Tcpdump - any experts to explain exactly what the output means?

I have a tcpdump where I'm not getting the reply I expect from the remote device. I'm just wondering what certain parts mean, e.g. [.], nop, nop, etc.

Logs are as follows:

14:41:29.534774 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [S.], seq 3781070632, ack 3003906911, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 133182370 ecr 104989], length 0
14:41:29.534826 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [S.], seq 3781070632, ack 3003906911, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 133182370 ecr 104989], length 0
14:41:29.624576 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [.], ack 1, win 516, options [nop,nop,TS val 133182378 ecr 104997,nop,nop,sack 1 {1377:2164}], length 0
14:41:29.624606 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [.], ack 1, win 516, options [nop,nop,TS val 133182378 ecr 104997,nop,nop,sack 1 {1377:2164}], length 0
14:41:34.615679 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133182878 ecr 104997], length 0
14:41:34.615697 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133182878 ecr 104997], length 0
14:41:34.916109 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133182908 ecr 104997], length 0
14:41:34.916132 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133182908 ecr 104997], length 0
14:41:35.516652 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133182968 ecr 104997], length 0
14:41:35.516669 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133182968 ecr 104997], length 0
14:41:36.723812 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133183088 ecr 104997], length 0
14:41:36.723818 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133183088 ecr 104997], length 0
14:41:39.115565 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133183328 ecr 104997], length 0
14:41:39.115579 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133183328 ecr 104997], length 0
14:41:43.916919 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133183808 ecr 104997], length 0
14:41:43.916930 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133183808 ecr 104997], length 0
14:41:53.522107 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [R.], seq 2, ack 1, win 0, length 0
14:41:53.522114 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [R.], seq 2, ack 1, win 0, length 0

  • The TCP flags are explained in the tcpdump manpage: "Flags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or `.' (ACK), or `none' if no flags are set.".

    And the TCP options are for example mentioned here: https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml
    nop (No-Operation) has no meaning and seems to be used for aligning the other options. TS val is a timestamp.

  • It seems you only capture answer packets from 10.1.2.20 to 10.1.38.140.

    Which traffic are you searching for?

    Which capture command/filter do you use?

    Possibly capturing both directions and comparing "sent to" and "received from" packets is more useful.

    I use full packet capture to file and check the result within Wireshark.

    tcpdump -i <interface> -s 65535 -w <some-file>


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Looking at the UTM, some devices can have their own formatting. In the case of the UTM, the "." is an ACK

    So:

    [S] - SYN
    [S.] - SYN-ACK
    [.] - ACK

    [F] - FIN
    [F.] - FIN-ACK

    [R] - RST
    [R.] - RST-ACK


    You are correct, what we are not seeing in the above is the first packet getting sent from the host to the server (the SYN).

    We then see a SYN-ACK from the server to the client but no ACK from the client. The server resends again but still no reply. And then it closes down the connection.
    Taking the above into account, traffic is flowing in one direction but is being blocked (by the FW at the remote end), as the UTM is clearly showing it responding and the UTM FW logs are also allowing it to pass.
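The flag and option decoding given in the first reply, and the reading of the SYN-ACK / FIN / RST sequence in the reply above, can be checked mechanically. What follows is an added example, not code from this thread or from Sophos: a small Python parser for tcpdump's default one-line TCP output that labels the flags, decodes the options (nop, mss, wscale, sackOK, TS val/ecr, sack blocks) and summarises a flow: which directions were captured, how many times each segment was actually put on the wire, and which byte range a SACK block says is still missing. The sample input is a subset of the lines posted above. Two things are this example's own assumptions rather than anything the thread states: tcpdump's default relative sequence numbering (no -S), and the heuristic that two lines with identical flags, seq, ack and TS val are one transmission (for instance the same packet seen on two interfaces), while a fresh TS val on an otherwise identical segment is a real retransmission.

```python
import re
from collections import defaultdict

# Added example (not code from the thread or from Sophos): parse tcpdump's
# default one-line TCP output and summarise a flow. Assumes tcpdump's default
# relative seq/ack numbering (no -S) and service-name ports (no -nn).

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>[\w-]+) > (?P<dst>\S+)\.(?P<dport>[\w-]+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, options \[(?P<options>[^\]]*)\])?"
    r", length (?P<length>\d+)"
)

# tcpdump flag letters; "." is ACK, so "S." is SYN-ACK and "F." is FIN-ACK.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", "U": "URG",
              "W": "CWR", "E": "ECE", ".": "ACK"}


def parse_options(text):
    """Decode 'mss 1460,nop,wscale 8,sackOK,TS val 1 ecr 2,sack 1 {a:b}' into a dict."""
    opts = {"nop": 0, "sack": []}
    for tok in (text or "").split(","):
        tok = tok.strip()
        if tok == "nop":                      # 1-byte padding; keeps later options 4-byte aligned
            opts["nop"] += 1
        elif tok.startswith("mss "):
            opts["mss"] = int(tok.split()[1])
        elif tok.startswith("wscale "):
            opts["wscale"] = int(tok.split()[1])
        elif tok == "sackOK":
            opts["sackOK"] = True
        elif tok.startswith("TS val "):       # sender's timestamp clock and the value it echoes back
            parts = tok.split()
            opts["ts_val"], opts["ts_ecr"] = int(parts[2]), int(parts[4])
        elif tok.startswith("sack "):         # out-of-order byte ranges the sender already holds
            opts["sack"] = [tuple(map(int, b.split(":")))
                            for b in re.findall(r"\{(\d+:\d+)\}", tok)]
    return opts


def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    num = lambda v: int(v) if v is not None else None
    return {
        "ts": d["ts"],
        "src": f'{d["src"]}.{d["sport"]}',
        "dst": f'{d["dst"]}.{d["dport"]}',
        "flags": [FLAG_NAMES.get(c, c) for c in d["flags"]],
        "seq": num(d["seq"]), "ack": num(d["ack"]), "win": num(d["win"]),
        "length": int(d["length"]),
        "options": parse_options(d["options"]),
    }


def summarize(lines):
    """Per-flow summary: directions captured, distinct transmissions, SACK holes."""
    recs = [r for r in map(parse_line, lines) if r]
    directions = {(r["src"], r["dst"]) for r in recs}
    # Heuristic (assumption of this example): lines with the same flags/seq/ack
    # AND the same TS val were put on the wire once, e.g. the same packet seen on
    # two interfaces; a new TS val means the sender really retransmitted.
    ts_vals = defaultdict(set)
    for r in recs:
        ts_vals[("-".join(r["flags"]), r["seq"], r["ack"])].add(r["options"].get("ts_val"))
    holes = set()
    for r in recs:
        for left, _right in r["options"]["sack"]:
            if r["ack"] is not None and left > r["ack"]:
                holes.add((r["ack"], left))   # bytes [ack, left) have not arrived
    return {
        "packets": len(recs),
        "directions": sorted(directions),
        "transmissions": {k: len(v) for k, v in ts_vals.items()},
        "sack_holes": sorted(holes),
    }


# A subset of the lines posted above (one copy of most FIN retransmissions).
SAMPLE = """\
14:41:29.534774 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [S.], seq 3781070632, ack 3003906911, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 133182370 ecr 104989], length 0
14:41:29.534826 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [S.], seq 3781070632, ack 3003906911, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 133182370 ecr 104989], length 0
14:41:29.624576 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [.], ack 1, win 516, options [nop,nop,TS val 133182378 ecr 104997,nop,nop,sack 1 {1377:2164}], length 0
14:41:34.615679 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133182878 ecr 104997], length 0
14:41:34.615697 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133182878 ecr 104997], length 0
14:41:34.916109 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133182908 ecr 104997], length 0
14:41:35.516652 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133182968 ecr 104997], length 0
14:41:36.723812 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133183088 ecr 104997], length 0
14:41:39.115565 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133183328 ecr 104997], length 0
14:41:43.916919 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133183808 ecr 104997], length 0
14:41:53.522107 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [R.], seq 2, ack 1, win 0, length 0
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE.splitlines()).items():
        print(f"{key}: {value}")
```

Run against the sample it reports a single direction (10.1.2.20.http-alt to 10.1.38.140.43175, so the capture filter or capture point only shows one side), one SYN-ACK transmission, six FIN-ACK transmissions whose TS vals grow by 30, 60, 120, 240 and 480 ticks (the sender's retransmission backoff), one RST, and a SACK hole of [1, 1377): the host at 10.1.2.20 has acknowledged nothing past relative byte 1 from the client, yet its SACK block says it already holds the client's bytes 1377 to 2163. Under the relative-numbering assumption that means at least one client data segment did reach 10.1.2.20 while the first 1376 bytes of client data did not, which is worth checking in a two-sided capture before concluding that nothing from the client arrives.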

  • Hi Louis-M,

    I recommend dumping the trace to a file and using wireshark to analyze. There are many, many ways to display the packet flow and finding problems in large trace files.

    On the web you can find many tutorials to guide you if you are new to packet sniffing.

    The sniffing bible is this: https://www.amazon.de/Wireshark-Network-Analysis-Official-Certified/dp/1893939995 written by the goddess of packet analyzing!


    CS


    Sophos Certified Architect (UTM + XG)