[Dshield] OK, packet guys, what about 43919 then?

Pete Cap peteoutside at yahoo.com
Wed Feb 4 00:45:50 GMT 2004


Johannes' kung fu is stronger than mine...I can derive nothing from it (other than yes, it appears to be a vanilla SYN) and you can't really do traffic analysis on one packet :)
 
Is there any followup traffic?  Anything else from the same IP?
Do you ever get strange TCP flags (syn/fin, etc.)?
Are you acking these or dropping them?
etc.
 
Regards,
Pete


"Johannes B. Ullrich" <jullrich at sans.org> wrote:

looks just like a regular SYN packet.


> 4 IP Version 4 (normal)
> 5 IP header is 20 bytes (good, no options)
> 00 TOS is 0 (normal)
> 00 30 packet size 48 bytes (- 20 for IP header leaves 18 bytes)
> ** ** packet id. may be helpful to have.
> 40 00 no fragmentation here
> ** TTL? why obfuscate it?
> 06 ok. It's TCP
> ** ** header checksum. I guess it was valid?
> ** ** ** ** source ip
> QQ RR SS TT target ip

now we enter the TCP header

> ** ** why hide the source port? maybe it will tell us something about the origin? e.g. is it a well known port?

> AB 8F ok. target port is 43919
> ** ** ** ** sequence number? is it 'ok'?
> 00 00 00 00 ack number 0. So I assume this was a SYN packet?
> 7 TCP header is 7 32-bit words long. We got options!
> 0 02 ok. SYN flag set.
> ** ** ** ** why hide the window and checksum settings? The checksum doesn't say much, but the window may give hints
> 00 00 ok. URG pointer is set to 0. That's fine

now the fun part... tcp options.

> 02 04 05 64 maximum segment size is 0x0564 = 1380... that's a normal value.
> 01 01 NOP NOP
> 04 02 SACK

> 
> C. Crowley
> 
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
-- 
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 837 2807 jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm


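As an added example (not part of the thread, and not code from any of the posters), here is a Python decoder that walks the same IP and TCP header layout Johannes steps through above, validates the IP header checksum he wonders about, parses the option bytes (MSS, NOP, SACK permitted) and flags the odd flag combinations Pete asks about. The masked bytes in the post are filled in with constructed values (packet id, TTL, TEST-NET addresses, source port, sequence number, window) so the sample runs offline; those values are assumptions, not data from the thread.

```python
import struct
from ipaddress import IPv4Address

# Bits of the TCP flags byte (the 0x02 in the post is SYN).
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}
OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WSCALE", 4: "SACK_PERMITTED",
                5: "SACK", 8: "TIMESTAMP"}


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over a header whose checksum field is
    already valid this returns 0, which is how the parser verifies it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp_options(raw: bytes) -> list:
    """Walk the option bytes: kinds 0 and 1 are single bytes, the rest are kind,len,data."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            opts.append(("EOL", None))
            break
        if kind == 1:
            opts.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option at offset %d" % i)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):   # bad length would walk off the header
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        data = raw[i + 2:i + length]
        name = OPTION_NAMES.get(kind, "KIND%d" % kind)
        # MSS is the one option the post decodes (0x0564 = 1380); everything else stays as hex.
        value = struct.unpack("!H", data)[0] if kind == 2 and len(data) == 2 else (data.hex() or None)
        opts.append((name, value))
        i += length
    return opts


def parse_packet(pkt: bytes) -> dict:
    """Decode an IPv4 header plus TCP header, field by field, as the thread does by hand."""
    if len(pkt) < 20:
        raise ValueError("shorter than a minimal IP header")
    vihl, tos, total_len, ident, frag, ttl, proto, _cks, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a sane IPv4 header")
    info = {"ip_header_len": ihl, "tos": tos, "total_len": total_len, "id": ident,
            "dont_fragment": bool(frag & 0x4000), "frag_offset": frag & 0x1FFF,
            "ttl": ttl, "proto": proto, "ip_checksum_ok": ip_checksum(pkt[:ihl]) == 0,
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst))}
    if proto != 6:
        return info
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _tcks, urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4            # the "7" in 0x70: 7 words = 28 bytes
    if data_off < 20 or len(tcp) < data_off:
        raise ValueError("bad TCP data offset")
    flags = off_flags & 0x01FF
    info.update({"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                 "tcp_header_len": data_off, "window": window, "urg_ptr": urg,
                 "flags": [n for b, n in sorted(TCP_FLAGS.items()) if flags & b],
                 "options": parse_tcp_options(tcp[20:data_off]),
                 "payload_len": total_len - ihl - data_off})
    return info


def odd_flags(flags: list) -> list:
    """The 'strange TCP flags' Pete asks about: combinations no normal stack sends."""
    s, problems = set(flags), []
    if not s:
        problems.append("no flags (null scan)")
    if {"SYN", "FIN"} <= s:
        problems.append("SYN+FIN")
    if {"SYN", "RST"} <= s:
        problems.append("SYN+RST")
    if {"FIN", "PSH", "URG"} <= s and "ACK" not in s:
        problems.append("FIN+PSH+URG without ACK (xmas scan)")
    return problems


def sample_syn() -> bytes:
    """Constructed packet: the visible bytes from the post, with the masked fields filled in
    with made-up values (id 0x1234, TTL 64, TEST-NET addresses, port 50000, seq 1, window 5840)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, 48, 0x1234, 0x4000, 64, 6, 0,
                     IPv4Address("192.0.2.1").packed, IPv4Address("198.51.100.2").packed)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in a valid checksum
    tcp = struct.pack("!HHIIHHHH", 50000, 0xAB8F, 1, 0, 0x7002, 5840, 0, 0)
    return ip + tcp + bytes.fromhex("02040564" "0101" "0402")   # MSS 1380, NOP, NOP, SACK ok


if __name__ == "__main__":
    decoded = parse_packet(sample_syn())
    for key, value in decoded.items():
        print("%-16s %r" % (key, value))
    print("odd flags:", odd_flags(decoded["flags"]) or "none")
```

Run as-is it prints the decoded fields for the constructed packet (48-byte total length, 28-byte TCP header, port 43919, SYN only, MSS 1380); feed `parse_packet` the raw bytes of a real capture and the same checks apply. The TCP checksum is left unverified since it needs the pseudo-header, which the post also masks.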



