question concerning tcpdump

---

• From: Bernd <bernd.lentes@xxxxxxxx>
• Date: 10 May 2007 02:09:57 -0700

---

hello NG,

i have a question concerning tcpdump. I have a machine running which
is behaving a bit strange. I wanted to check the network traffice
there using tcpdump.
So i connected this machine to network-hub, connected there a second
machine and ran on the second machine tcpdump. I don't trust the
"strange" machine completly.
I ran tcpdump for about 10 hours and wrote all traffic from this host
to a file, using:
tcpdump -n -vv -w ~/tcpdump.txt -C 10 ip src host adress
Today i had a file with about 65000 lines, that's o.k.
I checked it a bit, filtered out all the lines with traffic which
looks o.k. for me using grep.
I have one line which i don't understand and i'm wondering about:

19:35:30.510098 IP xxxxxxx.32786 > xxxxxxxx.smpppd: S
555971953:555971953(0) win 5840 <mss
1460,sackOK,timestamp 15510435 0,nop,wscale 2>

I deleted our ip's, hope that's o.k. for you.
Can i find out if this packet used tcp or udp ?
Is the "win 5840" a sign for tcp ? I don't know much about protocols,
i just red a time ago that tcp uses "windows" for connection control.
The first "xed" ip is our host (the source), the second one
(destination) is the router in our network.

/etc/services says: smpppd 3185/tcp # SuSE Meta PPPD
for smpppd. The machine we are talking about is a SuSE 9.2 box.
PPP is something with point-to-point protocol ?
We don't have a modem or isdn-card on this box.

Thanks for any hint.
Bernd

.

---

• Follow-Ups:
  • Re: question concerning tcpdump
    • From: Moe Trin

• Prev by Date: Re: configure
• Next by Date: libata: ide-drive mounted as sda : how to deal with 32-bit/multisector?
• Previous by thread: how we can get the icon of any file through shellscript in c++
• Next by thread: Re: question concerning tcpdump
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: DDoS attack. ... A "tcpdump -ner" will show you the MAC address or addresses your tcpdump ... to the source host, or a core router through which it came. ... you'll need to trace back to which network on the ... > It got all the signs of a dDoS attack window size is always the same dst ... (Incidents) Re: Q re networking, might need guru ... needed a network analyzer that worked, and now I have nothing but tcpdump and tethereal, neither of which shows me what I need to know. ... Yes I did that, but I'm running kde Les, and have to start it from the cli. ... It didn't work, I presume its too gnome-centric so I removed it, and now etherape, another GTK+ app, cannot be made to work. ... And I built it to get a network monitor of SOME kind. ... (Fedora) Re: how big can disconnected dataset be? ... I forgot to mention, yes, reducing network ... > traffice, or rather, get all the data to the local server ... > Server from the datasets. ... huge performance increase on your SQL server, but I'm sure you will see some ... (microsoft.public.dotnet.languages.vb) Re: pptp and ppp ... Here is part of the output from tcpdump. ... they want to connect to the corporate network using pptp. ... > network using pptp and then allow the clients to use the FreeBSD box as ... (freebsd-questions) Re: help! Strange traffic ... try the tcpdump again but without name resolution. ... If the address for web.visp.ashosting.nl is not in your network then someone ... Once you verify that the routing issue isn't on ... Ean Kingston ... (freebsd-questions)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(10)