LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-01-2005, 02:09 AM   #1
Tihi
LQ Newbie
 
Registered: Aug 2004
Distribution: Slackware
Posts: 19

Rep: Reputation: 0
tcpdump


Hi everybody!
I am having difficulty understanding the following output generated by tcpdump:

tcpdump -i eth0 host 192.168.1.2 -n

09:33:07.862236 IP 192.168.1.2.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
09:33:08.612389 IP 192.168.1.2.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
09:33:09.363007 IP 192.168.1.2.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
09:33:12.748227 IP 192.168.1.2.1034 > 212.39.90.43.53: 2758+ A? zonelabs.com. (30)
09:33:13.764453 IP 192.168.1.2.1034 > 212.39.90.43.53: 2758+ A? zonelabs.com. (30)
09:33:14.776041 IP 192.168.1.2.1034 > 212.39.90.43.53: 2758+ A? zonelabs.com. (30)
09:33:16.804434 IP 192.168.1.2.1034 > 212.39.90.42.53: 2758+ A? zonelabs.com. (30)
09:33:16.822431 IP 192.168.1.2.1034 > 212.39.90.43.53: 2758+ A? zonelabs.com. (30)



I see that the host 192.168.1.2 is sending packets from source port 1034 to NetBIOS and DNS (212.39.90.42 is the DNS server of my provider) periodically. But what does "zonelabs.com. (30)" mean? I have ZoneAlarm on this host (192.168.1.2). Can anyone help me pls!

Best regards!
 
Old 06-01-2005, 04:33 AM   #2
skunkburner
Member
 
Registered: Mar 2004
Distribution: Fedora Core 17 & 18, Debian Wheezy
Posts: 137

Rep: Reputation: 16
Your windoze box & ZoneAlarm are trying to find out the zonelabs.com IP address.
It is querying DNS for the zonelabs.com A record (presumably for its auto update check). The (30) is the packet length.

Last edited by skunkburner; 06-01-2005 at 04:37 AM.
 
Old 06-01-2005, 04:39 AM   #3
bramhastra
Member
 
Registered: May 2005
Location: India
Distribution: RHEL 4.0
Posts: 136

Rep: Reputation: 15
Here are a few details about the tcpdump command.

For UDP datagrams:

15:22:41.400299 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 110

Timestamp: 15:22:41.400299
Source address: orac.erg.abdn.ac.uk
Source port: 1052
Destination address: 224.2.156.220
Destination port: 57392
Protocol: udp
Size: 110

For TCP datagrams:

16:23:01.079553 churchward.erg.abdn.ac.uk.33635 > gordon.erg.abdn.ac.uk.32772: P 12765:12925(160) ack 19829 win 24820 (DF)

Timestamp: 16:23:01.079553
Source address: churchward.erg.abdn.ac.uk
Source port: 33635
Destination address: gordon.erg.abdn.ac.uk
Destination port: 32772
P: indicates that the PUSH flag is set
12765: sequence number (also the start byte)
12925: the contained data bytes run from the sequence number up to, but not including, this number
(160): number of user data bytes in the datagram
ack 19829 win 24820 (DF): details of acknowledgements, window size and header flags
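To make the field breakdown above mechanical, here is an added example (my own code, not from any poster in this thread) that parses lines of the form shown by the original poster into fields, decodes the DNS query part, and groups queries by client and transaction id, so a query re-sent several times with the same id (as in the thread's capture) stands out as an unanswered retry. The sample lines are constructed from the output quoted earlier.

```python
import re
from collections import Counter

# Constructed sample, modelled on the tcpdump -n lines quoted in the thread.
SAMPLE = """\
09:33:07.862236 IP 192.168.1.2.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
09:33:12.748227 IP 192.168.1.2.1034 > 212.39.90.43.53: 2758+ A? zonelabs.com. (30)
09:33:13.764453 IP 192.168.1.2.1034 > 212.39.90.43.53: 2758+ A? zonelabs.com. (30)
09:33:16.804434 IP 192.168.1.2.1034 > 212.39.90.42.53: 2758+ A? zonelabs.com. (30)
"""

# General shape of a tcpdump -n line: "<time> IP <src>.<sport> > <dst>.<dport>: <payload>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<payload>.*)$")

# DNS query payload as tcpdump prints it: "<id>[+] <qtype>? <name> (<bytes>)"
# "+" means the client asked for recursion; the number in parentheses is the
# byte count tcpdump prints for the DNS message.
DNS_RE = re.compile(
    r"^(?P<id>\d+)(?P<rd>\+?) (?P<qtype>[A-Z]+)\? (?P<name>\S+) \((?P<length>\d+)\)$")


def parse_line(line):
    """Return a dict of fields for one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    d = DNS_RE.match(rec["payload"])
    if rec["dport"] == 53 and d:
        rec["dns"] = {"id": int(d["id"]), "rd": d["rd"] == "+",
                      "qtype": d["qtype"], "name": d["name"],
                      "length": int(d["length"])}
    return rec


def dns_retries(text):
    """Count queries per (client, transaction id, name).

    A DNS client keeps the same id when it re-sends a query it got no answer
    to, so a count above 1 means the query was retried, which is worth a look
    if the capture should also have shown the server's replies.
    """
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and "dns" in rec:
            counts[(rec["src"], rec["dns"]["id"], rec["dns"]["name"])] += 1
    return dict(counts)
```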
 
Old 06-01-2005, 05:54 AM   #4
Tihi
LQ Newbie
 
Registered: Aug 2004
Distribution: Slackware
Posts: 19

Original Poster
Rep: Reputation: 0
10x a lot!!!
It was my nightmare last night.
 