These examples in this post bases on Checkpoint Firewalls. In other platform, the output and
command options may have a difference.
Table of Contents
ToggleBasic TCPDUMP Commands:
Flags:
. – No Flag Set
P – PSH (Push Data)
F – FIN (Finish Connection)
R – RST (Reset Connection)
or a single ’.’ (no flags)
Three-way Handshake:
a randomly determined integer between 0 and 4,294,967,295. Communicating hosts exchange ISNs during connection initialization. Each host sets two counters: sequence and acknowledgement. In the context of a single TCP packet, the sequence number is set by the sending host, and the acknowledgement number is set by the receiving host.
Host B receives A’s SYN
Host B sends a SYNchronize-ACKnowledgement
Host A receives B’s SYN-ACK
Host A sends ACKnowledge
Host B receives ACK.
TCP socket connection is ESTABLISHED.
tcp three-way handshake,syn,syn-ack,ack
TCP Three Way Handshake (SYN,SYN-ACK,ACK) – See more at this URL:
Commands and Outputs Examples:
1. ICMP Example
[Expert@ CP1:0]#tcpdump -i Mgmt host 172.16.1.53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on Mgmt, link-type EN10MB (Ethernet), capture size 96 bytes 09:37:38.370763 IP 10.9.20.14 > 172.16.1.53: ICMP echo request, id 1, seq 3, length 40 09:37:38.372210 IP 172.16.1.53 > 10.9.20.14: ICMP echo reply, id 1, seq 3, length 40 09:37:39.365648 IP 10.9.20.14 > 172.16.1.53: ICMP echo request, id 1, seq 4, length 40 09:37:39.366558 IP 172.16.1.53 > 10.9.200.14: ICMP echo reply, id 1, seq 4, length 40 09:37:40.363506 IP 10.9.20.14 > 172.16.1.53: ICMP echo request, id 1, seq 5, length 40 09:37:40.364318 IP 172.16.1.53 > 10.9.20.14: ICMP echo reply, id 1, seq 5, length 40 09:37:41.361947 IP 10.9.20.14 > 172.16.1.53: ICMP echo request, id 1, seq 6, length 40 09:37:41.362771 IP 172.16.1.53 > 10.9.20.14: ICMP echo reply, id 1, seq 6, length 40 [Expert@CP1:0]# tcpdump -v -nn -i Mgmt host 172.16.1.53 |
2. HTTPS Example
[Expert@Pub-cp2:0]# tcpdump -vvv -nn -i eth1-01 host 19.26.16.19
tcpdump: listening on eth1-01, link-type EN10MB (Ethernet), capture size 96 bytes 11:39:04.822700 IP (tos 0x0, ttl 126, id 7241, offset 0, flags [DF], proto: TCP (6), length: 52) 19.26.16.19.10747 > 19.26.16.24.443: S, cksum 0xea51 (correct), 2579834556:2579834556(0) win 8192 //SYN 11:39:04.826136 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto: TCP (6), length: 52) 19.26.16.24.443 > 19.26.16.19.10747: S, cksum 0x99db (correct), 487537799:487537799(0) ack 2579834557 win 5840 // SYN ACK 11:39:04.826153 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto: TCP (6), length: 52) 19.26.16.24.443 > 19.26.16.19.10747: S, cksum 0x99db (correct), 487537799:487537799(0) ack 2579834557 win 5840 // This packet is repeated SYN ACK 11:39:04.826926 IP (tos 0x0, ttl 125, id 7242, offset 0, flags [DF], proto: TCP (6), length: 52) 19.26.16.19.10747 > 10.9.1.25.443: ., cksum 0xd4d0 (correct), 2579834557:2579834557(0) ack 487537800 win 256 //ACK 11:39:06.883076 