[Snort-users] RePost Reading Packets? to Clarify.

Chris Owen chris at ...475...
Tue Oct 3 20:40:03 EDT 2000


Well, at the risk of sounding repetitive... There's the TCP/IP illustrated
book.  The book has a list of acronym definitions at the back and describes
many protocols (from TCP, IP and UDP to SNMP and NFS and more) in an easy to
understand fashion.  Richard Stevens uses tcpdump as a teaching tool
throughout the book which will allow you to read packet dumps like what you
posted in your original email after studying the book for awhile.

I still stand by this book as the best solution.

There is also http://www.dictionary.com which has always been there for me
when acronyms have went over my head.

For information on all possible (correct?) values of whatever field... I
think you're pretty much stuck looking at the rfcs or the aforementioned
book.

RFCs can be downloaded and searched through at http://www.rfc-editor.org.

But if you're looking for other ways to visualize the packets you could save
the output to tcpdump format and open it in ethereal or a similar GUI packet
analyiser to get the IP header breakdown and the such.

You could download ethereal from http://ethereal.zing.org.  They even have
screenshots!  I love that.

I don't know if it's of any help or if it has any supporting documentation
that would be interesting but the program isic generates packets with random
values and is pretty nifty.

http://expert.cc.purdue.edu/~frantzen/

What do you mean by "possible values [of all acronyms]?".

All the colours of the rainbow! =D

 Chris.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Christopher
Northrop
Sent: Tuesday, October 03, 2000 10:22 AM
To: Snort user List
Subject: [Snort-users] RePost Reading Packets? to Clarify.


Ok, I think maybe I didn't explain myself clearly. What I was looking for
was kind of a cheat sheet for decoding IP acronyms and possible values of
each. Kind of like those vi editor cards you get from venders once in a
while..   I'm sorry to have aggravated any-ones ego.

Please this is a serious request your information will be summarized for the
benefit of the group..

TIA
Chris N.



----- Original Message -----
From: Fernando Cardoso <fernando at ...498...>
To: 'Christopher Northrop' <chris.northrop at ...406...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Tuesday, October 03, 2000 12:47 PM
Subject: RE: [Snort-users] Reading Packets?


> [...]
> > Does anyone have any good reference material on IP packet
> > interpretation?
> > Something I can look at to help me figure out what I'm
> > looking at.  I have a
> > slight handle on the basics but sometimes I get packets that
> > I have no clue
> > what I'm looking at.
> >
>  Here's some help:
>
>  example:
>
>  10/03-07:53:54.312623 -> Date and time (Am I bright or what? ;)
>
> [MAC header]
>  0:50:DA:2D:FD:F -> 0:10:7B:77:8F:FA -> Source/destination MAC address
>  type:0x800 -> Type (8 means IP)
>
> [IP header]
>  len:0x4E -> Header lenght
>  X.X.4.125:1029 -> X.X.135.21:5000 -> Source/destination IP/port (port
> numbers taken from TCP headers!)
>  TCP -> Protocol
>  TTL:128 -> Time to life
>  TOS:0x78 -> Type of service (Internetwork control, Low delay, High
> Throughput)
>  ID:11776 -> ID!!
>  DF -> Don't fragment flag
>
> [TCP header]
>
>  **S***** -> TCP flags (SYN)
>  Seq: 0x2C0FD -> Sequence number
>  Ack: 0x0 -> Aknowledgement number
>  Win: 0x2000 -> Window
> > ## Mostly this stuff  ?###
>  TCP Options => MSS: 1460 NOP WS: 0 NOP NOP TS: 0 0 NOP NOP SackOK
>  Maximum Segment Size, Selective Acknowledgement OK
>
>
> I really advise you to grab a copy of the relevant RFCs and check them
out.
>
> Fernando
>
> _________________________________________________________
> Fernando Cardoso Phone: +351 21 7982186
> Network Administrator Fax: +351 21 7982185
> National Library E-mail: fernando at ...498...
> Portugal PGP ID: 28551CB8
>

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users




More information about the Snort-users mailing list