
#1 2010-08-29 06:40:10

battlepanic
Member
Registered: 2009-08-22
Posts: 76

Reading the TCP flags field tcpdump's output

I'm trying to get a better understanding of tcpdump's output.  Specifically, I'm looking at the status of the TCP flags in each packet.  I have some tcpdump output that looks like the following:

14:01:59.343461 IP 192.168.1.20.56343 > 192.168.1.3.ssh: Flags [S], seq 60444020, win 5840, options [mss 1460,sackOK,TS val 88170671 ecr 0,nop,wscale 6], length 0
14:01:59.343699 IP 192.168.1.3.ssh > 192.168.1.20.56343: Flags [S.], seq 16878243, ack 60444021, win 17520, options [mss 1460,nop,wscale 0,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
14:01:59.343716 IP 192.168.1.20.56343 > 192.168.1.3.ssh: Flags [.], ack 1, win 92, options [nop,nop,TS val 88170671 ecr 0], length 0
14:01:59.344226 IP 192.168.1.3.ssh > 192.168.1.20.56343: Flags [.], ack 1, win 65535, options [nop,nop,TS val 2296519 ecr 88170671], length 0
14:01:59.493436 IP 192.168.1.3.ssh > 192.168.1.20.56343: Flags [P.], seq 1:22, ack 1, win 65535, options [nop,nop,TS val 2296521 ecr 88170671], length 21
14:01:59.493458 IP 192.168.1.20.56343 > 192.168.1.3.ssh: Flags [.], ack 22, win 92, options [nop,nop,TS val 88170716 ecr 2296521], length 0
14:01:59.493536 IP 192.168.1.20.56343 > 192.168.1.3.ssh: Flags [P.], seq 1:22, ack 22, win 92, options [nop,nop,TS val 88170716 ecr 2296521], length 21
14:01:59.548018 IP 192.168.1.3.ssh > 192.168.1.20.56343: Flags [P.], seq 22:806, ack 22, win 65514, options [nop,nop,TS val 2296521 ecr 88170716], length 784
14:01:59.548027 IP 192.168.1.20.56343 > 192.168.1.3.ssh: Flags [P.], seq 22:870, ack 806, win 116, options [nop,nop,TS val 88170733 ecr 2296521], length 848
14:01:59.690788 IP 192.168.1.3.ssh > 192.168.1.20.56343: Flags [.], ack 870, win 64666, options [nop,nop,TS val 2296523 ecr 88170733], length 0
14:01:59.690796 IP 192.168.1.20.56343 > 192.168.1.3.ssh: Flags [P.], seq 870:894, ack 806, win 116, options [nop,nop,TS val 88170776 ecr 2296523], length 24

According to the tcpdump man page:

Flags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), W
(ECN CWR) or E (ECN-Echo), or a single `.'  (no flags).

As you can see in my example, the first packet has the S (SYN) flag and the second packet has the S (SYN) flag followed by a '.'. What does the '.' mean when combined with other flags? The man page doesn't seem to mention this case.


#2 2010-08-29 11:28:26

hexanol
Member
From: Canaduh
Registered: 2009-08-04
Posts: 95

Re: Reading the TCP flags field tcpdump's output

I believe (in fact, I'm quite sure) it has something to do with the ACK flag. This would be coherent with why there is no '.' for the first packet (establishing a connection), and why it's there for every other one.

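The following is an added example, not code from either post in the thread. It decodes the letters tcpdump 4.x prints inside `Flags [...]` back into the TCP header flag byte (tcpdump's own mapping in print-tcp.c: F, S, R, P, U, E, W, with '.' standing for ACK and the word `none` for an empty flag field), names the set bits, and classifies each segment. The three handshake lines are taken from the first post; the RST and FIN lines are constructed for illustration. The regex, function names and the `segment_kind` categories are this example's own choices, not tcpdump's.

```python
import re
from typing import List, Optional, Tuple

# TCP flag bits as laid out in the TCP header (RFC 793, ECN bits from RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80

# Letters tcpdump 4.x prints inside "Flags [...]". Note that '.' is ACK, so
# "[.]" is a pure ACK and "[S.]" is SYN+ACK; an empty flag byte prints as "none".
TCPDUMP_FLAG_LETTERS = {
    "F": FIN, "S": SYN, "R": RST, "P": PSH, ".": ACK, "U": URG, "E": ECE, "W": CWR,
}
FLAG_NAMES = {
    FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
    ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR",
}

# Assumed line shape: "... Flags [S.], seq ..." as in the tcpdump 4.x output above.
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


def decode_flags(field: str) -> int:
    """Turn the text between the brackets (e.g. 'S.', 'P.', 'none') into the flag byte."""
    if field == "none":
        return 0
    bits = 0
    for ch in field:
        if ch not in TCPDUMP_FLAG_LETTERS:
            raise ValueError(f"unknown tcpdump flag letter {ch!r}")
        bits |= TCPDUMP_FLAG_LETTERS[ch]
    return bits


def flag_names(bits: int) -> List[str]:
    """Names of the set bits, in header-bit order (FIN first, CWR last)."""
    return [name for bit, name in FLAG_NAMES.items() if bits & bit]


def is_pure_syn(bits: int) -> bool:
    """SYN set, ACK clear: a new connection request. Same test as the capture
    filter 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'."""
    return bits & (SYN | ACK) == SYN


def segment_kind(bits: int) -> str:
    """Coarse classification of a segment from its flags alone."""
    if bits & RST:
        return "RST"
    if bits & FIN:
        return "FIN"
    if bits & SYN:
        return "SYN-ACK" if bits & ACK else "SYN"
    if bits & PSH:
        return "PSH-ACK (data)" if bits & ACK else "PSH"
    if bits & ACK:
        return "ACK"
    return "none"


def parse_line(line: str) -> Optional[Tuple[str, int]]:
    """Return (raw flags field, decoded flag byte) for one tcpdump line, or None."""
    m = FLAGS_RE.search(line)
    if not m:
        return None
    return m.group(1), decode_flags(m.group(1))


def summarize(lines: List[str]) -> List[Tuple[str, List[str], str]]:
    """For each line: raw field, decoded flag names, and the segment kind."""
    out = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        raw, bits = parsed
        out.append((raw, flag_names(bits), segment_kind(bits)))
    return out


# Handshake lines from the post above; the RST and FIN lines are constructed.
SAMPLE_LINES = [
    "14:01:59.343461 IP 192.168.1.20.56343 > 192.168.1.3.ssh: Flags [S], seq 60444020, win 5840, length 0",
    "14:01:59.343699 IP 192.168.1.3.ssh > 192.168.1.20.56343: Flags [S.], seq 16878243, ack 60444021, win 17520, length 0",
    "14:01:59.343716 IP 192.168.1.20.56343 > 192.168.1.3.ssh: Flags [.], ack 1, win 92, length 0",
    "14:01:59.493436 IP 192.168.1.3.ssh > 192.168.1.20.56343: Flags [P.], seq 1:22, ack 1, win 65535, length 21",
    "14:02:10.000000 IP 192.168.1.3.ssh > 192.168.1.20.56343: Flags [R.], seq 894, ack 895, win 0, length 0",
    "14:02:11.000000 IP 192.168.1.20.56343 > 192.168.1.3.ssh: Flags [F.], seq 895, ack 895, win 116, length 0",
]

if __name__ == "__main__":
    for raw, names, kind in summarize(SAMPLE_LINES):
        print(f"[{raw:<4}] -> {'+'.join(names):<10} {kind}")
```

Running it on the handshake shows the point of the reply above: `[S]` decodes to SYN alone, `[S.]` to SYN+ACK, and `[.]` to ACK, so the "no flags" wording in the old man page does not describe this output format. `is_pure_syn` is the check you would use when counting new connection attempts from a capture, and the capture filter named in its docstring does the same thing at tcpdump level.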