IP (tos 0x0, ttl 125, id 7243, offset 0, flags [DF], proto: TCP (6), length: 42) 19.26.16.19.10747 > 10.9.1.25.443: P, cksum 0xb101 (correct), 0:2(2) ack 1 win 256 11:39:06.883285 IP (tos 0x0, ttl 63, id 16050, offset 0, flags [DF], proto: TCP (6), length: 40) 19.26.16.24.443 > 19.26.16.19.10747: ., cksum 0xf14d (correct), 1:1(0) ack 3 win 46 11:39:07.048713 IP (tos 0x0, ttl 125, id 7244, offset 0, flags [DF], proto: TCP (6), length: 42) 19.26.16.19.10747 > 10.9.1.25.443: P, cksum 0xb0ff (correct), 2:4(2) ack 1 win 256 11:39:07.048905 IP (tos 0x0, ttl 63, id 16051, offset 0, flags [DF], proto: TCP (6), length: 40) 19.26.16.24.443 > 19.26.16.19.10747: ., cksum 0xf14b (correct), 1:1(0) ack 5 win 46 11:39:07.199352 IP (tos 0x0, ttl 125, id 7245, offset 0, flags [DF], proto: TCP (6), length: 42) 19.26.16.19.10747 > 10.9.1.25.443: P, cksum 0xb0fd (correct), 4:6(2) ack 1 win 256 11:39:07.199883 IP (tos 0x0, ttl 63, id 16052, offset 0, flags [DF], proto: TCP (6), length: 40) 19.26.16.24.443 > 19.26.16.19.10747: ., cksum 0xf149 (correct), 1:1(0) ack 7 win 46 11:39:07.342045 IP (tos 0x0, ttl 125, id 7246, offset 0, flags [DF], proto: TCP (6), length: 42) 19.26.16.19.10747 > 10.9.1.25.443: P, cksum 0xb0fb (correct), 6:8(2) ack 1 win 256 11:39:07.342228 IP (tos 0x0, ttl 63, id 16053, offset 0, flags [DF], proto: TCP (6), length: 40) 19.26.16.24.443 > 19.26.16.19.10747: ., cksum 0xf147 (correct), 1:1(0) ack 9 win 46 11:39:07.492210 IP (tos 0x0, ttl 125, id 7247, offset 0, flags [DF], proto: TCP (6), length: 42) 19.26.16.19.10747 > 10.9.1.25.443: P, cksum 0xb0f9 (correct), 8:10(2) ack 1 win 256 11:39:07.492407 IP (tos 0x0, ttl 63, id 16054, offset 0, flags [DF], proto: TCP (6), length: 40) 19.26.16.24.443 > 19.26.16.19.10747: ., cksum 0xf145 (correct), 1:1(0) ack 11 win 46 11:39:07.634867 IP (tos 0x0, ttl 125, id 7248, offset 0, flags [DF], proto: TCP (6), length: 42) 19.26.16.19.10747 > 10.9.1.25.443: P, cksum 0xb0f7 (correct), 10:12(2) ack 1 win 256 11:39:07.635119 IP (tos 0x0, ttl 63, id 16055, offset 0, flags [DF], proto: TCP (6), length: 40) 19.26.16.24.443 > 19.26.16.19.10747: ., cksum 0xf143 (correct), 1:1(0) ack 13 win 46 11:39:07.635269 IP (tos 0x0, ttl 63, id 16056, offset 0, flags [DF], proto: TCP (6), length: 40) 19.26.16.24.443 > 19.26.16.19.10747: F, cksum 0xf142 (correct), 1:1(0) ack 13 win 46 11:39:07.635864 IP (tos 0x0, ttl 125, id 7249, offset 0, flags [DF], proto: TCP (6), length: 40) 19.26.16.19.10747 > 10.9.1.25.443: ., cksum 0xbe08 (correct), 12:12(0) ack 2 win 256 11:39:07.635927 IP (tos 0x0, ttl 125, id 7250, offset 0, flags [DF], proto: TCP (6), length: 40) 19.26.16.19.10747 > 10.9.1.25.443: F, cksum 0xbe07 (correct), 12:12(0) ack 2 win 256 11:39:07.636058 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 19.26.16.24.443 > 19.26.16.19.10747: ., cksum 0xf141 (correct), 2:2(0) ack 14 win 46 |
3. SSH Example
