[Snort-users] Reading Packets?

Fyodor fygrave at ...121...
Wed Oct 4 08:39:47 EDT 2000


~ :
~ :Does anyone have any good reference material on IP packet  interpretation?

umm.. RFC? that's what I usually use if I get stuck :)

~ :Something I can look at to help me figure out what I'm looking at.  I have a
~ :slight handle on the basics but sometimes I get packets that I have no clue
~ :what I'm looking at.
~ :
~ :example:
~ :10/03-07:53:54.312623 0:50:DA:2D:FD:F -> 0:10:7B:77:8F:FA

MAC addresses of source and dest..

~ : type:0x800

ethernet frame type (0x800 -- IP datagram ;))

~ :len:0x4E
~ : X.X.4.125:1029 -> X.X.135.21:5000 TCP TTL:128 TOS:0x78 ID:11776
~ : DF

TCP, source port 1029, dst 5000, time-to-live 128, type of service 0x78
(junk ;)), packet ID 11776, Don't-Fragment flag is on...

~ : **S***** Seq: 0x2C0FD Ack: 0x0 Win: 0x2000

Syn packet, SEQ/ACK, win 0x2000...

~ :## Mostly this stuff  ?###
~ :TCP Options => MSS: 1460

Max. seg. size..

~ : NOP WS: 0 NOP NOP TS: 0 0 NOP NOP SackOK

http://www.faqs.org/rfcs/rfc2883.html for sack, WS and TS should be
somewhere there as well :)
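As an added example (not part of the original post or of Snort itself), the following Python decodes the four-line packet dump quoted above into named fields: MAC addresses and ethertype, addresses, ports, TTL, the RFC 791 TOS bits, IP flags, the TCP flag letters, sequence/ack/window, and the TCP option list. It also cross-checks the printed frame length against the header and option sizes from RFC 793/1323/2018, assuming 14-byte Ethernet, a 20-byte IPv4 header with no IP options, and the Snort 1.x text layout; the sample input is reconstructed from the message with the X.X address prefixes left as posted.

```python
"""Decode a Snort 1.x-style text packet dump into named fields.

Added example for the thread above; not code from Snort or from the original
post. Header sizes and option byte counts come from RFC 791, 793, 1323, 2018.
"""
import re

# Constructed sample: the dump quoted in the message, reassembled onto the
# four lines Snort prints (the X.X address prefixes are kept as posted).
SAMPLE = """\
10/03-07:53:54.312623 0:50:DA:2D:FD:F -> 0:10:7B:77:8F:FA type:0x800 len:0x4E
X.X.4.125:1029 -> X.X.135.21:5000 TCP TTL:128 TOS:0x78 ID:11776 DF
**S***** Seq: 0x2C0FD Ack: 0x0 Win: 0x2000
TCP Options => MSS: 1460 NOP WS: 0 NOP NOP TS: 0 0 NOP NOP SackOK
"""

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

# Snort prints one letter per set TCP flag and '*' for a clear one; the column
# order changed between Snort versions, so decode by letter, not by position.
FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST",
              "P": "PSH", "U": "URG", "1": "RES1", "2": "RES2"}

# How many numeric values follow a "NAME:" option token in the dump.
OPTION_VALUES = {"MSS": 1, "WS": 1, "TS": 2}
# On-the-wire size of each option in bytes (RFC 793, 1323, 2018).
OPTION_BYTES = {"MSS": 4, "WS": 3, "TS": 10, "SackOK": 2, "NOP": 1, "EOL": 1}

ETH_HDR, IP_HDR, TCP_HDR = 14, 20, 20   # fixed header sizes; assumes no IP options

LINK_RE = re.compile(r"^(\S+) (\S+) -> (\S+) type:0x([0-9A-Fa-f]+) len:0x([0-9A-Fa-f]+)")
IP_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (\w+) TTL:(\d+) TOS:0x([0-9A-Fa-f]+) ID:(\d+)(.*)$")
TCP_RE = re.compile(r"^(\S{8}) Seq: 0x([0-9A-Fa-f]+) Ack: 0x([0-9A-Fa-f]+) Win: 0x([0-9A-Fa-f]+)")
OPT_RE = re.compile(r"^TCP Options => (.*)$")


def decode_tos(tos):
    """Split the RFC 791 Type-of-Service byte into precedence and D/T/R bits."""
    return {"precedence": tos >> 5,
            "low_delay": bool(tos & 0x10),
            "high_throughput": bool(tos & 0x08),
            "high_reliability": bool(tos & 0x04)}


def parse_tcp_options(text):
    """Turn 'MSS: 1460 NOP WS: 0 ...' into [(name, [values]), ...]."""
    tokens, opts, i = text.split(), [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.endswith(":"):                   # option carrying values
            name = tok[:-1]
            count = OPTION_VALUES.get(name, 1)  # unknown options: assume one value
            values = [int(v) for v in tokens[i + 1:i + 1 + count]]
            opts.append((name, values))
            i += 1 + count
        else:                                   # bare option such as NOP or SackOK
            opts.append((tok, []))
            i += 1
    return opts


def expected_frame_len(options):
    """Frame size implied by the option list: Ethernet + IPv4 + TCP + options."""
    return ETH_HDR + IP_HDR + TCP_HDR + sum(OPTION_BYTES.get(n, 0) for n, _ in options)


def parse_snort_packet(dump):
    """Parse the link, IP, TCP and option lines of one Snort text dump."""
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    link = LINK_RE.match(lines[0])
    ip = IP_RE.match(lines[1])
    tcp = TCP_RE.match(lines[2])
    if not (link and ip and tcp):
        raise ValueError("not a Snort TCP packet dump")
    ethertype = int(link.group(4), 16)
    opts = OPT_RE.match(lines[3]) if len(lines) > 3 else None
    return {
        "timestamp": link.group(1),
        "src_mac": link.group(2), "dst_mac": link.group(3),
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPES.get(ethertype, "unknown"),
        "frame_len": int(link.group(5), 16),
        "src": (ip.group(1), int(ip.group(2))),
        "dst": (ip.group(3), int(ip.group(4))),
        "proto": ip.group(5),
        "ttl": int(ip.group(6)),
        "tos": decode_tos(int(ip.group(7), 16)),
        "ip_id": int(ip.group(8)),
        "ip_flags": ip.group(9).split(),
        "tcp_flags": [FLAG_NAMES.get(c, c) for c in tcp.group(1) if c != "*"],
        "seq": int(tcp.group(2), 16), "ack": int(tcp.group(3), 16),
        "window": int(tcp.group(4), 16),
        "options": parse_tcp_options(opts.group(1)) if opts else [],
    }


if __name__ == "__main__":
    pkt = parse_snort_packet(SAMPLE)
    for key, value in pkt.items():
        print(f"{key:15} {value}")
    print("frame length consistent with options:",
          expected_frame_len(pkt["options"]) == pkt["frame_len"])
```

Run it on the sample and the 0x4E length comes out as 78 bytes, which is exactly 14 + 20 + 20 plus the 24 bytes of options listed, a quick way to tell whether a dump you are staring at has IP options or something odd in it.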
