[Dshield] NetSky observation

jayjwa jayjwa at atr2.ath.cx
Tue Feb 24 05:11:22 GMT 2004



On Fri, 20 Feb 2004, Pete Cap wrote:

> Hey Jayjwa,
>
> Anything singular about the packet trace or is it just your typical SYN?
>
> Regards,
>
> Pete
>
> jayjwa <jayjwa at atr2.ath.cx> wrote:
>
>
> On Thu, 19 Feb 2004, Paul Marsh wrote:
> > I've seen it in a long time. Yesterday 5 viri stopped at my perimeter
> > today it's stopped 2. How is everyone else making out, has it quieted
> > down? I read some where (can't remember where) that it's possible that
> > NetSky was created by an AV insider? Is NetSky a good worm or are we
> > just waiting for the second shoe to drop?
>
> Very quite here worm-wise, but what I AM seeing is ALOT of people scanning
> for MyDoom ports, most likely due to the client for the MyDoom proxy being
> released, in executable form no less. That gives the kids something to
> play with, I see the same patterns hitting the Doom ports, over and over
> and over... It's really amazing how frequently- I dare say port 3127 gets
> probed at least 3-4 times a minute. I got a good packet dump yesterday.



I still had the dump laying around. =)
(See attachment)

Note the differences between some of the packets...
I still haven't seen any worms this week (other than some old Swen copies
still floating around ).


-Jay

-------------- next part --------------
Frame 1 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 12:40:14.909521000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 82.177.69.160 (82.177.69.160), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0x8b89 (35721)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 115
    Protocol: TCP (0x06)
    Header checksum: 0x970f (correct)
    Source: 82.177.69.160 (82.177.69.160)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: 3066 (3066), Dst Port: 3127 (3127), Seq: 179303688, Ack: 0, Len: 0
    Source port: 3066 (3066)
    Destination port: 3127 (3127)
    Sequence number: 179303688
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 64240
    Checksum: 0x8b16 (correct)
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 8b 89 40 00 73 06 97 0f 52 b1 45 a0   E..0.. at .s...R.E.
0020  40 b3 0c 2b 0b fa 0c 37 0a af f5 08 00 00 00 00   @..+...7........
0030  70 02 fa f0 8b 16 00 00 02 04 05 b4 01 01 04 02   p...............

Frame 2 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 12:40:17.779525000
    Time delta from previous packet: 2.870004000 seconds
    Time since reference or first frame: 2.870004000 seconds
    Frame Number: 2
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 82.177.69.160 (82.177.69.160), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0x8d5a (36186)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 115
    Protocol: TCP (0x06)
    Header checksum: 0x953e (correct)
    Source: 82.177.69.160 (82.177.69.160)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: 3066 (3066), Dst Port: 3127 (3127), Seq: 179303688, Ack: 0, Len: 0
    Source port: 3066 (3066)
    Destination port: 3127 (3127)
    Sequence number: 179303688
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 64240
    Checksum: 0x8b16 (correct)
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 8d 5a 40 00 73 06 95 3e 52 b1 45 a0   E..0.Z at .s..>R.E.
0020  40 b3 0c 2b 0b fa 0c 37 0a af f5 08 00 00 00 00   @..+...7........
0030  70 02 fa f0 8b 16 00 00 02 04 05 b4 01 01 04 02   p...............

Frame 3 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 12:40:23.799523000
    Time delta from previous packet: 6.019998000 seconds
    Time since reference or first frame: 8.890002000 seconds
    Frame Number: 3
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 82.177.69.160 (82.177.69.160), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0x90f9 (37113)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 115
    Protocol: TCP (0x06)
    Header checksum: 0x919f (correct)
    Source: 82.177.69.160 (82.177.69.160)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: 3066 (3066), Dst Port: 3127 (3127), Seq: 179303688, Ack: 0, Len: 0
    Source port: 3066 (3066)
    Destination port: 3127 (3127)
    Sequence number: 179303688
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 64240
    Checksum: 0x8b16 (correct)
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 90 f9 40 00 73 06 91 9f 52 b1 45 a0   E..0.. at .s...R.E.
0020  40 b3 0c 2b 0b fa 0c 37 0a af f5 08 00 00 00 00   @..+...7........
0030  70 02 fa f0 8b 16 00 00 02 04 05 b4 01 01 04 02   p...............

