|< Day Day Up >|
2.6 Examining tcpdump Output
The more data collected by tcpdump, the clearer the content of the network traffic stream becomes. Here is another example of a tcpdump capture:
14:02:09.181190 specto.ksl.com.33248 > quasi.ksl.com.ftp: S 1191864640:1191864640(0) win 5840 <mss 1460,sackOK,timestamp 238617 0,nop,wscale 0> (DF)
Here's what each field in this output means:
The data within the < and > characters are the TCP options; they ensure safe and effective delivery of the packet. While there are some techniques where an attacker can gather information about a host based upon how they respond to strange settings in these options, their real importance is most often secondary to what is contained in the main header and data payload of the packet. Here are the options for the packet we're examining:
The tcpdump output shows this packet to be a connection request from specto.ksl.com to establish an FTP connection to quasi.ksl.com. While older versions of tcpdump might display only the port number, port 21 resolves here to the FTP service. This is resolved using the /etc/services file.
Because this is the first step in establishing a session, the SYN flag is sent, identifiable by the S option in the tcpdump output (this will be covered more closely when we discuss the TCP three-way handshake). The initial beginning and ending sequence numbers are the same, since no data is being sent. In most cases, no data is sent until the three-way handshake is completed. There are exceptions to this rule; RFC 793 points out that data can be sent prior to completion of the handshake and that not all handshakes receive completion. In any case, a packet that doesn't conform to the protocol's established standards should be considered suspicious.
|< Day Day Up >|