[Expert@Pub-CP1:0]# tcpdump -v -nn -i Mgmt host 172.16.1.53 tcpdump: listening on Mgmt, link-type EN10MB (Ethernet), capture size 96 bytes 09:46:34.443382 IP (tos 0x0, ttl 126, id 7173, offset 0, flags [DF], proto: TCP (6), length: 52) 10.9.2.14.50831 > 172.16.1.53.22: S, cksum 0xac58 (correct), 3232602545:3232602545(0) win 8192 09:46:34.444081 IP (tos 0x0, ttl 127, id 6889, offset 0, flags [DF], proto: TCP (6), length: 52) 172.16.1.53.22 > 10.9.2.14.50831: S, cksum 0xb937 (correct), 41283738:41283738(0) ack 3232602546 win 8192 09:46:34.444916 IP (tos 0x0, ttl 126, id 7175, offset 0, flags [DF], proto: TCP (6), length: 40) 10.9.2.14.50831 > 172.16.1.53.22: ., cksum 0x190b (correct), ack 1 win 256 09:46:34.452567 IP (tos 0x0, ttl 127, id 6893, offset 0, flags [DF], proto: TCP (6), length: 73) 172.16.1.53.22 > 10.9.2.14.50831: P, cksum 0x1960 (correct), 1:34(33) ack 1 win 256 09:46:34.647359 IP (tos 0x0, ttl 126, id 7180, offset 0, flags [DF], proto: TCP (6), length: 40) 10.9.2.14.50831 > 172.16.1.53.22: ., cksum 0x18ea (correct), ack 34 win 256 09:46:35.764373 IP (tos 0x0, ttl 126, id 7184, offset 0, flags [DF], proto: TCP (6), length: 41) 10.9.2.14.50831 > 172.16.1.53.22: P, cksum 0x15e1 (correct), 1:2(1) ack 34 win 256 09:46:35.764610 IP (tos 0x0, ttl 128, id 9109, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.1.53.22 > 10.9.2.14.50831: R, cksum 0x19f6 (correct), 41283772:41283772(0) win 0 |
4. FTP Example
[Expert@Pub-CP1:0]# tcpdump -v -nn -i Mgmt host 172.16.1.53 tcpdump: listening on Mgmt, link-type EN10MB (Ethernet), capture size 96 bytes 09:47:11.477696 IP (tos 0x0, ttl 126, id 30923, offset 0, flags [none], proto: TCP (6), length: 44) 10.9.2.14.50864 > 172.16.1.53.21: S, cksum 0xebe1 (correct), 2535345973:2535345973(0) win 32120 09:47:11.479045 IP (tos 0x0, ttl 127, id 6954, offset 0, flags [DF], proto: TCP (6), length: 44) 172.16.1.53.21 > 10.9.2.14.50864: S, cksum 0x31a2 (correct), 3764401990:3764401990(0) ack 2535345974 win 8192 09:47:11.480173 IP (tos 0x0, ttl 126, id 30925, offset 0, flags [none], proto: TCP (6), length: 40) 10.9.2.14.50864 > 172.16.1.53.21: ., cksum 0xebe6 (correct), ack 1 win 32120 09:47:11.480858 IP (tos 0x0, ttl 127, id 6955, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.1.53.21 > 10.9.2.14.50864: ., cksum 0x695f (correct), ack 1 win 65535 09:47:11.690070 IP (tos 0x0, ttl 127, id 6959, offset 0, flags [DF], proto: TCP (6), length: 334) 172.16.1.53.21 > 10.9.2.14.50864: P 1:295(294) ack 1 win 65535 09:47:11.690579 IP (tos 0x0, ttl 126, id 30926, offset 0, flags [none], proto: TCP (6), length: 40) 10.9.2.14.50864 > 172.16.1.53.21: ., cksum 0xebe6 (correct), ack 295 win 31826 09:47:13.470582 IP (tos 0x0, ttl 126, id 30933, offset 0, flags [none], proto: TCP (6), length: 46) 10.9.2.14.50864 > 172.16.1.53.21: P, cksum 0x02bf (correct), 1:7(6) ack 295 win 32120 09:47:13.472164 IP (tos 0x0, ttl 127, id 6963, offset 0, flags [DF], proto: TCP (6), length: 81) 172.16.1.53.21 > 10.9.2.14.50864: P, cksum 0xc94d (correct), 295:336(41) ack 7 win 65529 09:47:13.472557 IP (tos 0x0, ttl 126, id 30934, offset 0, flags [none], proto: TCP (6), length: 40) 10.9.2.14.50864 > 172.16.1.53.21: ., cksum 0xeaba (correct), ack 336 win 32079 09:47:13.473093 IP (tos 0x0, ttl 127, id 6965, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.1.53.21 > 10.9.2.14.50864: F, cksum 0x680f (correct), 336:336(0) ack 7 win 65529 09:47:13.473336 IP (tos 0x0, ttl 126, id 30936, offset 0, flags [none], proto: TCP (6), length: 40) 10.9.2.14.50864 > 172.16.1.53.21: ., cksum 0xea90 (correct), ack 337 win 32120 09:47:13.489842 IP (tos 0x0, ttl 126, id 30939, offset 0, flags [none], proto: TCP (6), length: 40) 10.9.2.14.50864 > 172.16.1.53.21: F, cksum 0xea8f (correct), 7:7(0) ack 337 win 32120 09:47:13.490369 IP (tos 0x0, ttl 127, id 6967, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.1.53.21 > 10.9.2.14.50864: ., cksum 0x680e (correct), ack 8 win 65529 09:47:14.836964 IP (tos 0x0, ttl 126, id 19859, offset 0, flags [DF], proto: TCP (6), length: 112) 10.9.16.48.58884 > 172.16.1.53.445: P 1912308033:1912308105(72) ack 3052976289 win 258 09:47:14.836979 IP (tos 0x0, ttl 126, id 19860, offset 0, flags [DF], proto: TCP (6), length: 112) 10.9.16.48.58884 > 172.16.1.53.445: P 72:144(72) ack 1 win 258 09:47:14.837677 IP (tos 0x0, ttl 127, id 6970, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.1.53.445 > 10.9.16.48.58884: ., cksum 0x9ad5 (correct), ack 144 win 258 09:47:14.837693 IP (tos 0x0, ttl 127, id 6971, offset 0, flags [DF], proto: TCP (6), length: 112) 172.16.1.53.445 > 10.9.16.48.58884: P 1:73(72) ack 144 win 258 09:47:14.837700 IP (tos 0x0, ttl 127, id 6972, offset 0, flags [DF], proto: TCP (6), length: 112) 172.16.1.53.445 > 10.9.16.48.58884: P 73:145(72) ack 144 win 258 09:47:14.838389 IP (tos 0x0, ttl 126, id 19870, offset 0, flags [DF], proto: TCP (6), length: 40) 10.9.16.48.58884 > 172.16.1.53.445: ., cksum 0x9a46 (correct), ack 145 win 257 09:47:14.838843 IP (tos 0x0, ttl 126, id 19872, offset 0, flags [DF], proto: TCP (6), length: 40) 10.9.16.48.58884 > 172.16.1.53.445: R, cksum 0x9b43 (correct), 144:144(0) ack 145 win 0 |
5. FTPS example
[Expert@Pub:0]# tcpdump -v -n -i eth1-01 host 12.25.20.4 tcpdump: listening on eth1-01, link-type EN10MB (Ethernet), capture size 96 bytes 10:59:02.525754 IP (tos 0x0, ttl 39, id 26220, offset 0, flags [none], proto: TCP (6), length: 60) 12.25.20.4.62712 > 19.26.16.5.ftps: S, cksum 0xd8cb (correct), 1970824717:1970824717(0) win 65535 10:59:02.526420 IP (tos 0x0, ttl 127, id 32480, offset 0, flags [DF], proto: TCP (6), length: 60) 19.26.16.5.ftps > 12.25.20.4.62712: S, cksum 0xdbb7 (correct), 2713847003:2713847003(0) ack 1970824718 win 8192 10:59:02.570606 IP (tos 0x0, ttl 38, id 26433, offset 0, flags [none], proto: TCP (6), length: 52) 12.25.20.4.62712 > 12.17.3.59.ftps: ., cksum 0xa43c (correct), ack 2713847004 win 4096 10:59:02.906868 IP (tos 0x0, ttl 46, id 22227, offset 0, flags [none], proto: TCP (6), length: 98) 12.25.20.4.62712 > 12.17.3.59.ftps: P 0:58(58) ack 1 win 2047 10:59:02.908200 IP (tos 0x0, ttl 127, id 32486, offset 0, flags [DF], proto: TCP (6), length: 1476) 19.26.16.5.ftps > 12.25.20.4.62712: . 