Frame 4 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 13:05:14.149521000
    Time delta from previous packet: 1490.349998000 seconds
    Time since reference or first frame: 1499.240000000 seconds
    Frame Number: 4
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 62.147.35.16 (62.147.35.16), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0xf72d (63277)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 111
    Protocol: TCP (0x06)
    Header checksum: 0x6619 (correct)
    Source: 62.147.35.16 (62.147.35.16)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: 1184 (1184), Dst Port: 3127 (3127), Seq: 1112139139, Ack: 0, Len: 0
    Source port: 1184 (1184)
    Destination port: 3127 (3127)
    Sequence number: 1112139139
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 8760
    Checksum: 0x7949 (correct)
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 f7 2d 40 00 6f 06 66 19 3e 93 23 10   E..0.- at .o.f.>.#.
0020  40 b3 0c 2b 04 a0 0c 37 42 49 e5 83 00 00 00 00   @..+...7BI......
0030  70 02 22 38 79 49 00 79 02 04 05 b4 01 01 04 02   p."8yI.y........

Frame 5 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 13:05:16.679517000
    Time delta from previous packet: 2.529996000 seconds
    Time since reference or first frame: 1501.769996000 seconds
    Frame Number: 5
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 62.147.35.16 (62.147.35.16), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0xf889 (63625)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 111
    Protocol: TCP (0x06)
    Header checksum: 0x64bd (correct)
    Source: 62.147.35.16 (62.147.35.16)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: 1184 (1184), Dst Port: 3127 (3127), Seq: 1112139139, Ack: 0, Len: 0
    Source port: 1184 (1184)
    Destination port: 3127 (3127)
    Sequence number: 1112139139
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 8760
    Checksum: 0x79c2 (correct)
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 f8 89 40 00 6f 06 64 bd 3e 93 23 10   E..0.. at .o.d.>.#.
0020  40 b3 0c 2b 04 a0 0c 37 42 49 e5 83 00 00 00 00   @..+...7BI......
0030  70 02 22 38 79 c2 00 00 02 04 05 b4 01 01 04 02   p."8y...........

Frame 6 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 13:41:06.209515000
    Time delta from previous packet: 2149.529998000 seconds
    Time since reference or first frame: 3651.299994000 seconds
    Frame Number: 6
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 66.149.138.198 (66.149.138.198), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0xff80 (65408)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 110
    Protocol: TCP (0x06)
    Header checksum: 0xf30d (correct)
    Source: 66.149.138.198 (66.149.138.198)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: 3637 (3637), Dst Port: 3127 (3127), Seq: 77213396, Ack: 0, Len: 0
    Source port: 3637 (3637)
    Destination port: 3127 (3127)
    Sequence number: 77213396
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 64240
    Checksum: 0x201b (correct)
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 ff 80 40 00 6e 06 f3 0d 42 95 8a c6   E..0.. at .n...B...
0020  40 b3 0c 2b 0e 35 0c 37 04 9a 2e d4 00 00 00 00   @..+.5.7........
0030  70 02 fa f0 20 1b 00 00 02 04 05 b4 01 01 04 02   p... ...........

Frame 7 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 13:41:09.139520000
    Time delta from previous packet: 2.930005000 seconds
    Time since reference or first frame: 3654.229999000 seconds
    Frame Number: 7
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 66.149.138.198 (66.149.138.198), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0x01ac (428)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 110
    Protocol: TCP (0x06)
    Header checksum: 0xf0e2 (correct)
    Source: 66.149.138.198 (66.149.138.198)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: 3637 (3637), Dst Port: 3127 (3127), Seq: 77213396, Ack: 0, Len: 0
    Source port: 3637 (3637)
    Destination port: 3127 (3127)
    Sequence number: 77213396
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 64240
    Checksum: 0x201b (correct)
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 01 ac 40 00 6e 06 f0 e2 42 95 8a c6   E..0.. at .n...B...
0020  40 b3 0c 2b 0e 35 0c 37 04 9a 2e d4 00 00 00 00   @..+.5.7........
0030  70 02 fa f0 20 1b 00 00 02 04 05 b4 01 01 04 02   p... ...........

