
List:       intrusions
Subject:    RE: odd traffic?
From:       Darin.MARAIS () cec ! eu ! int
Date:       2002-12-31 8:35:35

Hi there Mark,

Thank you very much for your reply.

I'm afraid that I may have created this problem myself. In my enthusiasm to
resolve another problem, or rid the database of false positives from a
previous call that I had, I changed the ttl_limit [number] pre-processor
option from the default to 64.

With the mail that I received from you I suddenly realised what I had done.
This change may very well be triggering the alarm. I apologise if I have
created the false positive.

I changed the rules database or the snort.conf file on the 26.12 and the
alarm was received on the 27.12. It could very well be a routing problem
that is now being detected as an "xmas scan" due to the changes that I
implemented.

What do you think?

Regards
Darin


**********************************************************************
-----Original Message-----
From: Johannes Ullrich 
Sent: 26 December 2002 17:06
To: MARAIS Darin (ADMIN)
Cc: intrusions@incidents.org
Subject: Re: (spp_stream4) TTL LIMIT Exceeded



> Perhaps a stupid question, but I'm having some difficulty understanding
> this one. My snort seems to indicate quite a few (spp_stream4) TTL LIMIT
> Exceeded alerts and I am not too sure how they should be interpreted.

If I remember right, this module did compare TTLs across different
packets of a given connection. The idea is, that these TTLs should
stay constant, unless someone is playing with the packets (e.g.
rerouting, injecting or other nasty stuff).

However, in real life it is not guaranteed that all packets between
two hosts take the same paths. The stream4 module allows you to configure
the 'ttl_limit', which is the maximum TTL delta allowed. For details, 
see http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.4.6

(short summary: probably a false positive. Check the target IP if it
is on an odd/remote network)
*********************************************************************************

<snip> from the snort.conf file
preprocessor frag2

# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat 
# stick/snot against TCP rules.  Also performs full TCP stream 
# reassembly, stateful inspection of TCP streams, etc.  Can statefully
# detect various portscan types, fingerprinting, ECN, etc.

# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8388608)
# options (options are comma delimited):
#   detect_scans - stream4 will detect stealth portscans and generate alerts
#                  when it sees them when this option is set
#   detect_state_problems - detect TCP state problems, this tends to be very
#                           noisy because there are a lot of crappy ip stack
#                           implementations out there
#
#   disable_evasion_alerts - turn off the possibly noisy mitigation of
#                            overlapping sequences.
#
#
#   min_ttl [number]       - set a minimum ttl that snort will accept to
#                            stream reassembly
#
#   ttl_limit [number]     - differential of the initial ttl on a session versus
#                             the normal that someone may be playing games.
#                             Routing flap may cause lots of false positives.
# 
#   keepstats [machine|binary] - keep session statistics, add "machine" to 
#                         get them in a flat format for machine reading, add
#                         "binary" to get them in a unified binary output 
#                         format
#   noinspect - turn off stateful inspection only
#   timeout [number] - set the session timeout counter to [number] seconds,
#                      default is 30 seconds
#   memcap [number] - limit stream4 memory usage to [number] bytes
#   log_flushed_streams - if an event is detected on a stream this option will
#                         cause all packets that are stored in the stream4
#                         packet buffers to be flushed to disk.  This only 
#                         works when logging in pcap mode!
#
# Stream4 uses Generator ID 111 and uses the following SIDS 
# for that GID:
#  SID     Event description
# -----   -------------------
#   1       Stealth activity
#   2       Evasive RST packet
#   3       Evasive TCP packet retransmission
#   4       TCP Window violation
#   5       Data on SYN packet
#   6       Stealth scan: full XMAS
#   7       Stealth scan: SYN-ACK-PSH-URG
#   8       Stealth scan: FIN scan
#   9       Stealth scan: NULL scan
#   10      Stealth scan: NMAP XMAS scan
#   11      Stealth scan: Vecna scan
#   12      Stealth scan: NMAP fingerprint scan stateful detect
#   13      Stealth scan: SYN-FIN scan
#   14      TCP forward overlap

preprocessor stream4: detect_scans, disable_evasion_alerts, ttl_limit 64

-----Original Message-----
From: Mark E. Donaldson [mailto:markee@ridgecrest.ca.us]
Sent: 31 December 2002 1:34
To: MARAIS Darin (ADMIN); Intrusions@incidents.org
Subject: RE: odd traffic?


