content success response.
RESTCONF GET retrieving the cli-type leaf of a device resource, returning a JSON/XML representation over HTTPS.
RESTCONF GET retrieving the full device resource tree with all configured and operational data.
RESTCONF GET retrieving the load-balancer configuration subtree of a device resource.
RESTCONF GET retrieving a load-balancer service resource from the controller.
RESTCONF HEAD request on a device resource, returning headers only to probe existence and metadata without the body.
RESTCONF PATCH request adding content to an existing service resource via a partial update.
RESTCONF POST creating a new device resource under the devices collection, expecting a 201 Created response.
RESTCONF POST invoking the sync-from action RPC on a device to pull configuration from the live device into the controller.
RESTCONF PUT replacing the cli-type leaf of a device resource with a new value.
RIPng initial exchange over IPv6 UDP 521 with Request and Response messages seeding the IPv6 routing tables between neighbors.
RIPng Response messages advertising a reachable IPv6 prefix with a valid metric (under 16) between neighbors.
RIPng Response messages advertising an unreachable IPv6 prefix with metric 16 (infinity) to trigger route poisoning.
RIPv1 initial exchange over IPv4 UDP 520 with broadcast Request and Response messages populating initial routing tables.
RIPv1 Response messages advertising a reachable IPv4 network with a valid hop-count metric (under 16).
RIPv1 Response messages advertising an unreachable IPv4 network with metric 16 (infinity) to poison the route.
RIPv2 initial exchange over UDP 520 with multicast 224.0.0.9 Request/Response messages authenticated using MD5 keyed hashing.
rip_v2_init_noauth: R1 and R2 exchange RIPv2 Requests and Responses via the RIP multicast group (224.0.0.9) with no authentication, completing initial route advertisement.
rip_v2_init_text: R1 and R2 bring up a RIPv2 adjacency over the RIP multicast group using plaintext password authentication; Requests are followed by Responses carrying routes.
rip_v2_init_ucast_bcast: R2 issues a broadcast RIPv2 Request then Responses are sent both via broadcast and unicast (R1 to R2), illustrating mixed RIP neighbor update styles.
rip_v2_reach_vlsm: R1 and R2 multicast RIPv2 Responses advertising reachable VLSM prefixes, showing that RIPv2 (unlike RIPv1) carries subnet masks per route.
rip_v2_unreach: R1 and R2 flood many RIPv2 Responses on the RIP multicast group, poisoning unreachable prefixes with metric 16 as part of RIP's triggered-update convergence.
Inter-controller L2 roam with basic 802.1X: wired capture of CAPWAP control/data and RADIUS EAP exchange; full reauth successful with no FT key caching.
Over-the-air inter-AP L2 roam with basic 802.1X: Open Auth, Reassociation Response Successful, then full 4-way EAPOL key handshake after EAP reauth.
Inter-controller L2 roam with 802.11r FT over-the-air, wired side: CAPWAP exchange and PMK-R1 distribution; no full RADIUS round-trip required thanks to FT.
Over-the-air 802.11r FT (OTA) inter-AP L2 roam: FT Auth algorithm in Auth frames followed by Reassociation Successful — no EAPOL 4-way after roam.
Inter-controller L2 roam with 802.11r FT over-the-DS: wired CAPWAP and FT Action frames exchanged between APs via the distribution system.
Over-the-air 802.11r FT (OTDS) L2 roam: client sends FT Action Request through current AP, receives Reassociation Successful at target AP.
Inter-controller L2 roam with open authentication, wired side: CAPWAP mobility exchange, no EAPOL or RADIUS since SSID is open.
Over-the-air open-auth L2 roam: Open System Authentication Successful, Reassociation Response Successful, then immediate data traffic — no key handshake.
Inter-controller L2 roam with WEP encryption, wired: CAPWAP mobility exchange; WEP uses static keys so no EAPOL handshake needed.
Over-the-air WEP L2 roam: Open System Auth Successful and Reassociation Successful; WEP static key reused across roam, no 4-way handshake.
Inter-controller L2 roam with WPA2-PSK and 802.11r FT over-the-air, wired: CAPWAP exchange; no full 4-way handshake thanks to FT PMK-R1.
Over-the-air WPA2-PSK FT (OTA) L2 roam: FT Auth Request/Response carry MIC/RSNIE, Reassociation Successful — no 4-way EAPOL post-roam.