Frame 8 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 13:41:15.859518000
    Time delta from previous packet: 6.719998000 seconds
    Time since reference or first frame: 3660.949997000 seconds
    Frame Number: 8
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 66.149.138.198 (66.149.138.198), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0x05ac (1452)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 110
    Protocol: TCP (0x06)
    Header checksum: 0xece2 (correct)
    Source: 66.149.138.198 (66.149.138.198)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: 3637 (3637), Dst Port: 3127 (3127), Seq: 77213396, Ack: 0, Len: 0
    Source port: 3637 (3637)
    Destination port: 3127 (3127)
    Sequence number: 77213396
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 64240
    Checksum: 0x201b (correct)
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 05 ac 40 00 6e 06 ec e2 42 95 8a c6   E..0.. at .n...B...
0020  40 b3 0c 2b 0e 35 0c 37 04 9a 2e d4 00 00 00 00   @..+.5.7........
0030  70 02 fa f0 20 1b 00 00 02 04 05 b4 01 01 04 02   p... ...........

Frame 9 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 13:55:57.109521000
    Time delta from previous packet: 881.250003000 seconds
    Time since reference or first frame: 4542.200000000 seconds
    Frame Number: 9
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 80.11.16.24 (80.11.16.24), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0xe00e (57358)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 112
    Protocol: TCP (0x06)
    Header checksum: 0x7db8 (correct)
    Source: 80.11.16.24 (80.11.16.24)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: 3312 (3312), Dst Port: 3127 (3127), Seq: 989915287, Ack: 0, Len: 0
    Source port: 3312 (3312)
    Destination port: 3127 (3127)
    Sequence number: 989915287
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 16384
    Checksum: 0xcf96 (correct)
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 e0 0e 40 00 70 06 7d b8 50 0b 10 18   E..0.. at .p.}.P...
0020  40 b3 0c 2b 0c f0 0c 37 3b 00 e8 97 00 00 00 00   @..+...7;.......
0030  70 02 40 00 cf 96 89 c8 02 04 05 b4 01 01 04 02   p. at .............

Frame 10 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 15:02:46.399526000
    Time delta from previous packet: 4009.290005000 seconds
    Time since reference or first frame: 8551.490005000 seconds
    Frame Number: 10
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 68.119.220.231 (68.119.220.231), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0xe6fb (59131)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 110
    Protocol: TCP (0x06)
    Header checksum: 0xb78f (correct)
    Source: 68.119.220.231 (68.119.220.231)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: 3069 (3069), Dst Port: 3127 (3127), Seq: 1985220473, Ack: 0, Len: 0
    Source port: 3069 (3069)
    Destination port: 3127 (3127)
    Sequence number: 1985220473
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 16384
    Checksum: 0xeb08 (correct)
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 e6 fb 40 00 6e 06 b7 8f 44 77 dc e7   E..0.. at .n...Dw..
0020  40 b3 0c 2b 0b fd 0c 37 76 54 0f 79 00 00 00 00   @..+...7vT.y....
0030  70 02 40 00 eb 08 4b d8 02 04 05 b4 01 01 04 02   p. at ...K.........

Frame 11 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 15:02:49.359522000
    Time delta from previous packet: 2.959996000 seconds
    Time since reference or first frame: 8554.450001000 seconds
    Frame Number: 11
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 68.119.220.231 (68.119.220.231), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0xe86e (59502)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 110
    Protocol: TCP (0x06)
    Header checksum: 0xb61c (correct)
    Source: 68.119.220.231 (68.119.220.231)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: 3069 (3069), Dst Port: 3127 (3127), Seq: 1985220473, Ack: 0, Len: 0
    Source port: 3069 (3069)
    Destination port: 3127 (3127)
    Sequence number: 1985220473
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 16384
    Checksum: 0x36e1 (correct)
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 e8 6e 40 00 6e 06 b6 1c 44 77 dc e7   E..0.n at .n...Dw..
0020  40 b3 0c 2b 0b fd 0c 37 76 54 0f 79 00 00 00 00   @..+...7vT.y....
0030  70 02 40 00 36 e1 00 00 02 04 05 b4 01 01 04 02   p. at .6...........

Frame 12 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 15:02:55.369516000
    Time delta from previous packet: 6.009994000 seconds
    Time since reference or first frame: 8560.459995000 seconds
    Frame Number: 12
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 68.119.220.231 (68.119.220.231), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0xea7f (60031)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 110
    Protocol: TCP (0x06)
    Header checksum: 0xb40b (correct)
    Source: 68.119.220.231 (68.119.220.231)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: 3069 (3069), Dst Port: 3127 (3127), Seq: 1985220473, Ack: 0, Len: 0
    Source port: 3069 (3069)
    Destination port: 3127 (3127)
    Sequence number: 1985220473
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 16384
    Checksum: 0x36e1 (correct)
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 ea 7f 40 00 6e 06 b4 0b 44 77 dc e7   E..0.. at .n...Dw..
0020  40 b3 0c 2b 0b fd 0c 37 76 54 0f 79 00 00 00 00   @..+...7vT.y....
0030  70 02 40 00 36 e1 00 00 02 04 05 b4 01 01 04 02   p. at .6...........

