[Dshield] OK, packet guys, what about 43919 then?
peteoutside at yahoo.com
Wed Feb 4 00:45:50 GMT 2004
Johannes' kung fu is stronger than mine...I can derive nothing from it (other than yes, it appears to be a vanilla SYN) and you can't really do traffic analysis on one packet :)
Is there any followup traffic? Anything else from the same IP?
Do you ever get strange TCP flags (syn/fin, etc.)?
Are you acking these or dropping them?
"Johannes B. Ullrich" <jullrich at sans.org> wrote:
> looks just like a regular SYN packet.
> 4 IP Version 4 (normal)
> 5 IP header is 20 bytes (good, not options)
> 00 TOS is 0 (normal)
> 00 30 packet size 48 bytes (- 20 for IP header leaves 18 bytes)
> ** ** packet id. may be helpful to have.
> 40 00 no fragmentation here
> ** TTL? why obfuscate it?
> 06 ok. its tcp
> ** ** header checksum. I guess it was valid?
> ** ** ** ** source ip
> QQ RR SS TT target ip
> now we enter the TCP header
> ** ** why hide the source port? maybe it will tell us something about the origin? e.g. is it a well known port?
> AB 8F ok. target port is 43919
> ** ** ** ** sequence number? is it 'ok'?
> 00 00 00 00 ack number 0. So I assume this was a SYN packet?
> 7 TCP header is 7 32 bit words long. We got options!
> 0 02 ok. SYN flag set.
> ** ** ** ** why hide the window and checksum setting? checksum doesn't say much. but the window may give hints
> 00 00 ok. URG pointer is set to 0. that's fine
> now the fun part... tcp options.
> 02 04 05 64 maximum segment size is 0x0564 = 1380... that's a normal value.
> 01 01 NOP NOP
> 04 02 SACK
> C. Crowley
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 837 2807 jullrich at sans.org
contact details: http://johannes.homepc.org/contact.htm
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
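A decoder for a segment laid out like the one walked through above, added here as an example that is not from the thread or from DShield. The constructed sample reuses the bytes visible in the quoted dump (length 48, DF set, protocol 6, destination port AB 8F, ack 0, header length 7, SYN, MSS 05 64, NOP NOP SACK); the masked fields (id, TTL, addresses, source port, sequence number, window) are placeholder values chosen for this example, and the IP checksum is computed so the "was it valid?" check can actually be exercised.

```python
import struct
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]          # bits 0..5 of the flags byte
OPTION_NAMES = {2: "MSS", 3: "WScale", 4: "SACK-permitted", 8: "Timestamps"}

def ip_checksum(header: bytes) -> int:
    """RFC 791 ones-complement sum; yields 0 when run over a header whose checksum field is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_tcp_options(opts: bytes) -> list:
    """Walk the option list: EOL/NOP are single bytes, everything else is kind, length, data."""
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            parsed.append(("NOP", None)); i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        data = opts[i + 2:i + length]
        value = struct.unpack("!H", data)[0] if kind == 2 and len(data) == 2 else (data.hex() or None)
        parsed.append((OPTION_NAMES.get(kind, "kind-%d" % kind), value))
        i += length
    return parsed

def decode_syn(pkt: bytes) -> dict:
    """Decode IPv4 + TCP headers into the fields walked through in the thread."""
    ver_ihl, tos, total_len, _, frag, ttl, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, ack, off, flags, window, _, urg = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    doff = off >> 4
    return {
        "version": ver_ihl >> 4, "ihl_bytes": ihl, "tos": tos, "total_length": total_len,
        "dont_fragment": bool(frag & 0x4000), "ttl": ttl, "protocol": proto,
        "ip_checksum_ok": ip_checksum(pkt[:ihl]) == 0, "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack, "data_offset_words": doff, "window": window, "urg_pointer": urg,
        "flags": [n for i, n in enumerate(TCP_FLAGS) if flags & (1 << i)],
        "options": parse_tcp_options(pkt[ihl + 20:ihl + doff * 4]),
        "payload_len": len(pkt) - ihl - doff * 4,
    }

# Constructed sample: visible bytes from the quoted dump; masked fields are placeholders chosen here.
_ip = bytearray.fromhex("45000030 12344000 40060000 c0a80101 c0a80102")
_ip[10:12] = struct.pack("!H", ip_checksum(bytes(_ip)))   # fill in a valid header checksum
SAMPLE = bytes(_ip) + bytes.fromhex("c000ab8f 00000001 00000000 70024000 00000000 02040564 01010402")
```

Running `decode_syn(SAMPLE)` reproduces the walk-through: 48-byte IPv4 packet, 20-byte header, DF set, TCP to port 43919, 7-word header with only SYN set, options MSS 1380, NOP, NOP, SACK-permitted, and no payload.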