[Dshield] OK, packet guys, what about 43919 then?

Tom Liston tliston at premmag.com
Wed Feb 4 15:16:15 GMT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'd be willing to bet foldin' money that the WIN size on this is 55808.

- -TL

On 3 Feb 2004 at 18:53, Johannes B. Ullrich wrote:

> 
> looks just like a regular SYN packet.
> 
> 
> > 4 IP Version 4 (normal)
> > 5 IP header is 20 bytes (good, no options)
> > 00 TOS is 0 (normal)
> > 00 30 packet size 48 bytes (- 20 for IP header leaves 18 bytes)
> > ** ** packet id. may be helpful to have.
> > 40 00 no fragmentation here
> > **    TTL? why obfuscate it?
> > 06    ok. its tcp
> > ** ** header checksum. I guess it was valid?
> > ** ** ** ** source ip
> > QQ RR SS TT target ip
> 
> now we enter the TCP header
> 
> > ** ** why hide the source port? maybe it will tell us something about
> > the origin? e.g. is it a well known port?
> 
> > AB 8F ok. target port is 43919
> > ** ** ** ** sequence number? is it 'ok'?
> > 00 00 00 00 ack number 0. So I assume this was a SYN packet?
> > 7 TCP header is 7 32-bit words long. We got options!
> > 0 02 ok. SYN flag set.
> > ** ** ** ** why hide the window and checksum settings? checksum doesn't say
> > much. but the window may give hints
> > 00 00 ok. URG pointer is set to 0. that's fine
> 
> now the fun part... tcp options.
> 
> > 02 04 05 64 maximum segment size is 0x0564 = 1380... that's a normal value.
> > 01 01       NOP NOP
> > 04 02       SACK
> 
> > 
> > C. Crowley
> > 
> > 
> > _______________________________________________
> > list mailing list
> > list at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
> -- 
> CTO SANS Internet Storm Center               http://isc.sans.org
> phone: (617) 837 2807                          jullrich at sans.org 
> 
> contact details: http://johannes.homepc.org/contact.htm
> 


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Public key - http://www.hackbusters.net/pgp.txt

iD8DBQFAIQy/o6r9fhzAJkoRAhLsAJ49NUcjFr1xcPAly+/O0X//F/ds2QCgx4ab
SikFp2n+jdees3potswWZTM=
=9S+A
-----END PGP SIGNATURE-----