Pix "Capture" output help

thstagman · ‎09-08-2011

Hello Everyone

Can someone help me with understanding part of the output from a "capture", taken from a PIx. I have removed part of this output in order to fit it nicely onto the screen. But I need to undertsand what the letters "S" and "R" stand for, located in a column almost central to the output..

Best Regards

Mike

04:12:35.091029 155.136.225.19.2144 > 155.131.30.28.3923: S 30113069:30113069(0) ack 3053111352 win 5792 <mss 1460,sackOK,timestamp 04:12:35.340085 155.136.225.19.2144 > 155.131.30.28.3923: S 30113069:30113069(0) ack 3053111352 win 5792 <mss 1460,sackOK,timestamp 04:12:35.939785 155.136.225.19.2144 > 155.131.30.28.3923: S 30113069:30113069(0) ack 3053111352 win 5792 <mss 1460,sackOK,timestamp 04:12:36.939679 155.136.225.19.2144 > 155.131.30.28.3923: S 30113069:30113069(0) ack 3053111352 win 5792 <mss 1460,sackOK,timestamp 04:12:38.123666 155.131.30.28.3923 > 155.136.225.19.2144: S 3053111351:3053111351(0) win 32768 <mss 1380,nop,wscale 0,nop,nop,timestamp[|tcp]04:12:38.164160 155.136.225.19.2144 > 155.131.30.28.3923: S 30113069:30113069(0) ack 3053111352 win 5792 <mss 1460,sackOK,timestamp 04:12:38.939877 155.136.225.19.2144 > 155.131.30.28.3923: S 30113069:30113069(0) ack 3053111352 win 5792 <mss 1460,sackOK,timestamp
04:12:41.391947 155.131.30.28.3923 > 155.136.225.19.2144: S 3053111351:3053111351(0) win 32768 <mss 1380,nop,wscale 0,nop,nop,timestamp[|tcp]04:12:41.431755 155.136.225.19.2144 > 155.131.30.28.3923: S 30113069:30113069(0) ack 3053111352 win 5792 <mss 1460,sackOK,timestamp 04:12:42.939862 155.136.225.19.2144 > 155.131.30.28.3923: S 30113069:30113069(0) ack 3053111352 win 5792 <mss 1460,sackOK,timestamp 04:12:44.670558 155.131.30.28.3923 > 155.136.225.19.2144: S 3053111351:3053111351(0) win 32768 <mss 1380,sackOK,eol>
04:12:44.710473 155.136.225.19.2144 > 155.131.30.28.3923: S 30113069:30113069(0) ack 3053111352 win 5792 <mss 1460,sackOK,timestamp 04:12:47.946377 155.131.30.28.3923 > 155.136.225.19.2144: R 3053111352:3053111352(0) win 0

varrao · ‎09-08-2011

Hi Mike,

These captures indicate a tcp handshake being taken place between the source and the destination. TCP handshake is a 3 way process, th source sends a SYN packet (S) and the destination replies that by SYN ACK, the source would again send an acknowledgement for it as ACK , and then the connection is established. If you see a R , it means that one of the machines sent a Reset to the connection:

04:12:47.946377 155.131.30.28.3923 > 155.136.225.19.2144: R 3053111352:3053111352(0) win 0

As you can see 155.131.30.28 sent a reset to 155.136.225.19, and the connection is terminated.

If you are working with captures for the first time, my advise would be to use pcap format of captures and view them in wireshark. they would make it more simpler for you to understand and interpret. Here is a very good doc for it:

https://supportforums.cisco.com/docs/DOC-17814

Hope this was helpful.

Thanks,

Varun

Please do rate helpful posts.

Thanks,
Varun Rao

thstagman · ‎09-08-2011

Hello Varun

Many thanks, that has helped me a great deal ,,

All the best to you ...

Mike

varrao · ‎09-08-2011

No Problem Mike

Thanks,

Varun

Thanks,
Varun Rao

thstagman · ‎09-08-2011

So much for me keeping it nice and tidy ... I have highlighted the letters

Regards

Mike

04:12:44.710473 155.136.225.19.2144 > 155.131.30.28.3923: S 30113069:30113069(0) ack 3053111352 win 5792

04:12:47.946377 155.131.30.28.3923 > 155.136.225.19.2144: R 3053111352:3053111352(0) win 0

varrao · ‎09-08-2011

You can see it in here:

The machine 155.136.225.19 sent the other machine (155.131.30.28) requesting a connection with a SYN packet (S), the other machine did not acknowledge it and sent a termination for it or reset (R).

Thanks,

Varun

Thanks,
Varun Rao