[Snort-users] RePost Reading Packets? to Clarify.
chris.northrop at ...406...
Tue Oct 3 13:22:11 EDT 2000
Ok, I think maybe I didn't explain myself clearly. What I was looking for
was kind of a cheat sheet for decoding IP acronyms and possible values of
each. Kind of like those vi editor cards you get from vendors once in a
while.. I'm sorry to have aggravated anyone's ego.
Please, this is a serious request; your information will be summarized for the
benefit of the group..
----- Original Message -----
From: Fernando Cardoso <fernando at ...498...>
To: 'Christopher Northrop' <chris.northrop at ...406...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Tuesday, October 03, 2000 12:47 PM
Subject: RE: [Snort-users] Reading Packets?
> > Does anyone have any good reference material on IP packet
> > interpretation?
> > Something I can look at to help me figure out what I'm
> > looking at. I have a
> > slight handle on the basics but sometimes I get packets that
> > I have no clue
> > what I'm looking at.
> Here's some help:
> 10/03-07:53:54.312623 -> Date and time (Am I bright or what? ;)
> [MAC header]
> 0:50:DA:2D:FD:F -> 0:10:7B:77:8F:FA -> Source/destination MAC address
> type:0x800 -> Type (8 means IP)
> [IP header]
> len:0x4E -> Header length
> X.X.4.125:1029 -> X.X.135.21:5000 -> Source/destination IP/port (port
> numbers taken from TCP headers!)
> TCP -> Protocol
> TTL:128 -> Time to live
> TOS:0x78 -> Type of service (Internetwork control, Low delay, High
> ID:11776 -> ID!!
> DF -> Don't fragment flag
> [TCP header]
> **S***** -> TCP flags (SYN)
> Seq: 0x2C0FD -> Sequence number
> Ack: 0x0 -> Acknowledgement number
> Win: 0x2000 -> Window
> > ## Mostly this stuff ?###
> TCP Options => MSS: 1460 NOP WS: 0 NOP NOP TS: 0 0 NOP NOP SackOK
> Maximum Segment Size, Selective Acknowledgement OK
> I really advise you to grab a copy of the relevant RFCs and check them
> Fernando Cardoso Phone: +351 21 7982186
> Network Administrator Fax: +351 21 7982185
> National Library E-mail: fernando at ...498...
> Portugal PGP ID: 28551CB8