[Dshield] TCP/3389 (MS Terminal Services) Probes

Bruce & Roma ecarew2531 at rogers.com
Sun Mar 7 16:32:37 GMT 2004


Good Morning;

Chris Breton was looking for some packet captures of Port 3389
probes.  I have included below a packet capture from my segment
of the Rogers cable network on 6 Mar.  This includes full packet
capture and statistics.

Cheers,

Bruce


Frame 1 (62 bytes on wire, 62 bytes captured)
     Arrival Time: Mar  6, 2004 20:28:33.424999000
     Frame Number: 1
     Packet Length: 62 bytes
     Capture Length: 62 bytes

Internet Protocol, Src Addr: 218.106.166.50 (218.106.166.50), Dst Addr: 
24.103.x.x
     Version: 4
     Header length: 20 bytes
     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
         0000 00.. = Differentiated Services Codepoint: Default (0x00)
         .... ..0. = ECN-Capable Transport (ECT): 0
         .... ...0 = ECN-CE: 0
     Total Length: 48
     Identification: 0x7029 (28713)
     Flags: 0x04
         .1.. = Don't fragment: Set
         ..0. = More fragments: Not set
     Fragment offset: 0
     Time to live: 101
     Protocol: TCP (0x06)
     Header checksum: 0xb712 (correct)
     Source: 218.106.166.50 (218.106.166.50)
     Destination: 24.103.x.x (24.103.x.x)
Transmission Control Protocol, Src Port: 2275 (2275), Dst Port: 3389 
(3389), Seq: 2908790642, Ack: 0, Len: 0
     Source port: 2275 (2275)
     Destination port: 3389 (3389)
     Sequence number: 2908790642
     Header length: 28 bytes
     Flags: 0x0002 (SYN)
         0... .... = Congestion Window Reduced (CWR): Not set
         .0.. .... = ECN-Echo: Not set
         ..0. .... = Urgent: Not set
         ...0 .... = Acknowledgment: Not set
         .... 0... = Push: Not set
         .... .0.. = Reset: Not set
         .... ..1. = Syn: Set
         .... ...0 = Fin: Not set
     Window size: 65535
     Checksum: 0x31a0 (correct)
     Options: (8 bytes)
         Maximum segment size: 1460 bytes
         NOP
         NOP
         SACK permitted

0000  00 80 c6 fe 3f 37 00 00 77 94 6a 22 08 00 45 00   ....?7..w.j"..E.
0010  00 30 70 29 40 00 65 06 b7 12 da 6a a6 32 18 67   .0p)@.e....j.2xx
0020  X X 08 e3 0d 3d ad 60 9f 72 00 00 00 00 70 02   xx...=.`.r....p.
0030  ff ff 31 a0 00 00 02 04 05 b4 01 01 04 02         ..1...........

Frame 2 (62 bytes on wire, 62 bytes captured)
     Arrival Time: Mar  6, 2004 20:28:36.342000000
     Time delta from previous packet: 2.917001000 seconds
     Time since reference or first frame: 2.917001000 seconds
     Frame Number: 2
     Packet Length: 62 bytes
     Capture Length: 62 bytes
Internet Protocol, Src Addr: 218.106.166.50 (218.106.166.50), Dst Addr: 
24.103.x.x (24.103.x.x)
     Version: 4
     Header length: 20 bytes
     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
         0000 00.. = Differentiated Services Codepoint: Default (0x00)
         .... ..0. = ECN-Capable Transport (ECT): 0
         .... ...0 = ECN-CE: 0
     Total Length: 48
     Identification: 0x7066 (28774)
     Flags: 0x04
         .1.. = Don't fragment: Set
         ..0. = More fragments: Not set
     Fragment offset: 0
     Time to live: 101
     Protocol: TCP (0x06)
     Header checksum: 0xb6d5 (correct)
     Source: 218.106.166.50 (218.106.166.50)
     Destination: 24.103.x.x (24.103.x.x)
Transmission Control Protocol, Src Port: 2275 (2275), Dst Port: 3389 
(3389), Seq: 2908790642, Ack: 0, Len: 0
     Source port: 2275 (2275)
     Destination port: 3389 (3389)
     Sequence number: 2908790642
     Header length: 28 bytes
     Flags: 0x0002 (SYN)
         0... .... = Congestion Window Reduced (CWR): Not set
         .0.. .... = ECN-Echo: Not set
         ..0. .... = Urgent: Not set
         ...0 .... = Acknowledgment: Not set
         .... 0... = Push: Not set
         .... .0.. = Reset: Not set
         .... ..1. = Syn: Set
         .... ...0 = Fin: Not set
     Window size: 65535
     Checksum: 0x31a0 (correct)
     Options: (8 bytes)
         Maximum segment size: 1460 bytes
         NOP
         NOP
         SACK permitted

0000  00 80 c6 fe 3f 37 00 00 77 94 6a 22 08 00 45 00   ....?7..w.j"..E.
0010  00 30 70 66 40 00 65 06 b6 d5 da 6a a6 32 18 67   .0pf@.e....j.2.x
0020  X X 08 e3 0d 3d ad 60 9f 72 00 00 00 00 70 02   x....=.`.r....p.
0030  ff ff 31 a0 00 00 02 04 05 b4 01 01 04 02         ..1...........

Frame 3 (62 bytes on wire, 62 bytes captured)
     Arrival Time: Mar  6, 2004 20:28:42.372999000
     Time delta from previous packet: 6.030999000 seconds
     Time since reference or first frame: 8.948000000 seconds
     Frame Number: 3
     Packet Length: 62 bytes
     Capture Length: 62 bytes
Internet Protocol, Src Addr: 218.106.166.50 (218.106.166.50), Dst Addr: 
24.103.x.x (24.103.x.x)
     Version: 4
     Header length: 20 bytes
     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
         0000 00.. = Differentiated Services Codepoint: Default (0x00)
         .... ..0. = ECN-Capable Transport (ECT): 0
         .... ...0 = ECN-CE: 0
     Total Length: 48
     Identification: 0x70dd (28893)
     Flags: 0x04
         .1.. = Don't fragment: Set
         ..0. = More fragments: Not set
     Fragment offset: 0
     Time to live: 101
     Protocol: TCP (0x06)
     Header checksum: 0xb65e (correct)
     Source: 218.106.166.50 (218.106.166.50)
     Destination: 24.103.x.x (24.103.x.x)
Transmission Control Protocol, Src Port: 2275 (2275), Dst Port: 3389 
(3389), Seq: 2908790642, Ack: 0, Len: 0
     Source port: 2275 (2275)
     Destination port: 3389 (3389)
     Sequence number: 2908790642
     Header length: 28 bytes
     Flags: 0x0002 (SYN)
         0... .... = Congestion Window Reduced (CWR): Not set
         .0.. .... = ECN-Echo: Not set
         ..0. .... = Urgent: Not set
         ...0 .... = Acknowledgment: Not set
         .... 0... = Push: Not set
         .... .0.. = Reset: Not set
         .... ..1. = Syn: Set
         .... ...0 = Fin: Not set
     Window size: 65535
     Checksum: 0x31a0 (correct)
     Options: (8 bytes)
         Maximum segment size: 1460 bytes
         NOP
         NOP
         SACK permitted

0000  00 80 c6 fe 3f 37 00 00 77 94 6a 22 08 00 45 00   ....?7..w.j"..E.
0010  00 30 70 dd 40 00 65 06 b6 5e da 6a a6 32 18 67   .0p.@.e..^.j.2.x
0020  X X 08 e3 0d 3d ad 60 9f 72 00 00 00 00 70 02   x....=.`.r....p.
0030  ff ff 31 a0 00 00 02 04 05 b4 01 01 04 02         ..1...........
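Added example, not part of Bruce's post: a small Python decoder over the three hex dumps above that recovers the fields Ethereal displayed and groups the frames by connection attempt. The identical source port and sequence number across all three frames show they are retransmissions of one SYN (the roughly 3 s and then 6 s spacing is ordinary stack back-off), so a sensor that tallies raw SYNs reports three probes where there was one. The masked "X X" destination octets are assumed to be 00, so checksums are not verified.

```python
import struct
from datetime import datetime

# Test data transcribed from the hex dumps in the post; only the 0x0010 line
# (IP identification and header checksum) differs between frames. The masked
# "X X" destination octets decode as 00, so checksums cannot be verified here.
LINE0 = "00 80 c6 fe 3f 37 00 00 77 94 6a 22 08 00 45 00"
LINE2 = "X X 08 e3 0d 3d ad 60 9f 72 00 00 00 00 70 02"
LINE3 = "ff ff 31 a0 00 00 02 04 05 b4 01 01 04 02"
FRAMES = [  # (arrival time, dump line 0x0010)
    ("20:28:33.424999", "00 30 70 29 40 00 65 06 b7 12 da 6a a6 32 18 67"),
    ("20:28:36.342000", "00 30 70 66 40 00 65 06 b6 d5 da 6a a6 32 18 67"),
    ("20:28:42.372999", "00 30 70 dd 40 00 65 06 b6 5e da 6a a6 32 18 67"),
]
TCP_FLAGS = {1: "FIN", 2: "SYN", 4: "RST", 8: "PSH", 16: "ACK", 32: "URG"}

def frame_bytes(line1):
    words = " ".join([LINE0, line1, LINE2, LINE3]).split()
    return bytes(0 if w == "X" else int(w, 16) for w in words)

def tcp_options(opt):
    out, i = [], 0
    while i < len(opt) and opt[i] != 0:           # kind 0 ends the list
        if opt[i] == 1:                            # NOP carries no length
            out.append("NOP"); i += 1; continue
        kind, ln = opt[i], opt[i + 1]
        if kind == 2:
            out.append("MSS=%d" % int.from_bytes(opt[i + 2:i + 4], "big"))
        else:
            out.append("SACK permitted" if kind == 4 else "kind%d" % kind)
        i += ln
    return out

def parse(raw):  # Ethernet (14 bytes) / IPv4 / TCP, as Ethereal displayed them
    ip_id, ttl = struct.unpack("!H", raw[18:20])[0], raw[22]
    src, dst = (".".join(map(str, raw[o:o + 4])) for o in (26, 30))
    t = 14 + (raw[14] & 0x0f) * 4                  # TCP header offset
    sport, dport, seq, _ack, off_flags, win = struct.unpack("!HHIIHH", raw[t:t + 16])
    flags = [n for b, n in TCP_FLAGS.items() if off_flags & b]
    return dict(src=src, dst=dst, ttl=ttl, ip_id=ip_id, sport=sport, dport=dport,
                seq=seq, flags=flags, win=win,
                options=tcp_options(raw[t + 20:t + (off_flags >> 12) * 4]))

def analyse(frames=FRAMES):
    """Group SYNs by (src, sport, dst, dport, ISN): one key means one attempt."""
    parsed = [parse(frame_bytes(h)) for _, h in frames]
    attempts = {(p["src"], p["sport"], p["dst"], p["dport"], p["seq"]) for p in parsed}
    times = [datetime.strptime(t, "%H:%M:%S.%f") for t, _ in frames]
    deltas = [round((b - a).total_seconds(), 3) for a, b in zip(times, times[1:])]
    return dict(first=parsed[0], attempts=len(attempts), deltas=deltas)
```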