Frame 13 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 17:12:53.509521000
    Time delta from previous packet: 7798.140005000 seconds
    Time since reference or first frame: 16358.600000000 seconds
    Frame Number: 13
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 68.95.7.172 (68.95.7.172), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0x2558 (9560)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 108
    Protocol: TCP (0x06)
    Header checksum: 0x5087 (correct)
    Source: 68.95.7.172 (68.95.7.172)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: 4028 (4028), Dst Port: 3127 (3127), Seq: 2887128895, Ack: 0, Len: 0
    Source port: 4028 (4028)
    Destination port: 3127 (3127)
    Sequence number: 2887128895
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 64170
    Checksum: 0x1065 (correct)
    Options: (8 bytes)
        Maximum segment size: 1426 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 25 58 40 00 6c 06 50 87 44 5f 07 ac   E..0%X at .l.P.D_..
0020  40 b3 0c 2b 0f bc 0c 37 ac 16 17 3f 00 00 00 00   @..+...7...?....
0030  70 02 fa aa 10 65 00 00 02 04 05 92 01 01 04 02   p....e..........

Frame 14 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 17:12:56.489514000
    Time delta from previous packet: 2.979993000 seconds
    Time since reference or first frame: 16361.579993000 seconds
    Frame Number: 14
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 68.95.7.172 (68.95.7.172), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0x2675 (9845)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 108
    Protocol: TCP (0x06)
    Header checksum: 0x4f6a (correct)
    Source: 68.95.7.172 (68.95.7.172)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: 4028 (4028), Dst Port: 3127 (3127), Seq: 2887128895, Ack: 0, Len: 0
    Source port: 4028 (4028)
    Destination port: 3127 (3127)
    Sequence number: 2887128895
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 64170
    Checksum: 0x1065 (correct)
    Options: (8 bytes)
        Maximum segment size: 1426 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 26 75 40 00 6c 06 4f 6a 44 5f 07 ac   E..0&u at .l.OjD_..
0020  40 b3 0c 2b 0f bc 0c 37 ac 16 17 3f 00 00 00 00   @..+...7...?....
0030  70 02 fa aa 10 65 00 00 02 04 05 92 01 01 04 02   p....e..........

Frame 15 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 17:13:02.619517000
    Time delta from previous packet: 6.130003000 seconds
    Time since reference or first frame: 16367.709996000 seconds
    Frame Number: 15
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 68.95.7.172 (68.95.7.172), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0x29b8 (10680)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 108
    Protocol: TCP (0x06)
    Header checksum: 0x4c27 (correct)
    Source: 68.95.7.172 (68.95.7.172)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: 4028 (4028), Dst Port: 3127 (3127), Seq: 2887128895, Ack: 0, Len: 0
    Source port: 4028 (4028)
    Destination port: 3127 (3127)
    Sequence number: 2887128895
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 64170
    Checksum: 0x1065 (correct)
    Options: (8 bytes)
        Maximum segment size: 1426 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 29 b8 40 00 6c 06 4c 27 44 5f 07 ac   E..0). at .l.L'D_..
0020  40 b3 0c 2b 0f bc 0c 37 ac 16 17 3f 00 00 00 00   @..+...7...?....
0030  70 02 fa aa 10 65 00 00 02 04 05 92 01 01 04 02   p....e..........

Frame 16 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 17:13:11.799516000
    Time delta from previous packet: 9.179999000 seconds
    Time since reference or first frame: 16376.889995000 seconds
    Frame Number: 16
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 24.128.185.171 (24.128.185.171), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0x6885 (26757)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 110
    Protocol: TCP (0x06)
    Header checksum: 0x8539 (correct)
    Source: 24.128.185.171 (24.128.185.171)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: codasrv-se (2433), Dst Port: 3127 (3127), Seq: 1156113531, Ack: 0, Len: 0
    Source port: codasrv-se (2433)
    Destination port: 3127 (3127)
    Sequence number: 1156113531
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 64512
    Checksum: 0x28f9 (correct)
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 68 85 40 00 6e 06 85 39 18 80 b9 ab   E..0h. at .n..9....
0020  40 b3 0c 2b 09 81 0c 37 44 e8 e4 7b 00 00 00 00   @..+...7D..{....
0030  70 02 fc 00 28 f9 00 00 02 04 05 b4 01 01 04 02   p...(...........

