Hello all, I am trying to get a couple of win2k vpn boxen to work across a firewall. Here is a dump; my comments are in between each dump line. I want to see if I understand what I am looking at.

12:17:12.246870 156.98.222.175.1064 > 156.98.190.111.1723: S 3085367584:3085367584(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

222.175 makes the initial contact to 190.111 with a "S" syn packet? The workstation port is 1064 and the server port is 1723, which is the vpn port. The two numbers (#:#) are the tcp sequence numbers? What is "win" and the stuff after that?

12:17:12.247288 156.98.190.111.1723 > 156.98.222.175.1064: S 3369974062:3369974062(0) ack 3085367585 win 64240 <mss 1460,nop,nop,sackOK> (DF)

190.111 port 1723 replies to 222.175. I see the "ack" later on, so was I wrong about the "S" being syn above, because it is still here? Why is the number after the ack one larger than the above?

12:17:12.247570 156.98.222.175.1064 > 156.98.190.111.1723: . ack 1 win 17520 (DF)

222.175 syn acks. What is this stuff below?

12:17:12.247800 156.98.222.175.1064 > 156.98.190.111.1723: P 1:157(156) ack 1 win 17520 (DF)
12:17:12.248204 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156) ack 157 win 64084 (DF)
12:17:15.479988 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156) ack 157 win 64084 (DF)
12:17:15.480651 156.98.222.175.1064 > 156.98.190.111.1723: P 157:325(168) ack 157 win 17364 (DF)
12:17:15.481998 156.98.190.111.1723 > 156.98.222.175.1064: P 157:189(32) ack 325 win 63916 (DF)
12:17:15.484913 156.98.222.175.1064 > 156.98.190.111.1723: P 325:349(24) ack 189 win 17332 (DF)
12:17:15.698650 156.98.190.111.1723 > 156.98.222.175.1064: . ack 349 win 63892 (DF)

Nothing happens; the workstation can't seem to get authenticated. I think I am not yet transferring protocol 47 though, and I am looking into that now. I just want to understand tcpdump better. I almost feel like I had something lower level that showed me this stuff a little more raw. --of course I don't even understand what I have now! :-)

--ja
--
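As an added illustration (this is not code from the original post), the following Python script parses old-style tcpdump TCP lines like the ones above, labels each segment (SYN, SYN-ACK, the ACK that completes the three-way handshake, data, pure ACK, retransmitted data) and converts the relative sequence/ack numbers tcpdump prints after the handshake back into the absolute values on the wire. It answers the questions in the post directly: the SYN-ACK's ack field is the client's ISN plus one because the SYN itself consumes one sequence number, "ack 1" from then on is that same value printed relative to the ISN, and "win" is the receive window the sender is advertising. The sample input is the post's own ten packets re-split one per line; the `PORT_NOTES` entry for 1723 is taken from RFC 2637 (PPTP control on TCP/1723, tunnelled data in GRE, IP protocol 47, which a TCP-only trace never shows). The segment labels are this example's own naming.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Sample input: the ten packets from the post, one per line.
SAMPLE = """\
12:17:12.246870 156.98.222.175.1064 > 156.98.190.111.1723: S 3085367584:3085367584(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
12:17:12.247288 156.98.190.111.1723 > 156.98.222.175.1064: S 3369974062:3369974062(0) ack 3085367585 win 64240 <mss 1460,nop,nop,sackOK> (DF)
12:17:12.247570 156.98.222.175.1064 > 156.98.190.111.1723: . ack 1 win 17520 (DF)
12:17:12.247800 156.98.222.175.1064 > 156.98.190.111.1723: P 1:157(156) ack 1 win 17520 (DF)
12:17:12.248204 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156) ack 157 win 64084 (DF)
12:17:15.479988 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156) ack 157 win 64084 (DF)
12:17:15.480651 156.98.222.175.1064 > 156.98.190.111.1723: P 157:325(168) ack 157 win 17364 (DF)
12:17:15.481998 156.98.190.111.1723 > 156.98.222.175.1064: P 157:189(32) ack 325 win 63916 (DF)
12:17:15.484913 156.98.222.175.1064 > 156.98.190.111.1723: P 325:349(24) ack 189 win 17332 (DF)
12:17:15.698650 156.98.190.111.1723 > 156.98.222.175.1064: . ack 349 win 63892 (DF)
"""

# One old-style tcpdump TCP line: time src.port > dst.port: flags [seq:seq(len)] [ack N] win W ...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):\d+\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
)

# Service hint (RFC 2637): PPTP control is TCP/1723; the PPP data rides in GRE,
# IP protocol 47, which is not TCP and so never appears in a TCP-only trace.
PORT_NOTES = {1723: "PPTP control channel; data channel is GRE (IP protocol 47), not TCP"}


def parse_line(line: str) -> Optional[dict]:
    """Split one tcpdump line into fields; None if it is not a TCP line of this shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_host, src_port = m["src"].rsplit(".", 1)
    dst_host, dst_port = m["dst"].rsplit(".", 1)
    return {
        "ts": m["ts"], "src": (src_host, int(src_port)), "dst": (dst_host, int(dst_port)),
        "flags": m["flags"],
        "seq": int(m["seq"]) if m["seq"] else None,  # as printed: absolute in SYNs, relative after
        "len": int(m["len"]) if m["len"] else 0,
        "ack": int(m["ack"]) if m["ack"] else None,
        "win": int(m["win"]),                         # receive window the sender advertises
    }


def analyze(text: str) -> List[dict]:
    """Label each segment and recover absolute seq/ack numbers from tcpdump's relative ones."""
    isn: Dict[Tuple[str, int], int] = {}   # endpoint -> initial sequence number, from its SYN
    seen: Set[Tuple] = set()               # (sender, abs_seq, len) of data already transmitted
    handshake_done = False
    records = []
    for line in text.splitlines():
        s = parse_line(line)
        if s is None:
            continue
        sender, receiver = s["src"], s["dst"]
        if "S" in s["flags"]:
            isn[sender] = s["seq"]          # a SYN carries the sender's absolute ISN
            abs_seq, rel_seq = s["seq"], 0
            if s["ack"] is None:
                kind, abs_ack, rel_ack = "SYN", None, None
            else:
                # The SYN consumes one sequence number, so the SYN-ACK acknowledges
                # ISN+1; tcpdump shows that as "ack 1" from here on.
                kind, abs_ack = "SYN-ACK", s["ack"]
                rel_ack = s["ack"] - isn[receiver] if receiver in isn else None
        else:
            # After the handshake tcpdump prints numbers relative to each side's ISN;
            # add the ISN back to get the values actually on the wire.
            rel_seq, rel_ack = s["seq"], s["ack"]
            abs_seq = None if rel_seq is None or sender not in isn else isn[sender] + rel_seq
            abs_ack = None if rel_ack is None or receiver not in isn else isn[receiver] + rel_ack
            if s["len"] > 0:
                key = (sender, abs_seq, s["len"])
                kind = "RETRANSMIT" if key in seen else "DATA"   # same bytes sent twice
                seen.add(key)
            elif not handshake_done and rel_ack == 1:
                kind, handshake_done = "ACK (handshake complete)", True
            else:
                kind = "ACK"
        records.append({"ts": s["ts"], "from": sender, "kind": kind, "len": s["len"], "win": s["win"],
                        "rel_seq": rel_seq, "abs_seq": abs_seq, "rel_ack": rel_ack, "abs_ack": abs_ack})
    return records


def summarize(records: List[dict]) -> dict:
    """ISNs, payload bytes each way (retransmissions excluded) and handshake state."""
    syn = next((r for r in records if r["kind"] == "SYN"), None)
    synack = next((r for r in records if r["kind"] == "SYN-ACK"), None)
    if syn is None or synack is None:
        return {"handshake_complete": False}
    client, server = syn["from"], synack["from"]
    payload: Dict[Tuple[str, int], int] = {client: 0, server: 0}
    retrans = 0
    for r in records:
        if r["kind"] == "DATA":
            payload[r["from"]] = payload.get(r["from"], 0) + r["len"]
        elif r["kind"] == "RETRANSMIT":
            retrans += 1
    return {
        "client": client, "server": server,
        "client_isn": syn["abs_seq"], "server_isn": synack["abs_seq"],
        "handshake_complete": any(r["kind"] == "ACK (handshake complete)" for r in records),
        "client_bytes": payload[client], "server_bytes": payload[server],
        "retransmissions": retrans,
        "service_note": PORT_NOTES.get(server[1], ""),
    }


if __name__ == "__main__":
    recs = analyze(SAMPLE)
    for r in recs:
        print(f'{r["ts"]} {r["from"][0]}:{r["from"][1]:<5} {r["kind"]:<26} '
              f'seq={r["rel_seq"]} ({r["abs_seq"]}) len={r["len"]} '
              f'ack={r["rel_ack"]} ({r["abs_ack"]}) win={r["win"]}')
    print(summarize(recs))
```

Run on the post's capture it reports a completed handshake, 348 payload bytes from the workstation and 188 from the server, and flags the server's second `P 1:157(156)` (3.2 seconds after the first) as a retransmission of bytes it had already sent, which is the kind of detail worth checking when a firewall sits between the two ends. The final `ack 349` from the server is the 348 client bytes plus the one sequence number consumed by the SYN.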
