[Intrusions] tcpdump results

Judy Novak judy.novak at sourcefire.com
Thu Oct 7 11:53:54 GMT 2004


Donald,

   What you are seeing is the selective acknowledgment TCP option informing
of missing sequence numbers by acknowledging ones it has received, supplying
the left and right edge sequence numbers of those - the numbers in the
braces.  I don't profess to understand the intricacies of selective
acknowledgements, but if you care to read up on them, take a look at:

http://www.faqs.org/rfcs/rfc2018.html

Judy

Donald Cunningham wrote:

>Hello all,
>
>I'm seeing some tcpdump results I don't fully
>understand.  Would one of you kindly point me to a
>reference that will help me understand the output of
>the traces shown below.  In particular I don't
>understand the part of the trace within the curly
>braces:
>
>09:16:21.486544 local.ip.address.1494 >
>remote.ip.address.80: . ack 128341 win 48990
><nop,nop,sack sack 1 {136621:138001} > (DF)
>
>09:16:21.486546 local.ip.address.1494 >
>remote.ip.address.80: . ack 128341 win 48990
><nop,nop,sack sack 1 {136621:139381} > (DF)
>
>09:16:21.487166 local.ip.address.1494 >
>remote.ip.address.80: . ack 128341 win 48990
><nop,nop,sack sack 1 {136621:140761} > (DF)
>
>09:16:21.487293 local.ip.address.1494 >
>remote.ip.address.80: . ack 128341 win 48990
><nop,nop,sack sack 1 {136621:142141} > (DF)
>
>
>I know, I know... but I've RTFManpage and it didn't
>help.
>
>Thanks,
>
>Don
>
>
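
Added example, not part of the original thread: a parser for the RFC 2018 SACK option (kind 5, length 8*n+2, each block a 32-bit left and right edge) that reports which bytes are still missing for the four ACKs in the trace above. The option bytes are constructed from the relative numbers tcpdump printed, the helper names are hypothetical, and sequence-number wraparound is not handled.

```python
import struct

def parse_sack_blocks(options: bytes):
    """Walk a TCP options field and return SACK blocks as (left, right) tuples."""
    blocks, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # NOP: single padding byte, no length
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        if kind == 5:                      # SACK: 2-byte header + n * 8 bytes
            if (length - 2) % 8:
                raise ValueError("SACK length is not 8*n+2")
            for off in range(i + 2, i + length, 8):
                blocks.append(struct.unpack_from("!II", options, off))
        i += length
    return blocks

def holes(ack: int, blocks):
    """Byte ranges [start, end) still missing below the highest SACKed byte."""
    missing, cursor = [], ack
    for left, right in sorted(blocks):
        if left > cursor:
            missing.append((cursor, left))
        cursor = max(cursor, right)        # right edge = next byte after the block
    return missing

def build_options(left: int, right: int) -> bytes:
    """Constructed sample: nop, nop, SACK carrying one block."""
    return bytes([1, 1, 5, 10]) + struct.pack("!II", left, right)

# Constructed from the four ACKs in the trace (all carry ack 128341).
TRACE = [(128341, 136621, r) for r in (138001, 139381, 140761, 142141)]

def summarize():
    """For each ACK: (missing ranges, bytes held out of order in the SACK block)."""
    return [(holes(ack, parse_sack_blocks(build_options(left, right))), right - left)
            for ack, left, right in TRACE]

if __name__ == "__main__":
    for missing, held in summarize():
        print("missing:", missing, "received out of order:", held, "bytes")
```

The cumulative ack stays at 128341 while the right edge advances by 1380 bytes per ACK: the receiver keeps accepting new segments after the 8280-byte hole at 128341:136621 but cannot advance the ack until that hole is retransmitted.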