Frame 17 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 17:13:14.709517000
    Time delta from previous packet: 2.910001000 seconds
    Time since reference or first frame: 16379.799996000 seconds
    Frame Number: 17
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 24.128.185.171 (24.128.185.171), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0x6b6b (27499)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 110
    Protocol: TCP (0x06)
    Header checksum: 0x8253 (correct)
    Source: 24.128.185.171 (24.128.185.171)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: codasrv-se (2433), Dst Port: 3127 (3127), Seq: 1156113531, Ack: 0, Len: 0
    Source port: codasrv-se (2433)
    Destination port: 3127 (3127)
    Sequence number: 1156113531
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 64512
    Checksum: 0x28f9 (correct)
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 6b 6b 40 00 6e 06 82 53 18 80 b9 ab   E..0kk at .n..S....
0020  40 b3 0c 2b 09 81 0c 37 44 e8 e4 7b 00 00 00 00   @..+...7D..{....
0030  70 02 fc 00 28 f9 00 00 02 04 05 b4 01 01 04 02   p...(...........

Frame 18 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 17:13:20.749520000
    Time delta from previous packet: 6.040003000 seconds
    Time since reference or first frame: 16385.839999000 seconds
    Frame Number: 18
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 24.128.185.171 (24.128.185.171), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0x70f7 (28919)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 110
    Protocol: TCP (0x06)
    Header checksum: 0x7cc7 (correct)
    Source: 24.128.185.171 (24.128.185.171)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: codasrv-se (2433), Dst Port: 3127 (3127), Seq: 1156113531, Ack: 0, Len: 0
    Source port: codasrv-se (2433)
    Destination port: 3127 (3127)
    Sequence number: 1156113531
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 64512
    Checksum: 0x28f9 (correct)
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 70 f7 40 00 6e 06 7c c7 18 80 b9 ab   E..0p. at .n.|.....
0020  40 b3 0c 2b 09 81 0c 37 44 e8 e4 7b 00 00 00 00   @..+...7D..{....
0030  70 02 fc 00 28 f9 00 00 02 04 05 b4 01 01 04 02   p...(...........

Frame 19 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 17:23:32.099525000
    Time delta from previous packet: 611.350005000 seconds
    Time since reference or first frame: 16997.190004000 seconds
    Frame Number: 19
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 200.44.212.87 (200.44.212.87), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0x908c (37004)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 109
    Protocol: TCP (0x06)
    Header checksum: 0x93d9 (correct)
    Source: 200.44.212.87 (200.44.212.87)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: 4210 (4210), Dst Port: 3127 (3127), Seq: 350566004, Ack: 0, Len: 0
    Source port: 4210 (4210)
    Destination port: 3127 (3127)
    Sequence number: 350566004
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 16384
    Checksum: 0xf1ba (correct)
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 90 8c 40 00 6d 06 93 d9 c8 2c d4 57   E..0.. at .m....,.W
0020  40 b3 0c 2b 10 72 0c 37 14 e5 36 74 00 00 00 00   @..+.r.7..6t....
0030  70 02 40 00 f1 ba 00 00 02 04 05 b4 01 01 04 02   p. at .............

Frame 20 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 17:23:35.129515000
    Time delta from previous packet: 3.029990000 seconds
    Time since reference or first frame: 17000.219994000 seconds
    Frame Number: 20
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 200.44.212.87 (200.44.212.87), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0x9279 (37497)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 109
    Protocol: TCP (0x06)
    Header checksum: 0x91ec (correct)
    Source: 200.44.212.87 (200.44.212.87)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: 4210 (4210), Dst Port: 3127 (3127), Seq: 350566004, Ack: 0, Len: 0
    Source port: 4210 (4210)
    Destination port: 3127 (3127)
    Sequence number: 350566004
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 16384
    Checksum: 0xf1ba (correct)
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 92 79 40 00 6d 06 91 ec c8 2c d4 57   E..0.y at .m....,.W
0020  40 b3 0c 2b 10 72 0c 37 14 e5 36 74 00 00 00 00   @..+.r.7..6t....
0030  70 02 40 00 f1 ba 00 00 02 04 05 b4 01 01 04 02   p. at .............

