2.6 Examining tcpdump Output
The more traffic tcpdump collects, the clearer the picture of the
network stream becomes. Here is another example of a tcpdump capture,
this time a single TCP packet shown in the classic tcpdump output
format:
14:02:09.181190 specto.ksl.com.33248 > quasi.ksl.com.ftp: S 1191864640:1191864640(0)
win 5840 <mss 1460,sackOK,timestamp 238617 0,nop,wscale 0> (DF)
Here's what each field in this output means:
- 14:02:09.181190
Timestamp of the capture in local time (hours:minutes:seconds, with
microsecond resolution)
- specto.ksl.com.33248
Hostname and source port
- quasi.ksl.com.ftp
Hostname and destination port (port 21, shown here by its service name,
ftp)
- S
TCP flags. Classic tcpdump prints one letter for each of these flags
that is set: S (SYN), F (FIN), P (PSH), R (RST), and a single period (.)
when none of them is set. The ACK flag is not shown in this position;
it appears later in the line as a separate "ack" field carrying the
acknowledgment number. Newer versions of tcpdump print the same
information as "Flags [S]".
- 1191864640
Initial sequence number from source
- 1191864640
Ending sequence number, which is the initial sequence number plus the
size of the packet in data bytes
- (0)
Data bytes or payload size of this TCP packet
- win 5840
Window size: the number of bytes the sender (specto.ksl.com) is
currently willing to accept from the other side, before any window
scaling is applied
The data between the < and > characters is the TCP options. They carry
parameters negotiated between the two hosts (segment size, selective
acknowledgment, timestamps, window scaling) that make delivery more
efficient and reliable. There are fingerprinting techniques in which an
attacker learns what operating system a host runs from how it responds
to unusual settings in these options, but in day-to-day analysis the
options are usually secondary to what is in the main header and the
data payload of the packet. Here are the options for the packet
we're examining:
- mss 1460
Max-segment-size or mss option (TCP option)
- sackOK
Selective acknowledgement permitted (TCP option)
- timestamp 238617 0
TCP timestamp option. The first value is the sender's own timestamp;
the second echoes the most recent timestamp received from the peer,
which is 0 here because nothing has been received yet. The peer uses
the echoed values to measure round-trip time and adjust its
retransmission timer, and the timestamps also protect against wrapped
sequence numbers on fast links (TCP option)
- nop
No operation: a one-byte option with no effect, used only as padding so
that the option following it starts on a four-byte boundary (TCP
option)
- wscale 0
Window scale (not to be confused with the window size field in the
standard TCP header): a shift count telling the peer how far to shift
this host's advertised window size to get the real window in bytes. A
value of 0 means no scaling; larger values let a host advertise a
receive buffer bigger than the 65,535 bytes the 16-bit window field
can express (TCP option)
- (DF)
The "don't fragment" bit is set. This is a flag in the IP header, not a
TCP option, but tcpdump prints it on the same line
The tcpdump output shows this packet to be a connection request from
specto.ksl.com to establish an FTP connection to
quasi.ksl.com. While older versions of tcpdump
might display only the port number, port 21 resolves here to the FTP
service. This is resolved using the
/etc/services file.
A useful parameter for tcpdump is the -n switch, which tells tcpdump
not to resolve IP addresses to hostnames, or -nn, which also leaves
port and protocol numbers unresolved instead of looking them up in
/etc/services. It's commonly used on hosts that are not able to
properly resolve hostnames, that is, without DNS access or
/etc/hosts entries. In cases such as these, each lookup blocks while
it waits for an answer, so tcpdump may delay output or even drop
packets. It's also a good idea to get used to looking at packet
captures without DNS enabled: the raw addresses and port numbers are
what the packets actually carry, and a hostname is only as trustworthy
as the DNS server that supplied it.
Because this is the first step in establishing a session, the SYN
flag is set, identifiable by the S in the flags position of the
tcpdump output (this will be covered more closely when we discuss the
TCP three-way handshake). The beginning and ending sequence
numbers are the same, since no data is being sent. In most cases, no
data is sent until the three-way handshake is completed. There are
exceptions to this rule: RFC 793 allows data to be carried on the SYN
(it is queued and not delivered to the application until the
connection is established), and not all handshakes complete. In any
case, a packet that doesn't conform to the protocol's established
standards, such as one with SYN and FIN set together, or one with no
flags at all, should be considered suspicious.
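As an added example, not code from the original text, the following Python script parses classic tcpdump TCP summary lines into the fields described above and then applies the conformance check from the last paragraph, flagging packets whose flag combinations or handshake behaviour do not fit the protocol. The first sample line is the page's own SYN; the other lines (a SYN/ACK, a pure ACK, a SYN/FIN probe and a SYN carrying data) are constructed here, with invented sequence numbers, and the service-name lookup through /etc/services is an optional convenience that falls back to None when the file is unavailable.

```python
import re
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Classic (pre-4.0) tcpdump TCP summary line. The "seq:end(len)" group is
# absent on pure ACKs, "ack N" is absent on a bare SYN, and both the <...>
# option list and the (DF) marker are optional.
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SFPRUWE.]+)"                    # "." means none of S/F/P/R set
    r"(?:\s+(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"                 # ACK flag shows up here
    r"\s+win\s+(?P<win>\d+)"
    r"(?:\s+<(?P<opts>[^>]*)>)?"
    r"(?:\s+\((?P<df>DF)\))?"
)

@dataclass
class TcpSummary:
    ts: str
    src_host: str
    src_port: str
    dst_host: str
    dst_port: str
    flags: str
    seq: Optional[int]
    end: Optional[int]
    length: int
    ack: Optional[int]
    win: int
    options: List[Tuple[str, List[int]]]   # nop may appear more than once
    df: bool

def split_host_port(endpoint: str) -> Tuple[str, str]:
    # tcpdump appends the port to the host with a dot; it is the last component
    host, _, port = endpoint.rpartition(".")
    return host, port

def port_number(port: str) -> Optional[int]:
    """Numeric port; service names are resolved via /etc/services like tcpdump does."""
    if port.isdigit():
        return int(port)
    try:
        return socket.getservbyname(port, "tcp")
    except OSError:
        return None

def parse_options(text: str) -> List[Tuple[str, List[int]]]:
    opts = []
    for item in text.split(","):
        parts = item.split()
        if parts:
            opts.append((parts[0], [int(a) for a in parts[1:] if a.isdigit()]))
    return opts

def parse_line(line: str) -> TcpSummary:
    m = TCP_LINE.match(line)
    if not m:
        raise ValueError("not a classic tcpdump TCP line: %r" % line)
    g = m.groupdict()
    src_host, src_port = split_host_port(g["src"])
    dst_host, dst_port = split_host_port(g["dst"])
    seq = int(g["seq"]) if g["seq"] else None
    end = int(g["end"]) if g["end"] else None
    length = int(g["len"]) if g["len"] else 0
    if seq is not None and end - seq != length:
        raise ValueError("ending sequence number must equal seq plus payload length")
    return TcpSummary(g["ts"], src_host, src_port, dst_host, dst_port, g["flags"],
                      seq, end, length, int(g["ack"]) if g["ack"] else None,
                      int(g["win"]), parse_options(g["opts"] or ""), g["df"] == "DF")

def suspicious(pkt: TcpSummary) -> List[str]:
    """Return short codes for packets that do not fit normal TCP behaviour."""
    f = set(pkt.flags) - {"."}
    findings = []
    if {"S", "F"} <= f:
        findings.append("syn+fin")        # never valid: open and close at once
    if {"S", "R"} <= f:
        findings.append("syn+rst")
    if "S" in f and pkt.ack is None and pkt.length > 0:
        findings.append("data-on-syn")    # allowed by RFC 793 but rare; worth a look
    if not f and pkt.ack is None:
        findings.append("null-flags")     # null-scan pattern
    if f == {"F"} and pkt.ack is None:
        findings.append("fin-no-ack")     # FIN-scan pattern
    return findings

def audit(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Parse each line and return (timestamp, findings) for the suspicious ones."""
    out = []
    for line in lines:
        pkt = parse_line(line)
        hits = suspicious(pkt)
        if hits:
            out.append((pkt.ts, hits))
    return out

# Constructed sample capture: line 0 is the page's SYN, the rest are invented.
SAMPLE_LINES = [
    "14:02:09.181190 specto.ksl.com.33248 > quasi.ksl.com.ftp: S 1191864640:1191864640(0) win 5840 <mss 1460,sackOK,timestamp 238617 0,nop,wscale 0> (DF)",
    "14:02:09.181500 quasi.ksl.com.ftp > specto.ksl.com.33248: S 2937459845:2937459845(0) ack 1191864641 win 5792 <mss 1460,sackOK,timestamp 7734 238617,nop,wscale 0> (DF)",
    "14:02:09.181700 specto.ksl.com.33248 > quasi.ksl.com.ftp: . ack 1 win 5840 <nop,nop,timestamp 238617 7734> (DF)",
    "14:02:12.000100 probe.example.net.40001 > quasi.ksl.com.ftp: SF 99:99(0) win 1024",
    "14:02:13.000200 probe.example.net.40002 > quasi.ksl.com.ftp: S 555:560(5) win 512 (DF)",
]

if __name__ == "__main__":
    for ts, hits in audit(SAMPLE_LINES):
        print(ts, ", ".join(hits))
```

Run it with -nn captures as well: the parser only relies on the last dot-separated component of each endpoint, so numeric addresses and ports parse the same way as resolved names.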