I don't recognize the packets. Maybe someone else will. You could look up 
the TCP port numbers for a clue. Port 1389, for example, claims to be for 
Document Management. TCP port numbers are in the Assigned Numbers RFC 1700.

Also, check the IP source. Determine if it's a server, end station, or 
whatever. This is probably some proprietary application.

Priscilla

At 01:29 PM 3/25/01, you wrote:

>Here are some packets from a tcpdump capture, printed out with tethereal.
>
>Public IP-addresses and host names edited for security reasons ...
>
>I really don't expect you to spend too much time on this problem, but here
>is the capture you asked for.
>
>Thank you very much for your interest.
>
>
>
>Frame 1 (298 on wire, 158 captured)
>     Arrival Time: Mar 23, 2001 11:40:21.9112
>     Time delta from previous packet: 0.000000 seconds
>     Time relative to first packet: 0.000000 seconds
>     Frame Number: 1
>     Packet Length: 298 bytes
>     Capture Length: 158 bytes
>Ethernet II
>     Destination: 00:00:00:00:00:01 (XEROX_00:00:01)
>     Source: 00:50:50:c4:ec:38 (Cisco_c4:ec:38)
>     Type: IP (0x0800)
>Internet Protocol
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 284
>     Identification: 0xa452
>     Flags: 0x00
>         .0.. = Don't fragment: Not set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 59
>     Protocol: TCP (0x06)
>     Header checksum: 0x7ad2 (correct)
>     Source: somehost.huch.fi (195.215.135.75)
>     Destination: 10.65.11.84 (10.65.11.84)
>Transmission Control Protocol, Src Port: 9005 (9005), Dst Port: 1389 
>(1389), Seq: 2585933962, Ack: 99353967
>     Source port: 9005 (9005)
>     Destination port: 1389 (1389)
>     Sequence number: 2585933962
>     Next sequence number: 2585934206
>     Acknowledgement number: 99353967
>     Header length: 20 bytes
>     Flags: 0x0018 (PSH, ACK)
>         0... .... = Congestion Window Reduced (CWR): Not set
>         .0.. .... = ECN-Echo: Not set
>         ..0. .... = Urgent: Not set
>         ...1 .... = Acknowledgment: Set
>         .... 1... = Push: Set
>         .... .0.. = Reset: Not set
>         .... ..0. = Syn: Not set
>         .... ...0 = Fin: Not set
>     Window size: 16384
>     Checksum: 0x0175
>Data (104 bytes)
>
><DATA SNIPPED OUT>
>
>
>Frame 2 (150 on wire, 150 captured)
>     Arrival Time: Mar 23, 2001 11:40:22.1129
>     Time delta from previous packet: 0.201696 seconds
>     Time relative to first packet: 0.201696 seconds
>     Frame Number: 2
>     Packet Length: 150 bytes
>     Capture Length: 150 bytes
>Ethernet II
>     Destination: 00:00:00:00:00:01 (XEROX_00:00:01)
>     Source: 00:50:50:c4:ec:38 (Cisco_c4:ec:38)
>     Type: IP (0x0800)
>Internet Protocol
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 136
>     Identification: 0x2e0c
>     Flags: 0x04
>         .1.. = Don't fragment: Set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 127
>     Protocol: TCP (0x06)
>     Header checksum: 0x69f8 (correct)
>     Source: otherhost.huch.fi (195.215.135.60)
>     Destination: 10.65.15.23 (10.65.15.23)
>Transmission Control Protocol, Src Port: 2632 (2632), Dst Port: 1152 
>(1152), Seq: 499318847, Ack: 7520061
>     Source port: 2632 (2632)
>     Destination port: 1152 (1152)
>     Sequence number: 499318847
>     Next sequence number: 499318943
>     Acknowledgement number: 7520061
>     Header length: 20 bytes
>     Flags: 0x0018 (PSH, ACK)
>         0... .... = Congestion Window Reduced (CWR): Not set
>         .0.. .... = ECN-Echo: Not set
>         ..0. .... = Urgent: Not set
>         ...1 .... = Acknowledgment: Set
>         .... 1... = Push: Set
>         .... .0.. = Reset: Not set
>         .... ..0. = Syn: Not set
>         .... ...0 = Fin: Not set
>     Window size: 8304
>     Checksum: 0xfa51 (correct)
>Data (96 bytes)
>
><DATA SNIPPED OUT>
>
>Frame 3 (150 on wire, 150 captured)
>     Arrival Time: Mar 23, 2001 11:40:22.5730
>     Time delta from previous packet: 0.460179 seconds
>     Time relative to first packet: 0.661875 seconds
>     Frame Number: 3
>     Packet Length: 150 bytes
>     Capture Length: 150 bytes
>Ethernet II
>     Destination: 00:00:00:00:00:01 (XEROX_00:00:01)
>     Source: 00:50:50:c4:ec:38 (Cisco_c4:ec:38)
>     Type: IP (0x0800)
>Internet Protocol
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 136
>     Identification: 0xbdac
>     Flags: 0x04
>         .1.. = Don't fragment: Set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 127
>     Protocol: TCP (0x06)
>     Header checksum: 0xd9e2 (correct)
>     Source: secrethost.huch.fi (195.215.135.61)
>     Destination: 10.65.15.139 (10.65.15.139)
>Transmission Control Protocol, Src Port: 1064 (1064), Dst Port: 1059 
>(1059), Seq: 1789933904, Ack: 173403
>     Source port: 1064 (1064)
>     Destination port: 1059 (1059)
>     Sequence number: 1789933904
>     Next sequence number: 1789934000
>     Acknowledgement number: 173403
>     Header length: 20 bytes
>     Flags: 0x0018 (PSH, ACK)
>         0... .... = Congestion Window Reduced (CWR): Not set
>         .0.. .... = ECN-Echo: Not set
>         ..0. .... = Urgent: Not set
>         ...1 .... = Acknowledgment: Set
>         .... 1... = Push: Set
>         .... .0.. = Reset: Not set
>         .... ..0. = Syn: Not set
>         .... ...0 = Fin: Not set
>     Window size: 8672
>     Checksum: 0xaace (correct)
>Data (96 bytes)
>
><DATA SNIPPED OUT>
>
>Frame 4 (150 on wire, 150 captured)
>     Arrival Time: Mar 23, 2001 11:40:22.7153
>     Time delta from previous packet: 0.142212 seconds
>     Time relative to first packet: 0.804087 seconds
>     Frame Number: 4
>     Packet Length: 150 bytes
>     Capture Length: 150 bytes
>Ethernet II
>     Destination: 00:00:00:00:00:01 (XEROX_00:00:01)
>     Source: 00:50:50:c4:ec:38 (Cisco_c4:ec:38)
>     Type: IP (0x0800)
>Internet Protocol
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 136
>     Identification: 0x5d0c
>     Flags: 0x04
>         .1.. = Don't fragment: Set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 127
>     Protocol: TCP (0x06)
>     Header checksum: 0x3f02 (correct)
>     Source: otherhost.huch.fi (195.215.135.60)
>     Destination: 10.65.11.13 (10.65.11.13)
>Transmission Control Protocol, Src Port: 2632 (2632), Dst Port: 1060 
>(1060), Seq: 492678042, Ack: 218848
>     Source port: 2632 (2632)
>     Destination port: 1060 (1060)
>     Sequence number: 492678042
>     Next sequence number: 492678138
>     Acknowledgement number: 218848
>     Header length: 20 bytes
>     Flags: 0x0018 (PSH, ACK)
>         0... .... = Congestion Window Reduced (CWR): Not set
>         .0.. .... = ECN-Echo: Not set
>         ..0. .... = Urgent: Not set
>         ...1 .... = Acknowledgment: Set
>         .... 1... = Push: Set
>         .... .0.. = Reset: Not set
>         .... ..0. = Syn: Not set
>         .... ...0 = Fin: Not set
>     Window size: 8144
>     Checksum: 0x57df (correct)
>Data (96 bytes)
>
><DATA SNIPPED OUT>
>
>
>--
>Regards Janne Kettunen
>CCNA, CFFE


________________________

Priscilla Oppenheimer
http://www.priscilla.com

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
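
Added example, not part of the original thread: a small Python parser for tethereal verbose text like the capture quoted above. It reduces each frame to its source and destination endpoints (the IP source and TCP ports the reply suggests checking) and flags frames whose capture length is shorter than the length on the wire. The function names are illustrative, and the sample is abridged from frames 1 and 2 of the quoted capture.

```python
import re

def parse_frames(text):
    """One dict per frame from tethereal verbose text; fields keyed (layer, name)."""
    frames, layer = [], None
    for raw in text.splitlines():
        line = raw.lstrip(">")                      # drop e-mail reply quoting
        m = re.match(r"Frame (\d+) \((\d+) on wire, (\d+) captured\)", line)
        if m:
            frames.append({"frame": int(m[1]), "truncated": int(m[3]) < int(m[2])})
            layer = None
        elif frames and line[:1].isalpha():         # unindented line opens a layer
            layer = line.split(",")[0].strip()
        elif frames and line[:1].isspace() and ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            frames[-1][layer, key] = value          # Ethernet and IP "Source" stay apart
    return frames

def endpoint(frame, side):  # side: "Source" or "Destination" -> "ip:port"
    host = frame["Internet Protocol", side]
    port = frame["Transmission Control Protocol", side + " port"]
    return ":".join(re.search(r"\(([^)]+)\)$", v)[1] for v in (host, port))

def summarize(frames):  # who talks to whom, and was the payload cut by the snaplen
    return [{"frame": f["frame"], "src": endpoint(f, "Source"),
             "dst": endpoint(f, "Destination"), "truncated": f["truncated"]}
            for f in frames]

SAMPLE = """\
>Frame 1 (298 on wire, 158 captured)
>Ethernet II
>     Source: 00:50:50:c4:ec:38 (Cisco_c4:ec:38)
>Internet Protocol
>     Source: somehost.huch.fi (195.215.135.75)
>     Destination: 10.65.11.84 (10.65.11.84)
>Transmission Control Protocol, Src Port: 9005 (9005), Dst Port: 1389
>     Source port: 9005 (9005)
>     Destination port: 1389 (1389)
>Frame 2 (150 on wire, 150 captured)
>Internet Protocol
>     Source: otherhost.huch.fi (195.215.135.60)
>     Destination: 10.65.15.23 (10.65.15.23)
>Transmission Control Protocol, Src Port: 2632 (2632), Dst Port: 1152
>     Source port: 2632 (2632)
>     Destination port: 1152 (1152)
"""  # abridged from frames 1 and 2 of the quoted capture, '>' quoting kept

if __name__ == "__main__":
    print(*summarize(parse_frames(SAMPLE)), sep="\n")
```

A frame flagged as truncated carries less payload than was sent, so any attempt to identify the application from the data bytes should start with an untruncated capture.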