Frame 21 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 17:23:41.089516000
    Time delta from previous packet: 5.960001000 seconds
    Time since reference or first frame: 17006.179995000 seconds
    Frame Number: 21
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 200.44.212.87 (200.44.212.87), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0x961e (38430)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 109
    Protocol: TCP (0x06)
    Header checksum: 0x8e47 (correct)
    Source: 200.44.212.87 (200.44.212.87)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: 4210 (4210), Dst Port: 3127 (3127), Seq: 350566004, Ack: 0, Len: 0
    Source port: 4210 (4210)
    Destination port: 3127 (3127)
    Sequence number: 350566004
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 16384
    Checksum: 0xf1ba (correct)
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 96 1e 40 00 6d 06 8e 47 c8 2c d4 57   E..0.. at .m..G.,.W
0020  40 b3 0c 2b 10 72 0c 37 14 e5 36 74 00 00 00 00   @..+.r.7..6t....
0030  70 02 40 00 f1 ba 00 00 02 04 05 b4 01 01 04 02   p. at .............

Frame 22 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 17:29:23.409519000
    Time delta from previous packet: 342.320003000 seconds
    Time since reference or first frame: 17348.499998000 seconds
    Frame Number: 22
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 63.190.144.117 (63.190.144.117), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0xc268 (49768)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 111
    Protocol: TCP (0x06)
    Header checksum: 0x2c4e (correct)
    Source: 63.190.144.117 (63.190.144.117)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: 2988 (2988), Dst Port: 3127 (3127), Seq: 2602015000, Ack: 0, Len: 0
    Source port: 2988 (2988)
    Destination port: 3127 (3127)
    Sequence number: 2602015000
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 64240
    Checksum: 0x1f0a (correct)
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 c2 68 40 00 6f 06 2c 4e 3f be 90 75   E..0.h at .o.,N?..u
0020  40 b3 0c 2b 0b ac 0c 37 9b 17 99 18 00 00 00 00   @..+...7........
0030  70 02 fa f0 1f 0a 00 00 02 04 05 b4 01 01 04 02   p...............

Frame 23 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 17:29:26.219518000
    Time delta from previous packet: 2.809999000 seconds
    Time since reference or first frame: 17351.309997000 seconds
    Frame Number: 23
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 63.190.144.117 (63.190.144.117), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0xc37f (50047)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 111
    Protocol: TCP (0x06)
    Header checksum: 0x2b37 (correct)
    Source: 63.190.144.117 (63.190.144.117)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: 2988 (2988), Dst Port: 3127 (3127), Seq: 2602015000, Ack: 0, Len: 0
    Source port: 2988 (2988)
    Destination port: 3127 (3127)
    Sequence number: 2602015000
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 64240
    Checksum: 0x1f0a (correct)
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 c3 7f 40 00 6f 06 2b 37 3f be 90 75   E..0.. at .o.+7?..u
0020  40 b3 0c 2b 0b ac 0c 37 9b 17 99 18 00 00 00 00   @..+...7........
0030  70 02 fa f0 1f 0a 00 00 02 04 05 b4 01 01 04 02   p...............

Frame 24 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Feb 19, 2004 17:29:32.549517000
    Time delta from previous packet: 6.329999000 seconds
    Time since reference or first frame: 17357.639996000 seconds
    Frame Number: 24
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 63.190.144.117 (63.190.144.117), Dst Addr: 64.179.12.43 (64.179.12.43)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0xc630 (50736)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 111
    Protocol: TCP (0x06)
    Header checksum: 0x2886 (correct)
    Source: 63.190.144.117 (63.190.144.117)
    Destination: 64.179.12.43 (64.179.12.43)
Transmission Control Protocol, Src Port: 2988 (2988), Dst Port: 3127 (3127), Seq: 2602015000, Ack: 0, Len: 0
    Source port: 2988 (2988)
    Destination port: 3127 (3127)
    Sequence number: 2602015000
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 64240
    Checksum: 0x1f0a (correct)
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 30 c6 30 40 00 6f 06 28 86 3f be 90 75   E..0.0 at .o.(.?..u
0020  40 b3 0c 2b 0b ac 0c 37 9b 17 99 18 00 00 00 00   @..+...7........
0030  70 02 fa f0 1f 0a 00 00 02 04 05 b4 01 01 04 02   p...............



More information about the list mailing list