[OT] tcpdump

Chris MacDonald cgm-BjBj7/ohIX+w5LPnMra/2Q at public.gmane.org
Fri Sep 19 00:24:56 UTC 2003


On Thu, Sep 18, 2003 at 01:52:11PM -0400, gbell72 wrote:
> 12:56:22.053052
> CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3242 >
> 165.254.12.101.http: S 152256065:152256065(0) win 8192 <mss
> 1460,nop,nop,sackOK> (DF)

Assuming the rogers.com host is you, it looks like you're connecting to a
webserver running on that IP address. Nothing to worry about with that.

>  12:56:22.089174 165.254.12.101.http >
> CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3242: S
> 4259504041:4259504041(0) ack 152256066 win 65535 <mss 1460,nop,nop,sackOK>
> (DF)
>  12:56:22.089562
> CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3242 >
> 165.254.12.101.http: . ack 1 win 8760 (DF)
>  12:56:22.090183
> CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3242 >
> 165.254.12.101.http: P 1:280(279) ack 1 win 8760 (DF)

These are just other packets from the same connection. No big deal.

>  12:56:22.780155
> CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3245 >
> 165.254.12.101.http: S 152256793:152256793(0) win 8192 <mss
> 1460,nop,nop,sackOK> (DF)
>  12:56:22.789197 poppit03.pogo.com.http >
> CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3244: P
> 1116:1303(187) ack 1166 win 24820 (DF)
>  12:56:22.820501 165.254.12.101.http >
> CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3245: S
> 4268719919:4268719919(0) ack 152256794 win 65535 <mss 1460,nop,nop,sackOK>
> (DF)
>  12:56:22.820904
> CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3245 >
> 165.254.12.101.http: . ack 1 win 8760 (DF)
>  12:56:22.821503
> CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3245 >
> 165.254.12.101.http: P 1:280(279) ack 1 win 8760 (DF)
> 
> I've googled keywords <mss 1460,nop,nop,sackok> and have noticed that some
> people have responded that it's a possible worm.  From viewing my logs I
> see nothing to be overly concerned about just more so curious as to what
> this person or persons are up to.

Those are TCP flags, and there is absolutely nothing malicious about them.

If you really want to figure out what it is, use tcpdump with the flags
-s 1500 and -X. This will print out the contents of each packet. Though,
it might be easier to just have tcpdump write to a file, which you can
then open with ethereal and examine entire connections at once.

And try not to worry about every weird packet that goes by. Trust me,
you'll go nuts. And chances are there's nothing malicious happening.

Also consider investing in TCP/IP Illustrated Volume 1, by W. Richard
Stevens. It's a great book that'll explain all the protocols and can help
you figure out what's going on.

good luck,
-cgm.
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
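An added example, not part of the thread: a small Python parser for the 2003-era tcpdump summary lines quoted above, which groups packets by connection and labels each step so that a reader can see that the 3242 and 3245 sessions are ordinary client-initiated three-way handshakes (SYN, SYN/ACK acknowledging the client ISN + 1, ACK) followed by an HTTP request. Host names are constructed placeholders and the email wrapping is undone so each packet is one line; the poppit03 line shows what a connection looks like when its handshake was not in the capture.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(   # tcpdump 3.x (2003) summary line, one packet per line
    r"^(?P<ts>[\d:.]+) (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<flags>[SFRP.]+)(?: (?P<seq>\d+):\d+\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)(?: <(?P<opts>[^>]*)>)?(?: \((?P<df>DF)\))?$"
)

# Constructed sample capture modelled on the lines quoted in the thread.
SAMPLE = """\
12:56:22.053052 cpe.example.3242 > 165.254.12.101.http: S 152256065:152256065(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
12:56:22.089174 165.254.12.101.http > cpe.example.3242: S 4259504041:4259504041(0) ack 152256066 win 65535 <mss 1460,nop,nop,sackOK> (DF)
12:56:22.089562 cpe.example.3242 > 165.254.12.101.http: . ack 1 win 8760 (DF)
12:56:22.090183 cpe.example.3242 > 165.254.12.101.http: P 1:280(279) ack 1 win 8760 (DF)
12:56:22.789197 poppit03.pogo.com.http > cpe.example.3244: P 1116:1303(187) ack 1166 win 24820 (DF)
"""

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    d = m.groupdict()
    for k in ("seq", "len", "ack", "win"):
        d[k] = int(d[k]) if d[k] is not None else None
    d["opts"] = d["opts"].split(",") if d["opts"] else []   # TCP options (mss, sackOK)
    return d

def classify(text):
    """Group packets per (client, port, server, port) and label each handshake step."""
    conns, client_isn = defaultdict(list), {}
    for p in map(parse_line, text.splitlines()):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if "S" in p["flags"] and p["ack"] is None:          # client opens: SYN
            client_isn[fwd] = p["seq"]
            conns[fwd].append("SYN")
        elif "S" in p["flags"]:                             # server answers: SYN/ACK
            ok = rev in client_isn and p["ack"] == client_isn[rev] + 1
            conns[rev].append("SYN/ACK" if ok else "SYN/ACK (acks wrong ISN)")
        else:
            key = fwd if fwd in conns else rev
            if key not in conns:                            # no SYN captured: mid-stream
                conns[key].append("mid-stream (handshake not captured)")
            if p["len"]:
                conns[key].append(f"DATA {p['len']}B {'c->s' if key == fwd else 's->c'}")
            else:
                conns[key].append("RST" if "R" in p["flags"] else "ACK")
    return dict(conns)

def is_normal_client_session(labels):
    """True when the capture shows our host completing a 3-way handshake it started."""
    return labels[:3] == ["SYN", "SYN/ACK", "ACK"]
```

Run `classify(SAMPLE)` on a file written with `tcpdump -w` and read back with `tcpdump -r` in this summary format to get the same per-connection view the reply recommends building in ethereal.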