This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP Dump, cannot understand these 4 lines?

0

I need support understanding these 4 lines. looks like tcp dump but im actully not understanding what exactly is happening here.

  1. 13:13:22.407445 IP 192.168.246.128.54955 > 192.168.246.13.80: S 2910497703:2910497703(0) win 5840 <mss 1460,sackok,timestamp="" 518611="" 0,nop,wscale="" 6="">
  2. 13:13:22.407560 IP 192.168.246.13.80 > 192.168.246.128.54955: S 3762608065:3762608065(0) ack 2910497704 win 64240 <mss 1460,nop,wscale="" 0,nop,nop,timestamp="" 0="" 0,nop,nop,sackok="">
  3. 13:13:22.407963 IP 192.168.246.128.54955 > 192.168.246.13.80: . ack 1 win 92 <nop,nop,timestamp 518611="" 0="">
  4. 13:13:22.408321 IP 192.168.246.128.54955 > 192.168.246.13.80: R 1:1(0) ack 1 win 92 <nop,nop,timestamp 518611="" 0="">

asked 17 Nov '14, 12:18

Kell90's gravatar image

Kell90
11223
accept rate: 0%

One Answer:

0

This is a 3-way handshake between a linux client (192.168.246.128) and a windows http server.

    Linux           Windows
      ----- SYN -----> 
      <---- SYN_ACK--- 
      ------ACK -----> 
      ------RST ----->

The 4th packet is a RESET of the connection - pretty early to my taste. So it looks like you are just checking whether the http server is active and operational. Network monitors do this often.

PS.: Is this part of your homework???

answered 17 Nov '14, 12:44

mrEEde's gravatar image

mrEEde
3.9k152270
accept rate: 20%

edited 17 Nov '14, 12:51

Thank you so much for the fast reply, my question now is where do you identify that the IP 128 is a linux client?

(17 Nov '14, 12:51) Kell90

That comes form 20+ years experience of reading traces ... ;-)

(17 Nov '14, 13:37) mrEEde

OS details from 3 way handshake in trace can be derieved from Initial RWIN size, Find this link for more details, http://www.netresec.com/?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting

(17 Nov '14, 20:41) kishan pandey