TCP Dump, cannot understand these 4 lines?

I need support understanding these 4 lines. It looks like tcpdump output, but I'm actually not understanding what exactly is happening here.

13:13:22.407445 IP 192.168.246.128.54955 > 192.168.246.13.80: S 2910497703:2910497703(0) win 5840 <mss 1460,sackOK,timestamp 518611 0,nop,wscale 6>
13:13:22.407560 IP 192.168.246.13.80 > 192.168.246.128.54955: S 3762608065:3762608065(0) ack 2910497704 win 64240 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
13:13:22.407963 IP 192.168.246.128.54955 > 192.168.246.13.80: . ack 1 win 92 <nop,nop,timestamp 518611 0>
13:13:22.408321 IP 192.168.246.128.54955 > 192.168.246.13.80: R 1:1(0) ack 1 win 92 <nop,nop,timestamp 518611 0>

Solution 1:

Seems like client 192.168.246.128 tried to connect to web server 192.168.246.13 but client's window size of 92 bytes was refused by a slow-read attack prevention mechanism.

Solution 2:

EDIT: after reading the comment by @GuntramBlohm on the answer by @XavierLucas, I did a quick check of how certain nmap scans look on the wire, and it seems the pattern in the OP is a match for nmap -sT, known as the TCP connect scan.

e.g. case with port 80 open

# nmap -sT localhost -p80
11:06:20.734518 IP 127.0.0.1.58802 > 127.0.0.1.80: Flags [S], seq 2064268743, win 32792, options [mss 16396,sackOK,TS val 3605220739 ecr 0,nop,wscale 8], length 0
11:06:20.734540 IP 127.0.0.1.80 > 127.0.0.1.58802: Flags [S.], seq 2269627608, ack 2064268744, win 32768, options [mss 16396,sackOK,TS val 3605220739 ecr 3605220739,nop,wscale 8], length 0
11:06:20.734551 IP 127.0.0.1.58802 > 127.0.0.1.80: Flags [.], ack 1, win 129, options [nop,nop,TS val 3605220739 ecr 3605220739], length 0
11:06:20.734718 IP 127.0.0.1.58802 > 127.0.0.1.80: Flags [R.], seq 1, ack 1, win 129, options [nop,nop,TS val 3605220739 ecr 3605220739], length 0

case with port 80 closed

# nmap -sT localhost -p80
12:18:07.737075 IP 127.0.0.1.58294 > 127.0.0.1.80: Flags [S], seq 2548091563, win 32792, options [mss 16396,sackOK,TS val 672612170 ecr 0,nop,wscale 7], length 0
12:18:07.737085 IP 127.0.0.1.80 > 127.0.0.1.58294: Flags [R.], seq 0, ack 2548091564, win 0, length 0

END EDIT. Original interpretation of the tcpdump output:

Line by line. First line at 13:13:22.407445:

13:13:22.407445 IP 192.168.246.128.54955 > 192.168.246.13.80: S 2910497703:2910497703(0) win 5840 <mss 1460,sackOK,timestamp 518611 0,nop,wscale 6>
  • IP 192.168.246.128 with source port 54955 tries to connect to IP 192.168.246.13 port 80 (http)

  • TCP Connection start is initiated by setting SYN flag indicated by letter S

  • sequence number of connection attempt is 2910497703

  • window size is 5840, maximum segment size 1460

Second line at 13:13:22.407560:

13:13:22.407560 IP 192.168.246.13.80 > 192.168.246.128.54955: S 3762608065:3762608065(0) ack 2910497704 win 64240 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
  • IP 192.168.246.13 with source port 80 responds to connection attempt from 192.168.246.128 src port 407445 with flags SYN+ACK indicated by letter S and ack

  • sequence number 3762608065 and sequence number from line above is incremented by one to get 2910497704

  • window is set to 64240, maximum segment size (mss) 1460

Third line is the final packet of the three-way handshake:

13:13:22.407963 IP 192.168.246.128.54955 > 192.168.246.13.80: . ack 1 win 92 <nop,nop,timestamp 518611 0>

  • it has same srcIP:port - dstIP:port pair as above with only ACK flag set.

Last line:

13:13:22.408321 IP 192.168.246.128.54955 > 192.168.246.13.80: R 1:1(0) ack 1 win 92 <nop,nop,timestamp 518611 0>

This line reads that the connection between 192.168.246.128:54955 and 192.168.246.13:80 is reset (RST flag), with the ACK flag indicating that data transmitted so far has been accepted as expected. More info on this can be found here.
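To turn the reading above into a repeatable check, here is an added Python example (not code from either answer) that parses both tcpdump flag styles shown on this page and labels each flow: the question's four lines come out as the handshake-then-RST connect-scan pattern, the closed-port capture as a SYN answered with RST. The capture list embeds the page's own lines with the garbled option fields restored; flow-state bookkeeping and verdict strings are my own.

```python
import re

# Matches both the old tcpdump flag notation used in the question ("S", ".", "R")
# and the newer "Flags [S.]" notation in the nmap captures above.
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
                     r"(?:Flags \[(?P<new>[^\]]*)\]|(?P<old>[SRPF.]+))(?P<rest>.*)$")

def parse_line(line):
    # Returns (src, dst, flagset) or None when the line is not a tcpdump TCP line.
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("new") if m.group("new") is not None else m.group("old")
    flags = {name for ch, name in (("S", "SYN"), ("R", "RST"), ("F", "FIN")) if ch in raw}
    # ACK is "." in both styles; the old style also spells it out as an "ack N" field.
    if "." in raw or re.search(r"\back \d", m.group("rest")):
        flags.add("ACK")
    return m.group("src"), m.group("dst"), flags

def classify_flows(lines):
    # Replays packets per (client, server) pair and labels how each handshake ended.
    state = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, flags = parsed
        if flags == {"SYN"}:                      # a bare SYN opens a new flow
            state[(src, dst)] = ["client:SYN"]
            continue
        key = (dst, src) if (dst, src) in state else (src, dst)
        if key in state:
            who = "client" if src == key[0] else "server"
            state[key].append(who + ":" + "+".join(sorted(flags)))
    verdicts = {}
    for key, seq in state.items():
        if seq == ["client:SYN", "server:ACK+RST"]:
            verdicts[key] = "closed port: SYN answered with RST"
        elif seq == ["client:SYN", "server:ACK+SYN", "client:ACK", "client:ACK+RST"]:
            verdicts[key] = "full handshake then immediate RST, no data: connect-scan pattern"
        else:
            verdicts[key] = "other: " + " ".join(seq)
    return verdicts

# Sample input: the question's four lines (options repaired) plus the closed-port capture above.
CAPTURE = [
    "13:13:22.407445 IP 192.168.246.128.54955 > 192.168.246.13.80: S 2910497703:2910497703(0) win 5840 <mss 1460,sackOK,timestamp 518611 0,nop,wscale 6>",
    "13:13:22.407560 IP 192.168.246.13.80 > 192.168.246.128.54955: S 3762608065:3762608065(0) ack 2910497704 win 64240 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>",
    "13:13:22.407963 IP 192.168.246.128.54955 > 192.168.246.13.80: . ack 1 win 92 <nop,nop,timestamp 518611 0>",
    "13:13:22.408321 IP 192.168.246.128.54955 > 192.168.246.13.80: R 1:1(0) ack 1 win 92 <nop,nop,timestamp 518611 0>",
    "12:18:07.737075 IP 127.0.0.1.58294 > 127.0.0.1.80: Flags [S], seq 2548091563, win 32792, options [mss 16396,sackOK,TS val 672612170 ecr 0,nop,wscale 7], length 0",
    "12:18:07.737085 IP 127.0.0.1.80 > 127.0.0.1.58294: Flags [R.], seq 0, ack 2548091564, win 0, length 0",
]
```

Run `classify_flows(CAPTURE)` to get one verdict per (client, server) pair; a real capture would usually show many such flows from one client, which is the signal worth alerting on.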