[FUG-BR] Understanding tcpdump

Ricardo Nascimento Ferreira ricardonf at gmail.com
Tue Feb 3 17:44:08 BRST 2009


Ricardo, here is an excerpt from the man page that defines the default output
format produced by tcpdump.
Happy reading.

The general format of a tcp protocol line is:

       src > dst: flags data-seqno ack window urgent options

       Src and dst are the source and destination IP addresses and ports.
       Flags are some combination of S (SYN), F (FIN), P (PUSH) or R (RST) or
       a single `.' (no flags).  Data-seqno describes the portion of sequence
       space covered by the data in this packet (see example below).  Ack is
       sequence number of the next data expected the other direction on this
       connection.  Window is the number of bytes of receive buffer space
       available the other direction on this connection.  Urg indicates there
       is `urgent' data in the packet.  Options are tcp options enclosed in
       angle brackets (e.g., <mss 1024>).

       Src, dst and flags are always present.  The other fields depend on the
       contents of the packet's tcp protocol header and are output only if
       appropriate.



2009/2/3 Ricardo Augusto de Souza <ricardo.souza at cmtsp.com.br>

> Hey folks,
>
> I need some help understanding the kinds of packets/requests
> flowing between a POS terminal (PDV) and an SCM server.
>
> This POS terminal is responsible for loading credits onto users' cards.
>
> Today it started having problems and we don't know what it is.
>
> There were no changes on the firewalls (FreeBSD).
>
> I did an analysis with tcpdump and need help understanding them:
>
> 15:53:42.813952 10.100.0.27.10000 > 10.10.51.7.4831: P 43:85(42) ack 146
> win 65390 <nop,nop,timestamp 35630407 4753> (DF)
>
> 15:53:42.825702 10.10.51.7.4831 > 10.100.0.27.10000: . ack 85 win 2920
> <nop,nop,timestamp 4831 35630407> (DF)
>
> 15:53:43.064756 10.10.51.7.4831 > 10.100.0.27.10000: P 146:189(43) ack 85
> win 2920 <nop,nop,timestamp 4855 35630407> (DF)
>
> 15:53:43.224712 10.100.0.27.10000 > 10.10.51.7.4831: . ack 189 win 65347
> <nop,nop,timestamp 35630411 4855> (DF)
>
> 15:53:43.281616 10.100.0.27.10000 > 10.10.51.7.4831: P 85:127(42) ack 189
> win 65347 <nop,nop,timestamp 35630411 4855> (DF)
>
> 15:53:43.293177 10.10.51.7.4831 > 10.100.0.27.10000: . ack 127 win 2920
> <nop,nop,timestamp 4878 35630411> (DF)
>
> 15:53:45.858525 10.10.51.7.4831 > 10.100.0.27.10000: P 189:232(43) ack 127
> win 2920 <nop,nop,timestamp 5043 35630411> (DF)
>
> 15:53:45.991184 10.100.0.27.10000 > 10.10.51.7.4831: P 127:169(42) ack 232
> win 65304 <nop,nop,timestamp 35630438 5043> (DF)
>
> 15:53:46.003366 10.10.51.7.4831 > 10.100.0.27.10000: . ack 169 win 2920
> <nop,nop,timestamp 5058 35630438> (DF)
>
> 15:53:47.226167 10.10.51.7.4831 > 10.100.0.27.10000: P 232:279(47) ack 169
> win 2920 <nop,nop,timestamp 5168 35630438> (DF)
>
> 15:53:47.364699 10.100.0.27.10000 > 10.10.51.7.4831: P 169:223(54) ack 279
> win 65257 <nop,nop,timestamp 35630452 5168> (DF)
>
> 15:53:47.376669 10.10.51.7.4831 > 10.100.0.27.10000: . ack 223 win 2920
> <nop,nop,timestamp 5183 35630452> (DF)
>
> 15:53:47.926833 10.10.51.7.4831 > 10.100.0.27.10000: P 279:353(74) ack 223
> win 2920 <nop,nop,timestamp 5231 35630452> (DF)
>
> 15:53:48.160527 10.100.0.27.10000 > 10.10.51.7.4831: . ack 353 win 65183
> <nop,nop,timestamp 35630461 5231> (DF)
>
> 15:53:49.878443 10.100.0.27.10000 > 10.10.51.7.4831: P 223:265(42) ack 353
> win 65183 <nop,nop,timestamp 35630477 5231> (DF)
>
> 15:53:49.890277 10.10.51.7.4831 > 10.100.0.27.10000: . ack 265 win 2920
> <nop,nop,timestamp 5428 35630477> (DF)
>
> 15:53:50.461960 10.10.51.7.4831 > 10.100.0.27.10000: P 353:400(47) ack 265
> win 2920 <nop,nop,timestamp 5477 35630477> (DF)
>
> 15:53:50.672970 10.100.0.27.10000 > 10.10.51.7.4831: P 265:319(54) ack 400
> win 65136 <nop,nop,timestamp 35630485 5477> (DF)
>
> 15:53:50.684968 10.10.51.7.4831 > 10.100.0.27.10000: . ack 319 win 2920
> <nop,nop,timestamp 5500 35630485> (DF)
>
> 15:53:51.287185 10.10.51.7.4831 > 10.100.0.27.10000: P 400:474(74) ack 319
> win 2920 <nop,nop,timestamp 5552 35630485> (DF)
>
> 15:53:51.442947 10.100.0.27.10000 > 10.10.51.7.4831: . ack 474 win 65062
> <nop,nop,timestamp 35630493 5552> (DF)
>
> 15:53:53.319291 10.100.0.27.10000 > 10.10.51.7.4831: P 319:361(42) ack 474
> win 65062 <nop,nop,timestamp 35630511 5552> (DF)
>
> 15:53:53.331103 10.10.51.7.4831 > 10.100.0.27.10000: . ack 361 win 2920
> <nop,nop,timestamp 5757 35630511> (DF)
>
> 15:55:27.086589 10.10.51.7.4831 > 10.100.0.27.10000: F 474:474(0) ack 361
> win 2920 <nop,nop,timestamp 13093 35630511> (DF)
>
> 15:55:27.092311 10.100.0.27.10000 > 10.10.51.7.4831: . ack 475 win 65062
> <nop,nop,timestamp 35631449 13093> (DF)
>
>
>
>
>
> I'd like to know what these mean: P, ., F, etc.
>
> Thanks
>
> -------------------------
> Archive: http://www.fug.com.br/historico/html/freebsd/
> Unsubscribe: https://www.fug.com.br/mailman/listinfo/freebsd
>



-- 
Ricardo Nascimento Ferreira
Information Security Analyst
CISSP-DF Study Group
Modulo Certified Security Officer
Solaris Certified System Administrator
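To make the man page's field-by-field description concrete, here is an added example (my own code, not from the thread or from the tcpdump project) that parses lines in this format and audits a capture the way one would when checking whether a session like the POS/SCM one above is healthy: it verifies that each side's data-seqno ranges are contiguous and that every ack equals the end of the peer's last range (a FIN consumes one sequence number). The sample consists of the first six packets from the quoted capture re-joined onto single lines, plus one constructed duplicate of packet 5 standing in for a retransmission; the `urg N` field is assumed to be how tcpdump prints the urgent pointer.

```python
import re

# Field order from the tcpdump man page: src > dst: flags data-seqno ack window urgent options
TCP_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPR.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?(?: urg (?P<urg>\d+))?(?: <(?P<opts>[^>]*)>)?"
    r"(?: \((?P<df>DF)\))?\s*$")
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PUSH", "R": "RST"}

def parse_line(line):
    """Decode one tcpdump TCP line into a dict (ValueError if it is not one)."""
    m = TCP_LINE.match(line)
    if not m:
        raise ValueError(f"not a tcpdump TCP line: {line!r}")
    num = lambda k: int(m[k]) if m[k] is not None else None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "flags": [FLAG_NAMES[c] for c in m["flags"] if c != "."],  # "." = no flags
            "seq": num("seq"), "end": num("end"), "len": num("len"),
            "ack": num("ack"), "win": num("win"), "urg": num("urg"),
            "options": m["opts"].split(",") if m["opts"] else [], "df": m["df"] is not None}

def audit(lines):
    """Check that each direction's data-seqno ranges are contiguous and every ack
    equals the end of the peer's last range (a FIN consumes one number); return findings."""
    next_seq, findings = {}, []
    for p in map(parse_line, lines):
        fwd, rev, who = (p["src"], p["dst"]), (p["dst"], p["src"]), f"{p['ts']} {p['src']} > {p['dst']}"
        if p["seq"] is not None:
            expect = next_seq.get(fwd)
            if expect is not None and p["seq"] != expect:
                findings.append(f"{who}: seq {p['seq']} != expected {expect} (retransmission or gap)")
            next_seq[fwd] = p["end"] + (1 if "FIN" in p["flags"] else 0)
        if p["ack"] is not None and rev in next_seq and p["ack"] != next_seq[rev]:
            findings.append(f"{who}: ack {p['ack']} != peer's next seq {next_seq[rev]}")
    return findings

# Packets 1-6 of the thread's capture re-joined, plus a constructed repeat of packet 5 (fake retransmission).
SAMPLE = """\
15:53:42.813952 10.100.0.27.10000 > 10.10.51.7.4831: P 43:85(42) ack 146 win 65390 <nop,nop,timestamp 35630407 4753> (DF)
15:53:42.825702 10.10.51.7.4831 > 10.100.0.27.10000: . ack 85 win 2920 <nop,nop,timestamp 4831 35630407> (DF)
15:53:43.064756 10.10.51.7.4831 > 10.100.0.27.10000: P 146:189(43) ack 85 win 2920 <nop,nop,timestamp 4855 35630407> (DF)
15:53:43.224712 10.100.0.27.10000 > 10.10.51.7.4831: . ack 189 win 65347 <nop,nop,timestamp 35630411 4855> (DF)
15:53:43.281616 10.100.0.27.10000 > 10.10.51.7.4831: P 85:127(42) ack 189 win 65347 <nop,nop,timestamp 35630411 4855> (DF)
15:53:43.293177 10.10.51.7.4831 > 10.100.0.27.10000: . ack 127 win 2920 <nop,nop,timestamp 4878 35630411> (DF)
15:53:44.000000 10.100.0.27.10000 > 10.10.51.7.4831: P 85:127(42) ack 189 win 65347 <nop,nop,timestamp 35630420 4878> (DF)
""".splitlines()
```

`audit(SAMPLE)` returns exactly one finding, for the constructed duplicate (seq 85 where 127 was expected); the six genuine packets pass both checks, which is what a healthy exchange like the one quoted should look like.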
