understanding tcpdump
Hi folks,

I am new to OpenBSD, but using it on our business server. I have been using systat, pfctl, tcpdump and other tools to monitor server logs as well as the Apache logs.

Question: following the command

sudo tcpdump -ttt -r /var/log/pflog port 22 | less

I found one entry which puzzled me:

mar 31 14:33:44.484756 xxx.xxx.xxx.xxx:22 > xxx.xxx.xxx.xxx:80 R 0:0(0) ack 1 win 0(pf)

I read this as IP xxx.xxx.xxx.xxx:22 connected to our webserver xxx.xxx.xxx.xxx:80 (port 80). What made me curious was the :22 of the connecting machine. Does this mean that the user or robot at xxx.xxx.xxx.xxx:22 simply was outgoing from their machine on port 22 to my server at port 80? We were curious because we block all port 22 traffic from anywhere except our internal network. What does "R 0:0(0) ack 1 win 0(pf)" mean? Yes, I have read the man page for tcpdump (I don't mind being pointed to more newbie docs that would help with this). Any help appreciated.

To really understand those tcpdump flags, you will need a basic understanding of TCP.

Some references:

The packet you have seen may have come from a third party trying to do a TCP reset attack.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump.

When we think of TCP or UDP ports, we almost always think of the destination port number, but there are two port numbers involved: not only the destination port, there is a sending port as well. There are two port numbers involved in every UDP or TCP conversation. Each side has its own port number. Wikipedia says (highlight mine):

The general format of a TCP protocol line is:

src > dst: flags src-os data-seqno ack window urgent options

Specifically:

"R" is the TCP flag "RST" -- it means "Reset the Connection."
"0:0(0)" says the packet sequence number is zero, and it contains no data.
"ack 1" is the sequence number expected in response.
"win 0(pf)" is zero bytes for window (the remote buffer), as this is a pflog trace rather than a trace of a NIC.

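The line format and the RST reading in the post above, as an added example that is not part of the thread or of any OpenBSD tool: a small Python parser for tcpdump's TCP lines (BSD tcpdump style, as quoted in the question), a helper that spells the line out with the source port named as the sender's own port, and a check over a trace that flags RST segments for which no SYN was seen on the same 4-tuple. The addresses (RFC 5737 ranges), the sample lines and all function names are constructed for the example. The check only says something on a full interface capture; /var/log/pflog holds just the packets pf logged, so a missing SYN there proves nothing.

```python
"""Parse tcpdump TCP lines and flag RST segments that belong to no observed handshake.

Added example for this thread; not code from the original posts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, FrozenSet, Tuple

# One TCP line as BSD tcpdump prints it:
#   [prefix] src.sport > dst.dport: flags [seq:seq(len)] [ack N] [win N] ...
# "host.port" is the real separator; "host:port" is accepted as well because the
# question quotes the line that way. Any timestamp or pflog rule prefix is skipped
# by using search() instead of match().
TCP_RE = re.compile(
    r"(?P<src>[\w.\-]+)[.:](?P<sport>\d+)\s*>\s*"
    r"(?P<dst>[\w.\-]+)[.:](?P<dport>\d+):?\s*"
    r"(?P<flags>[SFPRUEW.]+)(?=\s|$)"
    r"(?:\s+(?P<seq>\d+):\d+\((?P<len>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"(?:\s+win\s+(?P<win>\d+))?"
)

FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST",
              "U": "URG", "E": "ECE", "W": "CWR", ".": "no flags"}


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int        # the sender's own port, NOT a port on the receiver
    dst: str
    dport: int
    flags: str
    seq: Optional[int]
    data_len: Optional[int]
    ack: Optional[int]
    win: Optional[int]


def parse_tcp_line(line: str) -> Optional[TcpPacket]:
    """Return the TCP fields of one tcpdump line, or None if it is not a TCP line."""
    m = TCP_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()

    def num(key: str) -> Optional[int]:
        return int(g[key]) if g[key] is not None else None

    return TcpPacket(g["src"], int(g["sport"]), g["dst"], int(g["dport"]),
                     g["flags"], num("seq"), num("len"), num("ack"), num("win"))


def describe(p: TcpPacket) -> str:
    """Spell the line out the way the question needed it read."""
    flags = "+".join(FLAG_NAMES.get(c, c) for c in p.flags)
    return (f"{p.src} from its own port {p.sport} to {p.dst} port {p.dport}: "
            f"{flags}, {p.data_len or 0} payload bytes, ack {p.ack}, window {p.win}")


def unsolicited_rsts(lines: List[str]) -> List[TcpPacket]:
    """RST segments on 4-tuples for which no SYN appeared earlier in the trace.

    A reset that tears down a real connection follows a SYN seen earlier in
    either direction. A RST that is the first segment seen for its 4-tuple was
    not part of any handshake in this trace: scanner noise, backscatter from a
    spoofed SYN, or an injected reset. Meaningful on a full interface capture
    only; pflog contains just the packets pf logged.
    """
    handshakes: Set[FrozenSet[Tuple[str, int]]] = set()
    hits: List[TcpPacket] = []
    for line in lines:
        p = parse_tcp_line(line)
        if p is None:
            continue
        four_tuple = frozenset({(p.src, p.sport), (p.dst, p.dport)})  # direction-free key
        if "S" in p.flags:
            handshakes.add(four_tuple)
        elif "R" in p.flags and four_tuple not in handshakes:
            hits.append(p)
    return hits


# Constructed sample trace (RFC 5737 addresses), not real log data: a normal
# client of port 80 that later resets its own connection, then a bare RST
# arriving from source port 22, the shape of line the question asks about.
SAMPLE_LINES = [
    "14:33:40.000001 198.51.100.7.51234 > 192.0.2.10.80: S 1000:1000(0) win 65535",
    "14:33:40.000050 192.0.2.10.80 > 198.51.100.7.51234: S 2000:2000(0) ack 1001 win 16384",
    "14:33:40.000090 198.51.100.7.51234 > 192.0.2.10.80: . ack 1 win 65535",
    "14:33:41.000000 198.51.100.7.51234 > 192.0.2.10.80: R 1:1(0) ack 1 win 0",
    "14:33:44.484756 203.0.113.5.22 > 192.0.2.10.80: R 0:0(0) ack 1 win 0",
]

if __name__ == "__main__":
    for pkt in unsolicited_rsts(SAMPLE_LINES):
        print("bare RST:", describe(pkt))
```

Run against a saved capture with something like `tcpdump -n -r trace.pcap tcp | python3 rst_check.py` after swapping `SAMPLE_LINES` for `sys.stdin` (file name and wiring are assumptions). The point the parser makes explicit is that the 22 in the quoted line is the remote host's sending port; nothing in that packet touched port 22 on the server, and a pf rule blocking inbound port 22 has no bearing on it.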
Thanks for the references.