Inter-controller WPA2-PSK FT over-the-DS L2 roam, wired: FT Action frames tunneled through distribution system between current and target APs.
Over-the-air WPA2-PSK FT (OTDS) L2 roam: client sends FT Action Request via current AP, gets Reassociation Successful at target AP — fast roam.
Inter-controller L2 roam with plain WPA2-PSK (no FT), wired: CAPWAP mobility exchange triggering full EAPOL 4-way handshake on the WLAN.
Over-the-air WPA2-PSK L2 roam without FT: Open Auth, Reassociation Successful, then full 4-way EAPOL key handshake before data resumes.
Inter-controller L3 roam with basic 802.1X, wired: CAPWAP plus mobility anchor/foreign EoIP tunnel between WLCs; full RADIUS EAP reauth.
Over-the-air L3 roam with basic 802.1X: Open Auth, Reassociation Successful, full EAP/EAPOL handshake; client traffic tunneled back to anchor WLC.
Inter-controller L3 roam with 802.11r FT over-the-air, wired: CAPWAP and mobility tunnel setup; PMK-R1 cached so no full RADIUS reauth.
Over-the-air 802.11r FT (OTA) L3 roam: FT Auth frames then Reassociation Successful; subsequent traffic tunneled to anchor WLC via EoIP.
Inter-controller L3 roam with 802.11r FT over-the-DS, wired: FT Action frames and CAPWAP mobility tunnel; no full EAP round-trip.
Over-the-air 802.11r FT (OTDS) L3 roam: FT Action Request via current AP, Reassociation Successful at target — fast roam across subnets.
Inter-controller L3 roam with open auth, wired: CAPWAP plus mobility tunnel between anchor/foreign WLCs for the client session.
Over-the-air open-auth L3 roam: Open Auth Successful and Reassociation Successful; no keys needed, client traffic tunneled to anchor WLC.
Inter-controller L3 roam with WEP, wired: CAPWAP plus EoIP mobility tunnel; static WEP keys reused, no key handshake.
Over-the-air WEP L3 roam: Open Auth Successful, Reassociation Successful; encrypted data tunneled back via mobility anchor.
Inter-controller L3 roam WPA2-PSK with 802.11r FT over-the-air, wired: CAPWAP and mobility anchor tunnel; FT avoids full 4-way handshake.
Over-the-air WPA2-PSK FT (OTA) L3 roam: FT Auth exchange and Reassociation Successful; no full EAPOL handshake required.
Inter-controller WPA2-PSK FT over-the-DS L3 roam, wired: FT Action frames via DS and CAPWAP mobility tunnel between WLCs.
Over-the-air WPA2-PSK FT (OTDS) L3 roam: client FT Action Request through current AP, Reassociation Successful at target AP — fast roam.
Inter-controller L3 roam with plain WPA2-PSK, wired: CAPWAP plus mobility tunnel; full 4-way EAPOL handshake on WLAN triggers re-keying.
Over-the-air WPA2-PSK L3 roam without FT: Open Auth, Reassociation Successful, full 4-way EAPOL key handshake, then tunneled traffic.
Intra-WLC roam leveraging 802.11k: client Probe, Open Auth Successful, Association Successful, then Radio Measurement Action Neighbor Report Request/Response for AP list.
Intra-controller roam with open auth: Probe, Open Auth Successful, Reassociation Successful — clean handoff between APs sharing one WLC.
Intra-controller roam with WEP: Open Auth Successful and Reassociation Successful; static key reused so no EAPOL handshake follows.
Intra-WLC WPA2-Enterprise 802.11r FT over-the-air, wired: CAPWAP exchange; PMK-R1 delivered to target AP for fast reauth.
Over-the-air intra-WLC WPA2-Enterprise FT (OTA) roam: FT Auth frames then Reassociation Successful — no RADIUS round-trip.
Intra-WLC WPA2-Enterprise FT over-the-DS roam, wired: FT Action frames routed through DS; fast roam without full EAP.
Over-the-air intra-WLC WPA2-Enterprise FT (OTDS) roam: FT Action Request via current AP, Reassociation Successful at target — optimized for voice.
Intra-WLC WPA2-Enterprise roam without FT, wired: CAPWAP exchange and full RADIUS EAP reauth round-trip.
