
Forum Discussion

dirome
Jul 24, 2014

How can I interpret the results in tcpdump?

Hi,

I have some questions about the tcpdump command. I need your help to clarify how to read this; for example, I'm sending you the following result and I need you to explain to me how to read it:

17:07:33.438366 IP 64.39.103.201.42214 > 186.113.14.108.http: . ack 1 win 5840
17:07:37.438105 IP 186.113.14.108.http > 64.39.103.201.42214: R 1:1(0) ack 1 win 4380
17:07:37.601723 IP 64.39.103.201.28969 > 186.113.14.108.http: S 1176829642:1176829642(0) win 4096 
17:07:37.601748 IP 186.113.14.108.http > 64.39.103.201.28969: S 3996325999:3996325999(0) ack 1176829643 win 4380 
17:07:37.603093 IP 64.39.103.201.28972 > 186.113.14.108.http: S 1176829645:1176829645(0) win 4096 
17:07:37.603112 IP 186.113.14.108.http > 64.39.103.201.28972: S 3451290207:3451290207(0) ack 1176829646 win 4380 

And if you have information on how to read tcpdump, I'd be grateful.

6 Replies

  • This may help: http://packetpushers.net/masterclass-tcpdump-interpreting-output/.

    As to the output, by line:

    1: ACK packet from 64.39.103.201 source port 42214 to 186.113.14.108 destination port 80

    2: RST packet back to 64.39.103.201, same ports

    ==The connection between hosts (using these ports) is closed==

    3: SYN packet from 64.39.103.201 source port 28969 to 186.113.14.108 destination port 80

    4: SYN/ACK packet back

    ==New connection being established==

    5: SYN packet from 64.39.103.201 source port 28972 (*Note, different port to 3:) to 186.113.14.108 destination port 80

    6: SYN/ACK packet back

    ==Another new connection being established==

  • Your help is good; I only have a question: what is (0)?

    17:07:37.601723 IP 64.39.103.201.28969 > 186.113.14.108.http: S 1176829642:1176829642(0) win 4096

  • Thanks.

    I actually don't know, would love to though (and update the article). Anyone know?

    I'll do some research anyway.

  • OK, just checked, it's the number of bytes the packet contains. It's really just a calculation based on the starting and ending sequence number, which in this case is 1176829642:1176829642, hence (0): no data carried.

     

  • Hi El_Bendecido,

    1176829642:1176829642(0) means the sending TCP stack is setting 1176829642 as the initial sequence number (ISN), and "0" (no) data is being passed in this packet.

    Best

    René
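As an added example (not from the original thread or any of its posters), the Python below parses tcpdump TCP lines in the format shown in the question, computes the byte count in parentheses from the sequence range exactly as the replies explain, labels each segment (SYN, SYN/ACK, ACK, RST) the way the first reply does, and checks that every SYN/ACK acknowledges the client's ISN + 1. The sample is the six lines from the question; the function names and the field regex are my own.

```python
import re
# Constructed sample: the six lines from the original post (classic tcpdump TCP output).
SAMPLE = """\
17:07:33.438366 IP 64.39.103.201.42214 > 186.113.14.108.http: . ack 1 win 5840
17:07:37.438105 IP 186.113.14.108.http > 64.39.103.201.42214: R 1:1(0) ack 1 win 4380
17:07:37.601723 IP 64.39.103.201.28969 > 186.113.14.108.http: S 1176829642:1176829642(0) win 4096
17:07:37.601748 IP 186.113.14.108.http > 64.39.103.201.28969: S 3996325999:3996325999(0) ack 1176829643 win 4380
17:07:37.603093 IP 64.39.103.201.28972 > 186.113.14.108.http: S 1176829645:1176829645(0) win 4096
17:07:37.603112 IP 186.113.14.108.http > 64.39.103.201.28972: S 3451290207:3451290207(0) ack 1176829646 win 4380
"""

# timestamp, src.port > dst.port, flag column, optional start:end(bytes), optional ack N, optional win N
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\w+) > (?P<dst>[\d.]+)\.(?P<dport>\w+): "
    r"(?P<flags>[SRPF.]+)(?: (?P<lo>\d+):(?P<hi>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m: raise ValueError(f"unrecognised tcpdump TCP line: {line!r}")
    p = m.groupdict()
    for k in ("lo", "hi", "len", "ack", "win"):
        p[k] = int(p[k]) if p[k] is not None else None
    # The value in parentheses is end sequence minus start sequence: payload bytes, 0 on a bare SYN.
    p["bytes"] = p["hi"] - p["lo"] if p["lo"] is not None else 0
    if p["len"] is not None and p["len"] != p["bytes"]: raise ValueError(f"seq range disagrees with ({p['len']}) in {line!r}")
    return p

def kind(p):
    """Label the segment the way the first reply does: flag column plus presence of an ack field."""
    if "R" in p["flags"]:
        return "RST"
    if "S" in p["flags"]:
        return "SYN/ACK" if p["ack"] is not None else "SYN"
    return "ACK" if p["bytes"] == 0 else "DATA"

def summarise(text):
    """One readable line per segment; a SYN/ACK must acknowledge the client's ISN + 1 (the SYN consumes one sequence number)."""
    out, isn_by_client = [], {}
    for p in map(parse_line, text.strip().splitlines()):
        k, note = kind(p), ""
        if k == "SYN":
            isn_by_client[(p["src"], p["sport"])] = p["lo"]
        elif k == "SYN/ACK":
            isn = isn_by_client.get((p["dst"], p["dport"]))
            note = " (acks ISN+1, handshake consistent)" if isn == p["ack"] - 1 else " (no matching SYN seen)"
        elif k == "RST":
            note = " (connection torn down)"
        out.append(f"{k} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}, {p['bytes']} bytes{note}")
    return out
```

Running `summarise(SAMPLE)` reproduces the first reply's line-by-line reading, and a SYN/ACK whose ack field does not equal a seen ISN + 1 is flagged rather than silently accepted.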