08-05-2006, 09:04 AM   #1
positrox
LQ Newbie
 
Registered: Nov 2005
Distribution: SuSe, Debian
Posts: 26

Rep: Reputation: 15
tcpdump won't show the correct amount of traffic in a single port scan?

Hello

I can't get this out of my head, so I hope someone is able to help me.

I have my localhost and an external server. I issue this command in my localhost:

sudo tcpdump host [hostfilter] and ! port 22 -i eth1 -venNt -s0

And this on my external server:

sudo tcpdump host [hostfilter] and ! port 22 -venNt -s0

So what I want is to see all the traffic between me and the external host except the traffic generated by ssh.

Then on my localcomp I issue a single-port scan like this:

sudo nmap -sS [exthost] -v -p23 -P0

And I get these results (shortened):

23/tcp closed telnet
Raw packets sent: 1 (44B) | Rcvd: 1 (46B)

Nmap states that it has sent 44 bytes and received 46 bytes. When I look at my tcpdump outputs I see the following:

(mac- and ip-addresses replaced)

--first on my localhost--

Code:
macX > macY, ethertype IPv4 (0x0800), length 58: IP (tos 0x0, ttl  45, id 24780, offset 0, flags [none], length: 44) ipX.48343 > ipY.23: S [tcp sum ok] 544277442:544277442(0) win 2048 <mss 1460>
macY > macX, ethertype IPv4 (0x0800), length 60: IP (tos 0x0, ttl  57, id 1184, offset 0, flags [DF], length: 40) ipY.23 > ipX.48343: R [tcp sum ok] 0:0(0) ack 544277443 win 0
--and my external server--

Code:
macZ > macW, ethertype IPv4 (0x0800), length 58: IP (tos 0x0, ttl  37, id 24780, offset 0, flags [none], length: 44) ipX.48343 > ipY.23: S [tcp sum ok] 544277442:544277442(0) win 2048 <mss 1460>
macW > macZ, ethertype IPv4 (0x0800), length 54: IP (tos 0x0, ttl  64, id 1184, offset 0, flags [DF], length: 40) ipY.23 > ipX.48343: R [tcp sum ok] 0:0(0) ack 544277443 win 0

So basically my local computer (ipX) sends a TCP SYN packet to port 23 of my external server (ipY), and tcpdump says that the length is 44 bytes (agrees with nmap). Then the external server sends a TCP RST packet as a reply and the size (/length?) is 40 bytes. And this is the problem.

1) Why does nmap tell me that it has received 46 bytes?
2) What are the six bytes?
3) How can I verify them in the tcpdump output?

Also, why is the second Ethernet frame 2 bytes shorter (58 vs 60)?

Help is really appreciated.
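A worked check of the byte counts in the question, added here as an example; it is not part of the thread and not nmap's or tcpdump's own code. It parses the two local-host tcpdump lines quoted above (sample input copied from the post, with the replaced addresses kept) and computes, per frame, the bytes above the Ethernet header and how many of those lie beyond the IP total length. The 14-byte Ethernet header and the 60-byte minimum frame (64 with the FCS, which captures do not include) are standard Ethernet facts; that nmap's "Raw packets sent/Rcvd" byte counts are the captured length minus the link-layer header is an assumption, labelled as such in the code, but under it the arithmetic reproduces the 44 B and 46 B figures exactly, with the extra six bytes being the padding a sender's NIC adds to a 54-byte frame.

```python
import re

ETH_HDR_LEN = 14    # dst MAC (6) + src MAC (6) + EtherType (2)
ETH_MIN_FRAME = 60  # minimum Ethernet frame on the wire, not counting the 4-byte FCS

# Constructed sample input: the two frames from the local-host capture in the
# post above, with MAC and IP addresses replaced as in the original.
LOCAL_CAPTURE = """\
macX > macY, ethertype IPv4 (0x0800), length 58: IP (tos 0x0, ttl  45, id 24780, offset 0, flags [none], length: 44) ipX.48343 > ipY.23: S [tcp sum ok] 544277442:544277442(0) win 2048 <mss 1460>
macY > macX, ethertype IPv4 (0x0800), length 60: IP (tos 0x0, ttl  57, id 1184, offset 0, flags [DF], length: 40) ipY.23 > ipX.48343: R [tcp sum ok] 0:0(0) ack 544277443 win 0
"""

FRAME_RE = re.compile(r"length (\d+): IP \(")   # captured frame length (tcpdump -e)
IPLEN_RE = re.compile(r"length: (\d+)\)")        # IP total length field (tcpdump -v)
ADDR_RE = re.compile(r"\) (\S+)\.(\d+) > (\S+)\.(\d+): ([A-Z.]+) \[tcp sum ok\]")


def parse_capture(capture):
    """Return one record per frame with the link-layer accounting worked out."""
    records = []
    for line in capture.splitlines():
        if not line.strip():
            continue
        frame_len = int(FRAME_RE.search(line).group(1))
        ip_len = int(IPLEN_RE.search(line).group(1))
        src_ip, src_port, dst_ip, dst_port, flags = ADDR_RE.search(line).groups()
        # What a pcap reader is left with once the Ethernet header is stripped.
        above_link = frame_len - ETH_HDR_LEN
        # Anything captured beyond the IP total length is not IP data at all;
        # on Ethernet it is the padding that brings a short frame up to the
        # 60-byte minimum (40 IP bytes + 14 header = 54, so 6 pad bytes).
        padding = above_link - ip_len
        # A capture on the sending host is taken before the NIC pads the frame,
        # so the same RST can show as 54 bytes there and 60 bytes on the
        # receiver; max() gives the length it must have had on the wire.
        wire_len = max(frame_len, ETH_MIN_FRAME)
        records.append({
            "src": f"{src_ip}:{src_port}", "dst": f"{dst_ip}:{dst_port}", "flags": flags,
            "frame_len": frame_len, "ip_len": ip_len, "above_link": above_link,
            "padding": padding, "wire_len": wire_len,
        })
    return records


def count_like_nmap(records, local_ip):
    """Sum the bytes above the Ethernet header in each direction.

    Assumption (not confirmed by the thread): nmap's 'Raw packets sent/Rcvd'
    byte counts are the captured length minus the link-layer header, so a
    received frame is counted with any padding the sender's NIC added.
    """
    sent = sum(r["above_link"] for r in records if r["src"].startswith(local_ip + ":"))
    rcvd = sum(r["above_link"] for r in records if r["dst"].startswith(local_ip + ":"))
    return sent, rcvd


if __name__ == "__main__":
    recs = parse_capture(LOCAL_CAPTURE)
    for r in recs:
        print(f"{r['flags']:>2} {r['src']} -> {r['dst']}: frame {r['frame_len']}, "
              f"ip {r['ip_len']}, above link {r['above_link']}, "
              f"padding {r['padding']}, on wire {r['wire_len']}")
    print("nmap-style sent/rcvd bytes:", count_like_nmap(recs, "ipX"))
```

To verify the six bytes directly in tcpdump, capture with -x (or -xx, which includes the Ethernet header) on the receiving host: the hex dump of the RST frame runs six bytes past the 40 bytes the IP total length accounts for, and those trailing bytes are the padding. The same mechanism explains the 58 vs 60 difference: the outgoing SYN is captured on the local host before its NIC pads it, while the incoming RST arrives already padded.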
All times are GMT -5.