1:1425(1424) ack 59 win 261 10:59:02.908216 IP (tos 0x0, ttl 127, id 32487, offset 0, flags [DF], proto: TCP (6), length: 245) 19.26.16.5.ftps > 12.25.20.4.62712: P 1425:1618(193) ack 59 win 261 10:59:02.949626 IP (tos 0x0, ttl 47, id 2661, offset 0, flags [none], proto: TCP (6), length: 40) 12.25.20.4.62712 > 12.17.3.59.ftps: ., cksum 0xfe5b (correct), ack 1 win 2047 10:59:02.968018 IP (tos 0x0, ttl 46, id 63635, offset 0, flags [none], proto: TCP (6), length: 366) 12.25.20.4.62712 > 12.17.3.59.ftps: P 58:384(326) ack 1618 win 2047 10:59:02.972322 IP (tos 0x0, ttl 46, id 41339, offset 0, flags [none], proto: TCP (6), length: 40) 12.25.20.4.62712 > 12.17.3.59.ftps: F, cksum 0xf6c3 (correct), 384:384(0) ack 1618 win 2047 10:59:02.972387 IP (tos 0x0, ttl 46, id 33795, offset 0, flags [none], proto: TCP (6), length: 40) 12.25.20.4.62712 > 12.17.3.59.ftps: ., cksum 0xf6c3 (correct), ack 1618 win 2047 10:59:02.972523 IP (tos 0x0, ttl 127, id 32489, offset 0, flags [DF], proto: TCP (6), length: 52) 19.26.16.5.ftps > 12.25.20.4.62712: ., cksum 0x1e55 (correct), ack 386 win 260 10:59:02.972737 IP (tos 0x0, ttl 127, id 32490, offset 0, flags [DF], proto: TCP (6), length: 52) 19.26.16.5.ftps > 12.25.20.4.62712: F, cksum 0x1e54 (correct), 1618:1618(0) ack 386 win 260 10:59:03.015360 IP (tos 0x0, ttl 46, id 24500, offset 0, flags [none], proto: TCP (6), length: 40) 12.25.20.4.62712 > 12.17.3.59.ftps: ., cksum 0xf6c2 (correct), ack 1619 win 2047 |
6. SQL Example
[Expert@Pub-CP1:0]# tcpdump -i eth1-02.104 host 172.16.1.2 10:39:52.671997 IP 172.16.1.2.19209 > 10.9.10.252.ms-sql-s: S 3761967874:3761967874(0) win 8192 10:39:52.673393 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19209: S 4159880273:4159880273(0) ack 3761967875 win 8192 10:39:52.673743 IP 172.16.1.2.19209 > 10.9.10.252.ms-sql-s: . ack 1 win 256 10:39:52.673970 IP 172.16.1.2.19209 > 10.9.10.252.ms-sql-s: P 1:48(47) ack 1 win 256 10:39:52.674791 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19209: P 1:44(43) ack 48 win 256 10:39:52.675230 IP 172.16.1.2.19209 > 10.9.10.252.ms-sql-s: P 48:151(103) ack 44 win 256 10:39:52.675570 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19209: P 44:661(617) ack 151 win 256 10:39:52.676104 IP 172.16.1.2.19209 > 10.9.10.252.ms-sql-s: P 151:357(206) ack 661 win 254 10:39:52.676980 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19209: P 661:728(67) ack 357 win 255 10:39:52.677889 IP 172.16.1.2.19209 > 10.9.10.252.ms-sql-s: P 357:714(357) ack 728 win 253 10:39:52.680064 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19209: P 728:1141(413) ack 714 win 254 10:39:52.681073 IP 172.16.1.2.19209 > 10.9.10.252.ms-sql-s: P 714:866(152) ack 1141 win 252 10:39:52.681402 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19209: P 1141:1510(369) ack 866 win 253 |