Over-the-air intra-WLC WPA2-Enterprise roam: Open Auth, Reassociation Successful, full EAP/EAPOL 4-way handshake — slower roam.
Intra-WLC roam with WPA2-PSK (no FT): Probe, Open Auth Successful, Reassociation Successful, then full 4-way EAPOL key handshake.
Intra-WLC WPA2-PSK 802.11r FT over-the-air, wired: CAPWAP control; FT PMK-R1 keying avoids 4-way handshake on WLAN.
Over-the-air intra-WLC WPA2-PSK FT (OTA) roam: FT Auth Request/Response and Reassociation Successful — fast roam, no EAPOL 4-way.
Intra-WLC WPA2-PSK FT over-the-DS roam, wired: FT Action frames over DS plus CAPWAP updates — fast secure handoff.
Over-the-air intra-WLC WPA2-PSK FT (OTDS) roam: client FT Action Request via current AP, Reassociation Successful at target AP.
Wired view of a client associating to a rogue AP: no CAPWAP seen for the rogue BSS, confirming the AP is not managed by the WLC.
Over-the-air rogue association: client probes, Open Auth Successful, Association Response Successful to rogue AP MAC 34:a8:4e:d2:bf:10, then data flows.
Wired rogue-detector AP scenario: AP forwards rogue client MAC/ARP observations back to the WLC over CAPWAP so the controller can classify the rogue.
Rogue containment on wired side: WLC instructs trusted AP via CAPWAP to transmit spoofed deauth/disassoc frames against the rogue AP and its clients.
Over-the-air rogue containment: trusted AP transmits spoofed Deauthentication/Disassociation frames to disrupt clients associated with the rogue BSS.
rpvst_bpdu: SW3 sends RSTP Topology Change BPDUs on both Cisco PVST+ and IEEE STP multicast addresses, illustrating Rapid PVST+ BPDU format.
rpvst_to_pvst: RPVST (SW4) interoperates with legacy PVST peer (SW3): SW4 floods RSTP Topology Change while SW3 answers with classic RSTP Proposals, later joining in Topology Change flooding.
rpvst_topo_change: Rapid PVST+ convergence: SW3 sends RSTP Proposals, SW1 (root) responds with RSTP Forwarding/Agreement, followed by RSTP Topology Change flooding to reconverge.
Berkeley rsh session fails: remote shell rejects the authentication or command, returning an error on the stderr channel.
Berkeley rsh remote command executes successfully: client connects on TCP/514, server runs command and returns output.
RSVP-TE Path/Resv signaling establishing a tunnel reserving 500 kbps, demonstrating successful admission control with the requested bandwidth.
Basic RSVP-TE LSP setup: ingress sends Path, egress replies with Resv carrying the label, and the tunnel becomes Up.
RSVP-TE Fast Reroute protecting an mLDP multicast LSP: backup tunnel is signaled to bypass a link/node for mcast traffic.
RSVP-TE Fast Reroute with next-hop (link) protection: a backup bypass LSP is signaled around the protected link.
RSVP-TE Fast Reroute with next-next-hop (node) protection: backup bypass LSP is signaled around the protected node.
RSVP-TE Fast Reroute protecting an L3VPN unicast LSP, ensuring sub-50ms failover for VPNv4 traffic over the TE backbone.
RSVP-TE signaling with zero bandwidth reservation: the LSP is set up without CAC, useful for best-effort TE paths.
RSVP-TE preemption scenario: a higher-priority LSP preempts an existing lower-priority tunnel via PathErr and teardown.
RSVP-TE tunnel teardown: ingress sends PathTear (and/or ResvTear) to gracefully remove the LSP state across all LSRs.
RTP voice stream using G.729 Annex A/B at 8 kbps with VAD/CNG silence suppression between endpoints.
RTP media stream carrying G.729a voice payload at 8 kbps between endpoints, showing the compressed-codec audio flow after call setup.
RTP multicast Land Mobile Radio 'holler' push-to-talk audio using G.711 u-law, with a transmitter streaming to the multicast group of receivers.
RTP multicast Land Mobile Radio 'hoot-n-holler' always-on intercom using G.711 u-law, streaming one-way audio to the multicast group.
RTP multicast Music-on-Hold stream from a CUCM MoH server to subscribed phones, delivering held-call audio over an IP multicast group.
