[CLUE-Tech] Packet Analysis (was Netfilter Log Message)

Brandon N bneill at yahoo.com
Thu Aug 9 13:07:22 MDT 2001


> > Can anyone decrypt this for me? :)
> > 
> > Aug  9 10:31:36 larry kernel: Netfilter: IN=eth1 OUT=
> > MAC=00:a0:cc:d0:d1:ef:00:30:80:23:6d:8c:08:00 SRC=24.178.31.64
> > DST=24.178.96.233 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=42185 DF
> > PROTO=TCP
> > SPT=4135 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
> 
> 'IN' section tells you what ethernet card the request came in on.
> 'OUT' is the same, but empty in this case.
> 'MAC' is the mac address on your ethernet card.
> 'SRC' is the address that originated this query.
> 'DST' is the address it came to (yours, I presume).
> The next few packets describe stuff about the packet headers and such,
> which I am not that great at:
> (LEN, TOS, PREC, TTL, ID, DF).  
LEN packet length
TOS Type of service, generally not used, but can be used for QOS
(Quality of service) or determining which packets to forward first
PREC 
TTL Time to live, how many hops before the packet dies
ID 
DF  Don't Fragment
> 'PROTO' tells you what network protocol it was
> (tcp, udp,
> icmp).  
> 'SPT' is the port on the originating machine
> 'DPT' is the port on the destination machine.  That is the part that
> gives it away as Code Red, port 80 is the html port.  You can find out
> what ports do what by looking in /etc/services.  Ports above 1024 are
> unprivileged ports, and not usually associated with a specific
> function.  Any program can use them.
 
Not necessarily true, if you look at /etc/services, ports up to 5002
are assigned in there.  Many other higher ports are also assigned, such
as IRC at 6667, but not listed in /etc/services.  

> The last
> packets, (WINDOW, RES, SYN, URGP) is more packet info that I am no
> good at.

WINDOW is a bit complicated; it has to do with how fast the machine
sends packets
RES TCP Reset I believe
SYN TCP Sync, basically means it's the first packet of a TCP connection
URGP  Urgent Pointer


Hope this is helpful

Brandon 
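As an added example (not from the post or from the list), a small Python parser for the netfilter LOG line format discussed above: it separates the KEY=VALUE fields from the bare flag tokens (DF, SYN, ...), splits the MAC= field into its destination MAC, source MAC and ethertype parts, and flags an inbound SYN to a given port, which is the check the thread uses to spot the Code Red probe. The function names and the FLAG_TOKENS set are my own; the sample line is the one quoted in the post, rejoined onto one line.

```python
import re
from typing import Dict, Union

# Constructed sample: the log line quoted in the post, rejoined onto one line.
SAMPLE = ("Aug  9 10:31:36 larry kernel: Netfilter: IN=eth1 OUT= "
          "MAC=00:a0:cc:d0:d1:ef:00:30:80:23:6d:8c:08:00 SRC=24.178.31.64 "
          "DST=24.178.96.233 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=42185 DF "
          "PROTO=TCP SPT=4135 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0")

# Tokens without '=' are flags: IP header flags (DF, MF, CE) and TCP flag bits.
FLAG_TOKENS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_netfilter(line: str) -> Dict[str, Union[str, int, bool]]:
    """Turn one LOG line into a dict: KEY=VALUE entries plus True/False flags.
    Hex values (TOS, PREC, RES) and decimal counters become ints; the text
    before the first IN= token (timestamp, host, prefix) is kept as 'prefix'."""
    fields: Dict[str, Union[str, int, bool]] = {}
    head, sep, body = line.partition(" IN=")
    if not sep:
        raise ValueError("not a netfilter LOG line")
    fields["prefix"] = head
    for tok in ("IN=" + body).split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            if re.fullmatch(r"0x[0-9a-fA-F]+", val):
                fields[key] = int(val, 16)
            elif val.isdigit():
                fields[key] = int(val)
            else:
                fields[key] = val          # interface names, addresses, PROTO
        elif tok in FLAG_TOKENS:
            fields[tok] = True
    for flag in FLAG_TOKENS:               # absent flag == not set
        fields.setdefault(flag, False)
    return fields


def split_mac(mac: str):
    """MAC= is the Ethernet header: dst MAC (6 bytes), src MAC (6 bytes), ethertype."""
    parts = mac.split(":")
    return ":".join(parts[:6]), ":".join(parts[6:12]), "".join(parts[12:])


def is_inbound_syn_to(fields: Dict[str, Union[str, int, bool]], port: int) -> bool:
    """New TCP connection attempt (SYN without ACK) arriving on an interface to 'port'."""
    return (fields.get("IN", "") != "" and fields.get("PROTO") == "TCP"
            and bool(fields["SYN"]) and not fields["ACK"] and fields.get("DPT") == port)
```

For the sample line, split_mac() shows the 08:00 ethertype (IPv4) at the end of the MAC= field, and is_inbound_syn_to(fields, 80) is True.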

