Monday, 30 January 2012

How to Read Tcpdump output

Let us see how to read tcpdump output by checking what each term means.

Let us take a sample line of tcpdump output:
20:08:41.313149 ctechz.blogspot.1086 > 192.168.0.22.80: S 1192278531:1192278531(0) win 1638

20:08:41.313149 ------------> This is the time stamp, in the format of two digits for hours, two digits for minutes, two digits for seconds, and six digits for fractional parts of a second.

ctechz.blogspot ---------------> This is the source host name. The default behavior is to resolve the hostname, but you can turn that off with the tcpdump -n option. If there is no DNS name, the IP address appears instead.

1086 ------> This is the source port number or service name.

> ----------> This marker indicates the direction of flow, from source to destination.

192.168.0.22 ----------> This is the destination hostname or IP address.

80 ------------> This is the destination port number; it may be translated to a service name such as http.

S ---------> This is the TCP flag. The S represents a SYN flag.

1192278531:1192278531(0) ------------> This is the beginning TCP sequence number:ending TCP sequence number(data bytes). Sequence numbers are used by TCP to order the data received. The initial sequence number (ISN) is selected as a unique number to mark the first byte of data. The ending sequence number is the beginning sequence number plus the number of bytes being sent with this TCP segment. In this case zero bytes were sent, so the beginning and ending sequence numbers are the same. A line may also show an acknowledgment (ack) number.

win 1638 --------------> This is the receive buffer size in bytes of the source host (ctechz.blogspot) for this connection.



TCP Flag      Flag Representation   Flag Meaning

SYN           S                     Session establishment request, which is the first part of any TCP connection (3-way handshake).
ACK           ack                   The ACK flag is generally used to acknowledge the receipt of data from the sender. Might be in conjunction with other flags.
FIN           F                     The FIN flag is generally used to indicate the sender's intention to gracefully terminate the sending host's connection to the receiving host.
RESET         R                     The RESET flag is generally used to indicate the sender's intention to immediately abort the existing connection with the receiving host.
PUSH          P                     The PUSH flag is generally used to immediately "push" data from the sending host to the receiving host. This is for applications like telnet where response time is a primary concern.
URGENT        urg                   The URGENT flag is generally used to mean that there is "urgent" data that takes precedence over other data.
Placeholder   .                     If the connection does not have a SYN, FIN, RESET, or PUSH flag set, a placeholder (a period: .) will be found after the destination port.
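
As an added example (not code from the original post), this Python parser turns lines in the output style shown above into the fields described, decodes the flag letters from the table, and checks that the ending sequence number equals the beginning plus the data bytes. The regular expression, the function names, and the second and third sample lines are constructed for illustration.

```python
import re

# Flag letters from the table above; "." is the placeholder for "none of these".
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RESET", "P": "PUSH"}

# Matches the output style shown in this post (newer tcpdump versions print
# "Flags [S], seq ..." instead and need a different pattern).
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{6})\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SFRP.]+)"
    r"(?:\s+(?P<begin>\d+):(?P<end>\d+)\((?P<length>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"(?:\s+win\s+(?P<win>\d+))?"
)

def split_endpoint(endpoint):
    """Split 'host.port' on the last dot, since host names and IPs contain dots."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def parse_line(line):
    """Return the fields of one TCP line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    num = lambda key: int(m[key]) if m[key] is not None else None
    flags = [FLAG_NAMES[c] for c in m["flags"] if c != "."]
    if m["ack"] is not None:
        flags.append("ACK")
    rec = {"time": m["time"], "flags": flags, "ack": num("ack"), "win": num("win"),
           "seq_begin": num("begin"), "seq_end": num("end"), "length": num("length")}
    rec["src_host"], rec["src_port"] = split_endpoint(m["src"])
    rec["dst_host"], rec["dst_port"] = split_endpoint(m["dst"])
    # The ending sequence number must equal the beginning plus the data bytes.
    if rec["seq_begin"] is not None:
        rec["seq_consistent"] = rec["seq_end"] == rec["seq_begin"] + rec["length"]
    return rec

# First line is the sample from this post; the other two are constructed.
SAMPLE = """\
20:08:41.313149 ctechz.blogspot.1086 > 192.168.0.22.80: S 1192278531:1192278531(0) win 1638
20:08:41.313420 192.168.0.22.80 > ctechz.blogspot.1086: S 3340018823:3340018823(0) ack 1192278532 win 5840
20:08:41.313510 ctechz.blogspot.1086 > 192.168.0.22.80: . ack 1 win 1638
"""

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        print(parse_line(line))
```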

Like the IP header, the TCP (Transmission Control Protocol) header stores information about the packet:


  • Source Port
  • Destination Port
  • Sequence Number
  • Acknowledgement Number
  • Data Offset
  • Flags
  • Window
  • Checksum
  • Urgent Pointer
  • Options
  • Padding
A packet contains all of the above information.

