[Snort-users] Reading Packets?
fernando at ...498...
Tue Oct 3 12:47:11 EDT 2000
> Does anyone have any good reference material on IP packet
> Something I can look at to help me figure out what I'm
> looking at. I have a
> slight handle on the basics but sometimes I get packets that
> I have no clue
> what I'm looking at.
Here's some help:
10/03-07:53:54.312623 -> Date and time (Am I bright or what? ;)
0:50:DA:2D:FD:F -> 0:10:7B:77:8F:FA -> Source/destination MAC address
type:0x800 -> Type (8 means IP)
len:0x4E -> Header length
X.X.4.125:1029 -> X.X.135.21:5000 -> Source/destination IP/port (port
numbers taken from TCP headers!)
TCP -> Protocol
TTL:128 -> Time to live
TOS:0x78 -> Type of service (Internetwork control, Low delay, High
ID:11776 -> ID!!
DF -> Don't fragment flag
**S***** -> TCP flags (SYN)
Seq: 0x2C0FD -> Sequence number
Ack: 0x0 -> Acknowledgement number
Win: 0x2000 -> Window
> ## Mostly this stuff ?###
TCP Options => MSS: 1460 NOP WS: 0 NOP NOP TS: 0 0 NOP NOP SackOK
Maximum Segment Size, Selective Acknowledgement OK
I really advise you to grab a copy of the relevant RFCs and check them out.
Fernando Cardoso Phone: +351 21 7982186
Network Administrator Fax: +351 21 7982185
National Library E-mail: fernando at ...498...
Portugal PGP ID: 28551CB8
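The record Fernando walks through above, parsed field by field, as an added example: this is not code from the original post or from the Snort project. The sample record is constructed; it reassembles the post's values into the four-line layout Snort 1.x prints (Ethernet line, IP line, TCP line, options line) and substitutes RFC 5737 documentation addresses for the X.X-masked IPs. The frame-length check at the end assumes a 20-byte IPv4 header (no IP options) and a 20-byte fixed TCP header in front of the options; neither is shown in the log line, so both are assumptions.

```python
"""Parse a Snort 1.x packet log header (the record explained in the post) into
decoded fields. Added example, not code from the post or from Snort itself."""
import re

# Constructed sample: the post's values in the four-line layout Snort prints,
# with RFC 5737 documentation addresses in place of the X.X-masked IPs.
SAMPLE = """\
10/03-07:53:54.312623 0:50:DA:2D:FD:F -> 0:10:7B:77:8F:FA type:0x800 len:0x4E
192.0.2.125:1029 -> 198.51.100.21:5000 TCP TTL:128 TOS:0x78 ID:11776 DF
**S***** Seq: 0x2C0FD  Ack: 0x0  Win: 0x2000
TCP Options => MSS: 1460 NOP WS: 0 NOP NOP TS: 0 0 NOP NOP SackOK
"""

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
# RFC 791 precedence names, indexed by the top three bits of the TOS byte.
PRECEDENCE = ["Routine", "Priority", "Immediate", "Flash", "Flash Override",
              "CRITIC/ECP", "Internetwork Control", "Network Control"]
# Snort prints one character per TCP flag in the order 12UAPRSF, '*' when clear.
FLAG_NAMES = {"1": "RES1", "2": "RES2", "U": "URG", "A": "ACK",
              "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}
# Option name as Snort prints it -> (number of value tokens, on-the-wire length).
TCP_OPTIONS = {"MSS": (1, 4), "WS": (1, 3), "TS": (2, 10),
               "SackOK": (0, 2), "NOP": (0, 1), "EOL": (0, 1)}

ETH_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<smac>[0-9A-Fa-f:]+)\s+->\s+(?P<dmac>[0-9A-Fa-f:]+)\s+"
    r"type:0x(?P<type>[0-9A-Fa-f]+)\s+len:0x(?P<len>[0-9A-Fa-f]+)\s*$")
IP_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s+TTL:(?P<ttl>\d+)\s+TOS:0x(?P<tos>[0-9A-Fa-f]+)\s+"
    r"ID:(?P<id>\d+)(?P<rest>.*)$")
TCP_RE = re.compile(
    r"^(?P<flags>[12UAPRSF*]{8})\s+Seq:\s*0x(?P<seq>[0-9A-Fa-f]+)\s+"
    r"Ack:\s*0x(?P<ack>[0-9A-Fa-f]+)\s+Win:\s*0x(?P<win>[0-9A-Fa-f]+)")


def normalize_mac(mac):
    """Snort drops leading zeros in MAC octets ('...:FD:F'); pad each to two digits."""
    return ":".join(octet.zfill(2).upper() for octet in mac.split(":"))


def decode_tos(tos):
    """Split an RFC 791 TOS byte into precedence (bits 7-5) and the D/T/R bits."""
    return {"precedence": PRECEDENCE[tos >> 5], "low_delay": bool(tos & 0x10),
            "high_throughput": bool(tos & 0x08), "high_reliability": bool(tos & 0x04)}


def parse_tcp_options(line):
    """Turn 'TCP Options => MSS: 1460 NOP ...' into (name, values, wire_len) tuples."""
    tokens = line.split("=>", 1)[1].split()
    opts, i = [], 0
    while i < len(tokens):
        name = tokens[i].rstrip(":")
        if name not in TCP_OPTIONS:
            raise ValueError("TCP option not modelled here: %s" % name)
        nvals, wire_len = TCP_OPTIONS[name]
        opts.append((name, [int(v) for v in tokens[i + 1:i + 1 + nvals]], wire_len))
        i += 1 + nvals
    return opts


def parse_record(text):
    """Parse one Ethernet/IP/TCP/options record as Snort 1.x logs it."""
    lines = [l for l in text.splitlines() if l.strip()]
    eth, ip = ETH_RE.match(lines[0]), IP_RE.match(lines[1])
    if not (eth and ip):
        raise ValueError("not a Snort packet log header")
    rec = {
        "timestamp": eth.group("ts"),          # month/day-time; no year unless snort -y
        "src_mac": normalize_mac(eth.group("smac")),
        "dst_mac": normalize_mac(eth.group("dmac")),
        "ethertype": ETHERTYPES.get(int(eth.group("type"), 16), "unknown"),
        "frame_len": int(eth.group("len"), 16),   # captured frame length, in bytes
        "src": ip.group("src"), "sport": int(ip.group("sport")),
        "dst": ip.group("dst"), "dport": int(ip.group("dport")),
        "proto": ip.group("proto"), "ttl": int(ip.group("ttl")),
        "tos": decode_tos(int(ip.group("tos"), 16)), "ip_id": int(ip.group("id")),
        "dont_fragment": "DF" in ip.group("rest").split(),
    }
    if rec["proto"] == "TCP" and len(lines) > 2:
        tcp = TCP_RE.match(lines[2])
        if not tcp:
            raise ValueError("malformed TCP line: %r" % lines[2])
        rec["flags"] = [FLAG_NAMES[c] for c in tcp.group("flags") if c != "*"]
        rec["seq"], rec["ack"] = int(tcp.group("seq"), 16), int(tcp.group("ack"), 16)
        rec["window"] = int(tcp.group("win"), 16)
        rec["options"] = parse_tcp_options(lines[3]) if len(lines) > 3 else []
    return rec


def expected_frame_len(rec, ip_hdr_len=20):
    """Ethernet (14) + IPv4 header + fixed TCP header (20) + option bytes.
    The header line shows no IHL, so ip_hdr_len=20 (no IP options) is an
    assumption, not a parsed value."""
    return 14 + ip_hdr_len + 20 + sum(w for _, _, w in rec.get("options", []))


if __name__ == "__main__":
    r = parse_record(SAMPLE)
    print(r["flags"], r["tos"], r["options"])
    print("headers + options == frame len:", expected_frame_len(r) == r["frame_len"])
```

Two things the parser makes visible that the raw line does not: TOS 0x78 split per RFC 791 gives precedence 3 (Flash) with the low-delay and high-throughput bits set and the reliability bit clear; and the nine options on the last line occupy 24 bytes on the wire, which together with a 14-byte Ethernet header, a 20-byte IP header and a 20-byte TCP header comes to exactly 78 = 0x4E, i.e. the `len:` value is the whole captured frame in bytes. The option table only knows the options this record uses; an unmodelled option raises rather than silently miscounting.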