[Dshield] OK, packet guys, what about 43919 then?

Johannes B. Ullrich jullrich at sans.org
Tue Feb 3 23:53:36 GMT 2004


looks just like a regular SYN packet.


> 4 IP Version 4 (normal)
> 5 IP header is 20 bytes (good, not options)
> 00 TOS is 0 (normal)
> 00 30 packet size 48 bytes (- 20 for IP header leaves 18 bytes)
> ** ** packet id. may be helpful to have.
> 40 00 no fragmentation here
> **    TTL? why obfuscate it?
> 06    ok. it's TCP
> ** ** header checksum. I guess it was valid?
> ** ** ** ** source ip
> QQ RR SS TT target ip

now we enter the TCP header

> ** ** why hide the source port? maybe it will tell us something about the origin? e.g. is it a well known port?

> AB 8F ok. target port is 43919
> ** ** ** ** sequence number? is it 'ok'?
> 00 00 00 00 ack number 0. So I assume this was a SYN packet?
> 7 TCP header is 7 32 bit words long. We got options!
> 0 02 ok. SYN flag set.
> ** ** ** ** why hide the window and checksum setting? checksum doesn't say much. but the window may give hints
> 00 00 ok. URG pointer is set to 0. that's fine

now the fun part... tcp options.

> 02 04 05 64 maximum segment size is 0x0564 = 1380... that's a normal value.
> 01 01    NOP NOP
> 04 02      SACK

> 
> C. Crowley
-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
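The header walk above can be mechanised. The following is an added example, not code from the original post or from DShield/ISC: a small Python decoder that does the same IPv4 and TCP field-by-field breakdown, verifies the IP header checksum (the one the post "guesses" was valid), walks the TCP options, and reports whether the packet is a plain SYN. The obfuscated `**` fields of the posted packet (id, TTL, checksum, addresses, source port, sequence number, window) are filled with assumed values in a constructed sample so that it parses; everything else (0x0030 length, DF bit, protocol 6, port 0xAB8F, data offset 7, flags 0x02, MSS 0x0564, NOP NOP, SACK permitted) matches the post.

```python
import struct

TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
             ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80)]


def ipv4_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071). Over a header with its checksum filled in, returns 0 iff valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl or total_len < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_len,
        "id": ident, "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
        "checksum": csum, "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "payload": pkt[ihl:total_len],
    }


def parse_tcp_options(opts: bytes) -> list:
    """Decode the TLV option area; EOL/NOP are single bytes, everything else is kind,len,data."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # End of option list
            out.append(("EOL", None)); break
        if kind == 1:                       # No-operation padding
            out.append(("NOP", None)); i += 1; continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length %d at offset %d" % (length, i))
        data = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            out.append(("MSS", struct.unpack("!H", data)[0]))
        elif kind == 3 and length == 3:
            out.append(("WSCALE", data[0]))
        elif kind == 4 and length == 2:
            out.append(("SACK_PERMITTED", None))
        elif kind == 8 and length == 10:
            out.append(("TIMESTAMP", struct.unpack("!II", data)))
        else:
            out.append(("OPT%d" % kind, data))
        i += length
    return out


def parse_tcp(seg: bytes) -> dict:
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = (off_flags >> 12) * 4     # header length in bytes (upper nibble = 32-bit words)
    if data_offset < 20 or len(seg) < data_offset:
        raise ValueError("bad TCP data offset")
    bits = off_flags & 0x01FF
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset, "flags": [n for n, b in TCP_FLAGS if bits & b],
        "window": window, "checksum": csum, "urg_ptr": urg,   # TCP checksum not verified here (needs pseudo-header)
        "options": parse_tcp_options(seg[20:data_offset]), "payload": seg[data_offset:],
    }


def parse_packet(pkt: bytes) -> dict:
    ip = parse_ipv4(pkt)
    return {"ip": ip, "tcp": parse_tcp(ip["payload"]) if ip["protocol"] == 6 else None}


def looks_like_plain_syn(tcp: dict) -> bool:
    return tcp["flags"] == ["SYN"] and tcp["ack"] == 0 and tcp["payload"] == b""


def build_sample() -> bytes:
    """Constructed sample: the post's packet with assumed values for the ** fields (not real traffic)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 1]), bytes([10, 0, 0, 2]))          # assumed id/TTL/addresses
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]           # fill in a valid checksum
    tcp = struct.pack("!HHIIHHHH", 49152, 43919, 0x11223344, 0,              # assumed sport/seq
                      (7 << 12) | 0x02, 16384, 0, 0)                        # offset 7, SYN, assumed window
    return ip + tcp + bytes.fromhex("02040564" "0101" "0402")               # MSS 1380, NOP, NOP, SACK ok


if __name__ == "__main__":
    decoded = parse_packet(build_sample())
    for layer in ("ip", "tcp"):
        for k, v in decoded[layer].items():
            print("%s.%s = %r" % (layer, k, v))
    print("plain SYN:", looks_like_plain_syn(decoded["tcp"]))
```

Run it on a raw-IP dump and the decoder will refuse truncated or inconsistent headers (bad IHL, data offset, option lengths) instead of silently misreading them, which is the check you want before trusting any "it's just a SYN" verdict on a packet someone else redacted.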