[Intrusions] tcpdump results
bschnzl at cotse.net
Thu Oct 7 19:33:19 GMT 2004
Hi all...
The short answer is that these are sequence numbers. The selective
ack method is being used in this conversation. The remote station
may be connected through a satellite link (high bandwidth, high
latency).
tcpdump.org (who maintain the software) has made changes to the order
and labeling formats across versions. Other indications drop the
braces and separate the numbers with two "dots". Also, windump and
snoop have their own minor format differences. To properly answer
this, it would be easier to have the raw binary libpcap file.
The -w switch will save raw packets to a file to be read at a later
time. These files can be used by ethereal (or tethereal) et al.
Today, Dana Webber has mentioned the expanded labeling of this
package. If you have these files you can use any libpcap frontend
(like tcpdump, or ethereal) to reformat the analysis of the same
packet.
Perhaps the most useful switch is the -X which shows the packets in
hex, with the ascii rendered to the right. Tethereal will do the
same with the -x switch. Ethereal puts the hex in the bottom box.
This is the benefit of reformatting the output available by saving to
a libpcap file.
Using the hex output will show you if the curly braces are the
sequence numbers. In TCP, each byte is numbered. Generally, tcpdump
will compute the ending sequence number by the amount of payload
bytes in the packet, and display both the first and last sequence
number in the packet, as well as the difference. Look in the hex
output for 0002 15AD, 0002 1B12, et cetera.
The header fields won't move, but the methods behind filling those
fields adjusts with technology (RFC 2018, et al).
enjoy...
B.
On 6 Oct 2004, this text appeared purporting to belong to opiesan
From: opiesan <opiesan at opiesan.com>
To: "Intrusions List (GCIA Practicals)" <intrusions at lists.sans.org>
Subject: Re: [Intrusions] tcpdump results
Date sent: Wed, 06 Oct 2004 22:03:05 -0400 (EDT)
Send reply to: "Intrusions List \(GCIA Practicals\)" <intrusions at lists.sans.org>
> Hello Don.
>
> I'm not a TCP/IP guru but I believe the numbers within the curly braces
> are the beginning and ending TCP sequence numbers. Sequence numbers are one
> of the mechanisms TCP uses to guarantee reliable packet delivery. To fully
> explain what your output is saying, it might help to send the exact
> tcpdump command you used. Hope this clarifies things somewhat.
>
> Scott
>
>
> ---- Donald Cunningham <cunningham70 at yahoo.com> wrote:
> >
> > Hello all,
> >
> > I'm seeing some tcpdump results I don't fully
> > understand. Would one of you kindly point me to a
> > reference that will help me understand the output of
> > the traces shown below. In particular I don't
> > understand the part of the trace within the curly
> > braces:
> >
> > 09:16:21.486544 local.ip.address.1494 >
> > remote.ip.address.80: . ack 128341 win 48990
> > <nop,nop,sack sack 1 {136621:138001} > (DF)
> >
> > 09:16:21.486546 local.ip.address.1494 >
> > remote.ip.address.80: . ack 128341 win 48990
> > <nop,nop,sack sack 1 {136621:139381} > (DF)
> >
> > 09:16:21.487166 local.ip.address.1494 >
> > remote.ip.address.80: . ack 128341 win 48990
> > <nop,nop,sack sack 1 {136621:140761} > (DF)
> >
> > 09:16:21.487293 local.ip.address.1494 >
> > remote.ip.address.80: . ack 128341 win 48990
> > <nop,nop,sack sack 1 {136621:142141} > (DF)
> >
> >
> > I know, I know... but I've RTFManpage and it didn't
> > help.
> >
> > Thanks,
> >
> > Don
> >
> >
> >
> > _______________________________________________
> > Intrusions mailing list
> > Intrusions at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/intrusions
Bill Scherr IV, GSEC, GCIA
EWA / Information & Infrastructure Technologies
National Guard Regional Technology Center / Norwich Campus
Northfield, VT 05663
802-485-1962
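As an added illustration of the thread's two points (what the curly braces hold, and checking them against the -X hex dump), not code from the list or its posters: this parses Don's four lines (re-joined onto single lines, since the mail client wrapped them), works out the hole below the SACK block and how far the block grows per packet, and encodes/decodes the RFC 2018 SACK option so the left edge 136621 can be seen as the bytes 0002 15AD.

```python
import re
import struct

# Constructed input: the four lines quoted in the thread, each joined back onto one line.
SAMPLE = """\
09:16:21.486544 local.ip.address.1494 > remote.ip.address.80: . ack 128341 win 48990 <nop,nop,sack sack 1 {136621:138001} > (DF)
09:16:21.486546 local.ip.address.1494 > remote.ip.address.80: . ack 128341 win 48990 <nop,nop,sack sack 1 {136621:139381} > (DF)
09:16:21.487166 local.ip.address.1494 > remote.ip.address.80: . ack 128341 win 48990 <nop,nop,sack sack 1 {136621:140761} > (DF)
09:16:21.487293 local.ip.address.1494 > remote.ip.address.80: . ack 128341 win 48990 <nop,nop,sack sack 1 {136621:142141} > (DF)
"""

LINE_RE = re.compile(r"ack (?P<ack>\d+) win (?P<win>\d+) <(?P<opts>[^>]*)>")
BLOCK_RE = re.compile(r"\{(\d+):(\d+)\}")

def parse_line(line):
    """Return the ack number and the list of (left, right) SACK blocks on one tcpdump line."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("no TCP ack/options found: " + line)
    blocks = [(int(a), int(b)) for a, b in BLOCK_RE.findall(m.group("opts"))]
    return int(m.group("ack")), blocks

def analyse(text):
    """Per line: the hole below the first SACK block (bytes the sender still owes,
    left edge minus ack), the block length, and how much the right edge grew."""
    out, prev_right = [], None
    for line in text.splitlines():
        ack, blocks = parse_line(line)
        left, right = blocks[0]
        out.append({"hole": left - ack, "sacked": right - left,
                    "growth": None if prev_right is None else right - prev_right})
        prev_right = right
    return out

def sack_option_bytes(blocks):
    """Encode a SACK option as on the wire (RFC 2018): kind 5, length 2+8n, 32-bit edges."""
    body = b"".join(struct.pack("!II", left, right) for left, right in blocks)
    return struct.pack("!BB", 5, 2 + 8 * len(blocks)) + body

def decode_sack_option(raw):
    """Inverse of sack_option_bytes: what you would pick out of the -X hex dump."""
    kind, length = raw[0], raw[1]
    if kind != 5 or length != len(raw) or (length - 2) % 8:
        raise ValueError("not a well-formed SACK option")
    return [struct.unpack("!II", raw[i:i + 8]) for i in range(2, length, 8)]
```

On these lines the block grows by exactly 1380 bytes per packet and the hole below it is six such segments, i.e. the receiver is reporting a burst of data arriving behind a single lost segment.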