A problem SQL session :
[Expert@Pub-CP1:0]# tcpdump -i eth1-02.104 host 172.16.1.2 11:03:28.691563 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: S 3948339855:3948339855(0) win 8192 11:03:28.692264 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19451: S 909862134:909862134(0) ack 3948339856 win 8192 11:03:28.692795 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: . ack 1 win 256 11:03:28.693041 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: P 1:48(47) ack 1 win 256 11:03:28.998541 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: P 1:48(47) ack 1 win 256 11:03:29.606984 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: P 1:48(47) ack 1 win 256 11:03:30.808145 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: P 1:48(47) ack 1 win 256 11:03:31.692318 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19451: S 909862134:909862134(0) ack 3948339856 win 8192 11:03:31.692610 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: . ack 1 win 256 11:03:32.025035 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: P 1:48(47) ack 1 win 256 11:03:33.226224 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: P 1:48(47) ack 1 win 256 11:03:35.628622 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: P 1:48(47) ack 1 win 256 11:03:37.690075 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19451: S 909862134:909862134(0) ack 3948339856 win 65535 11:03:37.690422 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: . ack 1 win 256 11:03:40.449096 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: P 1:48(47) ack 1 win 256 11:03:43.681010 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: F 48:48(0) ack 1 win 256 //Finish packets 11:03:49.690374 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19451: R 909862135:909862135(0) win 0 // Reset Packets |
7. A Problem Telnet Session
[Expert@Pub:0]# tcpdump -v -n -i eth1-01 host 19.26.16.129 tcpdump: listening on eth1-01, link-type EN10MB (Ethernet), capture size 96 bytes 11:17:59.759390 IP (tos 0x0, ttl 126, id 360, offset 0, flags [DF], proto: TCP (6), length: 52) 19.26.16.129.10329 > 19.26.16.24.telnet: S, cksum 0x8b11 (correct), 4098502333:4098502333(0) win 8192 11:18:02.756485 IP (tos 0x0, ttl 126, id 469, offset 0, flags [DF], proto: TCP (6), length: 52) 19.26.16.129.10329 > 19.26.16.24.telnet: S, cksum 0x8b11 (correct), 4098502333:4098502333(0) win 8192 11:18:08.760662 IP (tos 0x0, ttl 126, id 658, offset 0, flags [DF], proto: TCP (6), length: 48) 19.26.16.129.10329 > 19.26.16.24.telnet: S, cksum 0x9f20 (correct), 4098502333:4098502333(0) win 8192 |
Notes: 19.26.16.24 sent three Sync packets to 19.26.16.129, but received nothing back.
4098502333:4098502333(0) means the sending TCP stack is setting 4098502333 as the initial synchronization number (ISN), and “0” (no) data is being passed in this packet.
