For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Doran_Lum_13484's avatar
Doran_Lum_13484
Icon for Nimbostratus rankNimbostratus
Aug 04, 2014

Understanding tcpdump output

Hi all, I'm trying to understand the tcpdump output and after reading a few guidelines, may I just query a few items I don't understand.   1) From other links, their tcpdump would display the time...
tcpdump
nitass's avatar
nitass
Icon for Employee rankEmployee
Aug 04, 2014

1) From other links, their tcpdump would display the timestamp but it seems from mine I'm getting the counting of seconds from the time I start the tcpdump. How do I get the F5 timestamp as I will need it for investigation purpose ?

 

are you using wireshark? if yes, there is time display format under view menu.

 

2) On line 4, the Seq value changes to "1" does it means data is being push from the source to destination ?

 

sequence number is 1 because it is the first packet containing payload.

 

3) On line 5, the Ack value display as "187" does it means it's different connection from the previous one ?

 

187 is acknowledgement of packet 4.

 

Understanding TCP Sequence and Acknowledgment Numbers by stretch

 

http://packetlife.net/blog/2010/jun/7/understanding-tcp-sequence-acknowledgment-numbers/

 

4) On line 14, the FIN would means a graceful closure of the connection, would I be able to tell which connection is being close ?

 

i do not see 3 way handshake of that connection (between port 18192 and port 10084).