[Intrusions] tcpdump results

Donald Cunningham cunningham70 at yahoo.com
Thu Oct 7 15:36:24 GMT 2004


Oops... My Bad.  Make that the first 200 BYTES of IP
traffic.  Not 200 bits.

--- Donald Cunningham <cunningham70 at yahoo.com> wrote:

> Hi Scott,
> 
> The instance of tcpdump that captured these traces
> was:
> tcpdump -s 200 -n  -w - -F filter.  The filter
> contains "ip" causing this portion of the IDS to
> capture the first 200 bits of all IP traffic.  Since
> the -S switch is missing the result will contain
> relative sequence numbers.  Not that I'm trying to
> argue the point but I believe the number directly
> after the . ack flag is the relative sequence number
> for the tcp sequence.
> 
> Thanks anyway.
> 
> Don
> 
> 
> --- opiesan <opiesan at opiesan.com> wrote:
> 
> > Hello Don. 
> > 
> > I'm not a TCP/IP guru but I believe the numbers
> > within the curly braces are the beginning and ending
> > TCP sequence numbers. Sequence numbers are one of the
> > mechanisms TCP uses to guarantee reliable packet
> > delivery. To fully explain what your output is
> > saying, it might help to send the exact tcpdump
> > command you used. Hope this clarifies things
> > somewhat.
> > 
> > Scott 
> > 
> > 
> > ---- Donald Cunningham <cunningham70 at yahoo.com>
> > wrote:
> > >
> > > Hello all,
> > > 
> > > I'm seeing some tcpdump results I don't fully
> > > understand.  Would one of you kindly point me to a
> > > reference that will help me understand the output of
> > > the traces shown below.  In particular I don't
> > > understand the part of the trace within the curly
> > > braces:
> > > 
> > > 09:16:21.486544 local.ip.address.1494 > remote.ip.address.80: . ack 128341 win 48990 <nop,nop,sack sack 1 {136621:138001} > (DF)
> > > 
> > > 09:16:21.486546 local.ip.address.1494 > remote.ip.address.80: . ack 128341 win 48990 <nop,nop,sack sack 1 {136621:139381} > (DF)
> > > 
> > > 09:16:21.487166 local.ip.address.1494 > remote.ip.address.80: . ack 128341 win 48990 <nop,nop,sack sack 1 {136621:140761} > (DF)
> > > 
> > > 09:16:21.487293 local.ip.address.1494 > remote.ip.address.80: . ack 128341 win 48990 <nop,nop,sack sack 1 {136621:142141} > (DF)
> > > 
> > > 
> > > I know, I know... but I've RTFManpage and it didn't
> > > help.
> > > 
> > > Thanks,
> > > 
> > > Don
> > > 
> > > 
> > > _______________________________________________
> > > Intrusions mailing list
> > > Intrusions at lists.sans.org
> > > http://www.dshield.org/mailman/listinfo/intrusions
> > > 
> > > 
> > 
> 
> 
> 



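As an added illustration (not part of the thread above, and not tcpdump's own code), a small Python parser for the old-style tcpdump TCP lines Don posted: it pulls out the ack number, window and SACK blocks, and from ack + SACK infers which byte ranges the receiver is still missing, using the four trace lines (re-joined onto one line each) as constructed sample input.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: the four lines from Don's trace, one record per line.
SAMPLE = """\
09:16:21.486544 local.ip.address.1494 > remote.ip.address.80: . ack 128341 win 48990 <nop,nop,sack sack 1 {136621:138001} > (DF)
09:16:21.486546 local.ip.address.1494 > remote.ip.address.80: . ack 128341 win 48990 <nop,nop,sack sack 1 {136621:139381} > (DF)
09:16:21.487166 local.ip.address.1494 > remote.ip.address.80: . ack 128341 win 48990 <nop,nop,sack sack 1 {136621:140761} > (DF)
09:16:21.487293 local.ip.address.1494 > remote.ip.address.80: . ack 128341 win 48990 <nop,nop,sack sack 1 {136621:142141} > (DF)
"""

# Old tcpdump format: "<ts> <src> > <dst>: <flags> ack <n> win <n> <options>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+) "
    r"ack (?P<ack>\d+) win (?P<win>\d+)(?: <(?P<opts>[^>]*)>)?"
)
SACK_RE = re.compile(r"\{(\d+):(\d+)\}")  # one {start:end} per SACK block


@dataclass
class TcpAck:
    ts: str
    src: str
    dst: str
    ack: int                      # relative unless tcpdump ran with -S
    win: int
    sack: list[tuple[int, int]] = field(default_factory=list)

    def holes(self) -> list[tuple[int, int]]:
        """Byte ranges not yet received: between the ack point and each SACK block."""
        gaps, left = [], self.ack
        for start, end in sorted(self.sack):
            if start > left:
                gaps.append((left, start))
            left = max(left, end)
        return gaps


def parse_line(line: str) -> TcpAck | None:
    m = LINE_RE.match(line)
    if not m:
        return None
    sack = [(int(a), int(b)) for a, b in SACK_RE.findall(m.group("opts") or "")]
    return TcpAck(m.group("ts"), m.group("src"), m.group("dst"),
                  int(m.group("ack")), int(m.group("win")), sack)


def parse_trace(text: str) -> list[TcpAck]:
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def segment_sizes(acks: list[TcpAck]) -> list[int]:
    """Growth of the SACK block's end between lines = size of each out-of-order segment."""
    ends = [a.sack[0][1] for a in acks if a.sack]
    return [b - a for a, b in zip(ends, ends[1:])]
```

Running `parse_trace(SAMPLE)` shows every line acking up to 128341 while SACKing 136621 onward, so the peer is being told that 128341..136621 is lost and that each new segment after the hole was 1380 bytes.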

