Tcpdump - any experts to explain exactly what the output means?

I have a tcpdump where I'm not getting the reply I expect from the remote device. I'm just wondering what certain parts mean, e.g. [.], nop, nop, etc.

Logs are as follows:

14:41:29.534774 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [S.], seq 3781070632, ack 3003906911, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 133182370 ecr 104989], length 0

14:41:29.534826 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [S.], seq 3781070632, ack 3003906911, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 133182370 ecr 104989], length 0

14:41:29.624576 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [.], ack 1, win 516, options [nop,nop,TS val 133182378 ecr 104997,nop,nop,sack 1 {1377:2164}], length 0

14:41:29.624606 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [.], ack 1, win 516, options [nop,nop,TS val 133182378 ecr 104997,nop,nop,sack 1 {1377:2164}], length 0

14:41:34.615679 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133182878 ecr 104997], length 0

14:41:34.615697 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133182878 ecr 104997], length 0

14:41:34.916109 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133182908 ecr 104997], length 0

14:41:34.916132 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133182908 ecr 104997], length 0

14:41:35.516652 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133182968 ecr 104997], length 0

14:41:35.516669 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133182968 ecr 104997], length 0

14:41:36.723812 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133183088 ecr 104997], length 0

14:41:36.723818 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133183088 ecr 104997], length 0

14:41:39.115565 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133183328 ecr 104997], length 0

14:41:39.115579 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133183328 ecr 104997], length 0

14:41:43.916919 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133183808 ecr 104997], length 0

14:41:43.916930 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133183808 ecr 104997], length 0

14:41:53.522107 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [R.], seq 2, ack 1, win 0, length 0

14:41:53.522114 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [R.], seq 2, ack 1, win 0, length 0

  • The TCP flags are explained in the tcpdump manpage: "Flags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or `.' (ACK), or `none' if no flags are set.".

    And the TCP options are for example mentioned here: https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml
    nop (No-Operation) has no meaning and seems to be used for aligning the other options. TS val is a timestamp.

  • Looking at the UTM, some devices can have their own formatting. In the case of the UTM, the "." is an ACK

    So:

    [S]- SYN
    [S.] - SYN-ACK
    [.] - ACK

    [F] - FIN
    [F.] - FIN-ACK

    [R] - RST
    [R.] - RST-ACK

    You are correct, what we are not seeing in the above is the first packet getting sent from the host to the server (the SYN).

    We then see a SYN-ACK from the server to the client but no ACK from the client. The server resends again but still no reply. And then it closes down the connection.
    Taking the above into account, traffic is flowing in one direction but is being blocked (by the FW at the remote end), as the UTM is clearly showing it responding and the UTM FW logs are also allowing it to pass.
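As an added illustration (not part of either reply above), here is a small Python parser for tcpdump lines in the format posted in the question. It maps the flag letters to names using the list quoted from the manpage in the first reply, decodes the option field (mss, nop, wscale, sackOK, TS val/ecr, sack blocks) and then runs three checks a practitioner would do by eye on a capture like this one: are all packets going in one direction, which segments are repeated with the same seq/ack (retransmissions, ignoring the changing TS option), and which SACK blocks the sender is reporting. The sample lines are copied from the capture in the question (each packet appears twice in the post; the sample keeps one copy, plus two of the FIN retransmissions); the function names and the summary keys are my own.

```python
import re
from collections import Counter

# Flag letters as listed in the tcpdump manpage (quoted in the first reply).
FLAG_NAMES = {
    "S": "SYN", "F": "FIN", "P": "PSH", "R": "RST",
    "U": "URG", "W": "CWR", "E": "ECE", ".": "ACK",
}

# One tcpdump line in the default "IP src > dst: Flags [..], seq, ack, win,
# options [...], length N" layout. seq/ack/win/options are optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+(?::\d+)?))?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, options \[(?P<opts>[^\]]*)\])?"
    r", length (?P<len>\d+)$"
)

# Lines copied from the capture in the question (one copy of each distinct
# packet type, plus two of the FIN retransmissions).
SAMPLE = [
    "14:41:29.534774 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [S.], seq 3781070632, ack 3003906911, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 133182370 ecr 104989], length 0",
    "14:41:29.624576 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [.], ack 1, win 516, options [nop,nop,TS val 133182378 ecr 104997,nop,nop,sack 1 {1377:2164}], length 0",
    "14:41:34.615679 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133182878 ecr 104997], length 0",
    "14:41:34.916109 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [F.], seq 1, ack 1, win 516, options [nop,nop,TS val 133182908 ecr 104997], length 0",
    "14:41:53.522107 IP 10.1.2.20.http-alt > 10.1.38.140.43175: Flags [R.], seq 2, ack 1, win 0, length 0",
]


def parse_options(text):
    """Decode the comma-separated option field into (name, value) pairs."""
    opts = []
    if not text:
        return opts
    for item in (s.strip() for s in text.split(",")):
        if item in ("nop", "sackOK", "eol"):
            opts.append((item, None))            # nop is padding/alignment only
        elif item.startswith("mss "):
            opts.append(("mss", int(item.split()[1])))
        elif item.startswith("wscale "):
            opts.append(("wscale", int(item.split()[1])))
        elif item.startswith("TS val "):
            m = re.match(r"TS val (\d+) ecr (\d+)", item)
            opts.append(("TS", {"val": int(m.group(1)), "ecr": int(m.group(2))}))
        elif item.startswith("sack "):
            # Each {left:right} block is a range received but not yet contiguous
            # with the ack number (numbers are relative, like seq/ack here).
            blocks = [tuple(int(x) for x in b.split(":"))
                      for b in re.findall(r"\{(\d+:\d+)\}", item)]
            opts.append(("sack", blocks))
        else:
            opts.append((item, None))            # unknown option, keep verbatim
    return opts


def parse_line(line):
    """Parse one tcpdump line into a dict; raises ValueError on unknown layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    d = m.groupdict()
    flags = d["flags"]
    return {
        "ts": d["ts"],
        "src": d["src"],
        "dst": d["dst"],
        "flags": flags,
        "flag_names": [] if flags == "none" else [FLAG_NAMES.get(c, c) for c in flags],
        "seq": d["seq"],
        "ack": int(d["ack"]) if d["ack"] else None,
        "win": int(d["win"]) if d["win"] else None,
        "options": parse_options(d["opts"]),
        "length": int(d["len"]),
    }


def summarise(lines):
    """Direction, flag mix, repeated segments and SACK blocks for a capture."""
    pkts = [parse_line(l) for l in lines if l.strip()]
    directions = Counter((p["src"], p["dst"]) for p in pkts)
    # Same endpoints, flags, seq and ack seen again: a retransmission. The TS
    # option changes on every copy, so it is deliberately left out of the key.
    keyed = Counter((p["src"], p["dst"], p["flags"], p["seq"], p["ack"]) for p in pkts)
    sack_blocks = [blk for p in pkts for name, val in p["options"]
                   if name == "sack" for blk in val]
    return {
        "packets": len(pkts),
        "one_way": len(directions) == 1,        # only ever src -> dst, never the reverse
        "flags": dict(Counter(p["flags"] for p in pkts)),
        "retransmitted": {k: n for k, n in keyed.items() if n > 1},
        "sack_blocks": sack_blocks,
    }


if __name__ == "__main__":
    for p in map(parse_line, SAMPLE):
        print(p["ts"], "/".join(p["flag_names"]), p["options"])
    print(summarise(SAMPLE))
```

Feed it a real capture with `tcpdump -nn -ttt ... | python3 parse.py` style piping after swapping SAMPLE for `sys.stdin`; `one_way` being True on a capture taken at the firewall is the quick confirmation that only one side's packets are being seen.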