SIP-negotiated RTP audio call using G.711 A-law encoding with 30 ms packetization, showing bidirectional voice flow between the endpoints.
SIP-negotiated RTP audio call using G.711 u-law with 10 ms packetization, yielding high packet rate and low latency between endpoints.
SIP-negotiated RTP audio call using G.711 u-law with the standard 20 ms packetization between endpoints.
SIP-negotiated RTP audio call using G.711 u-law with 30 ms packetization, reducing packet rate at the cost of slightly higher latency.
SIP video call carrying wideband G.722 audio and H.264 video over RTP between the endpoints.
SIP-negotiated RTP call using iLBC codec at 20 ms frames and 15.2 kbps, a loss-resilient narrowband voice stream.
SIP-negotiated RTP call using iLBC codec at 30 ms frames and 13.33 kbps for efficient loss-resilient voice.
SIP-negotiated RTP call using the adaptive iSAC wideband codec between the endpoints.
SIP-negotiated RTP call using the Opus codec, delivering adaptive wideband audio between endpoints.
SCCP phone initializing against a Cisco CallManager Express (CME), exchanging registration and keepalive messages to become active.
SCCP out-of-band DTMF signalling: the phone reports keypad digits to CUCM via KeypadButton messages rather than in the RTP stream.
SCCP-controlled FXS analog gateway accepting an inbound call, with CUCM driving OffHook, CallInfo and media setup toward the analog port.
SCCP-controlled FXS analog gateway placing an outbound call, with CUCM sending dialed digits and opening RTP media channels.
SCCP registration of an FXS analog voice port with CUCM, including RegisterReq, capabilities exchange and LineStatReq for each port.
SCCP hardware conference bridge handling a three-party conference, with CUCM allocating the conference resource and mixing RTP streams.
SCCP registration of a hardware conference bridge DSP resource with CUCM, announcing conference capabilities.
SCCP hardware voice gateway registering with CUCM over a TLS-secured signalling channel for encrypted control plane.
SCCP hardware Media Termination Point bridging two RTP streams under CUCM control, used for transcoding/DTMF interworking.
SCCP registration of a hardware MTP (Media Termination Point) DSP resource with CUCM, advertising MTP capabilities.
SCCP hardware MTP acting as a Trusted Relay Point, anchoring RTP for a call under CUCM control for policy enforcement.
SCCP hardware transcoder converting between codecs (e.g., G.711 and G.729) for a call under CUCM control.
SCCP registration of a hardware transcoder DSP farm with CUCM, advertising supported codec conversion capabilities.
SCCP (Skinny) inbound call to an IP phone: CUCM sends CallInfo/Ringer, user goes off-hook, and RTP media channels open.
SCCP (Skinny) outbound call from an IP phone: OffHook, KeypadButton digits, then CUCM establishes RTP toward the far end.
SCCP Skinny phone registration with CUCM, including RegisterReq, version/capabilities exchange, softkey/button templates and line status.
TCP Chargen (RFC 864, port 19) service streaming a repeating character pattern to the connected client until disconnect.
TCP Daytime (RFC 867, port 13) service returning the current date/time as ASCII then closing the connection.
TCP Discard (RFC 863, port 9) service silently consuming and discarding all data sent by the client.
TCP Echo (RFC 862, port 7) service echoing each byte the client sends back over the same connection.
TCP Finger (RFC 1288, port 79) query returning user/login information to the requesting client.
UDP Chargen (RFC 864, port 19) service replying to each datagram with a randomly-sized character-pattern response.
UDP Discard (RFC 863, port 9) service silently dropping each datagram received, producing no response.
UDP Echo (RFC 862, port 7) service echoing each received datagram back to the sender unchanged.
SFTP download over SSH where after key exchange and authentication the client issues OPEN and READ operations to retrieve a file from the server.
SFTP upload over SSH, with the authenticated client using OPEN and WRITE operations to store a file on the server through the encrypted channel.
Basic SIP call using delayed-offer model where the callee returns SDP in a 183 Session Progress for early media, then 200 OK and ACK complete setup.
Basic SIP early-offer call: caller sends SDP in INVITE, callee replies 100 Trying, 180 Ringing, 200 OK with answer SDP, then ACK.
SIP call transfer using the legacy BYE/Also header: the transferor sends BYE with an Also URI, instructing the transferee to call the target.
