DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 1st April 2013
frcc frcc is offline
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 335
Default understanding tcpdump

hi folks
am new to openbsd, but using it on our business server.
I have been using systat, pfctl, tcpdump and other tools to monitor
server logs as well as the apache logs.

Question

following the following command

"sudo tcpdump -ttt -r /var/log/pflog port 22 |less"

if found one entry which puzzled me

"mar 31 14:33:44.484756 xxx.xxx.xxx.xxx:22 >xxx.xxx.xxx.xxx:80
R 0:0(0) ack 1 win 0(pf)"

i read this as ip xxx.xxx.xxx.xxx:22 connected to our webserver xxx.xxx.xxx.xxx:80
port 80

what made me curious was the :22 of the connecting machine. Does this mean that
the user or robot as xxx.xxx.xxx.xxx:22 simply was outgoing from their machine on
port 22 to my server at port 80???????????

we were curious because we block all p22 traffic from anywhere except our internal
network?????

what does R 0:0(0) ack 1 win 0(pf) mean ?????

yes have read man page for tcpdump (don't mind be pointed to more
neewbie docs that would help w/this)


any help appreciated
Reply With Quote
  #2   (View Single Post)  
Old 1st April 2013
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

To really understand those tcpdump flags, you will need a basic understanding of TCP

Some references:
The packet you have seen, may have come from a third party trying to do a TCP reset attack
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #3   (View Single Post)  
Old 1st April 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

When we think of TCP or UDP ports, we almost always think of the destination port number, but there are two port numbers involved -- not only the destination port, there is a sending port as well.

There are two port numbers involved in every UDP or TCP conversation. Each side has its own port number.

Wikipedia says (highlight mine):
Quote:
The core network services, such as the World-Wide Web, typically use small port numbers less than 1024. In many operating systems special privileges are required for applications to bind to these ports, because these are often deemed critical to the operation of IP networks. Conversely, the client end of a connection typically uses a high port number allocated for short term use, therefore called an ephemeral port.
In this case, the sending port was indeed port 22. I have no idea why, but... this does not have anything to do with operating an SSH server, such as sshd(8), which uses port 22 as the default destination port.
Quote:
what does R 0:0(0) ack 1 win 0(pf) mean ?????
The tcpdump(8) man page says:
Code:
    The general format of a TCP protocol line is:

                   src > dst: flags src-os data-seqno ack window urgent options
Below that, you will find descriptions and examples.

Specifically:

"R" is the TCP flag "RST" -- it means, "Reset the Connection."
0:0(0) says the packet sequence number is zero, and contains no data.
"ack 1" is the sequence number expected in response
"win 0(pf)" is zero bytes for window (the remote buffer), as this is a pflog trace, rather than a trace of a NIC.
Reply With Quote
  #4   (View Single Post)  
Old 11th April 2013
frcc frcc is offline
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 335
Default

thanks for the references...................
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Understanding and Community Ninguem Off-Topic 4 31st March 2012 01:22 AM
Help needed with understanding PF rules sparky OpenBSD Security 7 26th March 2012 09:07 PM
Understanding Fdisk, Slice, and the MBR (Master Boot Record) FBSD Guides 1 20th February 2010 08:33 PM
i would like to know about tcpdump chamnanpol FreeBSD General 8 17th September 2008 11:00 AM
Understanding the FreeBSD kernel TomAmundsen FreeBSD General 3 7th July 2008 02:48 PM


All times are GMT. The time now is 08:39 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick