How to Read Tcpdump Output in Linux With Vpn Connected
S – SYN (Start Connection)
. – No Flag Set
P – PSH (Push Data)
F – FIN (Finish Connection)
R – RST (Reset Connection)
"ack" means acknowledge, "win" means "sliding window", "mss" means "maximum segment size", "nop" means "no operation".
Flags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), W (ECN CWR) or E (ECN-Echo),
or a single '.' (no flags)
Selective Acknowledgment Permitted (SackOK): This option just says that selective acknowledgments are permitted for this connection. SackOK must be included in the TCP options in both the SYN and SYN/ACK packets during the TCP 3-way handshake, or it cannot be used. SackOK should not appear in any other packets.
The three-way handshake is simply the source host and the destination host requesting a connection, and then confirming to each other that a connection has been made. As mentioned above, to open a session a client determines a local source port and an Initial Sequence Number (ISN). The ISN is a randomly determined integer between 0 and 4,294,967,295. Communicating hosts exchange ISNs during connection initialization. Each host sets two counters: sequence and acknowledgement. In the context of a single TCP packet, the sequence number is set by the sending host, and the acknowledgement number is set by the receiving host.
Host A sends a TCP SYNchronize packet to Host B
Host B receives A's SYN
Host B sends a SYNchronize-ACKnowledgement
Host A receives B's SYN-ACK
Host A sends ACKnowledge
Host B receives ACK.
TCP socket connection is ESTABLISHED.
TCP Three Way Handshake (SYN,SYN-ACK,ACK) – See more at this URL:
[[email protected] CP1:0]# tcpdump -i Mgmt host 172.16.1.53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Mgmt, link-type EN10MB (Ethernet), capture size 96 bytes
09:37:38.370763 IP 10.9.20.14 > 172.16.1.53: ICMP echo request, id 1, seq 3, length 40
09:37:38.372210 IP 172.16.1.53 > 10.9.20.14: ICMP echo reply, id 1, seq 3, length 40
09:37:39.365648 IP 10.9.20.14 > 172.16.1.53: ICMP echo request, id 1, seq 4, length 40
09:37:39.366558 IP 172.16.1.53 > 10.9.200.14: ICMP echo reply, id 1, seq 4, length 40
09:37:40.363506 IP 10.9.20.14 > 172.16.1.53: ICMP echo request, id 1, seq 5, length 40
09:37:40.364318 IP 172.16.1.53 > 10.9.20.14: ICMP echo reply, id 1, seq 5, length 40
09:37:41.361947 IP 10.9.20.14 > 172.16.1.53: ICMP echo request, id 1, seq 6, length 40
09:37:41.362771 IP 172.16.1.53 > 10.9.20.14: ICMP echo reply, id 1, seq 6, length 40
[[email protected]:0]# tcpdump -v -nn -i Mgmt host 172.16.1.53
tcpdump: listening on Mgmt, link-type EN10MB (Ethernet), capture size 96 bytes
09:38:29.232691 IP (tos 0x0, ttl 126, id 5783, offset 0, flags [none], proto: ICMP (1), length: 60) 10.9.20.14 > 172.16.1.53: ICMP echo request, id 1, seq 7, length 40
09:38:29.233395 IP (tos 0x0, ttl 127, id 4146, offset 0, flags [none], proto: ICMP (1), length: 60) 172.16.1.53 > 10.9.20.14: ICMP echo reply, id 1, seq 7, length 40
09:38:30.222653 IP (tos 0x0, ttl 126, id 5788, offset 0, flags [none], proto: ICMP (1), length: 60) 10.9.20.14 > 172.16.1.53: ICMP echo request, id 1, seq 8, length 40
09:38:30.223565 IP (tos 0x0, ttl 127, id 4147, offset 0, flags [none], proto: ICMP (1), length: 60) 172.16.1.53 > 10.9.20.14: ICMP echo reply, id 1, seq 8, length 40
09:38:31.220764 IP (tos 0x0, ttl 126, id 5791, offset 0, flags [none], proto: ICMP (1), length: 60) 10.9.20.14 > 172.16.1.53: ICMP echo request, id 1, seq 9, length 40
09:38:31.221607 IP (tos 0x0, ttl 127, id 4149, offset 0, flags [none], proto: ICMP (1), length: 60) 172.16.1.53 > 10.9.20.14: ICMP echo reply, id 1, seq 9, length 40
09:38:32.235355 IP (tos 0x0, ttl 126, id 5795, offset 0, flags [none], proto: ICMP (1), length: 60) 10.9.20.14 > 172.16.1.53: ICMP echo request, id 1, seq 10, length 40
09:38:32.236151 IP (tos 0x0, ttl 127, id 4152, offset 0, flags [none], proto: ICMP (1), length: 60) 172.16.1.53 > 10.9.20.14: ICMP echo reply, id 1, seq 10, length 40
[[email protected]:0]# tcpdump -vvv -nn -i eth1-01 host 19.26.16.19
tcpdump: listening on eth1-01, link-type EN10MB (Ethernet), capture size 96 bytes
11:39:04.822700 IP (tos 0x0, ttl 126, id 7241, offset 0, flags [DF], proto: TCP (6), length: 52) 19.26.16.19.10747 > 19.26.16.24.443: S, cksum 0xea51 (correct), 2579834556:2579834556(0) win 8192 //SYN
11:39:04.826136 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto: TCP (6), length: 52) 19.26.16.24.443 > 19.26.16.19.10747: S, cksum 0x99db (correct), 487537799:487537799(0) ack 2579834557 win 5840 // SYN ACK
11:39:04.826153 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto: TCP (6), length: 52) 19.26.16.24.443 > 19.26.16.19.10747: S, cksum 0x99db (correct), 487537799:487537799(0) ack 2579834557 win 5840 // This packet is a repeated SYN ACK
11:39:04.826926 IP (tos 0x0, ttl 125, id 7242, offset 0, flags [DF], proto: TCP (6), length: 52) 19.26.16.19.10747 > 10.9.1.25.443: ., cksum 0xd4d0 (correct), 2579834557:2579834557(0) ack 487537800 win 256 //ACK
11:39:06.883076 IP (tos 0x0, ttl 125, id 7243, offset 0, flags [DF], proto: TCP (6), length: 42) 19.26.16.19.10747 > 10.9.1.25.443: P, cksum 0xb101 (correct), 0:2(2) ack 1 win 256
11:39:06.883285 IP (tos 0x0, ttl 63, id 16050, offset 0, flags [DF], proto: TCP (6), length: 40) 19.26.16.24.443 > 19.26.16.19.10747: ., cksum 0xf14d (correct), 1:1(0) ack 3 win 46
11:39:07.048713 IP (tos 0x0, ttl 125, id 7244, offset 0, flags [DF], proto: TCP (6), length: 42) 19.26.16.19.10747 > 10.9.1.25.443: P, cksum 0xb0ff (correct), 2:4(2) ack 1 win 256
11:39:07.048905 IP (tos 0x0, ttl 63, id 16051, offset 0, flags [DF], proto: TCP (6), length: 40) 19.26.16.24.443 > 19.26.16.19.10747: ., cksum 0xf14b (correct), 1:1(0) ack 5 win 46
11:39:07.199352 IP (tos 0x0, ttl 125, id 7245, offset 0, flags [DF], proto: TCP (6), length: 42) 19.26.16.19.10747 > 10.9.1.25.443: P, cksum 0xb0fd (correct), 4:6(2) ack 1 win 256
11:39:07.199883 IP (tos 0x0, ttl 63, id 16052, offset 0, flags [DF], proto: TCP (6), length: 40) 19.26.16.24.443 > 19.26.16.19.10747: ., cksum 0xf149 (correct), 1:1(0) ack 7 win 46
11:39:07.342045 IP (tos 0x0, ttl 125, id 7246, offset 0, flags [DF], proto: TCP (6), length: 42) 19.26.16.19.10747 > 10.9.1.25.443: P, cksum 0xb0fb (correct), 6:8(2) ack 1 win 256
11:39:07.342228 IP (tos 0x0, ttl 63, id 16053, offset 0, flags [DF], proto: TCP (6), length: 40) 19.26.16.24.443 > 19.26.16.19.10747: ., cksum 0xf147 (correct), 1:1(0) ack 9 win 46
11:39:07.492210 IP (tos 0x0, ttl 125, id 7247, offset 0, flags [DF], proto: TCP (6), length: 42) 19.26.16.19.10747 > 10.9.1.25.443: P, cksum 0xb0f9 (correct), 8:10(2) ack 1 win 256
11:39:07.492407 IP (tos 0x0, ttl 63, id 16054, offset 0, flags [DF], proto: TCP (6), length: 40) 19.26.16.24.443 > 19.26.16.19.10747: ., cksum 0xf145 (correct), 1:1(0) ack 11 win 46
11:39:07.634867 IP (tos 0x0, ttl 125, id 7248, offset 0, flags [DF], proto: TCP (6), length: 42) 19.26.16.19.10747 > 10.9.1.25.443: P, cksum 0xb0f7 (correct), 10:12(2) ack 1 win 256
11:39:07.635119 IP (tos 0x0, ttl 63, id 16055, offset 0, flags [DF], proto: TCP (6), length: 40) 19.26.16.24.443 > 19.26.16.19.10747: ., cksum 0xf143 (correct), 1:1(0) ack 13 win 46
11:39:07.635269 IP (tos 0x0, ttl 63, id 16056, offset 0, flags [DF], proto: TCP (6), length: 40) 19.26.16.24.443 > 19.26.16.19.10747: F, cksum 0xf142 (correct), 1:1(0) ack 13 win 46
11:39:07.635864 IP (tos 0x0, ttl 125, id 7249, offset 0, flags [DF], proto: TCP (6), length: 40) 19.26.16.19.10747 > 10.9.1.25.443: ., cksum 0xbe08 (correct), 12:12(0) ack 2 win 256
11:39:07.635927 IP (tos 0x0, ttl 125, id 7250, offset 0, flags [DF], proto: TCP (6), length: 40) 19.26.16.19.10747 > 10.9.1.25.443: F, cksum 0xbe07 (correct), 12:12(0) ack 2 win 256
11:39:07.636058 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 19.26.16.24.443 > 19.26.16.19.10747: ., cksum 0xf141 (correct), 2:2(0) ack 14 win 46
[[email protected]:0]# tcpdump -v -nn -i Mgmt host 172.16.1.53
tcpdump: listening on Mgmt, link-type EN10MB (Ethernet), capture size 96 bytes
09:46:34.443382 IP (tos 0x0, ttl 126, id 7173, offset 0, flags [DF], proto: TCP (6), length: 52) 10.9.2.14.50831 > 172.16.1.53.22: S, cksum 0xac58 (correct), 3232602545:3232602545(0) win 8192
09:46:34.444081 IP (tos 0x0, ttl 127, id 6889, offset 0, flags [DF], proto: TCP (6), length: 52) 172.16.1.53.22 > 10.9.2.14.50831: S, cksum 0xb937 (correct), 41283738:41283738(0) ack 3232602546 win 8192
09:46:34.444916 IP (tos 0x0, ttl 126, id 7175, offset 0, flags [DF], proto: TCP (6), length: 40) 10.9.2.14.50831 > 172.16.1.53.22: ., cksum 0x190b (correct), ack 1 win 256
09:46:34.452567 IP (tos 0x0, ttl 127, id 6893, offset 0, flags [DF], proto: TCP (6), length: 73) 172.16.1.53.22 > 10.9.2.14.50831: P, cksum 0x1960 (correct), 1:34(33) ack 1 win 256
09:46:34.647359 IP (tos 0x0, ttl 126, id 7180, offset 0, flags [DF], proto: TCP (6), length: 40) 10.9.2.14.50831 > 172.16.1.53.22: ., cksum 0x18ea (correct), ack 34 win 256
09:46:35.764373 IP (tos 0x0, ttl 126, id 7184, offset 0, flags [DF], proto: TCP (6), length: 41) 10.9.2.14.50831 > 172.16.1.53.22: P, cksum 0x15e1 (correct), 1:2(1) ack 34 win 256
09:46:35.764610 IP (tos 0x0, ttl 128, id 9109, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.1.53.22 > 10.9.2.14.50831: R, cksum 0x19f6 (correct), 41283772:41283772(0) win 0
[[email protected]:0]# tcpdump -v -nn -i Mgmt host 172.16.1.53
tcpdump: listening on Mgmt, link-type EN10MB (Ethernet), capture size 96 bytes
09:47:11.477696 IP (tos 0x0, ttl 126, id 30923, offset 0, flags [none], proto: TCP (6), length: 44) 10.9.2.14.50864 > 172.16.1.53.21: S, cksum 0xebe1 (correct), 2535345973:2535345973(0) win 32120
09:47:11.479045 IP (tos 0x0, ttl 127, id 6954, offset 0, flags [DF], proto: TCP (6), length: 44) 172.16.1.53.21 > 10.9.2.14.50864: S, cksum 0x31a2 (correct), 3764401990:3764401990(0) ack 2535345974 win 8192
09:47:11.480173 IP (tos 0x0, ttl 126, id 30925, offset 0, flags [none], proto: TCP (6), length: 40) 10.9.2.14.50864 > 172.16.1.53.21: ., cksum 0xebe6 (correct), ack 1 win 32120
09:47:11.480858 IP (tos 0x0, ttl 127, id 6955, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.1.53.21 > 10.9.2.14.50864: ., cksum 0x695f (correct), ack 1 win 65535
09:47:11.690070 IP (tos 0x0, ttl 127, id 6959, offset 0, flags [DF], proto: TCP (6), length: 334) 172.16.1.53.21 > 10.9.2.14.50864: P 1:295(294) ack 1 win 65535
09:47:11.690579 IP (tos 0x0, ttl 126, id 30926, offset 0, flags [none], proto: TCP (6), length: 40) 10.9.2.14.50864 > 172.16.1.53.21: ., cksum 0xebe6 (correct), ack 295 win 31826
09:47:13.470582 IP (tos 0x0, ttl 126, id 30933, offset 0, flags [none], proto: TCP (6), length: 46) 10.9.2.14.50864 > 172.16.1.53.21: P, cksum 0x02bf (correct), 1:7(6) ack 295 win 32120
09:47:13.472164 IP (tos 0x0, ttl 127, id 6963, offset 0, flags [DF], proto: TCP (6), length: 81) 172.16.1.53.21 > 10.9.2.14.50864: P, cksum 0xc94d (correct), 295:336(41) ack 7 win 65529
09:47:13.472557 IP (tos 0x0, ttl 126, id 30934, offset 0, flags [none], proto: TCP (6), length: 40) 10.9.2.14.50864 > 172.16.1.53.21: ., cksum 0xeaba (correct), ack 336 win 32079
09:47:13.473093 IP (tos 0x0, ttl 127, id 6965, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.1.53.21 > 10.9.2.14.50864: F, cksum 0x680f (correct), 336:336(0) ack 7 win 65529
09:47:13.473336 IP (tos 0x0, ttl 126, id 30936, offset 0, flags [none], proto: TCP (6), length: 40) 10.9.2.14.50864 > 172.16.1.53.21: ., cksum 0xea90 (correct), ack 337 win 32120
09:47:13.489842 IP (tos 0x0, ttl 126, id 30939, offset 0, flags [none], proto: TCP (6), length: 40) 10.9.2.14.50864 > 172.16.1.53.21: F, cksum 0xea8f (correct), 7:7(0) ack 337 win 32120
09:47:13.490369 IP (tos 0x0, ttl 127, id 6967, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.1.53.21 > 10.9.2.14.50864: ., cksum 0x680e (correct), ack 8 win 65529
09:47:14.836964 IP (tos 0x0, ttl 126, id 19859, offset 0, flags [DF], proto: TCP (6), length: 112) 10.9.16.48.58884 > 172.16.1.53.445: P 1912308033:1912308105(72) ack 3052976289 win 258
09:47:14.836979 IP (tos 0x0, ttl 126, id 19860, offset 0, flags [DF], proto: TCP (6), length: 112) 10.9.16.48.58884 > 172.16.1.53.445: P 72:144(72) ack 1 win 258
09:47:14.837677 IP (tos 0x0, ttl 127, id 6970, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.1.53.445 > 10.9.16.48.58884: ., cksum 0x9ad5 (correct), ack 144 win 258
09:47:14.837693 IP (tos 0x0, ttl 127, id 6971, offset 0, flags [DF], proto: TCP (6), length: 112) 172.16.1.53.445 > 10.9.16.48.58884: P 1:73(72) ack 144 win 258
09:47:14.837700 IP (tos 0x0, ttl 127, id 6972, offset 0, flags [DF], proto: TCP (6), length: 112) 172.16.1.53.445 > 10.9.16.48.58884: P 73:145(72) ack 144 win 258
09:47:14.838389 IP (tos 0x0, ttl 126, id 19870, offset 0, flags [DF], proto: TCP (6), length: 40) 10.9.16.48.58884 > 172.16.1.53.445: ., cksum 0x9a46 (correct), ack 145 win 257
09:47:14.838843 IP (tos 0x0, ttl 126, id 19872, offset 0, flags [DF], proto: TCP (6), length: 40) 10.9.16.48.58884 > 172.16.1.53.445: R, cksum 0x9b43 (correct), 144:144(0) ack 145 win 0
[[email protected]:0]# tcpdump -v -n -i eth1-01 host 12.25.20.4
tcpdump: listening on eth1-01, link-type EN10MB (Ethernet), capture size 96 bytes
10:59:02.525754 IP (tos 0x0, ttl 39, id 26220, offset 0, flags [none], proto: TCP (6), length: 60) 12.25.20.4.62712 > 19.26.16.5.ftps: S, cksum 0xd8cb (correct), 1970824717:1970824717(0) win 65535
10:59:02.526420 IP (tos 0x0, ttl 127, id 32480, offset 0, flags [DF], proto: TCP (6), length: 60) 19.26.16.5.ftps > 12.25.20.4.62712: S, cksum 0xdbb7 (correct), 2713847003:2713847003(0) ack 1970824718 win 8192
10:59:02.570606 IP (tos 0x0, ttl 38, id 26433, offset 0, flags [none], proto: TCP (6), length: 52) 12.25.20.4.62712 > 12.17.3.59.ftps: ., cksum 0xa43c (correct), ack 2713847004 win 4096
10:59:02.906868 IP (tos 0x0, ttl 46, id 22227, offset 0, flags [none], proto: TCP (6), length: 98) 12.25.20.4.62712 > 12.17.3.59.ftps: P 0:58(58) ack 1 win 2047
10:59:02.908200 IP (tos 0x0, ttl 127, id 32486, offset 0, flags [DF], proto: TCP (6), length: 1476) 19.26.16.5.ftps > 12.25.20.4.62712: . 1:1425(1424) ack 59 win 261
10:59:02.908216 IP (tos 0x0, ttl 127, id 32487, offset 0, flags [DF], proto: TCP (6), length: 245) 19.26.16.5.ftps > 12.25.20.4.62712: P 1425:1618(193) ack 59 win 261
10:59:02.949626 IP (tos 0x0, ttl 47, id 2661, offset 0, flags [none], proto: TCP (6), length: 40) 12.25.20.4.62712 > 12.17.3.59.ftps: ., cksum 0xfe5b (correct), ack 1 win 2047
10:59:02.968018 IP (tos 0x0, ttl 46, id 63635, offset 0, flags [none], proto: TCP (6), length: 366) 12.25.20.4.62712 > 12.17.3.59.ftps: P 58:384(326) ack 1618 win 2047
10:59:02.972322 IP (tos 0x0, ttl 46, id 41339, offset 0, flags [none], proto: TCP (6), length: 40) 12.25.20.4.62712 > 12.17.3.59.ftps: F, cksum 0xf6c3 (correct), 384:384(0) ack 1618 win 2047
10:59:02.972387 IP (tos 0x0, ttl 46, id 33795, offset 0, flags [none], proto: TCP (6), length: 40) 12.25.20.4.62712 > 12.17.3.59.ftps: ., cksum 0xf6c3 (correct), ack 1618 win 2047
10:59:02.972523 IP (tos 0x0, ttl 127, id 32489, offset 0, flags [DF], proto: TCP (6), length: 52) 19.26.16.5.ftps > 12.25.20.4.62712: ., cksum 0x1e55 (correct), ack 386 win 260
10:59:02.972737 IP (tos 0x0, ttl 127, id 32490, offset 0, flags [DF], proto: TCP (6), length: 52) 19.26.16.5.ftps > 12.25.20.4.62712: F, cksum 0x1e54 (correct), 1618:1618(0) ack 386 win 260
10:59:03.015360 IP (tos 0x0, ttl 46, id 24500, offset 0, flags [none], proto: TCP (6), length: 40) 12.25.20.4.62712 > 12.17.3.59.ftps: ., cksum 0xf6c2 (correct), ack 1619 win 2047
6. SQL Example
[[email protected]:0]# tcpdump -i eth1-02.104 host 172.16.1.2
10:39:52.671997 IP 172.16.1.2.19209 > 10.9.10.252.ms-sql-s: S 3761967874:3761967874(0) win 8192
10:39:52.673393 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19209: S 4159880273:4159880273(0) ack 3761967875 win 8192
10:39:52.673743 IP 172.16.1.2.19209 > 10.9.10.252.ms-sql-s: . ack 1 win 256
10:39:52.673970 IP 172.16.1.2.19209 > 10.9.10.252.ms-sql-s: P 1:48(47) ack 1 win 256
10:39:52.674791 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19209: P 1:44(43) ack 48 win 256
10:39:52.675230 IP 172.16.1.2.19209 > 10.9.10.252.ms-sql-s: P 48:151(103) ack 44 win 256
10:39:52.675570 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19209: P 44:661(617) ack 151 win 256
10:39:52.676104 IP 172.16.1.2.19209 > 10.9.10.252.ms-sql-s: P 151:357(206) ack 661 win 254
10:39:52.676980 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19209: P 661:728(67) ack 357 win 255
10:39:52.677889 IP 172.16.1.2.19209 > 10.9.10.252.ms-sql-s: P 357:714(357) ack 728 win 253
10:39:52.680064 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19209: P 728:1141(413) ack 714 win 254
10:39:52.681073 IP 172.16.1.2.19209 > 10.9.10.252.ms-sql-s: P 714:866(152) ack 1141 win 252
10:39:52.681402 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19209: P 1141:1510(369) ack 866 win 253
A problem SQL session:
[[email protected]:0]# tcpdump -i eth1-02.104 host 172.16.1.2
11:03:28.691563 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: S 3948339855:3948339855(0) win 8192
11:03:28.692264 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19451: S 909862134:909862134(0) ack 3948339856 win 8192
11:03:28.692795 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: . ack 1 win 256
11:03:28.693041 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: P 1:48(47) ack 1 win 256
11:03:28.998541 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: P 1:48(47) ack 1 win 256
11:03:29.606984 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: P 1:48(47) ack 1 win 256
11:03:30.808145 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: P 1:48(47) ack 1 win 256
11:03:31.692318 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19451: S 909862134:909862134(0) ack 3948339856 win 8192
11:03:31.692610 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: . ack 1 win 256
11:03:32.025035 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: P 1:48(47) ack 1 win 256
11:03:33.226224 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: P 1:48(47) ack 1 win 256
11:03:35.628622 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: P 1:48(47) ack 1 win 256
11:03:37.690075 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19451: S 909862134:909862134(0) ack 3948339856 win 65535
11:03:37.690422 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: . ack 1 win 256
11:03:40.449096 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: P 1:48(47) ack 1 win 256
11:03:43.681010 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: F 48:48(0) ack 1 win 256 //Finish packets
11:03:49.690374 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19451: R 909862135:909862135(0) win 0 // Reset packets
7. A Problem Telnet Session
[[email protected]:0]# tcpdump -v -n -i eth1-01 host 19.26.16.129
tcpdump: listening on eth1-01, link-type EN10MB (Ethernet), capture size 96 bytes
11:17:59.759390 IP (tos 0x0, ttl 126, id 360, offset 0, flags [DF], proto: TCP (6), length: 52) 19.26.16.129.10329 > 19.26.16.24.telnet: S, cksum 0x8b11 (correct), 4098502333:4098502333(0) win 8192
11:18:02.756485 IP (tos 0x0, ttl 126, id 469, offset 0, flags [DF], proto: TCP (6), length: 52) 19.26.16.129.10329 > 19.26.16.24.telnet: S, cksum 0x8b11 (correct), 4098502333:4098502333(0) win 8192
11:18:08.760662 IP (tos 0x0, ttl 126, id 658, offset 0, flags [DF], proto: TCP (6), length: 48) 19.26.16.129.10329 > 19.26.16.24.telnet: S, cksum 0x9f20 (correct), 4098502333:4098502333(0) win 8192
Notes: 19.26.16.24 sent three SYN packets to 19.26.16.129, but received nothing back.
4098502333:4098502333(0) means the sending TCP stack is setting 4098502333 as the initial sequence number (ISN), and "0" (no) data is being passed in this packet.
Generic TCP
Here's a line of output related to an SSH session. Note the -v parameter has been used; without it, the IP header information and some of the TCP information is not displayed.
22:24:18.910372 IP (tos 0x10, ttl 64, id 9792, offset 0, flags [DF], proto TCP (6), length 88)
78.47.105.76.ssh > 82.132.219.219.55495: Flags [P.], cksum 0xcb29 (correct), seq 497880562:497880610, ack 1593322765, win 379, length 48
So, let's break down the components (bits and octets related to the IP header);
- 22:24:18.910372 – the datagram's timestamp
- IP (tos 0x10, ttl 64, id 9792, offset 0, flags [DF], proto TCP (6), length 88) – the layer 3 datagram's header f
ields and values;
- tos 0x10 – the IP TOS value (more correctly in the present context, the DS and ECN fields) (8 bits, 2nd octet)
- ttl 64 – the IP TTL value (8 bits, 9th octet)
- id 9792 – mostly used for identifying the parts of a fragmented datagram; incremented by one with every packet sent (16 bits, 5th and 6th octets)
- offset 0 – the fragment offset, used with fragmented packets (13 bits of the 7th and 8th octets)
- flags [DF] – any IP flags set; [DF] for Don't Fragment and [MF] for More Fragments (3 bits of the 7th octet)
- proto TCP (6) – the higher layer (4) protocol and its number (8 bits, 10th octet)
- length 88 – the entire IP packet length, including headers (16 bits, 3rd and 4th octets)
- 78.47.105.76.ssh – the source IP address and port
- 82.132.219.219.55495 – the destination IP address and port
- Flags [P.] – any TCP flags; a period '.' indicates an ACK
- cksum 0xcb29 (correct) – the packet's TCP checksum value
- seq 497880562:497880610 – the TCP packet's sequence number
- ack 1593322765 – the TCP packet's acknowledgement number
- win 379 – the source host's TCP window
- length 48 – the TCP packet length, including headers
Generic UDP
It's odd how often people don't think they even use UDP, but we all do for Voice, Video, DNS, DHCP, NTP, VXLAN and the like.
Here's some output related to DNS. Request without -v;
22:54:40.769351 IP 78.47.105.76.6891 > 213.133.100.100.domain: 28642+ AAAA? vps.allenz.eu. (31)
Response with -v; as you can see, without it the IP header information and the UDP information is not displayed;
22:47:08.352707 IP (tos 0x0, ttl 60, id 1457, offset 0, flags [none], proto UDP (17), length 72)
213.133.99.99.domain > 78.47.105.76.16165: [udp sum ok] 11711 ServFail q: A? 40.1.255.158.bl.tiopan.com. 0/0/0 (44)
So, let's break down the components of that last one;
- 22:47:08.352707 – the datagram's timestamp
- IP (tos 0x0, ttl 60, id 1457, offset 0, flags [none], proto UDP (17), length 72) – the layer 3 datagram's header fields and values;
- tos 0x0 – the IP TOS value (more correctly in the present context, the DS and ECN fields) (8 bits, 2nd octet)
- ttl 60 – the IP TTL value (8 bits, 9th octet)
- id 1457 – generally used for identifying the parts of a fragmented datagram; incremented by one with every packet sent (16 bits, 5th and 6th octets)
- offset 0 – the fragment offset, used with fragmented packets (13 bits of the 7th and 8th octets)
- flags [none] – any IP flags set; [DF] for Don't Fragment and [MF] for More Fragments (3 bits of the 7th octet)
- proto UDP (17) – the higher layer (4) protocol and its number (8 bits, 10th octet)
- length 72 – the entire IP packet length, including headers (16 bits, 3rd and 4th octets)
- 213.133.99.99.domain – the source IP address and port
- 78.47.105.76.16165 – the destination IP address and port
- [udp sum ok] – the datagram's checksum status
- Everything else relates to the DNS application response.
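To make the two field breakdowns above mechanical, here is an added example in Python (not code from the original page): it parses a tcpdump -v line into the IP header fields, the two endpoints and the TCP or UDP summary, using the SSH and DNS lines quoted above as input. The Packet field names and the FLAG_NAMES table are my own; the final check confirms that "seq a:b" spans exactly the number of bytes reported as "length".

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple

# The two -v lines quoted on this page (an SSH segment and a DNS reply), used as sample input.
SSH_LINE = ("22:24:18.910372 IP (tos 0x10, ttl 64, id 9792, offset 0, flags [DF], proto TCP (6), length 88) "
            "78.47.105.76.ssh > 82.132.219.219.55495: Flags [P.], cksum 0xcb29 (correct), "
            "seq 497880562:497880610, ack 1593322765, win 379, length 48")
DNS_LINE = ("22:47:08.352707 IP (tos 0x0, ttl 60, id 1457, offset 0, flags [none], proto UDP (17), length 72) "
            "213.133.99.99.domain > 78.47.105.76.16165: [udp sum ok] 11711 ServFail q: A? "
            "40.1.255.158.bl.tiopan.com. 0/0/0 (44)")

# The parenthesised IP header that -v adds ("proto:" / "length:" with colons on older builds),
# then "src > dst: " and the per-protocol remainder.
IP_HDR = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(tos (?P<tos>0x[0-9a-f]+), ttl (?P<ttl>\d+), id (?P<id>\d+), "
    r"offset (?P<offset>\d+), flags \[(?P<ipflags>[^\]]*)\], proto:? (?P<proto>\w+) \((?P<pnum>\d+)\), "
    r"length:? (?P<iplen>\d+)\)\s+(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
# TCP remainder: Flags [..], cksum, seq a:b (or a lone seq), ack, win, options, length.
TCP_PART = re.compile(
    r"Flags \[(?P<flags>[^\]]*)\](?:, cksum (?P<cksum>0x[0-9a-f]+) \((?P<ckstat>[^)]*)\))?"
    r"(?:, seq (?P<seq0>\d+)(?::(?P<seq1>\d+))?)?(?:, ack (?P<ack>\d+))?(?:, win (?P<win>\d+))?"
    r"(?:, options \[(?P<opts>[^\]]*)\])?(?:, length (?P<tcplen>\d+))?")
UDP_PART = re.compile(r"\[udp sum (?P<ckstat>\w+)\]\s*(?P<app>.*)")
# tcpdump's single-letter TCP flags; '.' is ACK, as the breakdown above notes.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", ".": "ACK", "U": "URG", "E": "ECE", "W": "CWR"}

@dataclass
class Packet:
    ts: str
    tos: int
    ttl: int
    ip_id: int
    offset: int
    ip_flags: str        # "DF", "none", ...
    proto: str           # "TCP" or "UDP"
    proto_num: int
    ip_len: int          # whole IP packet, headers included
    src: str             # "addr.port"; the port may be a service name (ssh, domain)
    dst: str
    tcp_flags: set = field(default_factory=set)
    seq: Optional[Tuple[int, int]] = None
    ack: Optional[int] = None
    win: Optional[int] = None
    tcp_len: Optional[int] = None   # the trailing "length N" of the TCP summary
    cksum_ok: Optional[bool] = None
    app: str = ""        # application-level decode (for UDP, the DNS answer text)

def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """'78.47.105.76.ssh' -> ('78.47.105.76', 'ssh'): the port is whatever follows the last dot."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def parse_verbose_line(line: str) -> Packet:
    m = IP_HDR.match(line.strip())
    if not m:
        raise ValueError("not a tcpdump -v IP line: %r" % line)
    pkt = Packet(ts=m["ts"], tos=int(m["tos"], 16), ttl=int(m["ttl"]), ip_id=int(m["id"]),
                 offset=int(m["offset"]), ip_flags=m["ipflags"], proto=m["proto"],
                 proto_num=int(m["pnum"]), ip_len=int(m["iplen"]), src=m["src"], dst=m["dst"])
    rest = m["rest"]
    if pkt.proto == "TCP":
        t = TCP_PART.match(rest)
        if not t:
            raise ValueError("unrecognised TCP summary: %r" % rest)
        pkt.tcp_flags = {FLAG_NAMES.get(c, c) for c in t["flags"]}
        if t["seq0"]:
            pkt.seq = (int(t["seq0"]), int(t["seq1"] or t["seq0"]))
        pkt.ack = int(t["ack"]) if t["ack"] else None
        pkt.win = int(t["win"]) if t["win"] else None
        pkt.tcp_len = int(t["tcplen"]) if t["tcplen"] else None
        pkt.cksum_ok = (t["ckstat"] == "correct") if t["ckstat"] else None
    elif pkt.proto == "UDP":
        u = UDP_PART.match(rest)
        pkt.cksum_ok = (u["ckstat"] == "ok") if u else None
        pkt.app = u["app"] if u else rest
    else:
        pkt.app = rest
    return pkt

def seq_span_matches_length(pkt: Packet) -> Optional[bool]:
    """'seq a:b' covers b - a payload bytes; that must equal the trailing 'length N'."""
    if pkt.seq is None or pkt.tcp_len is None:
        return None
    return pkt.seq[1] - pkt.seq[0] == pkt.tcp_len
```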
Notes on the proto(col) Field
You can find a full list of protocol number assignments here. Here's a few more you might know;
- ICMP (1)
- IGMP (2)
- GRE (47)
- ESP (50)
- VINES (83)
- EIGRP (88)
- ETHERIP (97)
- OSPF (89)
- VRRP (112)
- L2TP (115)
- SCTP (132)
Notes on Service Ports
I'm sure you all know this but anyway, valid port numbers are 0 through to 65535. If you want to live by IANA assignments (and we all should, right?);
- 0 to 1023 are reserved for well known applications
- 1024 to 49151 are registered (with IANA) ports
- 49152 to 65535 are user and dynamic ports (aka ephemeral or temporary)
Protocol Formatting
tcpdump provides information formatting for the following protocols amongst others (see Jens' comments below for more information);
- ICMP
- ISAKMP
- ARP
- NTP
- DNS
- STP
- HSRP
- SNMP
- RADIUS
Thanks again to Jens for this: if you see '[|proto]' at the end of the verbose output, e.g. '[|radius]', the snap length is too small for the application data to be captured; just increase it (using the -s0 parameter) to see the complete application data.
Here's a few examples;
ARP: 22:45:47.220050 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 78.47.108.52 tell 78.47.108.49, length 46
NTP (with -v);
78.47.105.76.ntp > 213.239.239.166.ntp: NTPv4, length 48
Client, Leap indicator: (0), Stratum 3 (secondary reference), poll 10s, precision -22
Root Delay: 0.020477, Root dispersion: 0.056991, Reference-ID: 83.137.98.96
…
DNS: 213.133.99.99.domain > 78.47.105.76.16165: [udp sum ok] 11711 ServFail q: A? 40.1.255.158.bl.tiopan.com. 0/0/0 (44)
Here are some Tcpdump Scenarios from Making a Connection with tcpdump, Part II
Scenario 1: Established Telnet Connection
Using tcpdump we can analyze the PDUs that establish and end a TCP/IP connection. TCP uses a special mechanism to open and close connections. The tcpdump output below displays data from different connection scenarios between host 192.168.2.10 and 192.168.2.165. The following tcpdump command and options were used to generate the output:
#tcpdump -nn host 192.168.2.165 and port 23
Before examining the output, let's take a detour and get a brief overview of TCP/IP connection management. This small detour will assist those individuals who are new to protocols. To guarantee a reliable connection (startup and shutdown), TCP uses a method in which three messages are exchanged. The process is called a three-way handshake. To start up a connection:
- The requesting Host sends a synchronization flag (SYN) in a TCP segment to create a connection.
- The receiving Host 192.168.2.165 receives the SYN flag and returns an acknowledgement flag (ACK).
- The requesting Host 192.168.2.10 receives the SYN flag and returns its own ACK flag.
A similar handshake procedure is used to close a connection using a finish flag (FIN).
To establish a connection, the sending host creates a segment containing the IP address and port number of the host it wants to connect to. The segment contains a SYN flag and the sending host's initial sequence number. Data is segmented before it is sent. The sequence numbers allow the segments to be assembled in the correct order.
20:06:32.845356 192.168.2.10.1249 > 192.168.2.165.23: S 3263977215:3263977215(0) win 16384 (DF)
The receiving host responds with its own SYN flag and its initial sequence number. This segment also contains an ACK flag to acknowledge the sending host's SYN (segment 3263977215 +1). This type of acknowledgment is called expectational acknowledgment, because the receiver acknowledges the sequence number of the next segment it expects to receive.
20:06:32.845725 192.168.2.165.23 > 192.168.2.10.1249: S 48495364:48495364(0) ack 3263977216 win 32120 (DF)
The sending host acknowledges the SYN flag from the receiving host by sending another segment containing the . and ACK flags.
20:06:32.845921 192.168.2.10.1249 > 192.168.2.165.23: . ack 1 win 17520 (DF)
So far two flags, S and ., have been seen. There are five in total.
- S: SYN (Synchronize sequence numbers – Connection establishment)
- F: FIN (Ending of sending by sender – Connection termination)
- R: RST (Reset connection)
- P: PSH (Push data)
- .: (No flag is set)
Scenario 2: Closed Telnet Connection
To terminate a connection, a segment containing a FIN flag is sent from host 192.168.2.165 back to the host with the open session.
20:07:32.916410 192.168.2.165.23 > 192.168.2.10.1249: F 147:147(0) ack 56 win 32120 (DF)
This may appear backwards, but trust me, it's not. Think of where the session is open: this is the point that is asking to close the connection. Host 192.168.2.10 acknowledges the FIN segment.
20:07:32.916680 192.168.2.10.1249 > 192.168.2.165.23: . ack 148 win 17374 (DF)
Then host 192.168.2.10 terminates its connection by sending a segment containing a FIN flag.
20:07:32.928907 192.168.2.10.1249 > 192.168.2.165.23: F 56:56(0) ack 148 win 17374 (DF)
Host 192.168.2.165 acknowledges the segment.
20:07:32.929121 192.168.2.165.23 > 192.168.2.10.1249: . ack 57 win 32120 (DF)
Scenario 3: Telnet Connexion Refused (no service offered at the host)
To establish a connection, host 192.168.2.10 sends a segment containing the IP address and port number of the host it wants to connect to. The segment contains a SYN flag and the sending host's initial sequence number.
05:28:00.080798 192.168.2.10.1063 > 192.168.2.165.23: S 3034008467:3034008467(0) win 16384 (DF)
Host 192.168.2.165 acknowledges the SYN from host 192.168.2.10 by sending another segment containing the R (connection reset) and ACK flags.
05:28:00.080979 192.168.2.165.23 > 192.168.2.10.1063: R 0:0(0) ack 3034008468 win 0
The host doesn't take no for an answer and tries again.
05:28:00.579420 192.168.2.10.1063 > 192.168.2.165.23: S 3034008467:3034008467(0) win 16384 (DF)
But it receives the same result from the receiving host.
05:28:00.579524 192.168.2.165.23 > 192.168.2.10.1063: R 0:0(0) ack 1 win 0
A final attempt is made to establish a connection.
05:28:01.080114 192.168.2.10.1063 > 192.168.2.165.23: S 3034008467:3034008467(0) win 16384 (DF)
Only three strikes in this ball game. The sending host gives up.
05:28:01.080225 192.168.2.165.23 > 192.168.2.10.1063: R 0:0(0) ack 1 win 0
Compare the outputs from the Established Telnet Connection scenario and the Telnet Connection Refusal scenario. The outputs from the receiving host are different. For the Telnet Connection Refusal scenario, the Telnet service was turned off at the receiving host using the /etc/inetd.conf file. If the service is not available, no connection can be established. Note to self: simple security measure, turn off services not being used.
Scenario 3: Telnet Connection Refused (tcp wrappers security used at host)
The same opening as before is used to establish a connection.
05:40:39.838710 192.168.2.10.1064 > 192.168.2.165.23: S 3223709294:3223709294(0) win 16384 (DF)
The receiving host responds with its own SYN flag and its initial sequence number. This segment also contains an ACK flag to acknowledge the sending host's SYN (segment 3223709294 +1).
05:40:39.839045 192.168.2.165.23 > 192.168.2.10.1064: S 2063202536:2063202536(0) ack 3223709295 win 32120 <mss 1460,nop,nop,sackOK> (DF)
Host 192.168.2.10 acknowledges the SYN from host 192.168.2.165 by sending another segment, which contains the . and ACK flags.
05:40:39.839295 192.168.2.10.1064 > 192.168.2.165.23: . ack 1 win 17520 (DF)
Host 192.168.2.165 responds with a segment containing a FIN flag: connection terminated. Something has told the receiving host no connection is allowed.
05:40:44.852844 192.168.2.165.23 > 192.168.2.10.1064: F 1:1(0) ack 1 win 32120 (DF)
Host 192.168.2.10 has a no-flag-set second acknowledgment.
05:40:44.853137 192.168.2.10.1064 > 192.168.2.165.23: . ack 2 win 17520 (DF)
Because a FIN flag segment was received, the connection must be terminated. So host 192.168.2.10 sends a FIN flag to end the connection.
05:40:44.855050 192.168.2.10.1064 > 192.168.2.165.23: F 1:1(0) ack 2 win 17520 (DF)
Host 192.168.2.165 responds with a segment acknowledgment.
05:40:44.855176 192.168.2.165.23 > 192.168.2.10.1064: . ack 2 win 32120 (DF)
Compare the outputs from the Established Telnet Connection scenario and the Telnet Connection Refusal (tcp wrappers) scenario. The outputs from the receiving host are different. In the Telnet Connection Refusal (tcp wrappers) scenario, tcp wrappers is enabled by adding the following line to the /etc/hosts.deny file: ALL:192.168.2.10. This means "deny all services to the host with address 192.168.2.10". A similar connection test was done using a rule in the iptables firewall. The resulting output was the same.
The reader may gain some insight into how systems are at risk from the trappings of tcpdump. Before a system hack is possible, some effort is expended to engineer the hack. An examination of the data from a system can provide the hacker with some insight into where efforts might provide the greatest chance of success.
Scenario 4: No Telnet Connection (host removed from the network)
Same opening, different scenario.
05:55:21.557846 192.168.2.10.1065 > 192.168.2.165.23: S 3443876657:3443876657(0) win 16384 (DF)
There's no response, so the sending host tries the same request again.
05:55:24.560891 192.168.2.10.1065 > 192.168.2.165.23: S 3443876657:3443876657(0) win 16384 (DF)
With still no response on the third attempt, the three-strike rule comes into effect. The sending host abandons the connection attempt.
05:55:30.569584 192.168.2.10.1065 > 192.168.2.165.23: S 3443876657:3443876657(0) win 16384 (DF)
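As an added example (not part of the original post), the Python below classifies a captured flow into the outcomes shown in the problem SQL and Telnet sessions and in Scenarios 1 to 4: it parses the old-style flag-letter lines (with or without the -v header in parentheses), works out who sent the first SYN, and counts repeated SYNs, SYN-ACKs and identical data segments; the state names and the abridged copies of the page's captures are my own. A server that keeps resending its SYN-ACK, as in the problem SQL session, has never seen the client's ACK, which is the first thing to check on the path between the two hosts.

```python
import re
from collections import Counter

# Flows copied from the page's captures (lightly abridged): the inetd-off refusal, the
# tcp wrappers refusal, the unanswered Telnet SYNs, and the problem SQL session.
REFUSED_RST = """
05:28:00.080798 192.168.2.10.1063 > 192.168.2.165.23: S 3034008467:3034008467(0) win 16384 (DF)
05:28:00.080979 192.168.2.165.23 > 192.168.2.10.1063: R 0:0(0) ack 3034008468 win 0
05:28:00.579420 192.168.2.10.1063 > 192.168.2.165.23: S 3034008467:3034008467(0) win 16384 (DF)
05:28:00.579524 192.168.2.165.23 > 192.168.2.10.1063: R 0:0(0) ack 1 win 0
05:28:01.080114 192.168.2.10.1063 > 192.168.2.165.23: S 3034008467:3034008467(0) win 16384 (DF)
05:28:01.080225 192.168.2.165.23 > 192.168.2.10.1063: R 0:0(0) ack 1 win 0
"""
TCP_WRAPPERS = """
05:40:39.838710 192.168.2.10.1064 > 192.168.2.165.23: S 3223709294:3223709294(0) win 16384 (DF)
05:40:39.839045 192.168.2.165.23 > 192.168.2.10.1064: S 2063202536:2063202536(0) ack 3223709295 win 32120 (DF)
05:40:39.839295 192.168.2.10.1064 > 192.168.2.165.23: . ack 1 win 17520 (DF)
05:40:44.852844 192.168.2.165.23 > 192.168.2.10.1064: F 1:1(0) ack 1 win 32120 (DF)
05:40:44.853137 192.168.2.10.1064 > 192.168.2.165.23: . ack 2 win 17520 (DF)
05:40:44.855050 192.168.2.10.1064 > 192.168.2.165.23: F 1:1(0) ack 2 win 17520 (DF)
05:40:44.855176 192.168.2.165.23 > 192.168.2.10.1064: . ack 2 win 32120 (DF)
"""
NO_RESPONSE = """
11:17:59.759390 IP (tos 0x0, ttl 126, id 360, offset 0, flags [DF], proto: TCP (6), length: 52) 19.26.16.129.10329 > 19.26.16.24.telnet: S, cksum 0x8b11 (correct), 4098502333:4098502333(0) win 8192
11:18:02.756485 IP (tos 0x0, ttl 126, id 469, offset 0, flags [DF], proto: TCP (6), length: 52) 19.26.16.129.10329 > 19.26.16.24.telnet: S, cksum 0x8b11 (correct), 4098502333:4098502333(0) win 8192
11:18:08.760662 IP (tos 0x0, ttl 126, id 658, offset 0, flags [DF], proto: TCP (6), length: 48) 19.26.16.129.10329 > 19.26.16.24.telnet: S, cksum 0x9f20 (correct), 4098502333:4098502333(0) win 8192
"""
PROBLEM_SQL = """
11:03:28.691563 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: S 3948339855:3948339855(0) win 8192
11:03:28.692264 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19451: S 909862134:909862134(0) ack 3948339856 win 8192
11:03:28.692795 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: . ack 1 win 256
11:03:28.693041 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: P 1:48(47) ack 1 win 256
11:03:28.998541 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: P 1:48(47) ack 1 win 256
11:03:31.692318 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19451: S 909862134:909862134(0) ack 3948339856 win 8192
11:03:40.449096 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: P 1:48(47) ack 1 win 256
11:03:43.681010 IP 172.16.1.2.19451 > 10.9.10.252.ms-sql-s: F 48:48(0) ack 1 win 256 //Finish packets
11:03:49.690374 IP 10.9.10.252.ms-sql-s > 172.16.1.2.19451: R 909862135:909862135(0) win 0 // Reset packets
"""

# timestamp, optional "IP (...header...)", "src > dst:", flag letters, optional cksum, seq range, ack, win
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?:IP (?:\((?:[^()]|\([^()]*\))*\) )?)?(?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+),?(?: cksum \S+ \([^)]*\),)?"
    r"(?: (?P<s0>\d+):(?P<s1>\d+)\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?")

def parse(text):
    """Parse one flow's lines into dicts; trailing // annotations from the page are dropped."""
    pkts = []
    for raw in text.strip().splitlines():
        line = raw.split("//")[0].strip()
        m = LINE.match(line)
        if not m:
            raise ValueError("unrecognised tcpdump line: " + line)
        pkts.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"], "flags": set(m["flags"]),
                     "seq": (int(m["s0"]), int(m["s1"])) if m["s0"] else None,
                     "len": int(m["len"] or 0), "ack": int(m["ack"]) if m["ack"] else None})
    return pkts

def classify(pkts):
    """Summarise one flow the way the page's scenarios do: who opened it, how the other side
    answered, and how much was repeated (SYNs, SYN-ACKs, identical data segments)."""
    syns = [p for p in pkts if "S" in p["flags"] and p["ack"] is None]
    if not syns:
        return {"state": "NO_SYN_SEEN"}
    client, server = syns[0]["src"], syns[0]["dst"]
    from_server = [p for p in pkts if p["src"] == server]
    synacks = [p for p in from_server if "S" in p["flags"] and p["ack"] is not None]
    repeats = Counter((p["src"], p["seq"]) for p in pkts if p["len"] > 0)
    out = {"client": client, "server": server,
           "syn_retransmits": len(syns) - 1,
           "synack_retransmits": max(len(synacks) - 1, 0),
           "data_retransmits": sum(n - 1 for n in repeats.values()),
           "payload_bytes": sum(p["len"] for p in pkts)}      # on the wire, repeats included
    after = [p for p in from_server if "S" not in p["flags"]]  # server segments past the handshake
    client_acked = any(p["src"] == client and "S" not in p["flags"] and p["ack"] is not None for p in pkts)
    if not from_server:
        out["state"] = "NO_RESPONSE"              # only repeated SYNs: host gone or silently filtered
    elif not synacks and any("R" in p["flags"] for p in from_server):
        out["state"] = "REFUSED_RST"              # SYN answered by RST: nothing listening on that port
    elif not client_acked:
        out["state"] = "HANDSHAKE_INCOMPLETE"     # SYN-ACK seen, but no client ACK in the capture
    elif after and "F" in after[0]["flags"] and out["payload_bytes"] == 0:
        out["state"] = "REFUSED_AFTER_HANDSHAKE"  # accepted, then closed with no data: tcp wrappers
    elif any("R" in p["flags"] for p in pkts):
        out["state"] = "RESET"
    elif all(any("F" in p["flags"] and p["src"] == h for p in pkts) for h in (client, server)):
        out["state"] = "CLOSED"
    else:
        out["state"] = "ESTABLISHED"
    return out

def classify_all():
    return {name: classify(parse(text)) for name, text in
            [("refused_rst", REFUSED_RST), ("tcp_wrappers", TCP_WRAPPERS),
             ("no_response", NO_RESPONSE), ("problem_sql", PROBLEM_SQL)]}
```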
Source: https://www.51sec.org/2014/07/24/understanding-tcpdump-output/