bsdjunkie
March 18th, 2003, 18:55
What can you tell me about the following packet??
02:32:46.539097 x.x.x.x.2845 > y.y.y.y.23: SF 3570069217:3570069217(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
:roll:
schotty
March 19th, 2003, 02:44
What can you tell me about the following packet??
02:32:46.539097 x.x.x.x.2845 > y.y.y.y.23: SF 3570069217:3570069217(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
:roll:
At 02:32:46 someone from x.x.x.x port 2845 tried to FTP into y.y.y.y port 23.
Kernel_Killer
March 19th, 2003, 03:54
Source used 2845 to telnet into destination. :?:
bsdjunkie
March 19th, 2003, 10:56
OK, maybe I should get a little more specific on my question. What about this trace is "odd"? Should you see a packet like this in normal traffic?
BTW schotty, 23 isn't FTP :D
schotty
March 19th, 2003, 15:20
OK, maybe I should get a little more specific on my question. What about this trace is "odd"? Should you see a packet like this in normal traffic?
BTW schotty, 23 isn't FTP :D
Doh, I meant that. I have a table of port lists that I always check. I was ftping some stuff last night, so maybe that's why I wrote that ...
I would have to answer the question you posed with no. IIRC (I don't have tcpdump installed ATM to verify for sure, just going from memory) the TCP/IP commands are not quite right. The NOPs seem out of place for some reason.
Then again, I don't proclaim to be a security guru/God and I am going from memory ... Errors are bound to occur ;D
bsdjunkie
March 19th, 2003, 15:47
OK, I think people are looking past the obvious currently. Hint: TCP flags...
8)
soup4you2
March 20th, 2003, 09:29
SYN+FIN :?:
bsdjunkie
March 20th, 2003, 10:43
Yup. In normal traffic, flags like SYN and FIN should not be set together.
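The flag check bsdjunkie is hinting at, turned into a small detector over classic-format tcpdump lines, as an added example that is not from the thread. The sample lines and hosts are constructed (the first one mirrors the trace above), and it also flags SYN+RST, which goes one step beyond the SYN+FIN case discussed here.

```python
import re

# Constructed sample lines in the classic tcpdump format used in the thread;
# the hosts are placeholders in the thread's own style, not real addresses.
SAMPLE_TRACE = """\
02:32:46.539097 x.x.x.x.2845 > y.y.y.y.23: SF 3570069217:3570069217(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
02:32:47.101233 a.a.a.a.1025 > y.y.y.y.23: S 12345:12345(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
02:32:47.101899 y.y.y.y.23 > a.a.a.a.1025: S 99:99(0) ack 12346 win 16384 <mss 1460>
02:32:47.102500 a.a.a.a.1025 > y.y.y.y.23: . ack 100 win 8192 (DF)
02:32:48.000000 b.b.b.b.3001 > y.y.y.y.23: SR 5:5(0) win 1024
"""

# timestamp  src.sport > dst.dport: FLAGS rest-of-line
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<flags>[SFRPUEW.]+)\s*(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one classic-format tcpdump TCP line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # "." means none of S/F/R/P is set; otherwise each letter is one set flag.
    rec["flags"] = set() if m["flags"] == "." else set(m["flags"])
    return rec


def classify(flags):
    """Name the flag combination no RFC-compliant stack sends, or None if plausible."""
    if "S" in flags and "F" in flags:
        return "SYN+FIN"      # the case from the thread
    if "S" in flags and "R" in flags:
        return "SYN+RST"      # same idea, one step beyond the thread
    return None


def find_anomalies(trace):
    """Return parsed records whose flags are anomalous, each tagged with a reason."""
    hits = []
    for line in trace.splitlines():
        rec = parse_line(line)
        if rec and classify(rec["flags"]):
            rec["reason"] = classify(rec["flags"])
            hits.append(rec)
    return hits
```

A normal three-way handshake (the S, S/ack, . ack lines) passes through untouched; only the two impossible combinations are reported.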
Strog
March 20th, 2003, 12:09
Oh, Oh I know.
It was received at 2:32am :twisted:
You asked this one on IRC or one just like it. heheh
bsdjunkie
March 20th, 2003, 12:45
I posted this one on IRC the other night hoping people would figure it out. =)
soup4you2
March 20th, 2003, 14:58
On FreeBSD you can add something to your rc.conf that will drop SYN+FIN packets:
tcp_drop_synfin="YES"
However, the docs state that if you do this it will break RFC web compliance, but I've never seen any problems with it.
sysctl
net.inet.tcp.syncookies=0
tarballed
March 20th, 2003, 16:56
syn+fin,
syn,ack,
All sorts of flags and connection items that I need to familiarize myself with.
Anyone know of where I can get my hands on some good documentation so I can learn about this and join in the fun and games of deciphering TCPDUMP logs and snort logs? :)
Tarballed, who is very stressed and tired... :?
|MiNi0n|
March 20th, 2003, 22:47
Anyone know of where I can get my hands on some good documentation so I can learn about this and join in the fun and games of deciphering TCPDUMP logs and snort logs? :)
The man page for nmap is always a good start:
http://www.insecure.org/nmap/data/nmap_manpage.html