LinuxQuestions.org - Linux - Networking
Help reading TCPDUMP output (https://www.linuxquestions.org/questions/linux-networking-3/help-reading-tcpdump-output-47417/)

BenCarlisle 02-27-2003 10:53 AM

Help reading TCPDUMP output
 
I am getting severe tcp traffic and I was wondering if anyone could help? I am obviously a networking newbie, so any help is greatly appreciated.

Here is a sample of the tcpdump output:

11:01:36.404310 xxxx.xx.client2.attbi.com.1789 > 10.10.10.10.ircd: R [tcp sum ok] 0:0(0) win 0 (ttl 151, id 29779, len 40)
11:01:36.404310 xxxx.xx.client2.attbi.com.1789 > 10.10.10.10.ircd: R [tcp sum ok] 0:0(0) win 0 (ttl 160, id 29779, len 40)
11:01:36.404310 xxxx.xx.client2.attbi.com.1789 > 10.10.10.10.ircd: R [tcp sum ok] 0:0(0) win 0 (ttl 152, id 29779, len 40)
11:01:36.404310 xxxx.xx.client2.attbi.com.1789 > 10.10.10.10.ircd: R [tcp sum ok] 0:0(0) win 0 (ttl 151, id 29779, len 40)


As you can see, the source is on the ATTBI network (which is what I am on as well). The destination is what is confusing me... 10.10.10.10 is not my IP address. Why am I getting these packets? I'm getting loads of them, always from the same source.

Also the RESET flag is set for all of these, and there is no data being sent. What the heck is going on?

-B

SlickWilly 02-27-2003 11:55 AM

What kind of network are you connected to there?

BenCarlisle 02-27-2003 01:27 PM

Well, I'm on two networks, my machine uses IP Masq to route local traffic.

* eth0 is AT&T Broadband Cable - it initializes through DHCP (pump), my BCAST is 255.255.255.255 and my MASK is 255.255.248.0.

* eth1 is an internal LAN, Class-C 192.168.1 network.

Does that answer your question? Is there anything else I can do to help clarify?

SlickWilly 02-27-2003 02:35 PM

Yeah, it helps...

What you're seeing there is 'shared traffic'. I expect they've configured their cable modems to the 10. network (I know mine does). Although 10.10.10.10 seems a little fishy.

Anyway. This isn't aimed at you. The cable network has shared segments: the same way that a hub (not a switch, mind) sends data to all ports, so does the cable network.

Hence you'll see ARP requests, DHCP stuff, free-floating crud passed along to your cable modem, and you'll be able to listen in on it, should you so desire.

The way I read your dump, to answer the question, is:

client2.attbi.com is sending packets from port 1789 to 10.10.10.10 on port um... (quick lookup) 6667. The packets are Reset packets with a window (return data) size of zero, which is expected for Reset packets.

Basically what you're seeing is some host sending traffic to some (private, and certainly not internet routable) IP address attempting to reset a connection on the ircd port, which 'services' says is internet relay chat (I assume daemon). This may or may not actually be what the port is used for.

Anyway, as I said, this traffic isn't destined for you, but since your network card is (I think - slap me if I'm wrong) being put into promiscuous mode by tcpdump, you're listening in on all the conversations that happen to pass by your cable modem. Which, under the nature of cable modems, is rather a lot, and probably has nothing to do with you...

:)

Slick.
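A small parser for the old-style tcpdump line format that Slick walks through above, added here as an example (not code posted in the thread). It assumes the classic pre-4.0 one-line TCP layout shown in the original post and takes the 'ircd' -> 6667 mapping from SlickWilly's lookup; the sample input is the four lines from the first post.

```python
import ipaddress
import re
from collections import Counter

# Classic tcpdump (pre-4.0) TCP line layout, as quoted in the thread:
#   time src.sport > dst.dport: flags [tcp sum ok] seq:end(len) win N (ttl T, id I, len L)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<flags>[A-Z.]+) (?:\[tcp sum \w+\] )?(?P<seq>\d+):(?P<end>\d+)\((?P<plen>\d+)\) "
    r"win (?P<win>\d+) \(ttl (?P<ttl>\d+), id (?P<id>\d+), len (?P<iplen>\d+)\)$"
)
# Service names tcpdump substitutes from /etc/services; 'ircd' -> 6667 is the
# lookup SlickWilly did in the thread. Unknown names are kept as strings.
SERVICE_PORTS = {"ircd": 6667}

# The four lines from the original post, reused here as sample input.
SAMPLE = """\
11:01:36.404310 xxxx.xx.client2.attbi.com.1789 > 10.10.10.10.ircd: R [tcp sum ok] 0:0(0) win 0 (ttl 151, id 29779, len 40)
11:01:36.404310 xxxx.xx.client2.attbi.com.1789 > 10.10.10.10.ircd: R [tcp sum ok] 0:0(0) win 0 (ttl 160, id 29779, len 40)
11:01:36.404310 xxxx.xx.client2.attbi.com.1789 > 10.10.10.10.ircd: R [tcp sum ok] 0:0(0) win 0 (ttl 152, id 29779, len 40)
11:01:36.404310 xxxx.xx.client2.attbi.com.1789 > 10.10.10.10.ircd: R [tcp sum ok] 0:0(0) win 0 (ttl 151, id 29779, len 40)
""".splitlines()

def parse_line(line):
    """Return the fields of one tcpdump TCP line as a dict, or None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("seq", "end", "plen", "win", "ttl", "id", "iplen"):
        rec[key] = int(rec[key])
    rec["dport"] = SERVICE_PORTS.get(rec["dport"], rec["dport"])
    rec["reset"] = "R" in rec["flags"]            # RST flag set
    try:                                          # RFC 1918 etc.; hostnames are not resolved
        rec["dst_private"] = ipaddress.ip_address(rec["dst"]).is_private
    except ValueError:
        rec["dst_private"] = False
    return rec

def summarize(lines):
    """Who talks to whom, are these data-less resets, and is the target routable at all."""
    recs = [r for r in map(parse_line, lines) if r]
    return {
        "packets": len(recs),
        "flows": Counter((r["src"], r["sport"], r["dst"], r["dport"]) for r in recs),
        "all_reset_no_data": all(r["reset"] and r["plen"] == 0 and r["win"] == 0 for r in recs),
        "private_dsts": sorted({r["dst"] for r in recs if r["dst_private"]}),
        "ttls": sorted({r["ttl"] for r in recs}),
    }
```

Running `summarize(SAMPLE)` reports one flow of four RST packets with no payload and a zero window, a destination in private 10/8 space, and the three different TTL values seen in the capture.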

