For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Doran_Lum_13484's avatar
Doran_Lum_13484
Icon for Nimbostratus rankNimbostratus
Aug 04, 2014

Understanding tcpdump output

Hi all, I'm trying to understand the tcpdump output and after reading a few guidelines, may I just query a few items I don't understand.

 

1) From other links, their tcpdump would display the timestamp but it seems from mine I'm getting the counting of seconds from the time I start the tcpdump. How do I get the F5 timestamp as I will need it for investigation purpose ?

 

2) On line 4, the Seq value changes to "1" does it means data is being push from the source to destination ?

 

3) On line 5, the Ack value display as "187" does it means it's different connection from the previous one ?

 

4) On line 14, the FIN would means a graceful closure of the connection, would I be able to tell which connection is being close ?

 

Source: 10.0.0.1

 

Dest: 10.0.0.2

 

Seq Time Source Destination Protocol Length Info

 

2 25.895186 10.0.0.1 10.0.0.2 TCP 58 19032 > 10084 [SYN] Seq=0 Win=2048 Len=0 MSS=1460

 

3 25.895247 10.0.0.2 10.0.0.1 TCP 58 10084 > 19032 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460

 

4 26.019773 10.0.0.1 10.0.0.2 TCP 240 19032 > 10084 [PSH, ACK] Seq=1 Ack=1 Win=2048 Len=186

 

5 26.019818 10.0.0.2 10.0.0.1 TCP 54 10084 > 19032 [ACK] Seq=1 Ack=187 Win=4566 Len=0

 

6 26.495622 10.0.0.2 10.0.0.1 TCP 316 10084 > 19032 [PSH, ACK] Seq=1 Ack=187 Win=4566 Len=262

 

7 26.634369 10.0.0.1 10.0.0.2 TCP 54 19032 > 10084 [PSH, ACK] Seq=187 Ack=263 Win=2048 Len=0

 

8 38.894968 10.0.0.1 10.0.0.2 TCP 58 11323 > 10084 [SYN] Seq=0 Win=2048 Len=0 MSS=1460

 

9 38.894986 10.0.0.2 10.0.0.1 TCP 58 10084 > 11323 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460

 

10 39.019084 10.0.0.1 10.0.0.2 TCP 237 11323 > 10084 [PSH, ACK] Seq=1 Ack=1 Win=2048 Len=183

 

11 39.019129 10.0.0.2 10.0.0.1 TCP 54 10084 > 11323 [ACK] Seq=1 Ack=184 Win=4563 Len=0

 

12 39.481991 10.0.0.2 10.0.0.1 TCP 314 10084 > 11323 [PSH, ACK] Seq=1 Ack=184 Win=4563 Len=260

 

13 39.621209 10.0.0.1 10.0.0.2 TCP 54 11323 > 10084 [PSH, ACK] Seq=184 Ack=261 Win=2048 Len=0

 

14 49.002323 10.0.0.1 10.0.0.2 TCP 54 18192 > 10084 [FIN, PSH, ACK] Seq=1 Ack=1 Win=2048 Len=0

 

15 49.002341 10.0.0.2 10.0.0.1 TCP 54 10084 > 18192 [ACK] Seq=1 Ack=2 Win=4566 Len=0

 

16 49.003114 10.0.0.2 10.0.0.1 TCP 54 10084 > 18192 [FIN, ACK] Seq=1 Ack=2 Win=4566 Len=0

 

17 49.098877 10.0.0.1 10.0.0.2 TCP 54 18192 > 10084 [PSH, ACK] Seq=2 Ack=2 Win=2048 Len=0

 

tcpdump

1 Reply

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Aug 04, 2014

    1) From other links, their tcpdump would display the timestamp but it seems from mine I'm getting the counting of seconds from the time I start the tcpdump. How do I get the F5 timestamp as I will need it for investigation purpose ?

     

    are you using wireshark? if yes, there is time display format under view menu.

     

    2) On line 4, the Seq value changes to "1" does it means data is being push from the source to destination ?

     

    sequence number is 1 because it is the first packet containing payload.

     

    3) On line 5, the Ack value display as "187" does it means it's different connection from the previous one ?

     

    187 is acknowledgement of packet 4.

     

    Understanding TCP Sequence and Acknowledgment Numbers by stretch

     

    http://packetlife.net/blog/2010/jun/7/understanding-tcp-sequence-acknowledgment-numbers/

     

    4) On line 14, the FIN would means a graceful closure of the connection, would I be able to tell which connection is being close ?

     

    i do not see 3 way handshake of that connection (between port 18192 and port 10084).