This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

ton of ACKs but no SYN or SYN/ACK

0

I thought I'd try to learn Wireshark but have a quick question. I started it up and went to a couple of sites, then stopped it. In 13 seconds, I had over 20,000 lines of ACK packets with no SYN or SYN/ACKs anywhere. Is this a DoS ACK attempt? Anything to be worried about?

Thanks!

asked 27 Mar '11, 21:16

cdnsupguy
1111
accept rate: 0%

Is this a workstation or a public-facing server? 20,000 ACKs in 13 seconds isn't excessive per se; it depends on how busy the server is. Are you saying that you only saw ACKs one way? Were these to servers you visited? Were you using any capture filters (or display filters, at that)?

(28 Mar '11, 18:48) hansangb

2 Answers:

0

This is just my regular home computer. No capture filters and yes, it seemed to be only ACKs one-way (only one part of the 3-way handshake). I was expecting to see the 2 other parts of the handshake in the list but don't see them anywhere. These were not to any servers or sites I visit or know about.

answered 29 Mar '11, 16:09

cdnsupguy
1111
accept rate: 0%

1

If it's your home PC, you definitely have a problem! You better get it scanned pronto!

(29 Mar '11, 19:51) hansangb

So what could it be? Seems like a DoS of some kind, or could it be something else? I ran an updated AV scanner in Safe Mode as well as a spyware scanner and a rootkit detector, which came back clean.

(31 Mar '11, 17:09) cdnsupguy

0

So you want to learn how to use Wireshark and perform network analysis, you say? OK, then dig into it a little bit.

Where are these ACKs originating from, the local or remote host? What ports are you seeing on the local and remote hosts? What does netstat show you?

The only way to learn it is to do it.

answered 31 Mar '11, 18:28

joeqwerty
6113
accept rate: 0%

edited 01 Apr '11, 18:07
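
One way to work through the questions in the answer above (which side sends the ACKs, on which ports, and whether any handshake was captured), as an added example that is not part of the original thread. The sample lines, the addresses and the `LOCAL_IP` value are constructed; the input format is what `tshark -T fields` prints for the fields named in the comment.

```python
from collections import defaultdict

# Constructed sample (documentation addresses), in the format produced by:
#   tshark -r capture.pcapng -Y tcp -T fields -E separator=, \
#     -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags
SAMPLE = """\
192.168.1.10,50123,203.0.113.5,443,0x0002
203.0.113.5,443,192.168.1.10,50123,0x0012
192.168.1.10,50123,203.0.113.5,443,0x0010
203.0.113.5,443,192.168.1.10,50123,0x0018
198.51.100.7,6881,192.168.1.10,51413,0x0010
198.51.100.7,6881,192.168.1.10,51413,0x0010
198.51.100.7,6881,192.168.1.10,51413,0x0010
"""

SYN = 0x02                 # SYN bit in the TCP flags field
LOCAL_IP = "192.168.1.10"  # assumption: address of the capturing host


def summarize(text, local_ip=LOCAL_IP):
    """Tally each TCP conversation: packets per direction, and whether a SYN was seen."""
    convs = defaultdict(lambda: {"out": 0, "in": 0, "syn_seen": False})
    for line in text.split():
        src, sport, dst, dport, flags = line.split(",")
        outbound = src == local_ip
        # Key every conversation as (local port, remote IP, remote port).
        key = (int(sport), dst, int(dport)) if outbound else (int(dport), src, int(sport))
        conv = convs[key]
        conv["out" if outbound else "in"] += 1
        if int(flags, 16) & SYN:  # matches both SYN and SYN/ACK
            conv["syn_seen"] = True
    return dict(convs)


def no_handshake(convs):
    """Conversations with no SYN or SYN/ACK in the capture, busiest first.

    These are either connections opened before the capture started or
    unsolicited segments; compare the local port with netstat output to see
    whether a local process owns that connection.
    """
    hits = [(k, c) for k, c in convs.items() if not c["syn_seen"]]
    return sorted(hits, key=lambda kc: kc[1]["in"] + kc[1]["out"], reverse=True)


if __name__ == "__main__":
    for (lport, rip, rport), c in no_handshake(summarize(SAMPLE)):
        print(f"local:{lport} <-> {rip}:{rport}  out={c['out']} in={c['in']}  no SYN seen")
```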