LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

10-23-2008, 04:52 AM   #1
dellroxy (Member)
tcpdump: need explanation


Dear Member;
Kindly be informed that I need an explanation of the output of the tcpdump command.
I know that this command is used for dumping traffic on a network,
but I didn't understand the output of this command.
I am using Fedora 9.

This is a snapshot of the command:
Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:04:45.885763 IP 196.204.142.34.1614 > 87.68.112.235.cable.012.net.il.5773: P 1439496598:1439496671(73) ack 3353917585 win 65535
12:04:45.885817 IP 196.204.142.34.1519 > raae8.r.pppool.de.4662: . ack 362275216 win 64715
12:04:45.886251 IP mail.settecltd.com.52317 > linkrdnsd.link.net.domain:  56161+ PTR? 235.112.68.87.in-addr.arpa. (44)
12:04:45.903508 IP 216-139-243-216.aus.us.siteprotect.com.1984 > 196.204.142.34.1510: P 4192119513:4192119733(220) ack 2891117690 win 65390
12:04:45.913486 IP 196.204.142.34.1519 > raae8.r.pppool.de.4662: . 0:1408(1408) ack 1 win 64715
12:04:45.914521 IP 196.204.142.34.1519 > raae8.r.pppool.de.4662: P 1408:2600(1192) ack 1 win 64715
12:04:45.915715 IP 82.129.134.50.pop3 > 196.204.225.132.3262: . 1249461382:1249462794(1412) ack 2505799382 win 5840
12:04:45.933120 IP raae8.r.pppool.de.4662 > 196.204.142.34.1519: . 1:1409(1408) ack 4294964696 win 63797
12:04:45.938727 IP 82.129.134.50.pop3 > 196.204.225.132.3262: . 1412:2824(1412) ack 1 win 5840
12:04:45.939138 IP 196.204.225.132.3262 > 82.129.134.50.pop3: . ack 2824 win 65535
12:04:45.943304 IP raae8.r.pppool.de.4662 > 196.204.142.34.1519: P 1409:2601(1192) ack 4294964696 win 63797
12:04:45.943431 IP 125-224-217-59.dynamic.hinet.net.18581 > mail.settecltd.com.12268: UDP, length 98
12:04:45.943583 IP 196.204.142.34.1519 > raae8.r.pppool.de.4662: . ack 2601 win 65535
12:04:45.997774 IP mail.networksolutionsemail.com.pop3 > 196.204.142.34.1643: S 3352262053:3352262053(0) ack 2685303687 win 5840 <mss 1460>
12:04:45.997983 IP 196.204.142.34.1643 > mail.networksolutionsemail.com.pop3: . ack 1 win 65535
12:04:46.046749 IP 82.129.134.50.pop3 > 196.204.225.132.3262: . 2824:4236(1412) ack 1 win 5840
12:04:46.057377 IP raae8.r.pppool.de.4662 > 196.204.142.34.1519: . ack 2600 win 64768
12:04:46.071388 IP 82.129.134.50.pop3 > 196.204.225.132.3262: . 4236:5648(1412) ack 1 win 5840
12:04:46.071748 IP 196.204.225.132.3262 > 82.129.134.50.pop3: . ack 5648 win 65535
12:04:46.086827 IP 196.204.142.34.1510 > 216-139-243-216.aus.us.siteprotect.com.1984: . ack 220 win 65315
12:04:46.097351 IP 82.129.134.50.pop3 > 196.204.225.132.3262: . 5648:7060(1412) ack 1 win 5840
12:04:46.132370 IP 193.153.41.37.4662 > 196.204.142.34.1621: P 1592242264:1592242341(77) ack 2519224166 win 2825
12:04:46.161273 IP 196.204.142.34.1621 > 193.153.41.37.4662: P 1:23(22) ack 77 win 64909
12:04:46.162417 IP 196.204.142.34.1625 > host-87-99-23-186.lanet.net.pl.4662: P 1147577904:1147579204(1300) ack 3786813667 win 65517
12:04:46.169110 IP mail.networksolutionsemail.com.pop3 > 196.204.142.34.1643: P 1:30(29) ack 1 win 5840
12:04:46.170091 IP 196.204.142.34.1643 > mail.networksolutionsemail.com.pop3: P 1:27(26) ack 30 win 65506
12:04:46.171116 IP 214.red.136.225.212.user.ptvtelecom.com.x11 > 196.204.142.34.1627: P 3463702150:3463702161(11) ack 970282592 win 65415
12:04:46.171343 IP 196.204.142.34.1627 > 214.red.136.225.212.user.ptvtelecom.com.x11: P 1:59(58) ack 11 win 65416
12:04:46.202427 IP raae8.r.pppool.de.4662 > 196.204.142.34.1519: . 2601:4009(1408) ack 0 win 64768
12:04:46.211824 IP raae8.r.pppool.de.4662 > 196.204.142.34.1519: P 4009:5201(1192) ack 0 win 64768
12:04:46.212091 IP 196.204.142.34.1519 > raae8.r.pppool.de.4662: . ack 5201 win 65535
12:04:46.222407 IP 196.204.225.132.3262 > 82.129.134.50.pop3: . ack 7060 win 64123
12:04:46.286002 IP 82.129.134.50.pop3 > 196.204.225.132.3262: . 7060:8472(1412) ack 1 win 5840

Last edited by dellroxy; 10-23-2008 at 04:55 AM.
 
10-23-2008, 05:58 AM   #2
acid_kewpie (Moderator, UK; Gentoo, RHEL, Fedora, Centos)
Well, what do you want to actually know about it? From that output we *could* explain the entire TCP/IP protocol suite to you, which I certainly hope isn't what you're expecting. Maybe you should be asking us a question about this specific capture and a user issue you're trying to track down? I see pop3 in there... email trouble?
 
10-27-2008, 04:18 AM   #3
dellroxy (Member, Original Poster)
Dear,
For example, let's talk about this line:

12:04:46.212091 what does it mean?
IP
196.204.142.34.1519 > raae8.r.pppool.de.4662:
I guess 196.204.142.34 connects with port number 1519 to raae8.r.pppool.de with port 4662,

meaning the traffic source is 196.204.142.34
and the destination is raae8.r.pppool.de

ack 5201 win 65535
what does it mean?
Code:
12:04:46.212091 IP 196.204.142.34.1519 > raae8.r.pppool.de.4662: . ack 5201 win 65535
Q- When I write tcpdump only, will this show all traffic on the network?
Q- When I want to determine specific traffic from a specific IP address, what can I do?
Thanks for your effort in helping me.
 
10-27-2008, 05:24 AM   #4
acid_kewpie (Moderator, UK; Gentoo, RHEL, Fedora, Centos)
ack means it's an acknowledge-flagged packet, for sequence number 5201, and the session currently has a window size of 65535 bytes. This sort of information is what makes up TCP/IP in itself; if you want to understand TCP data flows then you should really do some research into the theory behind it, not just look to read a tcpdump output.

Last edited by acid_kewpie; 10-27-2008 at 05:36 AM.
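The line that post #3 picks apart, and its question about seeing only the traffic of one IP address, as an added example that is not part of the thread: a small Python parser for the one-line summary format this capture uses (the tcpdump 3.x style; tcpdump 4.x prints the same fields as "Flags [.], seq ..., ack ..., win ..."), with an offline equivalent of the "host H" / "port P" capture filters and a describe() helper that spells a line out in words. The sample lines are copied from the capture in post #1; the Packet class, the function names and the field names are this example's own, not anything tcpdump provides.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# tcpdump 3.x one-line format, as quoted in this thread: "HH:MM:SS.usec IP src.sport > dst.dport: rest"
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP '
    r'(?P<src>\S+)\.(?P<sport>[^.\s]+) > '
    r'(?P<dst>\S+)\.(?P<dport>[^.\s:]+): (?P<rest>.*)$'
)
# TCP rest: FLAGS [seq:end(len)] [ack N] [win W] [<opts>]; S=SYN F=FIN R=RST P=PSH U=URG W=CWR E=ECE, "."=ACK only
TCP_RE = re.compile(
    r'^(?P<flags>[SFRPUWE.]+)(?=\s|$)'
    r'(?: (?P<seq>\d+):\d+\((?P<len>\d+)\))?'
    r'(?: ack (?P<ack>\d+))?'
    r'(?: win (?P<win>\d+))?'
)
UDP_RE = re.compile(r'^UDP, length (?P<len>\d+)$')
FLAG_NAMES = {'S': 'SYN', 'F': 'FIN', 'R': 'RST', 'P': 'PSH', 'U': 'URG', 'W': 'CWR', 'E': 'ECE'}

@dataclass
class Packet:                   # example's own structure, not a tcpdump type
    ts: str
    src: str
    sport: str
    dst: str
    dport: str
    proto: str                  # 'tcp', 'udp' or 'other' (e.g. the DNS decode)
    flags: str = ''
    seq: Optional[int] = None   # first payload byte; relative unless tcpdump ran with -S
    length: int = 0             # payload bytes in this packet
    ack: Optional[int] = None   # next byte the sender expects from its peer
    win: Optional[int] = None   # advertised receive window (unscaled)

def parse_line(line: str) -> Optional[Packet]:
    """Parse one summary line; banner lines ('listening on eth0 ...') give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = Packet(m['ts'], m['src'], m['sport'], m['dst'], m['dport'], 'other')
    rest = m['rest'].strip()
    u = UDP_RE.match(rest)
    if u:
        pkt.proto, pkt.length = 'udp', int(u['len'])
        return pkt
    t = TCP_RE.match(rest)
    if t:
        pkt.proto, pkt.flags = 'tcp', t['flags']
        if t['seq'] is not None:
            pkt.seq, pkt.length = int(t['seq']), int(t['len'])
        if t['ack'] is not None:
            pkt.ack = int(t['ack'])
        if t['win'] is not None:
            pkt.win = int(t['win'])
    return pkt

def parse_capture(text: str) -> List[Packet]:
    return [p for p in map(parse_line, text.splitlines()) if p is not None]

def select(pkts: List[Packet], host: str, port: Optional[str] = None) -> List[Packet]:
    """Offline equivalent of the capture filter 'host H [and port P]' (either endpoint)."""
    return [p for p in pkts if host in (p.src, p.dst) and (port is None or port in (p.sport, p.dport))]

def flow_summary(pkts: List[Packet]) -> Dict[Tuple[str, str, str, str], Tuple[int, int]]:
    """Per direction of each conversation: (packets, payload bytes)."""
    out: Dict[Tuple[str, str, str, str], Tuple[int, int]] = {}
    for p in pkts:
        key = (p.src, p.sport, p.dst, p.dport)
        n, b = out.get(key, (0, 0))
        out[key] = (n + 1, b + p.length)
    return out

def describe(pkt: Packet) -> str:
    """Spell one line out in words, answering the 'what does it mean' of post #3."""
    head = f"{pkt.ts}: {pkt.src} port {pkt.sport} -> {pkt.dst} port {pkt.dport}"
    if pkt.proto == 'udp':
        return f"{head}, UDP datagram carrying {pkt.length} bytes"
    if pkt.proto != 'tcp':
        return f"{head}, decoded by tcpdump as another protocol (e.g. DNS)"
    names = [FLAG_NAMES[c] for c in pkt.flags if c in FLAG_NAMES]
    flags = '+'.join(names) or "none besides ACK (printed as '.')"
    parts = [f"{head}, TCP flags {flags}"]
    parts.append(f"{pkt.length} bytes of payload starting at byte {pkt.seq}" if pkt.length else "no payload")
    if pkt.ack is not None:
        parts.append(f"acknowledges everything before byte {pkt.ack} from the peer")
    if pkt.win is not None:
        parts.append(f"advertises a {pkt.win}-byte receive window")
    return ', '.join(parts)

# Constructed input: lines copied from the capture quoted in post #1.
SAMPLE = """\
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:04:45.885763 IP 196.204.142.34.1614 > 87.68.112.235.cable.012.net.il.5773: P 1439496598:1439496671(73) ack 3353917585 win 65535
12:04:45.886251 IP mail.settecltd.com.52317 > linkrdnsd.link.net.domain:  56161+ PTR? 235.112.68.87.in-addr.arpa. (44)
12:04:45.913486 IP 196.204.142.34.1519 > raae8.r.pppool.de.4662: . 0:1408(1408) ack 1 win 64715
12:04:45.943431 IP 125-224-217-59.dynamic.hinet.net.18581 > mail.settecltd.com.12268: UDP, length 98
12:04:45.997774 IP mail.networksolutionsemail.com.pop3 > 196.204.142.34.1643: S 3352262053:3352262053(0) ack 2685303687 win 5840 <mss 1460>
12:04:46.212091 IP 196.204.142.34.1519 > raae8.r.pppool.de.4662: . ack 5201 win 65535
"""
```

Running `describe(parse_capture(SAMPLE)[-1])` renders the line from post #3 as: 196.204.142.34 port 1519 -> raae8.r.pppool.de port 4662, TCP flags none besides ACK, no payload, acknowledges everything before byte 5201 from the peer, advertises a 65535-byte receive window. Three caveats a practitioner would want. First, `select(pkts, '196.204.142.34')` is the offline version of the capture-time filter `tcpdump -n -i eth0 host 196.204.142.34` (append `and port 4662` to narrow it to one peer port); filtering at capture time is cheaper and also avoids recording everything else on the wire. Second, without `-n` tcpdump resolves every address it prints, and that lookup traffic lands in the capture itself: the PTR query for 235.112.68.87.in-addr.arpa in post #1 is almost certainly tcpdump asking about 87.68.112.235, the destination of the line printed half a millisecond earlier; on a box under investigation those queries also tell anyone watching the resolver what you are looking at. Third, after the first packet of a flow tcpdump prints sequence and ack numbers relative to the first ones it saw, so a capture that starts mid-stream can show wrapped values such as ack 4294964696 (2^32 minus 2600) in post #1; `-S` prints the absolute numbers instead, which is what you want when correlating with another capture or a log.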
 
  

