04-04-2019 12:03 AM - edited 02-21-2020 09:00 AM
Hi Experts,
Could you please provide more insight into the packet capture below. What exactly is happening between 10.20.59.52 and 204.110.219.102?
Also, suggest good docs/online links that will help me understand the TCP/IP handshake and packet analysis.
9: 00:55:54.818484 802.1Q vlan#193 P0 10.20.59.52.43979 > 204.110.219.102.443: P 4224286519:4224286805(286) ack 1471341325 win 1444 <nop,nop,timestamp 62224971 1804188686>
10: 00:55:54.818545 802.1Q vlan#193 P0 10.20.59.52.43979 > 204.110.219.102.443: P 4224286805:4224287518(713) ack 1471341325 win 1444 <nop,nop,timestamp 62224971 1804188686>
11: 00:55:54.819400 802.1Q vlan#193 P0 204.110.219.102.443 > 10.20.59.52.43979: . ack 4224286805 win 501 <nop,nop,timestamp 1804242427 62224971>
12: 00:55:54.819400 802.1Q vlan#193 P0 204.110.219.102.443 > 10.20.59.52.43979: . ack 4224287518 win 496 <nop,nop,timestamp 1804242427 62224971>
17: 00:55:54.824572 802.1Q vlan#193 P0 10.20.59.52.44526 > 204.110.219.102.443: S 2148927462:2148927462(0) win 29200 <mss 1460,sackOK,timestamp 62224977 0,nop,wscale 7>
18: 00:55:54.824603 802.1Q vlan#193 P0 204.110.219.102.443 > 10.20.59.52.44526: R 0:0(0) ack 2148927463 win 29200
19: 00:55:54.949230 802.1Q vlan#193 P0 204.110.219.102.443 > 10.20.59.52.43979: P 1471341325:1471341552(227) ack 4224287518 win 501 <nop,nop,timestamp 1804242460 62224971>
Thanks in advance
Sreeraj Murali
04-04-2019 01:04 AM
Hi,
It seems that there is a server 204.110.219.102 with a service running on TCP port 443, and you are transferring some data:
9: 00:55:54.818484 802.1Q vlan#193 P0 10.20.59.52.43979 > 204.110.219.102.443: P 4224286519:4224286805(286) ack 1471341325 win 1444 <nop,nop,timestamp 62224971 1804188686>
10: 00:55:54.818545 802.1Q vlan#193 P0 10.20.59.52.43979 > 204.110.219.102.443: P 4224286805:4224287518(713) ack 1471341325 win 1444 <nop,nop,timestamp 62224971 1804188686>
11: 00:55:54.819400 802.1Q vlan#193 P0 204.110.219.102.443 > 10.20.59.52.43979: . ack 4224286805 win 501 <nop,nop,timestamp 1804242427 62224971>
12: 00:55:54.819400 802.1Q vlan#193 P0 204.110.219.102.443 > 10.20.59.52.43979: . ack 4224287518 win 496 <nop,nop,timestamp 1804242427 62224971>
In the above packets, the server and client are sending acknowledgement packets (meaning: yes, I received that much data, please send more).
17: 00:55:54.824572 802.1Q vlan#193 P0 10.20.59.52.44526 > 204.110.219.102.443: S 2148927462:2148927462(0) win 29200 <mss 1460,sackOK,timestamp 62224977 0,nop,wscale 7>
18: 00:55:54.824603 802.1Q vlan#193 P0 204.110.219.102.443 > 10.20.59.52.44526: R 0:0(0) ack 2148927463 win 29200
Here, the client has transferred some data and the server has replied with an ACK and asked for new data. The server and client have adjusted the window size to 29200 and are transferring data with an MSS of 1460.
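For anyone who wants to check a reading of this capture against the packets themselves, the following is an added example; it is not code from the original post or from either poster. It parses the ASA/tcpdump-style lines quoted above, groups them into TCP flows, and reports for each flow whether it saw a handshake, a SYN answered by a RST, or data on a connection that was already established when the capture started, plus how many bytes each side sent and how many were still unacknowledged within the captured window. The CAPTURE string is the seven lines from the question re-typed as constructed test input; the regular expression and the client/server heuristic used for flows with no SYN in the capture are assumptions of this example, not part of the thread.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import Optional

# Constructed test input: the seven lines quoted in the question (packets 13-16
# were not posted, so the numbering has a gap, as it does on a real ASA capture).
CAPTURE = """\
9: 00:55:54.818484 802.1Q vlan#193 P0 10.20.59.52.43979 > 204.110.219.102.443: P 4224286519:4224286805(286) ack 1471341325 win 1444 <nop,nop,timestamp 62224971 1804188686>
10: 00:55:54.818545 802.1Q vlan#193 P0 10.20.59.52.43979 > 204.110.219.102.443: P 4224286805:4224287518(713) ack 1471341325 win 1444 <nop,nop,timestamp 62224971 1804188686>
11: 00:55:54.819400 802.1Q vlan#193 P0 204.110.219.102.443 > 10.20.59.52.43979: . ack 4224286805 win 501 <nop,nop,timestamp 1804242427 62224971>
12: 00:55:54.819400 802.1Q vlan#193 P0 204.110.219.102.443 > 10.20.59.52.43979: . ack 4224287518 win 496 <nop,nop,timestamp 1804242427 62224971>
17: 00:55:54.824572 802.1Q vlan#193 P0 10.20.59.52.44526 > 204.110.219.102.443: S 2148927462:2148927462(0) win 29200 <mss 1460,sackOK,timestamp 62224977 0,nop,wscale 7>
18: 00:55:54.824603 802.1Q vlan#193 P0 204.110.219.102.443 > 10.20.59.52.44526: R 0:0(0) ack 2148927463 win 29200
19: 00:55:54.949230 802.1Q vlan#193 P0 204.110.219.102.443 > 10.20.59.52.43979: P 1471341325:1471341552(227) ack 4224287518 win 501 <nop,nop,timestamp 1804242460 62224971>
"""

# Assumed line format (tcpdump-style, as printed by "show capture" on an ASA).
LINE_RE = re.compile(r"""
    ^(?P<num>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+
    (?:802\.1Q\s+vlan\#\d+\s+P\d+\s+)?                  # 802.1Q tag, present on trunk captures
    (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+
    (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+
    (?P<flags>[SFRPU.]+)                                 # '.' means ACK only, no other flag
    (?:\s+(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?    # seq range; omitted on pure ACKs
    (?:\s+ack\s+(?P<ack>\d+))?                           # omitted on the initial SYN
    \s+win\s+(?P<win>\d+)
    (?:\s+<(?P<opts>[^>]*)>)?                            # TCP options, if any
""", re.VERBOSE)


@dataclass
class Packet:
    num: int
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: Optional[int]
    end: Optional[int]
    length: int
    ack: Optional[int]
    win: int
    opts: str


def parse_capture(text: str) -> list:
    """Turn capture lines into Packet records; raise on a line the regex does not fit."""
    pkts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised capture line: {line}")
        g = m.groupdict()
        pkts.append(Packet(
            num=int(g["num"]), ts=g["ts"],
            src=g["src"], sport=int(g["sport"]), dst=g["dst"], dport=int(g["dport"]),
            flags=g["flags"],
            seq=int(g["seq"]) if g["seq"] else None,
            end=int(g["end"]) if g["end"] else None,
            length=int(g["len"]) if g["len"] else 0,
            ack=int(g["ack"]) if g["ack"] else None,
            win=int(g["win"]), opts=g["opts"] or "",
        ))
    return pkts


def analyse(pkts: list) -> dict:
    """Group packets into flows and describe each flow's state and byte accounting."""
    flows = OrderedDict()
    for p in pkts:
        a, b = (p.src, p.sport), (p.dst, p.dport)
        flows.setdefault((a, b) if a <= b else (b, a), []).append(p)

    report = {}
    for key, fl in flows.items():
        syn = next((p for p in fl if "S" in p.flags and p.ack is None), None)
        synack = next((p for p in fl if "S" in p.flags and p.ack is not None), None)
        rst = next((p for p in fl if "R" in p.flags), None)
        if syn is not None:
            client = (syn.src, syn.sport)
        else:
            # Assumption: with no SYN in the capture, the ephemeral (higher) port is the client.
            client = max(key, key=lambda ep: ep[1])
        server = key[1] if key[0] == client else key[0]

        if syn is not None and rst is not None and rst.ack == syn.seq + 1:
            state = "refused: SYN answered by RST"
        elif syn is not None and synack is not None:
            state = "handshake: SYN and SYN/ACK seen"
        elif syn is None and any(p.length > 0 for p in fl):
            state = "established before capture: data flowing"
        else:
            state = "incomplete: no data and no full handshake in capture"

        directions = {}
        for name, ep in (("client_to_server", client), ("server_to_client", server)):
            sent = sum(p.length for p in fl if (p.src, p.sport) == ep)
            ends = [p.end for p in fl if (p.src, p.sport) == ep and p.length > 0]
            acks = [p.ack for p in fl if (p.dst, p.dport) == ep and p.ack is not None]
            if not ends:
                unacked = None                      # this side sent no data
            elif not acks:
                unacked = sent                      # nothing acknowledged within the capture
            else:
                unacked = max(max(ends) - max(acks), 0)
            directions[name] = {"bytes": sent, "unacked": unacked}

        label = f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}"
        report[label] = {"state": state, "packets": len(fl),
                         "syn_options": syn.opts if syn else "", **directions}
    return report


if __name__ == "__main__":
    for flow, info in analyse(parse_capture(CAPTURE)).items():
        print(flow, info)
```

Run on the posted lines, the 43979 flow shows 999 bytes sent by the client and fully acknowledged, 227 bytes sent by the server and not yet acknowledged when the capture ends, and the 44526 flow shows a SYN whose only answer is a RST with ack = ISN+1, which is how a refused connection attempt looks on the wire. The same parser works on any "show capture" output of this shape, so it can be pointed at the complete capture mentioned later in the thread.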
04-04-2019 01:38 AM
Thanks. Attaching the complete capture to the 204. server. So, do you say that there is an active connection getting established between the two? Because I have denied direct outgoing internet access, and the traffic from the source has to communicate with a proxy host, which is in the LAN. Please comment.
04-04-2019 02:32 AM
Hi,
What is 10.20.58.21.389:?
I didn't find the TCP handshake logs in the log file, but a connection has been made between them and after that the data transfer has started.