[Intrusions] tcpdump results

Donald Cunningham cunningham70 at yahoo.com
Thu Oct 7 15:05:02 GMT 2004


Hi Scott,

The instance of tcpdump that captured these traces
was:
tcpdump -s 200 -n -w - -F filter.  The filter
contains "ip" causing this portion of the IDS to
capture the first 200 bits of all IP traffic.  Since
the -S switch is missing the result will contain
relative sequence numbers.  Not that I'm trying to
argue the point, but I believe the number directly
after the . ack flag is the relative sequence number
for the tcp sequence.

Thanks anyway.

Don


--- opiesan <opiesan at opiesan.com> wrote:

> Hello Don. 
> 
> I'm not a TCP/IP guru but I believe the numbers
> within the curly braces are the beginning and ending
> TCP sequence numbers. Sequence numbers is one of the
> mechanisms TCP uses to guarantee reliable packet
> delivery. To fully explain what your output is
> saying, it might help to send the exact tcpdump
> command you used. Hope this clarifies things
> somewhat. 
> 
> Scott 
> 
> 
> ---- Donald Cunningham <cunningham70 at yahoo.com>
> wrote:
> >
> > Hello all,
> > 
> > I'm seeing some tcpdump results I don't fully
> > understand.  Would one of you kindly point me to a
> > reference that will help me understand the output
> of
> > the traces shown below.  In particular I don't
> > understand the part of the trace within the curly
> > braces:
> > 
> > 09:16:21.486544 local.ip.address.1494 >
> > remote.ip.address.80: . ack 128341 win 48990
> > <nop,nop,sack sack 1 {136621:138001} > (DF)
> > 
> > 09:16:21.486546 local.ip.address.1494 >
> > remote.ip.address.80: . ack 128341 win 48990
> > <nop,nop,sack sack 1 {136621:139381} > (DF)
> > 
> > 09:16:21.487166 local.ip.address.1494 >
> > remote.ip.address.80: . ack 128341 win 48990
> > <nop,nop,sack sack 1 {136621:140761} > (DF)
> > 
> > 09:16:21.487293 local.ip.address.1494 >
> > remote.ip.address.80: . ack 128341 win 48990
> > <nop,nop,sack sack 1 {136621:142141} > (DF)
> > 
> > 
> > I know, I know... but I've RTFManpage and it
> didn't
> > help.
> > 
> > Thanks,
> > 
> > Don
> > 
> > 
> > _______________________________________________
> > Intrusions mailing list
> > Intrusions at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/intrusions
> > 
> > 
> 

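The four ACKs quoted above all carry a single SACK block whose right edge advances by the same amount each time while the cumulative ack stays put. The parser below is an added example, not code from the thread or from tcpdump; it reads lines in the summary format the poster pasted, pulls out the ack, window and `{left:right}` SACK edges, and computes the hole between the cumulative ack and the first SACK block, which is the range the sender will have to retransmit. It assumes, as tcpdump prints without `-S`, that the ack and the SACK edges are both shown relative to the same initial sequence number, so they can be compared directly. The sample trace is the poster's own four lines, embedded as constructed input; the hostnames are placeholders exactly as written in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the four tcpdump summary lines quoted in the thread.
SAMPLE_TRACE = """\
09:16:21.486544 local.ip.address.1494 > remote.ip.address.80: . ack 128341 win 48990 <nop,nop,sack sack 1 {136621:138001} > (DF)
09:16:21.486546 local.ip.address.1494 > remote.ip.address.80: . ack 128341 win 48990 <nop,nop,sack sack 1 {136621:139381} > (DF)
09:16:21.487166 local.ip.address.1494 > remote.ip.address.80: . ack 128341 win 48990 <nop,nop,sack sack 1 {136621:140761} > (DF)
09:16:21.487293 local.ip.address.1494 > remote.ip.address.80: . ack 128341 win 48990 <nop,nop,sack sack 1 {136621:142141} > (DF)
"""

# Matches a tcpdump (3.x-era summary format) TCP line that carries an ack.
# The optional seq_lo:seq_hi(len) group covers data-bearing segments.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SFRP.]+)\s+"
    r"(?:(?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<len>\d+)\)\s+)?"
    r"ack\s+(?P<ack>\d+)\s+win\s+(?P<win>\d+)"
    r"(?:\s+<(?P<opts>[^>]*)>)?"
)
SACK_BLOCK_RE = re.compile(r"\{(\d+):(\d+)\}")


@dataclass
class TcpSummary:
    ts: str
    src: str
    dst: str
    ack: int                # cumulative ack, relative (no -S given)
    win: int                # advertised receive window
    sack_blocks: list       # (left_edge, right_edge) pairs, same base as ack


def parse_line(line):
    """Parse one tcpdump summary line carrying an ack; raises on other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a tcpdump TCP ack line: {line!r}")
    opts = m.group("opts") or ""
    blocks = [(int(a), int(b)) for a, b in SACK_BLOCK_RE.findall(opts)]
    return TcpSummary(m.group("ts"), m.group("src"), m.group("dst"),
                      int(m.group("ack")), int(m.group("win")), blocks)


def parse_trace(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def holes(pkt):
    """Byte ranges [start, end) the receiver has not yet got: from the
    cumulative ack up to the first SACK block, and between blocks."""
    result = []
    prev_end = pkt.ack
    for left, right in sorted(pkt.sack_blocks):
        if left > prev_end:
            result.append((prev_end, left))
        prev_end = max(prev_end, right)
    return result


def describe(pkt):
    parts = [f"{pkt.ts} {pkt.src} -> {pkt.dst}: ack {pkt.ack}, win {pkt.win}"]
    for left, right in pkt.sack_blocks:
        parts.append(f"  SACK {left}:{right} = {right - left} bytes held above the ack")
    for start, end in holes(pkt):
        parts.append(f"  hole {start}:{end} = {end - start} bytes still missing")
    return "\n".join(parts)


def sack_growth(pkts):
    """Step in the right edge of the first SACK block between consecutive
    ACKs; a constant step is the size of the segments arriving above the hole."""
    edges = [p.sack_blocks[0][1] for p in pkts if p.sack_blocks]
    return [b - a for a, b in zip(edges, edges[1:])]


if __name__ == "__main__":
    pkts = parse_trace(SAMPLE_TRACE)
    for p in pkts:
        print(describe(p))
    print("right-edge growth per ACK:", sack_growth(pkts))
```

Run against the quoted lines, every ACK reports the same hole, 128341:136621, which is 8280 bytes, while the SACK right edge grows by 1380 bytes per ACK: the receiver keeps taking in new 1380-byte segments above the gap and re-announcing the same missing range until the sender retransmits it. Six such segments fit in the hole, which is the kind of reading a duplicate-ACK burst like this one invites. tcpdump's `-s` snaplen is counted in bytes, so `-s 200` keeps enough of each packet for these options to be decoded.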



