Visham,

 : By the way, do you know if there's a way to distinguish between 
 : the ACK packet sent during the connection establishment phase of 
 : a TCP connection and subsequent ACK packets sent during the data 
 : transfer phase?
 : 
 : I know that the ACK number sent during the connection 
 : establishment will be equal to the 'sequence number for the SYN 
 : in the SYN/ACK packet' + 1
 : 
 : Is there a way to distinguish between this 3rd packet and any 
 : other ACK packet during data transfer w/o having to keep track of 
 : sequence numbers? Are there other characteristics or options that 
 : are set in the former and not in the latter?
 : 
 : Basically I want to capture the three packets sent during the 
 : connection establishment phase of TCP. How can I do that?

How many times (or how quickly) do you need to do this?  I have a 
somewhat simple-minded solution for you, but it doesn't scale, and 
may not actually solve your problem(s).

If you have anything more than a few connections on which you wish 
to snoop (to see that they have successfully completed the 
handshake) my solution will not work for you.  I have used this to 
capture the first three packets exchanged on a particular TCP 
connection:

  tcpdump -nni $INTERFACE -c 3 host $TARGET and port $DPORT and \
  '(   tcp[tcpflags] & tcp-syn = tcp-syn 
    or tcp[tcpflags] & tcp-ack = tcp-ack )'

If you are looking at inbound traffic to one of your servers, that 
can be a bit trickier.  You could, however, tcpdump the entire stream 
line-buffered and write a filter (sed/perl) that prints out only 
lines showing the SYN flag and lines containing 'ack 1 win'.


10:16:11.232505 IP xx.yy.zz.44.7284 > aa.bb.cc.130.25: S 2114067570:2114067570(0) win 5840 <mss 1460,sackOK,timestamp 906238871 0,nop,wscale 2>
10:16:11.257184 IP aa.bb.cc.130.25 > xx.yy.zz.44.7284: S 1756590593:1756590593(0) ack 2114067571 win 5792 <mss 1380,sackOK,timestamp 3428194314 906238871,nop,wscale 2>
10:16:11.257242 IP xx.yy.zz.44.7284 > aa.bb.cc.130.25: . ack 1 win 1460 <nop,nop,timestamp 906238896 3428194314>

Good luck,

-Martin

-- 
Martin A. Brown
http://linux-ip.net/
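The sed/perl filter Martin suggests above, written out as a small Python script that reads line-buffered tcpdump output (`tcpdump -l ...`) on stdin and labels each packet as the SYN, the SYN/ACK, the handshake-completing ACK, or something else. This is an added example, not code from the email or the LARTC list; it assumes the classic one-packet-per-line tcpdump format shown in the reply. The only state it keeps is the set of (client, server) pairs whose SYN/ACK has been seen but whose third packet has not, so no sequence numbers are tracked; that also makes it robust to the case the `'ack 1 win'` grep misses, namely a client whose first post-SYN/ACK segment already carries data. The three sample lines are the ones from the reply above (rejoined onto single lines); the last two are constructed follow-on packets.

```python
import re
import sys
from typing import List, Optional, Set, Tuple

# Classic tcpdump line format, one packet per line (as with `tcpdump -l`):
#   TIME IP SRC.SPORT > DST.DPORT: FLAGS [SEQ:SEQEND(LEN)] [ack N] win W <options>
# FLAGS is a run of S/F/R/P letters, or "." when only ACK is set.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):\d+\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)

# Sample input: the three handshake lines from the reply above, plus two
# constructed packets (a data segment from the client and the server's ACK of it).
SAMPLE_LINES = [
    "10:16:11.232505 IP xx.yy.zz.44.7284 > aa.bb.cc.130.25: S 2114067570:2114067570(0) win 5840 <mss 1460,sackOK,timestamp 906238871 0,nop,wscale 2>",
    "10:16:11.257184 IP aa.bb.cc.130.25 > xx.yy.zz.44.7284: S 1756590593:1756590593(0) ack 2114067571 win 5792 <mss 1380,sackOK,timestamp 3428194314 906238871,nop,wscale 2>",
    "10:16:11.257242 IP xx.yy.zz.44.7284 > aa.bb.cc.130.25: . ack 1 win 1460 <nop,nop,timestamp 906238896 3428194314>",
    "10:16:11.300000 IP xx.yy.zz.44.7284 > aa.bb.cc.130.25: P 1:20(19) ack 1 win 1460 <nop,nop,timestamp 906238900 3428194314>",  # constructed
    "10:16:11.350000 IP aa.bb.cc.130.25 > xx.yy.zz.44.7284: . ack 20 win 1448 <nop,nop,timestamp 3428194340 906238900>",  # constructed
]


def parse_line(line: str) -> Optional[dict]:
    """Split one tcpdump line into fields; None if it is not a TCP line we understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["seq"] = int(d["seq"]) if d["seq"] else None
    d["len"] = int(d["len"]) if d["len"] else 0
    d["ack"] = int(d["ack"]) if d["ack"] else None
    return d


def classify(lines: List[str]) -> List[Tuple[str, str]]:
    """Label each line 'syn', 'syn-ack', 'handshake-ack', 'other' or 'unparsed'.

    State kept: only the (client, server) flows that have sent a SYN/ACK and are
    still waiting for the client's answering ACK.  No sequence-number tracking.
    """
    awaiting_ack: Set[Tuple[str, str]] = set()
    labelled = []
    for line in lines:
        p = parse_line(line)
        if p is None:
            labelled.append(("unparsed", line))
            continue
        flags, client_flow = p["flags"], (p["src"], p["dst"])
        if "S" in flags and p["ack"] is None:
            label = "syn"                                    # packet 1 of 3
        elif "S" in flags:
            awaiting_ack.add((p["dst"], p["src"]))           # remember (client, server)
            label = "syn-ack"                                # packet 2 of 3
        elif "R" in flags:
            awaiting_ack.discard(client_flow)                # a reset abandons the handshake
            awaiting_ack.discard((p["dst"], p["src"]))
            label = "other"
        elif p["ack"] is not None and client_flow in awaiting_ack:
            awaiting_ack.discard(client_flow)                # packet 3 of 3, data or not
            label = "handshake-ack"
        else:
            label = "other"                                  # ordinary data-phase traffic
        labelled.append((label, line))
    return labelled


def handshake_packets(lines: List[str]) -> List[str]:
    """Return only the lines that belong to a three-way handshake."""
    return [line for label, line in classify(lines)
            if label in ("syn", "syn-ack", "handshake-ack")]


if __name__ == "__main__":
    # Usage: tcpdump -lnni $INTERFACE port $DPORT | python3 this_script.py
    source = [l for l in sys.stdin] if not sys.stdin.isatty() else SAMPLE_LINES
    for label, line in classify(source):
        print(f"{label:14s} {line.rstrip()}")
```

Run without a pipe it labels the built-in sample lines; piped from `tcpdump -l` it labels live output. The `'ack 1 win'` heuristic from the reply and this script agree on the sample handshake, but only the script also flags a third packet that carries data, and neither distinguishes a retransmitted third ACK from the first one.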
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc