[Intrusions] tcpdump results

Smith, Donald Donald.Smith at qwest.com
Thu Oct 7 14:47:26 GMT 2004



Donald.Smith at qwest.com GCIA
1st & 2nd rule of security. 
While(access_required = 1) provideaccess(); else denyaccess();

> -----Original Message-----
> From: intrusions-bounces at lists.sans.org 
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Dana Webber
> Sent: Wednesday, October 06, 2004 6:02 PM
> To: Intrusions List (GCIA Practicals)
> Subject: Re: [Intrusions] tcpdump results
> 
> 
> Ethereal is much easier to understand than tcpdump.
> The standard reference for IP is "Tcp Illustrated"
> 
> On Wednesday 06 October 2004 17:16, Donald Cunningham wrote:
> > Hello all,
> > 
> > I'm seeing some tcpdump results I don't fully
> > understand.  Would one of you kindly point me to a
> > reference that will help me understand the output of
> > the traces shown below.  In particular I don't
> > understand the part of the trace within the curly
> > braces:
> > 
> > 09:16:21.486544 local.ip.address.1494 >
> > remote.ip.address.80: . ack 128341 win 48990
> > <nop,nop,sack sack 1 {136621:138001} > (DF)

Selective ack (sack) of data 136621 - 138001. This implies data has been
dropped but the system picked up some of it and is acking it. 
When packets arrive out of sequence this allows the receiving side to
ack those packets it has seen.

> > 
> > 09:16:21.486546 local.ip.address.1494 >
> > remote.ip.address.80: . ack 128341 win 48990
> > <nop,nop,sack sack 1 {136621:139381} > (DF)
> > 
> > 09:16:21.487166 local.ip.address.1494 >
> > remote.ip.address.80: . ack 128341 win 48990
> > <nop,nop,sack sack 1 {136621:140761} > (DF)
> > 
> > 09:16:21.487293 local.ip.address.1494 >
> > remote.ip.address.80: . ack 128341 win 48990
> > <nop,nop,sack sack 1 {136621:142141} > (DF)
> > 
> > 
> > I know, I know... but I've RTFManpage and it didn't
> > help.
> > 
> > Thanks,
> > 
> > Don
> > 
> > 
> > _______________________________________________
> > Intrusions mailing list
> > Intrusions at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/intrusions
> > 
> > 
> 
> -- 
> Dana Webber
> dana at dunrobin.dyn.dhs.org
> http://dunrobin.dyn.dhs.org
> 
> Getting a computer system to work is like banging your head 
> against a brick wall until the wall falls down. 
> 
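Worked example, added to this archive page and not part of Donald Smith's or any other poster's message: a short Python script that parses the four tcpdump lines quoted above and reads out what the SACK option says. It assumes the classic one-packet-per-line tcpdump format (the archive wrapped each line; the sample below re-joins them), and it infers the segment size from the trace's own numbers (the SACK right edge grows by 1380 bytes per packet), which the thread never states explicitly.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the four tcpdump lines quoted in the thread, each re-joined
# onto a single line (tcpdump prints one packet per line; the mail archive wrapped them).
SAMPLE_TRACE = """\
09:16:21.486544 local.ip.address.1494 > remote.ip.address.80: . ack 128341 win 48990 <nop,nop,sack sack 1 {136621:138001} > (DF)
09:16:21.486546 local.ip.address.1494 > remote.ip.address.80: . ack 128341 win 48990 <nop,nop,sack sack 1 {136621:139381} > (DF)
09:16:21.487166 local.ip.address.1494 > remote.ip.address.80: . ack 128341 win 48990 <nop,nop,sack sack 1 {136621:140761} > (DF)
09:16:21.487293 local.ip.address.1494 > remote.ip.address.80: . ack 128341 win 48990 <nop,nop,sack sack 1 {136621:142141} > (DF)
"""

# Classic tcpdump TCP line: "ts src > dst: flags ack N win W <options> (DF)"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>\S+)\s+ack\s+(?P<ack>\d+)\s+win\s+(?P<win>\d+)"
    r"(?:\s+<(?P<opts>[^>]*)>)?"
)
# Each SACK block is printed as {left:right}: bytes left..right-1 arrived out of order.
SACK_BLOCK_RE = re.compile(r"\{(\d+):(\d+)\}")


@dataclass
class SackAck:
    ts: str
    src: str
    dst: str
    ack: int                          # cumulative ACK: every byte below this arrived in order
    win: int
    blocks: List[Tuple[int, int]] = field(default_factory=list)

    def hole(self) -> Optional[Tuple[int, int]]:
        """Sequence range [ack, first SACK left edge) that the receiver is still missing."""
        if not self.blocks:
            return None
        return (self.ack, min(left for left, _ in self.blocks))

    def hole_bytes(self) -> int:
        h = self.hole()
        return 0 if h is None else h[1] - h[0]


def parse_line(line: str) -> Optional[SackAck]:
    m = LINE_RE.match(line)
    if not m:
        return None
    blocks = [(int(left), int(right))
              for left, right in SACK_BLOCK_RE.findall(m.group("opts") or "")]
    return SackAck(m.group("ts"), m.group("src"), m.group("dst"),
                   int(m.group("ack")), int(m.group("win")), blocks)


def parse_trace(text: str) -> List[SackAck]:
    return [p for p in (parse_line(l) for l in text.splitlines()) if p is not None]


def analyze(packets: List[SackAck]) -> Dict[str, object]:
    """Summarize a run of ACKs from one receiver: how many repeat the same cumulative
    ACK (duplicate ACKs), how large the hole is, and how far the SACK right edge
    advances per packet, which is the size of each out-of-order segment received."""
    if not packets:
        return {}
    first = packets[0]
    dup_acks = sum(1 for p in packets if p.ack == first.ack)
    growth = [b.blocks[0][1] - a.blocks[0][1]
              for a, b in zip(packets, packets[1:]) if a.blocks and b.blocks]
    # Segment size inferred from the right-edge growth (1380 bytes in the thread's trace).
    seg = min(growth) if growth else None
    return {
        "duplicate_acks": dup_acks,
        "hole": first.hole(),
        "hole_bytes": first.hole_bytes(),
        "right_edge_growth": growth,
        "segment_size": seg,
        "segments_in_hole": first.hole_bytes() // seg if seg else None,
    }


if __name__ == "__main__":
    pkts = parse_trace(SAMPLE_TRACE)
    for p in pkts:
        print(f"{p.ts} ack={p.ack} sack={p.blocks} missing={p.hole()}")
    print(analyze(pkts))
```

Run against the quoted trace, the cumulative ACK stays at 128341 in all four packets while the SACK right edge climbs 138001, 139381, 140761, 142141: the receiver reports the same 8280-byte hole (128341 up to 136621, six 1380-byte segments) each time, and with each packet it acknowledges one more segment that arrived beyond the hole. Those repeated ACKs carrying SACK blocks are what let the sender retransmit just the missing range instead of waiting for a timeout and resending everything from 128341.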