SIP Call Progress Analysis flow where the gateway analyses answer tones/voice to distinguish human vs machine before proceeding.
SIP INFO method carrying DTMF digits out-of-band in the signalling channel between the endpoints during an active call.
SIP KPML DTMF reporting: subscriber NOTIFY messages carry Key Press Markup Language digit events after a SUBSCRIBE for kpml events.
DTMF via RTP Named Telephone Events per RFC 2833, with event packets interleaved in the audio stream negotiated over SIP/SDP.
DTMF via RTP Named Telephone Events per RFC 4733 (RFC 2833 successor), carrying digit events in-band alongside the audio stream.
Raw in-band DTMF tones carried directly in the G.711 RTP audio stream without any named-event or signalling encoding.
SIP call hold and resume using re-INVITE with a=sendonly/inactive then a=sendrecv SDP to pause and restart the media flow.
SIP consultative transfer: the transferor holds the first call, consults the target, then transfers using REFER or re-INVITE sequences.
SIP-initiated multicast paging: a page server streams G.711 audio to an RTP multicast group that paging-zone phones join.
SIP Message Waiting Indicator deactivation via NOTIFY with Messages-Waiting:no, turning off the phone's MWI lamp after voicemail retrieval.
SIP Message Waiting Indicator activation via NOTIFY with Messages-Waiting:yes for the message-summary event, lighting the phone's MWI lamp.
SIP OPTIONS in-dialog keepalive pings exchanged during an active session to verify peer liveness.
SIP OPTIONS out-of-dialog keepalive between SIP peers to verify reachability and exchange capabilities.
SIP reliable provisional responses (PRACK, RFC 3262) with delayed-offer: 183 Session Progress is ACKed by PRACK before 200 OK.
SIP reliable provisional responses (PRACK) with early-offer: 180 Ringing sent reliably and acknowledged by PRACK before 200 OK.
SIP reliable provisional responses (PRACK) with early-offer: 183 Session Progress sent reliably and acknowledged by PRACK before 200 OK.
SIP-based call recording using Cisco MediaSense-style Ora/Built-in-Bridge forking, with the gateway forking RTP to the recorder.
SIPREC (RFC 7866) call recording: the Session Recording Client sends INVITE with recording metadata to the SRS, which receives forked RTP.
SIP attended or blind transfer via REFER: the transferor sends REFER to the transferee with Refer-To the target, followed by NOTIFY sipfrag progress.
SIP REGISTER flow: UA authenticates to the registrar (likely with 401 Unauthorized challenge and digest credentials) and receives 200 OK binding its AOR.
SIP session timer refresh rejected with 422 Session Interval Too Small; UA re-INVITEs with a larger Session-Expires and succeeds.
SIP over TLS with SRTP media secured by AEAD_AES_128_GCM, negotiated via SDES in the encrypted SIP signalling.
SIP over TLS with SRTP media secured by AEAD_AES_256_GCM, negotiated via SDES in the encrypted SIP signalling.
SIP over TLS with SRTP media using AES_CM_128_HMAC_SHA1_32 crypto suite for encrypted audio with 32-bit auth tags.
SIP over TLS with SRTP media using AES_CM_128_HMAC_SHA1_80 crypto suite for encrypted audio with 80-bit auth tags.
Cisco CUBE network-based recording via XMF/MediaForking API, forking RTP from the CUBE to a recording server.
CUCM network-based recording via XMF/MediaForking, with CUCM instructing the phone or gateway to fork RTP to a recording server.
SMTP extended handshake where the client issues EHLO and the server replies with its supported ESMTP extensions such as SIZE, 8BITMIME, and STARTTLS.
SMTP legacy handshake using the HELO verb, showing basic mail-server identification without ESMTP extension advertisement.
SMTP NOOP keepalive exchange where the client sends NOOP and the server replies 250 OK, used to keep a connection alive without affecting mail state.
SMTP mail submission flow with MAIL FROM, RCPT TO, DATA, and message body followed by a 250 accepted response, showing end-to-end email delivery.
SMTP VRFY recipient verification returning a failure response, indicating the queried username does not exist or VRFY is disabled on the server.
SMTP VRFY recipient verification succeeding with a 250 response, confirming the queried user mailbox exists on the server.
SNMPv1 get/get-next polling: manager queries an OID and the agent returns the requested variable bindings.
