View Single Post
  #1   (View Single Post)  
Old 1st April 2013
frcc frcc is offline
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 335
Default understanding tcpdump

hi folks
am new to openbsd, but using it on our business server.
I have been using systat, pfctl, tcpdump and other tools to monitor
server logs as well as the apache logs.

Question

following the following command

"sudo tcpdump -ttt -r /var/log/pflog port 22 |less"

if found one entry which puzzled me

"mar 31 14:33:44.484756 xxx.xxx.xxx.xxx:22 >xxx.xxx.xxx.xxx:80
R 0:0(0) ack 1 win 0(pf)"

i read this as ip xxx.xxx.xxx.xxx:22 connected to our webserver xxx.xxx.xxx.xxx:80
port 80

what made me curious was the :22 of the connecting machine. Does this mean that
the user or robot as xxx.xxx.xxx.xxx:22 simply was outgoing from their machine on
port 22 to my server at port 80???????????

we were curious because we block all p22 traffic from anywhere except our internal
network?????

what does R 0:0(0) ack 1 win 0(pf) mean ?????

yes have read man page for tcpdump (don't mind be pointed to more
neewbie docs that would help w/this)


any help appreciated
Reply With Quote