Forum Discussion

dirome
Jul 24, 2014

How can I interpret the results in tcpdump?

Hi,

I have some questions about the tcpdump command. I need your help to clarify how I can read its output; for example, I am sending you the following result and I need you to explain to me how to read it:

17:07:33.438366 IP 64.39.103.201.42214 > 186.113.14.108.http: . ack 1 win 5840
17:07:37.438105 IP 186.113.14.108.http > 64.39.103.201.42214: R 1:1(0) ack 1 win 4380
17:07:37.601723 IP 64.39.103.201.28969 > 186.113.14.108.http: S 1176829642:1176829642(0) win 4096 
17:07:37.601748 IP 186.113.14.108.http > 64.39.103.201.28969: S 3996325999:3996325999(0) ack 1176829643 win 4380 
17:07:37.603093 IP 64.39.103.201.28972 > 186.113.14.108.http: S 1176829645:1176829645(0) win 4096 
17:07:37.603112 IP 186.113.14.108.http > 64.39.103.201.28972: S 3451290207:3451290207(0) ack 1176829646 win 4380 

And if you have information on how to read tcpdump output, thank you.

6 Replies

  • This may help: http://packetpushers.net/masterclass-tcpdump-interpreting-output/.

    As to the output, by line:

    1: ACK packet from 64.39.103.201 source port 42214 to 186.113.14.108 destination port 80

    2: RST packet back to 64.39.103.201, same ports

    ==The connection between hosts (using these ports) is closed==

    3: SYN packet from 64.39.103.201 source port 28969 to 186.113.14.108 destination port 80

    4: SYN/ACK packet back

    ==New connection being established==

    5: SYN packet from 64.39.103.201 source port 28972 (*Note, different port to 3:) to 186.113.14.108 destination port 80

    6: SYN/ACK packet back

    ==Another new connection being established==

  • Your help is good; I only have one question: what is the (0)?

    17:07:37.601723 IP 64.39.103.201.28969 > 186.113.14.108.http: S 1176829642:1176829642(0) win 4096

  • Thanks.

    I actually don't know, would love to though (and update the article). Anyone know?

    I'll do some research anyway.

  • OK, just checked, it's the number of bytes the packet contains. It's really just a calculation based on the starting and ending sequence numbers, which in this case are 1176829642:1176829642, hence (0): no data carried.

  • Hi El_Bendecido,

    1176829642:1176829642(0) means the sending TCP stack is setting 1176829642 as the initial synchronization number (ISN), and "0" (no) data is being passed in this packet.

    Best

    René
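As an added example (not written by any of the posters above), here is a small Python parser for the tcpdump lines quoted in the question. It covers the first reply's line-by-line reading and the (0) field discussed in the last two replies: each line is split into its fields, the number in parentheses is checked to equal the difference of the two sequence numbers, and the state of each host/port pair is tracked. The sample input is the question's own six lines, embedded here as constructed input; the state names are this example's own choice.

```python
import re
# Constructed sample: the six lines from the question (older tcpdump flag notation: S/R/P/F, "." = bare ACK).
SAMPLE = """\
17:07:33.438366 IP 64.39.103.201.42214 > 186.113.14.108.http: . ack 1 win 5840
17:07:37.438105 IP 186.113.14.108.http > 64.39.103.201.42214: R 1:1(0) ack 1 win 4380
17:07:37.601723 IP 64.39.103.201.28969 > 186.113.14.108.http: S 1176829642:1176829642(0) win 4096
17:07:37.601748 IP 186.113.14.108.http > 64.39.103.201.28969: S 3996325999:3996325999(0) ack 1176829643 win 4380
17:07:37.603093 IP 64.39.103.201.28972 > 186.113.14.108.http: S 1176829645:1176829645(0) win 4096
17:07:37.603112 IP 186.113.14.108.http > 64.39.103.201.28972: S 3451290207:3451290207(0) ack 1176829646 win 4380
"""
# Line format: time IP src.port > dst.port: flags [first:last(len)] [ack N] win N
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): "
    r"(?P<flags>[SRPF.]+)(?: (?P<first>\d+):(?P<last>\d+)\((?P<dlen>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)")
FLAG_NAMES = {"S": "SYN", "R": "RST", "P": "PSH", "F": "FIN", ".": "ACK"}

def parse_line(line):
    """Fields of one TCP summary line as a dict; (len) must equal last - first (the payload size)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a TCP summary line: " + line)
    rec = m.groupdict()
    for k in ("first", "last", "dlen", "ack", "win"):
        rec[k] = int(rec[k]) if rec[k] is not None else None
    if rec["dlen"] is not None and rec["dlen"] != rec["last"] - rec["first"]:
        raise ValueError("(len) does not equal last - first: " + line)
    return rec

def describe(rec):
    """Plain-English reading of one line, in the style of the first reply's breakdown."""
    names = [FLAG_NAMES[c] for c in rec["flags"]]
    if rec["ack"] is not None and "ACK" not in names:
        names.append("ACK")  # "S ... ack N" is a SYN/ACK, not a bare SYN
    data = f", {rec['dlen']} data bytes" if rec["dlen"] else ", no data"
    return f"{'/'.join(names)} from {rec['src']}:{rec['sport']} to {rec['dst']}:{rec['dport']}{data}"

def connection_states(text):
    """Last known state per host/port pair; a SYN/ACK with no later ACK stays half-open."""
    states = {}
    for line in text.splitlines():
        r = parse_line(line)
        pair = frozenset([(r["src"], r["sport"]), (r["dst"], r["dport"])])
        if "R" in r["flags"]:
            states[pair] = "closed by RST"
        elif "S" in r["flags"]:
            states[pair] = "half-open (SYN/ACK sent)" if r["ack"] is not None else "SYN sent"
        else:
            states.setdefault(pair, "established")
    return states
```

Run `connection_states(SAMPLE)` to get the three pairs from the question: the 42214 connection closed by the RST and the two 28969/28972 handshakes still waiting for the client's final ACK.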