SNMPv1 trap notification: agent asynchronously sends a trap PDU (generic/specific trap code) to the manager on UDP/162.
SNMPv2c GetRequest/GetBulk polling with community authentication; agent replies with the requested varbinds.
SNMPv2c trap (SNMPv2-Trap-PDU) sent from agent to manager on UDP/162 with community string.
SNMPv3 polling using noAuthNoPriv security level: engine discovery then GetRequest without authentication or encryption.
SNMPv3 polling with authPriv (SHA1 authentication, AES128 encryption) after initial engine-ID/boot discovery.
SNMPv3 polling with authNoPriv (SHA1 authentication, no encryption) after engine discovery.
SNMPv3 notification at noAuthNoPriv: agent sends SNMPv2-Trap-PDU in a v3 message with no auth/priv.
SNMPv3 trap with authPriv (SHA1/AES128): notification is authenticated and encrypted end-to-end.
SNMPv3 trap with authNoPriv (SHA1 authentication only): message is authenticated but not encrypted.
sr_bgp_ls_isis_init: R1 and R2 open a BGP session (OPEN, KEEPALIVE) then R2 floods BGP-LS UPDATEs carrying IS-IS link-state topology and Segment Routing info to R1.
sr_bgp_ls_ospf_init: R1 and R2 exchange BGP OPEN and a long stream of BGP-LS UPDATEs distributing OSPF-derived link-state topology and SR SIDs, ending with KEEPALIVEs.
sr_igp_isis_init: R1, R2 and R3 bring up IS-IS L2 adjacencies with HELLOs, exchange LSPs advertising SR capabilities/SIDs and synchronize databases via CSNP.
sr_igp_ospf_init: R2/R3/R4 form OSPF neighbors with Hellos, elect DR/BDR, exchange DB Descriptions, LS Requests and LS Updates carrying Segment Routing extensions.
sr_oam_reply_fail: R2 sends MPLS Echo Requests toward the LSPV loopback and R3 replies with MPLS Echo Replies indicating LSP trace failure (transit/label mismatch).
sr_oam_reply_ip: R2 issues MPLS Echo Requests (reply mode = IPv4 UDP) to the LSPV loopback; R4 returns MPLS Echo Replies verifying the SR LSP end-to-end.
sr_oam_reply_none: R2 sends repeated MPLS Echo Requests to the LSPV loopback with reply mode Do Not Reply; no responses are expected or received.
sr_oam_reply_rtr_alert: R2 issues MPLS Echo Requests with reply mode Router Alert; R4 returns MPLS Echo Replies confirming the SR LSP path.
sr_pcep_nopath_tunnel: R2 sends PCEP PCReq messages asking R1 (PCE) for an SR path; R1 returns PCRep NO-PATH responses indicating no feasible constrained path.
sr_pcep_stateful_init_noauth: R2 and R1 establish a stateful PCEP session with OPEN and Keepalive messages (no TCP MD5), then R2 begins sending PCRpt LSP state reports.
sr_pcep_stateful_tunnel: R2 asks PCE R1 for an SR tunnel path with PCReq, receives PCRep with an explicit path, and then reports LSP state back via stateful PCRpt.
sr_pcep_stateless_init_md5: R2 and R1 bring up a stateless PCEP session protected by TCP MD5, exchanging PCEP OPEN and Keepalive messages successfully.
sr_pcep_stateless_tunnel: R2 issues a stateless PCEP PCReq for an SR path and R1 (PCE) returns a PCRep carrying the computed ERO.
Cisco SRST credentials-service handshake where a secure phone downloads SRST certificate/credentials before failover registration.
Cisco SRST failover with secure (TLS/encrypted) phone registration to the SRST router when CUCM connectivity is lost.
srv6_fal2: R1/R2 maintain IS-IS P2P HELLO adjacencies (advertising SRv6 locators) while R6 pings R7 with ICMP Echo, verifying SRv6 Flex-Algo L2 data plane.
srv6_usid: R3/R5 exchange IS-IS L2 LSP/PSNP/HELLOs distributing SRv6 uSID locators; R7 pings R6 over IPv4 then IPv6 to verify uSID forwarding.
Stateless N+1 HA between WLCs: ICMP Echo Request/Reply keepalives between WLC C and WLC D plus 802.11 data frames on the BSS — standby WLC monitors active.
