[Snort-users] Reading Packets?

Fernando Cardoso fernando at ...498...
Tue Oct 3 12:47:11 EDT 2000

> Does anyone have any good reference material on IP packet  
> interpretation?
> Something I can look at to help me figure out what I'm 
> looking at.  I have a
> slight handle on the basics but sometimes I get packets that 
> I have no clue
> what I'm looking at.
 Here's some help:


 10/03-07:53:54.312623 -> Date and time (Am I bright or what? ;)

[MAC header]
 0:50:DA:2D:FD:F -> 0:10:7B:77:8F:FA -> Source/destination MAC address
 type:0x800 -> Type (8 means IP)

[IP header]
 len:0x4E -> Header lenght
 X.X.4.125:1029 -> X.X.135.21:5000 -> Source/destination IP/port (port
numbers taken from TCP headers!)
 TCP -> Protocol
 TTL:128 -> Time to life
 TOS:0x78 -> Type of service (Internetwork control, Low delay, High
 ID:11776 -> ID!!
 DF -> Don't fragment flag

[TCP header]

 **S***** -> TCP flags (SYN)
 Seq: 0x2C0FD -> Sequence number
 Ack: 0x0 -> Aknowledgement number
 Win: 0x2000 -> Window
> ## Mostly this stuff  ?###
 TCP Options => MSS: 1460 NOP WS: 0 NOP NOP TS: 0 0 NOP NOP SackOK
 Maximum Segment Size, Selective Acknowledgement OK

I really advise you to grab a copy of the relevant RFCs and check them out.


Fernando Cardoso			Phone:	+351 21 7982186
Network Administrator		Fax:		+351 21 7982185
National Library			E-mail:	fernando at ...498...
Portugal				PGP ID:	28551CB8 

More information about the Snort-users mailing list