[Snort-users] Reading Packets?
fygrave at ...121...
Wed Oct 4 08:39:47 EDT 2000
~ :Does anyone have any good reference material on IP packet interpretation?
umm.. RFC? that's what I usually use if get stuck :)
~ :Something I can look at to help me figure out what I'm looking at. I have a
~ :slight handle on the basics but sometimes I get packets that I have no clue
~ :what I'm looking at.
~ :10/03-07:53:54.312623 0:50:DA:2D:FD:F -> 0:10:7B:77:8F:FA
Mac addresses of source and dest..
~ : type:0x800
ethernet frame type (0x800 -- IP datagram ;))
~ : X.X.4.125:1029 -> X.X.135.21:5000 TCP TTL:128 TOS:0x78 ID:11776
~ : DF
tcp, source port 1029, dst, 5000, time-to-live 128, type of service 0x78
(junk ;)), packet ID 11776, Don't-Fragment flag is on...
~ : **S***** Seq: 0x2C0FD Ack: 0x0 Win: 0x2000
Syn packet, SEQ/ACK, win 0x2000...
~ :## Mostly this stuff ?###
~ :TCP Options => MSS: 1460
Max. seg. size..
~ : NOP WS: 0 NOP NOP TS: 0 0 NOP NOP SackOK
http://www.faqs.org/rfcs/rfc2883.html for sack, WS and TS should be
somewhere there as well :)
More information about the Snort-users