The authentication happens in protocol 47 (Microsoft chat?). The tcp port
1723 does not authenticate. You need to filter protocol 47 and port 1723 at
the same time to see the login popup.

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 30, 2002 1:39 PM
Subject: could someone help me with tcpdump?


>
> Hello all
>
> I am trying to get a couple of win2k vpn boxen to work across a firewall.
Here is a dump, my comments are in between each dump line.  I want to see if
I understand what I am looking at.
>
> 12:17:12.246870 156.98.222.175.1064 > 156.98.190.111.1723: S
3085367584:3085367584(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
>
> 222.175 makes the initial contact to 19.11 with a "S" syn packet?  The
workstation port is 1064 and the server port is 1723 which is the vpn port.
The two numbers (#:#) are the tcp sequence numbers?  What is "win" and the
stuff after that?
>
> 12:17:12.247288 156.98.190.111.1723 > 156.98.222.175.1064: S
3369974062:3369974062(0) ack 3085367585 win 64240 <mss 1460,nop,nop,sackOK>
(DF)
>
> 190.111 port 1723 replies to 222.175.  I see the "ack" later on, so was I
wrong about the "S" being syn above because it is still here.  Why is the
number after the ack one larger than the above?
>
> 12:17:12.247570 156.98.222.175.1064 > 156.98.190.111.1723: . ack 1 win
17520 (DF)
>
> 222.175 syn acks.
>
> What is this stuff below?
>
> 12:17:12.247800 156.98.222.175.1064 > 156.98.190.111.1723: P 1:157(156)
ack 1 win 17520 (DF)
> 12:17:12.248204 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156)
ack 157 win 64084 (DF)
> 12:17:15.479988 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156)
ack 157 win 64084 (DF)
> 12:17:15.480651 156.98.222.175.1064 > 156.98.190.111.1723: P 157:325(168)
ack 157 win 17364 (DF)
> 12:17:15.481998 156.98.190.111.1723 > 156.98.222.175.1064: P 157:189(32)
ack 325 win 63916 (DF)
> 12:17:15.484913 156.98.222.175.1064 > 156.98.190.111.1723: P 325:349(24)
ack 189 win 17332 (DF)
> 12:17:15.698650 156.98.190.111.1723 > 156.98.222.175.1064: . ack 349 win
63892 (DF)
>
> Nothing happens, the workstation can't seem to get authenticated.  I think
I am not yet transferring protocol 47 though and I am looking into that now.
I just want to understand tcpdump better.  I almost feel like I had
something lower level that showed me this stuff a little more raw.  --of
course I don't even understand what I have now! :-)
>
> --ja
> --
>
>
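To make the questions in the quoted dump concrete (why the SYN-ACK acks one more than the client's sequence number, what "win" is, and why the server's `P 1:157(156)` appears twice), here is an added example that is not part of the thread: a small parser for this classic tcpdump TCP line format that checks the three-way handshake and flags retransmitted data segments. The sample input is the quoted dump re-joined into single lines; the field names in the report are my own.

```python
import re

# Constructed sample: the handshake and first PPTP control segments quoted in the
# thread (classic tcpdump format, wrapped lines re-joined).
DUMP = """\
12:17:12.246870 156.98.222.175.1064 > 156.98.190.111.1723: S 3085367584:3085367584(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
12:17:12.247288 156.98.190.111.1723 > 156.98.222.175.1064: S 3369974062:3369974062(0) ack 3085367585 win 64240 <mss 1460,nop,nop,sackOK> (DF)
12:17:12.247570 156.98.222.175.1064 > 156.98.190.111.1723: . ack 1 win 17520 (DF)
12:17:12.247800 156.98.222.175.1064 > 156.98.190.111.1723: P 1:157(156) ack 1 win 17520 (DF)
12:17:12.248204 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156) ack 157 win 64084 (DF)
12:17:15.479988 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156) ack 157 win 64084 (DF)
"""

# One line: time src.port > dst.port: flags [seq:end(len)] [ack N] win W ...
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)

def parse(text):
    """One dict per parsable line, numeric fields converted to int (None if absent)."""
    pkts = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        d = m.groupdict()
        for k in ("seq", "end", "len", "ack", "win"):
            d[k] = int(d[k]) if d[k] is not None else None
        pkts.append(d)
    return pkts

def analyse(pkts):
    """Verify the three-way handshake and flag retransmitted data segments."""
    syn, synack, ack = pkts[:3]
    report = {
        "client_isn": syn["seq"],
        "server_isn": synack["seq"],
        # A SYN consumes one sequence number, so the SYN-ACK must ack ISN + 1.
        "synack_acks_isn_plus_one": synack["ack"] == syn["seq"] + 1,
        # After both SYNs tcpdump prints seq/ack relative to each side's ISN.
        "handshake_complete": ack["flags"] == "." and ack["ack"] == 1,
        "client_window": ack["win"],  # advertised receive window in bytes
        "retransmissions": [],
    }
    seen = set()  # only data-bearing segments can be retransmissions
    for p in pkts:
        if p["len"]:
            key = (p["src"], p["sport"], p["seq"], p["end"])
            if key in seen:
                report["retransmissions"].append(p["ts"])
            seen.add(key)
    return report
```

Running `analyse(parse(DUMP))` reports the handshake as complete and lists the server's second `1:157(156)` at 12:17:15.479988 as a retransmission, i.e. the server did not see an ack for its first control message for over three seconds, which is the kind of one-way loss a firewall in the path produces.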
