[Snort-users] tcp/510 probe

Arman Magluyan Telecom/SG AMagluyan at ...871...
Tue Nov 28 18:57:16 EST 2000


I am pretty new to this list and to this business of packet analyzing, and
would like to ask the members of this list if you can please point me to some
web sites or even books that I can buy to understand this information from a
packet sniffer.

I am currently using SnifferPro but recently set up a RedHat 6.2 box, hoping
to try a *nix platform freeware (any suggestions?). Right now I am just using
this to look for the source and destination layer 3 and 4 protocols.

mthks....
-----Original Message-----
From: jess at ...521... [mailto:jess at ...521...]
Sent: Tuesday, November 28, 2000 12:33 PM
To: Len Burns
Cc: andy lowton; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] tcp/510 probe 


	Hi!

	In my case, here is the ethereal dump of the offending packet. It
would be very interesting to know if the packet's characteristics match
for the different attacks other people have suffered. We could discover if
the different attackers are using the same tool.

	I don't know if it's some kind of problem with my capture file,
but look at the 6 final bytes. Those six 0's should not exist as the
IP length is set to 40 bytes.

								JESS
--- --- ---
Internet Protocol
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Currently Unused: 0
    Total Length: 40
    Identification: 0xf0aa
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 235
    Protocol: TCP (0x06)
    Header checksum: 0xce01 (correct)
    Source: 204.182.234.16 (204.182.234.16)
    Destination: xxx.xxx.xxx.xxx
Transmission Control Protocol, Src Port: 510 (510), Dst Port: 510 (510),
Seq: 50331648, Ack: 0
    Source port: 510 (510)
    Destination port: 510 (510)
    Sequence number: 50331648
    Header length: 20 bytes
    Flags: 0x0002 (SYN)
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 16383

   0  xxxx xxxx xxxx xxx  xxxx xxxx xxxx 4500   ........ {?...E. 
  10  0028 c2df 4000 eb06 bbcc xxxx xxxx ccb6   .(.. at ...868... 
  20  ea10 01fe 01fe 0000 0000 0300 0001 5014   ..............P. 
  30  0000 97b0 0000 0000 0000 0000             ............
                     ^^^^ ^^^^ ^^^^ 


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users
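As an added example (not code from the original mail, and not part of Snort), the frame from the hex dump above decoded in Python. The bytes the poster masked with "x" (both MAC addresses, the EtherType and one IP address) are filled with constructed placeholders (00:11:22:33:44:55, 66:77:88:99:aa:bb, 0x0800 and 10.0.0.1), so the IP header checksum check in this example is expected to fail; every other byte is copied from the dump. The length check is the point: a 40-byte IP datagram behind a 14-byte Ethernet header is 54 bytes, and Ethernet pads its payload to a 46-byte minimum (64-byte minimum frame less header and FCS), which accounts for exactly six trailing bytes beyond the IP total length. A capture tool shows them because it captures the frame, not the datagram.

```python
"""Decode an Ethernet/IPv4/TCP frame from an ethereal-style hex dump.

Added example for this thread, not code from the mail or from Snort.  The
bytes the poster masked with 'x' are filled with constructed placeholders;
everything else is copied from the dump.  Because of the placeholders the
IP header checksum is not expected to verify.
"""
import struct

ETH_HDR_LEN = 14
ETH_MIN_PAYLOAD = 46  # 64-byte minimum frame, minus 14 header and 4 FCS

TCP_FLAG_NAMES = [
    (0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"),
    (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"),
]

# Hex dump from the thread.  Constructed placeholders for the masked bytes:
# MACs 00:11:22:33:44:55 / 66:77:88:99:aa:bb, EtherType 0x0800, IP 10.0.0.1.
HEX_DUMP = """
   0  0011 2233 4455 6677 8899 aabb 0800 4500
  10  0028 c2df 4000 eb06 bbcc 0a00 0001 ccb6
  20  ea10 01fe 01fe 0000 0000 0300 0001 5014
  30  0000 97b0 0000 0000 0000 0000
"""


def parse_hex_dump(dump):
    """Turn 'offset  xxxx xxxx ...' lines into raw frame bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        fields = line.split()
        out += bytes.fromhex("".join(fields[1:]))  # drop the offset column
    return bytes(out)


def ip_checksum(header):
    """RFC 1071 one's-complement sum; returns 0 for a header whose
    embedded checksum field is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame):
    """Return the header fields an analyst looks at first, plus a check
    that bytes past the IP total length are link-layer padding."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ip = frame[ETH_HDR_LEN:]
    ver_ihl, dscp, total_len, ident, flags_frag, ttl, proto, csum = \
        struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])

    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window, tcsum, urg = \
        struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    tcp_flags = off_flags & 0x3F
    names = [n for bit, n in TCP_FLAG_NAMES if tcp_flags & bit]

    # Anything after the IP datagram is Ethernet padding, not TCP data.
    trailer = frame[ETH_HDR_LEN + total_len:]
    expected_pad = max(0, ETH_MIN_PAYLOAD - total_len)

    return {
        "ip_total_length": total_len,
        "ip_id": ident,
        "ip_df": bool(flags_frag & 0x4000),
        "ip_ttl": ttl,
        "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0,  # False: masked src
        "src": src, "dst": dst,
        "sport": sport, "dport": dport,
        "seq": seq, "ack": ack,
        "tcp_flags": tcp_flags, "tcp_flag_names": names,
        "tcp_payload_len": total_len - ihl - data_off,
        "trailer_len": len(trailer),
        "trailer_is_eth_padding": (len(trailer) == expected_pad
                                   and not any(trailer)),
    }


if __name__ == "__main__":
    for key, value in decode_frame(parse_hex_dump(HEX_DUMP)).items():
        print("%-24s %s" % (key, value))
```

Run as printed, the dump decodes to ports 510/510 with a zero-length TCP payload and six trailing zero bytes, exactly the Ethernet padding expected for a 40-byte datagram. Note that the bytes also decode to TCP flags ACK+RST with an acknowledgement number of 50331649 (one more than the SYN sequence number in the dissection), so the hex dump and the dissection appear to show two different packets of the same exchange: the SYN and the RST/ACK answering it.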