Stateless N:N HA between peer WLCs: mutual ICMP keepalive pairs between multiple controllers, each backing up a portion of the other's APs.
Stateless N+N:1 HA: ICMP keepalives among multiple active WLCs plus one common standby; Echo Replies validate standby reachability for failover.
storage_iscsi_chap_fail: iSCSI initiator and target exchange Login Command/Response pairs; the final server Login Response carries a CHAP authentication failure status, aborting login.
storage_iscsi_data_xfer: Established iSCSI session moves SCSI Read/Write via Command, Data-Ready-to-Transfer (R2T) and Response PDUs between initiator and target.
storage_iscsi_format_fs: Very large iSCSI session (~1600 PDUs) of Commands, R2T and Responses as the initiator formats a filesystem on the target LUN.
storage_iscsi_login_chap: iSCSI initiator completes a 4-step CHAP Login, runs SCSI Commands and Data-In reads, Text negotiations, then Logout and NOP keepalives.
storage_iscsi_login_nochap: iSCSI initiator performs a 2-step Login without CHAP, then exchanges SCSI Commands and Data-In PDUs, ending with Logout and NOP-Out keepalives.
storage_iscsi_sendtargets: iSCSI discovery session: initiator Logins to target, issues a Text Command with SendTargets=All, receives the target list and logs out.
storage_nfsv3_auth_fail: Client probes the NFSv3 MOUNT service with NULL and MNT calls; server replies MNT with an auth error (AUTH_ERROR/access denied) on each attempt.
storage_nfsv3_download: Client reads a file via NFSv3 using GETATTR and ACCESS RPCs; server returns attributes and permit status enabling the read.
storage_nfsv3_init: NFSv3 session bring-up via Portmap GETPORT lookups, MOUNT MNT, then NFS GETATTR, FSINFO, PATHCONF, FSSTAT and ACCESS calls to initialize the mount.
storage_nfsv3_perm_denied: Client queries Portmap and issues Mount MNT twice; server returns MNT responses denying access (permission denied export restriction).
storage_nfsv3_showmount: Client opens a TCP session to showmount/mountd, issues an RPC Call (dump exports) and gets an RPC Reply, then tears down with FIN,ACK.
storage_nfsv3_upload: Client creates and uploads a file via NFSv3 ACCESS, LOOKUP, CREATE, SETATTR, WRITE and COMMIT, with GETATTR polling and a final READ verification.
storage_smb_auth_fail: SMB1/SMB2 Negotiate succeeds but repeated SMB2 Session Setup exchanges never complete, with KeepAlives in between, indicating NTLM authentication failure.
storage_smb_badshare: After SMB negotiate and session setup, client repeatedly attempts Tree Connect which the server rejects (bad share name / STATUS_BAD_NETWORK_NAME), then logs off.
storage_smb_download: SMB2 session issues Create opens, Read operations and Close on a remote file, demonstrating a file download over an established tree.
storage_smb_init: Full SMB session setup: SMB1 to SMB2 Negotiate, Session Setup (NTLM), Tree Connect, Create/Ioctl exchanges, and teardown via Close, Tree Disconnect and Session Logoff.
storage_smb_upload: Large SMB2 session (~200 msgs) with Create, Notify, Write and Close operations uploading a file to the server share.
Stateless Transport Tunneling of IPv4 and IPv6 inner frames using a TCP-like header to leverage NIC offloads on overlay traffic.
Syslog messages sent with a local-use facility (local0-7) over UDP/514 from device to collector.
Syslog messages using the 'user' facility code, transported via UDP/514 to the log collector.
Syslog (RFC 3164) messages including the hostname field in the header along with the priority and timestamp.
Cisco syslog with hostname plus sequence number prefix, helping detect lost messages on UDP transport.
Cisco syslog with hostname, sequence number and XML-formatted message body for structured log parsing.
Syslog messages with hostname and XML-encoded message payload for structured ingestion by collectors.
Syslog delivered over TCP (RFC 6587) rather than UDP, providing reliable transport between sender and collector.
Syslog messages with XML-formatted payload, enabling structured fields to be parsed by the log receiver.
TACACS+ authentication START/REPLY/CONTINUE exchange between NAS and TACACS+ server, ending in PASS.
TACACS+ authorization REQUEST/RESPONSE between NAS and TACACS+ server granting the authenticated user command/service privileges.
