> I noticed some traffic to my system (home system) and captured some with
> tcpdump.  This was a quick grab, so I didn't think to do anything other
> than `tcpdump -i eth1`.  In the listing below, I've substituted
> my_machine.org for my machine's name.  The traffic is NOT coming from my
> internal network.  Where can I find a listing of the flags FP and R?
> Any ideas as to what's happening here?
> 
> 
> 08:21:38.088650 < 10.1.12.50.https > my_machine.org.3520: FP 1196603461:1196603484(23) ack 3231268890 win 18980 (DF)
> 08:21:38.088774 > my_machine.org.3520 > 10.1.12.50.https: R 3231268890:3231268890(0) win 0
> 08:21:39.148463 < 10.1.12.50.https > my_machine.org.3513: FP 1196270970:1196270993(23) ack 3230729531 win 18980 (DF)
> 08:21:39.148564 > my_machine.org.3513 > 10.1.12.50.https: R 3230729531:3230729531(0) win 0
> 08:21:39.199042 < 10.1.12.50.https > my_machine.org.3519: FP 1196573126:1196573149(23) ack 3224337197 win 18980 (DF)
> 08:21:39.199131 > my_machine.org.3519 > 10.1.12.50.https: R 3224337197:3224337197(0) win 0
> 08:21:39.228687 < 10.1.12.50.https > my_machine.org.3518: FP 1196470666:1196470689(23) ack 3222830199 win 18980 (DF)
> 08:21:39.228767 > my_machine.org.3518 > 10.1.12.50.https: R 3222830199:3222830199(0) win 0
> 

Well, from the looks of it you're having a secure http transaction with
some site... although next time you might want to use


        tcpdump -qtni eth1


this will filter out most of the "junk" from each transaction and will
stop name lookups on each IP (a huge timesaver for fast output).

The R, P, F are all TCP control bits (R = RST, P = PSH, F = FIN, S =
SYN)... if you were monitoring the initial setup stages of a TCP
connection in tcpdump, you would notice an S (SYN) flag sent, along with
some other control measures used to set up dialogue between the two TCP
stacks.

If you really want to know about this stuff, here is a simple and brief
tutorial on TCP negotiation


        http://www.scit.wlv.ac.uk/~jphb/comms/tcp.html


or try the original TCP RFC for even better reading :)


        http://www.cis.ohio-state.edu/htbin/rfc/rfc793.html


tcpdump, if learned, can be very powerful in diagnosing problems. Check
out the man page thoroughly; I'm sure you'll enjoy it.









Robert Soros
[EMAIL PROTECTED]
http://soros.ath.cx
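
As an added example (not part of the original post or the reply), the Python sketch below decodes the flag letters listed in the reply and pairs each inbound FIN+PSH segment from the quoted capture with the RST sent back for it. The function names are hypothetical, and the sample lines are the capture's own with the e-mail line wraps re-joined.

```python
import re

# Flag letters as listed in the reply: S = SYN, F = FIN, P = PSH, R = RST.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST"}

# Constructed sample: two exchanges from the quoted capture, wrapped lines re-joined.
SAMPLE = """\
08:21:38.088650 < 10.1.12.50.https > my_machine.org.3520: FP 1196603461:1196603484(23) ack 3231268890 win 18980 (DF)
08:21:38.088774 > my_machine.org.3520 > 10.1.12.50.https: R 3231268890:3231268890(0) win 0
08:21:39.148463 < 10.1.12.50.https > my_machine.org.3513: FP 1196270970:1196270993(23) ack 3230729531 win 18980 (DF)
08:21:39.148564 > my_machine.org.3513 > 10.1.12.50.https: R 3230729531:3230729531(0) win 0
"""

# Matches the older tcpdump line layout shown in the post (direction marker, seq:end(len)).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>[<>]) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPR.]+) "
    r"(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)(?: ack (?P<ack>\d+))?"
)

def parse_capture(text):
    """Parse each recognised line into a dict with decoded flag names."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in any other layout
        rec = m.groupdict()
        rec["flags"] = [FLAG_NAMES[c] for c in rec["flags"] if c in FLAG_NAMES]
        for key in ("seq", "end", "len"):
            rec[key] = int(rec[key])
        rec["ack"] = int(rec["ack"]) if rec["ack"] else None
        records.append(rec)
    return records

def reset_pairs(records):
    """Pair each RST with the segment it answers: endpoints reversed, and the
    RST's sequence number equal to that segment's ack number (RFC 793)."""
    pending, pairs = {}, []
    for rec in records:
        if "RST" in rec["flags"]:
            seg = pending.pop((rec["dst"], rec["src"]), None)
            if seg and seg["ack"] == rec["seq"]:
                pairs.append((seg, rec))
        else:
            pending[(rec["src"], rec["dst"])] = rec
    return pairs

if __name__ == "__main__":
    for seg, rst in reset_pairs(parse_capture(SAMPLE)):
        print(seg["src"], "->", seg["dst"], "+".join(seg["flags"]),
              f"{seg['len']} bytes, answered by RST at {rst['ts']}")
```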



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