Generic TCP
78.47.105.76.ssh > 82.132.219.219.55495: Flags [P.], cksum 0xcb29 (correct), seq497880562:497880610, ack 1593322765, win 379, length 48
- 22:24:18.910372 – the datagram’s timestamp
- IP (tos 0×10, ttl 64, id 9792, offset 0, flags [DF], proto TCP (6), length 88) – the layer three datagram’s header fields and values;
- tos 0×10 – the IP TOS value (more correctly in the present context, the DS and ECN fields (8bit, 2nd octet)
- ttl 64 – the IP TTL value (8bit, 9th octet)
- id 9792 – mostly used for identifying the parts of a fragmented datagram; incremented by one with every packet sent (16bit, 5th and 6th octets)
- offset 0 – the fragment offset, used with fragmented packets (13bits of the 7th and 8th octets)
- flags [DF] – any IP flags set; [DF] for Don’t Fragment and [MR] for More Fragments (3bits of the 7th octet)
- proto TCP (6) – the higher layer (four) protocol and it’s number (8bits, 10th octet)
- length 88 – the entire IP packet length, including headers (16bits, 3rd and 4th octets)
- 78.47.105.76.ssh – the source IP address and port
- 82.132.219.219.55495 – the destination IP address and port
- Flags [P.] – any TCP flags; a period ‘.‘ indicates an ACK
- cksum 0xcb29 (correct) – the packet’s TCP checksum value
- seq 497880562:497880610 – the TCP packet’s sequence number
- ack 1593322765 – the TCP packet’s acknowledgement number
- win 379 – the source host’s TCP window
- length 48 – the TCP packet length, including headers
Generic UDP
213.133.99.99.domain > 78.47.105.76.16165: [udp sum ok] 11711 ServFail q: A? 40.1.255.158.bl.tiopan.com. 0/0/0 (44)
- 22:47:08.352707 – the datagram’s timestamp
- IP (tos 0×0, ttl 60, id 1457, offset 0, flags [none], proto UDP (17), length 72) – the layer three datagram’s header fields and values;
- tos 0×0 – the IP TOS value (more correctly in the present context, the DS and ECN fields (8bit, 2nd octet)
- ttl 60 – the IP TTL value (8bit, 9th octet)
- id 1457 – mostly used for identifying the parts of a fragmented datagram; incremented by one with every packet sent (16bit, 5th and 6th octets)
- offset 0 – the fragment offset, used with fragmented packets (13bits of the 7th and 8th octets)
- flags [none] – any IP flags set; [DF] for Don’t Fragment and [MR] for More Fragments (3bits of the 7th octet)
- proto UDP (17) – the higher layer (four) protocol and it’s number (8bits, 10th octet)
- length 72– the entire IP packet length, including headers (16bits, 3rd and 4th octets)
- 213.133.99.99.domain – the source IP address and port
- 78.47.105.76.16165 – the destination IP address and port
- [udp sum ok] – the datagram’s checksum status
- Everything else relates to the DNS application response.
Notes on the proto(col) Field
- ICMP (1)
- IGMP (2)
- GRE (47)
- ESP (50)
- VINES (83)
- EIGRP (88)
- ETHERIP (97)
- OSPF (89)
- VRRP (112)
- L2TP (115)
- SCTP (132)
Notes on Service Ports
- 0 to 1023 are reserved for well known applications
- 1024 to 49151 are registered (with IANA) ports
- 49152 to 65535 are user and dynamic ports (aka ephemeral or temporary)
Protocol Formatting
- ICMP
- ISAKMP
- ARP
- NTP
- DNS
- STP
- HSRP
- SNMP
- RADIUS
Client, Leap indicator: (0), Stratum 3 (secondary reference), poll 10s, precision -22
Root Delay: 0.020477, Root dispersion: 0.056991, Reference-ID: 83.137.98.96
…
Here are some Tcpdump Scenarios from Making a Connection with tcpdump, Part II
Scenario 1: Established Telnet Connection
#tcpdump -nn host 192.168.2.165 and port 23
- The requesting Host sends a synchronization flag (SYN) in a TCP segment to create a connection.
- The receiving Host 192.168.2.165 receives the SYN flag and returns an acknowledgment flag (ACK).
- The requesting Host 192.168.2.10 receives the SYN flag and returns it’s own ACK flag.
