Let us see how we can read tcpdump output by checking what each term means.
Let us take a sample line of tcpdump output:
20:08:41.313149 ctechz.blogspot.1086 > 192.168.0.22.80: S 1192278531:1192278531(0) win 1638
20:08:41.313149 ------------> The time stamp: two digits for hours, two for minutes, two for seconds, and six digits for the fractional part of a second (microseconds).
ctechz.blogspot ---------------> The source host name. By default tcpdump resolves addresses to names; the -n option turns that off. If no DNS name is found, the IP address is printed instead.
1086 ------> The source port number (or its service name, when tcpdump can translate it).
> ----------> A direction marker: the traffic flows from the source on the left to the destination on the right.
192.168.0.22 ----------> The destination host name or IP address.
80 ------------> The destination port number; without -n it may be translated to the service name, http.
S ---------> The TCP flag(s) set in this segment. S represents the SYN flag.
1192278531:1192278531(0) ------------> beginning TCP sequence number:ending TCP sequence number(data bytes). TCP uses sequence numbers to put received data back in order. The initial sequence number (ISN) is chosen to mark the first byte of data; the ending sequence number is the beginning sequence number plus the number of data bytes carried in this segment. Here zero bytes were sent, so the beginning and ending numbers are the same. Note that a SYN still consumes one sequence number: the reply to this segment will carry ack 1192278532. Segments that have the ACK flag set show an additional "ack <number>" field after the sequence range.
win 1638 --------------> The receive window of ctechz.blogspot for this connection, in bytes: how much data it is willing to accept before it must acknowledge.
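As an added example (not code from the original post), here is a small Python parser for the line format described above. It handles both the classic format shown on this page and the "Flags [..]" format that tcpdump 4.x prints, and it checks the sequence/acknowledgment arithmetic of a three-way handshake. The sample lines are constructed for the example, reusing the host and ports from the page; the second host's ISN and window are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines (not a real capture). Lines 1-4 use the classic
# tcpdump format shown on this page; line 5 uses the "Flags [..]" format that
# tcpdump 4.x prints. The ctechz.blogspot endpoint and ports come from the page.
SAMPLE_LINES = [
    "20:08:41.313149 ctechz.blogspot.1086 > 192.168.0.22.80: S 1192278531:1192278531(0) win 1638",
    "20:08:41.313902 192.168.0.22.80 > ctechz.blogspot.1086: S 2813417534:2813417534(0) ack 1192278532 win 5840",
    "20:08:41.314110 ctechz.blogspot.1086 > 192.168.0.22.80: . ack 2813417535 win 1638",
    "20:08:41.320551 ctechz.blogspot.1086 > 192.168.0.22.80: P 1192278532:1192278812(280) ack 2813417535 win 1638",
    "20:08:42.000123 IP 192.168.0.22.80 > ctechz.blogspot.1086: Flags [F.], seq 2813417535, ack 1192278812, win 5840, length 0",
]

# Single-letter flags as tcpdump prints them. In the classic format "." means
# "none of S/F/R/P" and ACK is implied by a separate "ack N" field; in the
# "Flags [..]" format "." is the ACK bit itself.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG",
              "E": "ECE", "W": "CWR", ".": "ACK"}

CLASSIC = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d{6}) (?:IP )?(?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+)"
    r"(?: (?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?"
)
MODERN = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d{6}) (?:IP6? )?(?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq_start>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?(?:, win (?P<win>\d+))?"
    r"(?:, .*?length (?P<len>\d+))?"
)


@dataclass
class TcpSegment:
    time: str
    src_host: str
    src_port: str
    dst_host: str
    dst_port: str
    flags: Tuple[str, ...]      # sorted flag names, e.g. ("ACK", "SYN")
    seq_start: Optional[int]
    seq_end: Optional[int]
    data_len: int
    ack: Optional[int]
    win: Optional[int]


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """'ctechz.blogspot.1086' -> ('ctechz.blogspot', '1086'): the port (or
    service name) is always the text after the last dot."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_tcpdump_line(line: str) -> Optional[TcpSegment]:
    """Parse one TCP line in either tcpdump style; None if it is not one."""
    m, classic = MODERN.match(line), False
    if m is None:
        m, classic = CLASSIC.match(line), True
    if m is None:
        return None

    def to_int(group: str) -> Optional[int]:
        return int(m.group(group)) if m.group(group) is not None else None

    names = {FLAG_NAMES[c] for c in m.group("flags") if c in FLAG_NAMES}
    if classic:
        names.discard("ACK")                # "." alone means nothing here
        if m.group("ack") is not None:      # the "ack N" field is the ACK flag
            names.add("ACK")
    src_host, src_port = split_endpoint(m.group("src"))
    dst_host, dst_port = split_endpoint(m.group("dst"))
    seq_start, seq_end, data_len = to_int("seq_start"), to_int("seq_end"), to_int("len")
    if data_len is None:
        # classic pure-ACK lines print no "(n)"; modern lines always print length
        data_len = seq_end - seq_start if seq_start is not None and seq_end is not None else 0
    return TcpSegment(m.group("time"), src_host, src_port, dst_host, dst_port,
                      tuple(sorted(names)), seq_start, seq_end, data_len,
                      to_int("ack"), to_int("win"))


def check_handshake(segments: List[TcpSegment]) -> bool:
    """True if the first three segments form a valid 3-way handshake. Each side
    must acknowledge the other's ISN + 1: a SYN consumes one sequence number
    even though it carries (0) data bytes."""
    if len(segments) < 3:
        return False
    syn, synack, ack = segments[:3]
    return (syn.flags == ("SYN",)
            and synack.flags == ("ACK", "SYN") and synack.ack == syn.seq_start + 1
            and ack.flags == ("ACK",) and ack.ack == synack.seq_start + 1)


if __name__ == "__main__":
    parsed = [parse_tcpdump_line(line) for line in SAMPLE_LINES]
    for seg in parsed:
        print(seg)
    print("handshake ok:", check_handshake(parsed))
```

The parser tries the newer bracketed format first and falls back to the classic one, so the same code can be fed output from either tcpdump generation. The handshake check is where the sequence-number rule from the field breakdown becomes visible: the ending sequence number of the SYN equals its beginning, yet the peer acknowledges one past it.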
TCP Flag     tcpdump shows   Meaning
SYN          S               Session establishment request; the first segment of any TCP connection (3-way handshake).
ACK          ack <number>    Acknowledges receipt of data from the other side; usually set together with other flags. Classic tcpdump prints it as a separate "ack <number>" field rather than as a letter.
FIN          F               The sender intends to gracefully terminate its side of the connection to the receiving host.
RESET        R               The sender intends to immediately abort the existing connection with the receiving host.
PUSH         P               "Push" the data to the receiving application immediately rather than buffering it; used by interactive applications like telnet where response time is a primary concern.
URGENT       urg <pointer>   There is "urgent" data that takes precedence over other data; classic tcpdump prints it as a separate "urg <pointer>" field.
Placeholder  .               Printed after the destination port when the segment has none of the SYN, FIN, RESET or PUSH flags (for example a pure acknowledgment).

Newer tcpdump versions (4.x) print the flags in brackets instead, e.g. Flags [S], Flags [S.], Flags [.], Flags [P.] and Flags [F.], where "." now stands for the ACK bit itself, followed by comma-separated seq, ack, win and length fields. The letters keep the same meaning.
Like the IP header, the TCP (Transmission Control Protocol) header stores information about the packet:
- Source Port
- Destination Port
- Sequence Number
- Acknowledgement Number
- Data Offset
- Flags
- Window
- Checksum
- Urgent Pointer
- Options
- Padding
Every TCP segment carries all of the fields above; tcpdump simply prints a subset of them in the line format described earlier.
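As an added example (not part of the original post), the following Python code builds and parses the raw 20-byte TCP header laid out above, decodes the flag bits and data offset, validates the header length, and renders the parsed header in the classic tcpdump style used on this page. The SYN segment is constructed from the page's sample line; the MSS option value and the HTTP payload are assumed for illustration, and the checksum is left at zero because computing it needs the IP pseudo-header.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

# Flag bits in the low byte of the 16-bit "data offset / reserved / flags" word.
FLAG_BITS = [("CWR", 0x80), ("ECE", 0x40), ("URG", 0x20), ("ACK", 0x10),
             ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01)]


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int           # header length in 32-bit words (5..15)
    flags: Tuple[str, ...]
    window: int
    checksum: int
    urgent_ptr: int
    options: bytes
    payload: bytes


def parse_tcp_header(segment: bytes) -> TcpHeader:
    """Decode the fixed header, then use the data offset to split options
    from payload. Rejects truncated segments and bogus offsets rather than
    silently reading past the buffer."""
    if len(segment) < 20:
        raise ValueError("TCP segment shorter than the 20-byte fixed header")
    src, dst, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12
    if data_offset < 5:
        raise ValueError("data offset %d is below the minimum of 5" % data_offset)
    hdr_len = data_offset * 4
    if len(segment) < hdr_len:
        raise ValueError("data offset claims %d header bytes but only %d present" % (hdr_len, len(segment)))
    flags = tuple(name for name, bit in FLAG_BITS if off_flags & bit)
    return TcpHeader(src, dst, seq, ack, data_offset, flags, win, csum, urg,
                     segment[20:hdr_len], segment[hdr_len:])


def build_tcp_header(src_port: int, dst_port: int, seq: int, ack: int,
                     flags: Tuple[str, ...], window: int,
                     options: bytes = b"", payload: bytes = b"") -> bytes:
    """Build a segment; checksum is 0 (it needs the IP pseudo-header)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # pad options to a 32-bit boundary
    data_offset = 5 + len(options) // 4
    bits = 0
    for name, bit in FLAG_BITS:
        if name in flags:
            bits |= bit
    fixed = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                        (data_offset << 12) | bits, window, 0, 0)
    return fixed + options + payload


# Constructed example: the SYN from this page's sample line, carrying an
# assumed MSS option (kind 2, length 4, MSS 1460).
SAMPLE_SYN = build_tcp_header(1086, 80, 1192278531, 0, ("SYN",), 1638,
                              options=b"\x02\x04\x05\xb4")


def tcpdump_style(h: TcpHeader) -> str:
    """Render a parsed header like the classic tcpdump line on this page
    (the sequence range is always shown here; classic tcpdump omits it on
    pure acknowledgments)."""
    letters = "".join(c for c, n in (("S", "SYN"), ("F", "FIN"), ("R", "RST"), ("P", "PSH"))
                      if n in h.flags) or "."
    out = "%d > %d: %s %d:%d(%d)" % (h.src_port, h.dst_port, letters,
                                     h.seq, h.seq + len(h.payload), len(h.payload))
    if "ACK" in h.flags:
        out += " ack %d" % h.ack
    return out + " win %d" % h.window


if __name__ == "__main__":
    print(tcpdump_style(parse_tcp_header(SAMPLE_SYN)))
```

The length checks matter in practice: a data offset larger than the bytes actually present is exactly the kind of malformed header a decoder must refuse instead of indexing past the end of the buffer.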