I created a temporary hole in our ACL and assigned an unused /25 in the target range so I could get a sample capture...

# /usr/sbin/tcpdump -n -s 1600 -l -x -vv -ttt src host 0.0.0.0
Nov 05 12:47:45.201683 0.0.0.0.1819 > x.y.85.42.445: S [tcp sum ok] 3111234821:3111234821(0) win 55808 (ttl 108, id 256)
                         4500 0028 0100 0000 6c06 b931 0000 0000
                         3f75 552a 071b 01bd b971 ad05 0000 0000
                         5002 da00 d1f3 0000 0000 0000 0000
Nov 05 12:51:04.788145 0.0.0.0.1917 > x.y.85.109.445: S [tcp sum ok] 773800305:773800305(0) win 55808 (ttl 108, id 256)
                         4500 0028 0100 0000 6c06 b8ee 0000 0000
                         3f75 556d 077d 01bd 2e1f 4171 0000 0000
                         5002 da00 c835 0000 0000 0000 0000

According to ngrep the packets have no data in them (445.log was created using the same tcpdump parameters as above):

# /usr/local/sbin/ngrep -I 445.log -e
#
T 0.0.0.0:1819 -> x.y.85.42:445 [S]
#
T 0.0.0.0:1917 -> x.y.85.109:445 [S]

vs. what ethereal says is the data portion:

# /usr/local/bin/tethereal -n -r 445.log -x -s 1600
  1   0.000000      0.0.0.0 -> x.y.85.42    TCP 1819 > 445 [SYN] Seq=3111234821 Ack=0 Win=55808 Len=0

0000  00 60 08 2f 4a 79 00 b0 64 99 d9 01 08 00 45 00   .`./Jy..d.....E.
0010  00 28 01 00 00 00 6c 06 b9 31 00 00 00 00 3f 75   .(....l..1....?u
0020  55 2a 07 1b 01 bd b9 71 ad 05 00 00 00 00 50 02   U*.....q......P.
0030  da 00 d1 f3 00 00 00 00 00 00 00 00               ............

  2 199.586462      0.0.0.0 -> x.y.85.109   TCP 1917 > 445 [SYN] Seq=773800305 Ack=0 Win=55808 Len=0

0000  00 60 08 2f 4a 79 00 b0 64 99 d9 01 08 00 45 00   .`./Jy..d.....E.
0010  00 28 01 00 00 00 6c 06 b8 ee 00 00 00 00 3f 75   .(....l.......?u
0020  55 6d 07 7d 01 bd 2e 1f 41 71 00 00 00 00 50 02   Um.}....Aq....P.
0030  da 00 c8 35 00 00 00 00 00 00 00 00               ...5........

Mike

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
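The two hex dumps above contain everything needed to settle the ngrep-versus-tethereal question by hand: tethereal -x prints the whole captured Ethernet frame (14-byte link header, 20-byte IP header, 20-byte TCP header, then 6 bytes of zeros that are Ethernet minimum-frame padding, not TCP data), while ngrep only reports the TCP payload, which is empty. The following decoder is an added example, not code from the post or from any of the tools it mentions; it takes the two frames transcribed from the tethereal output, decodes the IP and TCP headers, recomputes both checksums (tcpdump's "[tcp sum ok]") and separates real payload from link-layer padding. The field names in the returned dict are my own choice.

```python
"""Decode the two SYN frames from the post and check what is actually in them."""
import struct

# Frames transcribed from the tethereal -x output in the post: 14-byte Ethernet
# header, 20-byte IPv4 header, 20-byte TCP header, then 6 bytes of zeros.
FRAME_1 = bytes.fromhex("""
00 60 08 2f 4a 79 00 b0 64 99 d9 01 08 00 45 00
00 28 01 00 00 00 6c 06 b9 31 00 00 00 00 3f 75
55 2a 07 1b 01 bd b9 71 ad 05 00 00 00 00 50 02
da 00 d1 f3 00 00 00 00 00 00 00 00
""")
FRAME_2 = bytes.fromhex("""
00 60 08 2f 4a 79 00 b0 64 99 d9 01 08 00 45 00
00 28 01 00 00 00 6c 06 b8 ee 00 00 00 00 3f 75
55 6d 07 7d 01 bd 2e 1f 41 71 00 00 00 00 50 02
da 00 c8 35 00 00 00 00 00 00 00 00
""")

ETH_HDR_LEN = 14
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words (odd length zero-padded).

    Run over a header that already contains its checksum field, a valid header
    yields 0.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(raw: bytes) -> dict:
    """Decode Ethernet/IPv4/TCP headers of one captured frame and verify both checksums.

    'payload' is the TCP data (bytes after the TCP header, up to the IP total
    length); 'eth_pad' is whatever the capture holds beyond the IP total length,
    i.e. link-layer padding that is not part of the datagram at all.
    """
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    ip = raw[ETH_HDR_LEN:]
    ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto, _ip_sum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    ip_sum_ok = inet_checksum(ip[:ihl]) == 0
    if proto != 6:
        raise ValueError("not TCP: protocol %d" % proto)

    # The TCP segment is exactly what the IP total length says; the rest is pad.
    seg = ip[ihl:total_len]
    eth_pad = ip[total_len:]
    sport, dport, seq, ack, off_flags, win, _tcp_sum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    payload = seg[data_off:]

    # TCP checksum covers a pseudo-header (src, dst, zero, proto, TCP length) + segment.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(seg))
    tcp_sum_ok = inet_checksum(pseudo + seg) == 0

    return {
        "src": src, "dst": dst, "ttl": ttl, "ip_id": ip_id, "ip_total_len": total_len,
        "ip_sum_ok": ip_sum_ok,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "tcp_sum_ok": tcp_sum_ok,
        "payload": payload, "eth_pad": eth_pad,
    }


if __name__ == "__main__":
    for raw in (FRAME_1, FRAME_2):
        p = parse_frame(raw)
        print("%s:%d -> %s:%d [%s] seq=%d win=%d ttl=%d id=%d ip_sum_ok=%s "
              "tcp_sum_ok=%s payload=%dB eth_pad=%dB"
              % (p["src"], p["sport"], p["dst"], p["dport"], "/".join(p["flags"]),
                 p["seq"], p["win"], p["ttl"], p["ip_id"], p["ip_sum_ok"],
                 p["tcp_sum_ok"], len(p["payload"]), len(p["eth_pad"])))
```

Both frames decode to a bare SYN with a valid IP and TCP checksum, zero bytes of payload and six bytes of Ethernet padding, which is consistent with tcpdump's "[tcp sum ok]" and "(0)" length, and with ngrep printing nothing after the "[S]". Note that the hex carries the full destination addresses the post masks as x.y in its text lines, so the decoded dst is the unmasked value.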
This archive was generated by hypermail 2b30 : Fri Nov 08 2002 - 22:34:14 PST