To establish a connection, the sending host creates a segment containing the IP address and port number of the host it want to connect to. The segment contains a SYN flag and the sending hosts initial sequence number. Data is segmented before it is sent. The sequence numbers allow the segments to be assembled in the correct order.
20:06:32.845356 192.168.2.10.1249 > 192.168.2.165.23:
S 3263977215:3263977215(0) win 16384 (DF)
20:06:32.845725 192.168.2.165.23 > 192.168.2.10.1249: S
48495364:48495364(0) ack 3263977216 win 32120
(DF)
20:06:32.845921 192.168.2.10.1249 > 192.168.2.165.23: . ack 1 win 17520
(DF)
- S: SYN (Synchronize sequence numbers – Connection establishment)
- F: FIN (Ending of sending by sender – Connection termination)
- R: RST (Reset connection)
- P: PSH (Push data)
- .: (No flag is set)
Scenario 2: Closed Telnet Connection
20:07:32.916410 192.168.2.165.23 > 192.168.2.10.1249: F 147:147(0) ack
56 win 32120 (DF)
20:07:32.916680 192.168.2.10.1249 > 192.168.2.165.23: . ack 148 win
17374 (DF)
20:07:32.928907 192.168.2.10.1249 > 192.168.2.165.23: F 56:56(0) ack 148
win 17374 (DF)
20:07:32.929121 192.168.2.165.23 > 192.168.2.10.1249: . ack 57 win 32120
(DF)
05:28:00.080798 192.168.2.10.1063 > 192.168.2.165.23:
S 3034008467:3034008467(0) win 16384 (DF)
05:28:00.080979 192.168.2.165.23 > 192.168.2.10.1063: R 0:0(0)
ack 3034008468 win 0
05:28:00.579420 192.168.2.10.1063 > 192.168.2.165.23: S
3034008467:3034008467(0) win 16384 (DF)
05:28:00.579524 192.168.2.165.23 > 192.168.2.10.1063: R 0:0(0) ack 1 win
0
05:28:01.080114 192.168.2.10.1063 &glt; 192.168.2.165.23: S
3034008467:3034008467(0) win 16384 (DF)
05:28:01.080225 192.168.2.165.23 > 192.168.2.10.1063: R 0:0(0) ack 1 win
0
Scenario 3: Telnet Connection Refused (tcp wrappers security used at host)
05:40:39.838710 192.168.2.10.1064 > 192.168.2.165.23: S
3223709294:3223709294(0) win 16384 (DF)
05:40:39.839045 192.168.2.165.23 > 192.168.2.10.1064: S
063202536:2063202536(0) ack 3223709295 win 32120 1460,nop,nop,sackOK> (DF)
05:40:39.839295 192.168.2.10.1064 > 192.168.2.165.23: . ack 1 win 17520
(DF)
05:40:44.852844 192.168.2.165.23 > 192.168.2.10.1064:
F 1:1(0) ack 1 win 32120 (DF)
05:40:44.853137 192.168.2.10.1064 > 192.168.2.165.23: . ack 2 win 17520
(DF)
05:40:44.855050 192.168.2.10.1064 > 192.168.2.165.23: F 1:1(0) ack 2 win
17520 (DF)
05:40:44.855176 192.168.2.165.23 > 192.168.2.10.1064: . ack 2 win 32120
(DF)
The reader may gain some insight into how systems are at risk from the trappings of tcpdump. Before a system hack is possible, some effort is expended to engineer the hack. An examination of the data from a system can provide the hacker with some insight into where efforts might provide the greatest chance of success.
Scenario 4: No Telnet Connection (host removed from the network)
05:55:21.557846 192.168.2.10.1065 > 192.168.2.165.23: S
3443876657:3443876657(0) win 16384 (DF)
05:55:24.560891 192.168.2.10.1065 > 192.168.2.165.23: S
3443876657:3443876657(0) win 16384 (DF)
05:55:30.569584 192.168.2.10.1065 > 192.168.2.165.23: S
3443876657:3443876657(0) win 16384 (DF)