[Snort-users] RePost Reading Packets? to Clarify.

Christopher Northrop chris.northrop at ...406...
Tue Oct 3 13:22:11 EDT 2000


Ok, I think maybe I didn't explain myself clearly. What I was looking for
was kind of a cheat sheet for decoding IP acronyms and possible values of
each. Kind of like those vi editor cards you get from vendors once in a
while.   I'm sorry to have aggravated anyone's ego.

Please, this is a serious request; your information will be summarized for the
benefit of the group.

TIA
Chris N.



----- Original Message -----
From: Fernando Cardoso <fernando at ...498...>
To: 'Christopher Northrop' <chris.northrop at ...406...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Tuesday, October 03, 2000 12:47 PM
Subject: RE: [Snort-users] Reading Packets?


> [...]
> > Does anyone have any good reference material on IP packet
> > interpretation?
> > Something I can look at to help me figure out what I'm
> > looking at.  I have a
> > slight handle on the basics but sometimes I get packets that
> > I have no clue
> > what I'm looking at.
> >
>  Here's some help:
>
>  example:
>
>  10/03-07:53:54.312623 -> Date and time (Am I bright or what? ;)
>
> [MAC header]
>  0:50:DA:2D:FD:F -> 0:10:7B:77:8F:FA -> Source/destination MAC address
>  type:0x800 -> Type (8 means IP)
>
> [IP header]
>  len:0x4E -> Header length
>  X.X.4.125:1029 -> X.X.135.21:5000 -> Source/destination IP/port (port
> numbers taken from TCP headers!)
>  TCP -> Protocol
>  TTL:128 -> Time to live
>  TOS:0x78 -> Type of service (Internetwork control, Low delay, High
> Throughput)
>  ID:11776 -> ID!!
>  DF -> Don't fragment flag
>
> [TCP header]
>
>  **S***** -> TCP flags (SYN)
>  Seq: 0x2C0FD -> Sequence number
>  Ack: 0x0 -> Acknowledgement number
>  Win: 0x2000 -> Window
> > ## Mostly this stuff  ?###
>  TCP Options => MSS: 1460 NOP WS: 0 NOP NOP TS: 0 0 NOP NOP SackOK
>  Maximum Segment Size, Selective Acknowledgement OK
>
>
> I really advise you to grab a copy of the relevant RFCs and check them out.
>
> Fernando
>
> _________________________________________________________
> Fernando Cardoso            Phone: +351 21 7982186
> Network Administrator       Fax: +351 21 7982185
> National Library            E-mail: fernando at ...498...
> Portugal                    PGP ID: 28551CB8
>
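Added example (not part of the thread, and not Snort's own code): a small Python decoder for the four header lines Snort prints in the layout annotated above. It expands the EtherType, the TOS byte (per RFC 791: three precedence bits, then the delay, throughput and reliability bits), the 8-character TCP flag string and the TCP options list, and then checks the len: value against the byte count of the Ethernet, IP and TCP headers plus the decoded options. The sample packet is constructed from the fields quoted in the thread; the exact spacing of Snort's layout and the two RFC 5737 documentation addresses (the original post redacts the first two octets as X.X) are assumptions, as is the 20-byte IP header assumed by the length check.

```python
"""Decode one TCP packet from a Snort 1.x verbose dump (the "snort -v -e" layout).

Added example, not code from the mailing-list post or from Snort itself.
The sample below is constructed from the fields quoted in the thread; the
exact whitespace of Snort's layout and the two RFC 5737 addresses are
assumptions (the original post redacted the first two octets as X.X).
"""
import re

# Constructed sample in the layout the post describes (documentation-range addresses).
SAMPLE = (
    "10/03-07:53:54.312623 0:50:DA:2D:FD:F -> 0:10:7B:77:8F:FA type:0x800 len:0x4E\n"
    "192.0.2.125:1029 -> 198.51.100.21:5000 TCP TTL:128 TOS:0x78 ID:11776 DF\n"
    "**S***** Seq: 0x2C0FD  Ack: 0x0  Win: 0x2000\n"
    "TCP Options => MSS: 1460 NOP WS: 0 NOP NOP TS: 0 0 NOP NOP SackOK\n"
)

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

# RFC 791 precedence names, indexed by the top three bits of the TOS byte.
PRECEDENCE = ["Routine", "Priority", "Immediate", "Flash", "Flash Override",
              "CRITIC/ECP", "Internetwork Control", "Network Control"]

# Letters Snort prints in its 8-character flag string ('*' means the bit is clear).
TCP_FLAG_LETTERS = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH",
                    "A": "ACK", "U": "URG", "1": "RES1", "2": "RES2"}

# For each option name: how many numeric values follow it, and its on-the-wire size in bytes.
TCP_OPTIONS = {"MSS": (1, 4), "WS": (1, 3), "TS": (2, 10),
               "NOP": (0, 1), "SackOK": (0, 2), "EOL": (0, 1)}

ETH_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<smac>[0-9A-Fa-f:]+)\s+->\s+(?P<dmac>[0-9A-Fa-f:]+)"
    r"\s+type:(?P<etype>0x[0-9A-Fa-f]+)\s+len:(?P<flen>0x[0-9A-Fa-f]+)")
IP_LINE = re.compile(
    r"^(?P<sip>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dip>[\d.]+):(?P<dport>\d+)"
    r"\s+(?P<proto>\w+)\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)"
    r"\s+ID:(?P<ipid>\d+)(?P<ipflags>.*)$")
TCP_LINE = re.compile(
    r"^(?P<flags>[*12UAPRSF]{8})\s+Seq:\s*(?P<seq>0x[0-9A-Fa-f]+)"
    r"\s+Ack:\s*(?P<ack>0x[0-9A-Fa-f]+)\s+Win:\s*(?P<win>0x[0-9A-Fa-f]+)")


def decode_tos(tos):
    """Split an RFC 791 TOS byte: 3 precedence bits, then the D, T and R bits."""
    return {
        "precedence": PRECEDENCE[tos >> 5],
        "low_delay": bool(tos & 0x10),
        "high_throughput": bool(tos & 0x08),
        "high_reliability": bool(tos & 0x04),
    }


def decode_tcp_flags(flagstr):
    """Expand Snort's flag string into the names of the set flags (position-independent)."""
    return [TCP_FLAG_LETTERS[c] for c in flagstr if c != "*"]


def decode_tcp_options(optstr):
    """Turn 'MSS: 1460 NOP WS: 0 ...' into (name, values) pairs plus their total byte size."""
    toks = optstr.replace(":", "").split()
    opts, nbytes, i = [], 0, 0
    while i < len(toks):
        name = toks[i]
        nvals, size = TCP_OPTIONS[name]  # KeyError on an option this decoder does not know
        opts.append((name, [int(v) for v in toks[i + 1:i + 1 + nvals]]))
        nbytes += size
        i += 1 + nvals
    return opts, nbytes


def parse_snort_packet(text):
    """Parse the header lines Snort prints for one TCP packet into a dict of decoded fields."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("expected at least the Ethernet, IP and TCP header lines")
    eth, ip, tcp = (rx.match(ln) for rx, ln in zip((ETH_LINE, IP_LINE, TCP_LINE), lines))
    if not (eth and ip and tcp):
        raise ValueError("not a Snort TCP packet dump in the expected layout")
    pkt = {
        "timestamp": eth["ts"],
        "src_mac": eth["smac"], "dst_mac": eth["dmac"],
        "ethertype": ETHERTYPES.get(int(eth["etype"], 16), "unknown"),
        "frame_len": int(eth["flen"], 16),
        "src": (ip["sip"], int(ip["sport"])), "dst": (ip["dip"], int(ip["dport"])),
        "proto": ip["proto"], "ttl": int(ip["ttl"]),
        "tos": decode_tos(int(ip["tos"], 16)),
        "ip_id": int(ip["ipid"]), "ip_flags": ip["ipflags"].split(),
        "tcp_flags": decode_tcp_flags(tcp["flags"]),
        "seq": int(tcp["seq"], 16), "ack": int(tcp["ack"], 16), "win": int(tcp["win"], 16),
        "tcp_options": [], "tcp_option_bytes": 0,
    }
    for ln in lines[3:]:
        if ln.startswith("TCP Options =>"):
            pkt["tcp_options"], pkt["tcp_option_bytes"] = decode_tcp_options(ln.split("=>", 1)[1])
    return pkt


def frame_len_matches(pkt):
    """Check len: against 14 (Ethernet) + 20 (IP, no IP options assumed) + 20 (TCP) + option bytes."""
    return pkt["frame_len"] == 14 + 20 + 20 + pkt["tcp_option_bytes"]


if __name__ == "__main__":
    p = parse_snort_packet(SAMPLE)
    for k, v in p.items():
        print(f"{k:>16}: {v}")
    print("frame length consistent:", frame_len_matches(p))
```

Run it as a script to see the decoded fields. The flag decoder reads the letters rather than their positions, so it works whichever order a given Snort version prints them in; parse_snort_packet raises ValueError if the three header lines are missing and KeyError on a TCP option the table does not know, so unfamiliar output fails loudly instead of being silently misread.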