Snort mailing list archives

Re: need help to learn reading


From: John Sage <jsage () finchhaven com>
Date: Sun, 02 Dec 2001 21:03:32 -0800

Jagi:

Jagi wrote:

This is a sample packet I've captured on my home LAN. Unfortunately I don't
know how to read it. I just couldn't find any references on how to understand
some of the numbers etc...  (if you have some good links please let me
know).

Thanks.
12/02-16:35:33.457780 10.0.0.2:32778 -> 10.0.0.3:80


month/day-hour:minute:second.fraction source_host:source_port ->
   destination_host:destination_port

 TCP TTL:64 TOS:0x0 ID:31501 IpLen:20 DgmLen:52 DF


protocol (TCP) Time-To-Live:64 Type-Of-Service:0x0 hexadecimal (no flags set..)
   IP ID:31501 IP header length: 20 bytes Total Datagram Length: 52 bytes
   Don't Fragment flag set

 ***A**** Seq: 0x4DAE3581 Ack: 0x4BE7F3B5 Win: 0x2D40 TcpLen: 32


Of the six TCP flags, only the ACK(nowledge) flag is set

TCP Seq(uence number):0x4DAE3581 hexadecimal = 1303262593 decimal...

TCP Ack(nowledgement number):0x4BE7F3B5 hexadecimal = 1273492405 decimal...

Window advertisement: 0x2d40 hexadecimal = 11584 decimal

TCP header length = 32 bytes


TCP Options (3) => NOP NOP TS: 18542 69178866



TCP options = 2 NOPs (no operations - for padding) Time Stamp: 18542 uh.. what's that space doing in there...



Anyway, so it's like that..

What does *that* all mean? See "TCP/IP Illustrated", vol.1, RW Stevens, 1994 Addison-Wesley-Longman, pub.


Buy it at {*} fatbrain:

http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0201633469&vm=



HTH..

- John
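The header John walks through above is regular enough to parse mechanically. What follows is an added example, not code from the post, from John, or from Snort's own sources: a small Python parser for Snort's ASCII packet-header format that does the hex-to-decimal conversions and the length cross-check a reader would otherwise do by hand. The sample input is the packet quoted in the post. The flag ordering 12UAPRSF (two reserved/ECN bits, then URG ACK PSH RST SYN FIN) is how Snort prints the flag field, and the option sizes are the RFC wire sizes; the field names in the returned dict are this example's own choice.

```python
import re

# Sample Snort packet header, taken from the post above (four-line "-v" output).
SAMPLE = """\
12/02-16:35:33.457780 10.0.0.2:32778 -> 10.0.0.3:80
TCP TTL:64 TOS:0x0 ID:31501 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x4DAE3581 Ack: 0x4BE7F3B5 Win: 0x2D40 TcpLen: 32
TCP Options (3) => NOP NOP TS: 18542 69178866
"""

# Snort prints eight TCP flag positions in this fixed order; '*' means "not set".
# Positions 1 and 2 are the reserved bits (now CWR/ECE), then URG ACK PSH RST SYN FIN.
FLAG_ORDER = "12UAPRSF"
FLAG_NAMES = {"1": "CWR", "2": "ECE", "U": "URG", "A": "ACK",
              "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}

# Wire sizes in bytes of the options Snort prints by name (RFC 793, 1323, 2018).
# Used to check that the listed options actually fill TcpLen - 20.
OPTION_SIZES = {"NOP": 1, "EOL": 1, "MSS": 4, "WS": 3, "SackOK": 2, "TS": 10}

_LINE1 = re.compile(r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d\.\d+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")
_LINE2 = re.compile(r"^(\w+) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)(.*)$")
_LINE3 = re.compile(r"^([12UAPRSF*]{8}) Seq: (0x[0-9A-Fa-f]+) Ack: (0x[0-9A-Fa-f]+) "
                    r"Win: (0x[0-9A-Fa-f]+) TcpLen: (\d+)$")
_LINE4 = re.compile(r"^TCP Options \((\d+)\) => (.*)$")


def parse_options(text):
    """Turn 'NOP NOP TS: 18542 69178866' into
    [('NOP', []), ('NOP', []), ('TS', [18542, 69178866])]."""
    opts, expecting_values = [], False
    for tok in text.split():
        if tok.endswith(":"):
            opts.append((tok[:-1], []))          # option that carries values
            expecting_values = True
        elif expecting_values and tok.isdigit():
            opts[-1][1].append(int(tok))         # value belonging to the previous option
        else:
            opts.append((tok, []))               # bare option such as NOP or SackOK
            expecting_values = False
    return opts


def parse_snort_header(block):
    """Parse the three (optionally four) header lines Snort prints for a TCP packet."""
    lines = [ln.strip() for ln in block.strip().splitlines()]
    m1, m2, m3 = _LINE1.match(lines[0]), _LINE2.match(lines[1]), _LINE3.match(lines[2])
    if not (m1 and m2 and m3):
        raise ValueError("not a Snort TCP packet header")
    flag_str = m3.group(1)
    for pos, c in enumerate(flag_str):          # each slot is '*' or its own letter
        if c not in ("*", FLAG_ORDER[pos]):
            raise ValueError(f"unexpected flag {c!r} at position {pos}")
    pkt = {
        "month": int(m1.group(1)), "day": int(m1.group(2)), "time": m1.group(3),
        "src": m1.group(4), "sport": int(m1.group(5)),
        "dst": m1.group(6), "dport": int(m1.group(7)),
        "proto": m2.group(1), "ttl": int(m2.group(2)), "tos": int(m2.group(3), 16),
        "ip_id": int(m2.group(4)), "ip_len": int(m2.group(5)), "dgm_len": int(m2.group(6)),
        "ip_flags": m2.group(7).split(),        # e.g. ['DF'], ['MF'], or []
        "flags": [FLAG_NAMES[c] for c in flag_str if c != "*"],
        "seq": int(m3.group(2), 16), "ack": int(m3.group(3), 16),   # hex -> decimal
        "win": int(m3.group(4), 16), "tcp_len": int(m3.group(5)),
        "options": [],
    }
    if len(lines) > 3:
        m4 = _LINE4.match(lines[3])
        if m4:
            pkt["options"] = parse_options(m4.group(2))
    return pkt


def check_lengths(pkt):
    """Cross-check the three lengths Snort prints, as a reader would by hand:
    payload = DgmLen - IpLen - TcpLen, and the options must fill TcpLen - 20."""
    payload = pkt["dgm_len"] - pkt["ip_len"] - pkt["tcp_len"]
    opt_bytes = sum(OPTION_SIZES.get(name, 0) for name, _ in pkt["options"])
    return {
        "payload_len": payload,
        "options_len": opt_bytes,
        "consistent": payload >= 0 and opt_bytes == pkt["tcp_len"] - 20,
    }


if __name__ == "__main__":
    pkt = parse_snort_header(SAMPLE)
    print(pkt["src"], pkt["sport"], "->", pkt["dst"], pkt["dport"], pkt["flags"])
    print("seq", pkt["seq"], "ack", pkt["ack"], "win", pkt["win"])
    print(check_lengths(pkt))
```

For the quoted packet the check comes out to payload_len 0 (52 - 20 - 32), so this is a bare ACK carrying no data, and the two NOPs plus the 10-byte timestamp option account exactly for the 12 option bytes implied by TcpLen: 32.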


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