Cisco TDP (Tag Distribution Protocol, pre-LDP) neighbor discovery and tag binding exchange establishing label forwarding state.
Telnet login fails: client connects to TCP/23, option negotiation occurs, but authentication is rejected and session closes.
Telnet login succeeds: client negotiates options on TCP/23, authenticates, and an interactive shell session is established.
TFTP Read Request (RRQ) download using UDP, with the server streaming DATA blocks and the client returning ACKs until the transfer completes.
TFTP Write Request (WRQ) upload using UDP, with the server acknowledging each DATA block sent by the client until the file is fully stored.
ICMP Timestamp Request and Reply exchange returning originate, receive, and transmit timestamps for time synchronization and one-way delay estimation.
UDP/ICMP traceroute using incrementing TTLs to elicit ICMP Time Exceeded from each hop, revealing the path to the destination.
Traceroute across an MPLS IPv4 core where LSRs return ICMP Time Exceeded with MPLS label-stack extensions, exposing label hops along the path.
Traceroute through an MPLS L3VPN (VPNv4) showing PE/P hops, ICMP Time Exceeded with label-stack extensions, and VRF-aware return path.
Traceroute through an MPLS L3VPN carrying IPv6 (6VPE/VPNv6), with ICMP Time Exceeded messages exposing MPLS label hops across the provider core.
Cisco UDLD in aggressive mode exchanges unidirectional link detection hellos; aggressive mode err-disables the port on loss to protect against one-way link faults.
Cisco UDLD in standard (normal) mode exchanges periodic neighbor hellos to detect unidirectional Ethernet links without forcing an err-disable on loss.
UDP-Lite over IPv4 flow where only a partial checksum covers the header and a portion of the payload, useful for loss-tolerant real-time media.
UDP-Lite over IPv6 flow with partial-checksum coverage, delivering loss-tolerant payloads where corrupted bytes may still be useful to the application.
RFB/VNC remote desktop login to a Windows host: version handshake, security type selection, auth, and ClientInit/ServerInit succeed.
VRRPv2 failover and preempt flow where the master fails, a backup promotes to master, then a higher-priority router preempts to reclaim mastership.
VRRPv2 initialization with multicast Advertisements on 224.0.0.18 electing the master router for the virtual IP address.
VRRPv3 failure and preempt flow supporting IPv4/IPv6, with master loss, backup takeover, and higher-priority preemption.
VRRPv3 initialization exchanging Advertisements to elect the master router for both IPv4 and IPv6 virtual addresses.
VTP version 2 summary and subset advertisements propagating a VLAN addition from the VTP server to clients, incrementing the domain revision.
VTP version 2 summary and subset advertisements propagating a VLAN deletion across the VTP domain, with an incremented configuration revision.
VTP version 3 advertisements carrying MST (Multiple Spanning Tree) region configuration updates across VTPv3 primary and secondary servers.
VTP version 3 advertisements propagating a VLAN addition from the VTPv3 primary server through the domain using authenticated summary and subset frames.
VTP version 3 advertisements propagating a VLAN deletion from the primary server to VTPv3 clients and secondary servers across the domain.
VTP version 3 initial domain bring-up with summary, subset, and request advertisements synchronizing VLAN database state between primary server and peers.
VXLAN overlay using multicast in the underlay for BUM traffic replication, flooding ARP and unknown unicast across VTEPs.
VXLAN overlay using head-end (unicast) replication, where the source VTEP unicasts encapsulated BUM traffic to each remote VTEP individually.
WCCP service group initialization with password-protected Here-I-Am and I-See-You negotiation between router and cache engines.
WCCP Removal Query exchange where the router probes a cache engine's liveness and removes it from the service group if unresponsive.
WCCP services 1/2/3 redirecting traffic from router to cache engine via GRE encapsulation for content and DNS optimization.
WCCP services 1/2/3 redirecting traffic using Layer 2 MAC rewrite instead of GRE, requiring cache engines to be L2-adjacent to the router.
WCCP web-cache service 0 redirecting HTTP traffic via GRE tunnel to the cache engine for content acceleration.
WCCP web-cache service 0 redirecting HTTP traffic using Layer 2 forwarding to the directly attached cache engine.
Wake-on-LAN magic packet: UDP/broadcast frame carrying the target MAC repeated 16 times wakes the sleeping host.