Darin - indeed this is odd traffic.  I'm currently working on my GCIA
practical and I may even use this for one of my "detect analysis", but first
I'm going to have to study this a little more.  Anyway, a couple of things
did strike me that may prove helpful to you now.  This doesn't explain the
TCP flag combinations setting off "XMAS" and "NULL", but these packets
remarkably resemble those caught in a routing loop.  I say this because the
true TTL of 131.30 appears to be 64.  It appears to have decremented to 62
by the time it reaches the monitored portion of the network segment.  From
there, the packets appear to be bouncing back and forth from one router to
another, until the TTL hits 0 and is discarded by one of the routers.  I
conclude this because each packet set has the following characteristics:  1)
Identical IP ID, 2) unchanging ephemeral port number, 3) identical everything,
in fact, with the exception of the decrementing TTL, 4) very, very
small timestamp increments.  There is still more explaining to be done, but
I thought I'd make this offering.


##########################################
This is coming from the home and office of:

Mark E. Donaldson
bandwidthco.com
markee@ridgecrest.ca.us
Copyright © 1999 Bandwidthco.com. All rights reserved.
##########################################


-----Original Message-----
From: Darin.MARAIS@cec.eu.int [mailto:Darin.MARAIS@cec.eu.int]
Sent: Monday, December 30, 2002 2:04 AM
To: Intrusions@incidents.org
Subject: odd traffic?


Hi all,

My snort detected a couple of port scans from a device in our network and
I'm not too sure what to make of it!

I captured some data using tcpdump from that IP address after detecting
the scan packets, and to me the data looks strange.

Can someone add comment?

Dec 27 10:01:36 my.net.184.168:3368 -> my.net.131.30:proxy INVALIDACK 1*UAPRS*
Dec 27 10:04:28 my.net.184.168:3424 -> my.net.131.30:proxy XMAS 1*U*P**F
Dec 30 09:44:24 my.net.184.168:2128 -> my.net.131.30:proxy NULL *2******
Dec 30 09:46:00 my.net.184.168:2162 -> my.net.131.30:proxy NULL *2******
Dec 30 09:51:49 my.net.184.168:2237 -> my.net.131.30:proxy NOACK 12U*PR*F


[root@localhost root]# tcpdump host my.net.184.168 -i eth0 -v -n -nn
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0
10:26:53.296699 my.net.184.168.2869 > my.net.131.30.proxyport: S [tcp sum
ok] 352623264:352623264(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 121,
id 39547, len 48)
10:26:53.297464 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 62, id 48481, len 48)
10:26:53.297735 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 61, id 48481, len 48)
10:26:53.297883 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 60, id 48481, len 48)
10:26:53.298091 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 59, id 48481, len 48)
10:26:53.298663 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 58, id 48481, len 48)
10:26:53.299134 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 57, id 48481, len 48)
10:26:53.299138 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 56, id 48481, len 48)
10:26:53.299222 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 55, id 48481, len 48)
<snip>
10:26:53.308166 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 5, id 48481, len 48)
10:26:53.308312 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 4, id 48481, len 48)
10:26:53.308515 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 3, id 48481, len 48)
10:26:53.308661 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 2, id 48481, len 48)
10:26:53.308866 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) [ttl 1] (id 48481, len 48)
10:26:56.468456 my.net.184.168.2869 > my.net.131.30.proxyport: S [tcp sum
ok] 352623264:352623264(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 121,
id 40059, len 48)
10:26:56.469904 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 62, id 48482, len 40)
10:26:56.470455 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 61, id 48482, len 40)
10:26:56.470665 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 60, id 48482, len 40)
10:26:56.470844 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 59, id 48482, len 40)
10:26:56.470982 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 58, id 48482, len 40)
10:26:56.471139 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 57, id 48482, len 40)
10:26:56.471464 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 56, id 48482, len 40)
10:26:56.471470 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 55, id 48482, len 40)
10:26:56.471606 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 54, id 48482, len 40)
10:26:56.471751 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 53, id 48482, len 40)
10:26:56.471855 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 52, id 48482, len 40)
10:26:56.471995 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 51, id 48482, len 40)
10:26:56.472101 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 50, id 48482, len 40)
10:26:56.472493 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 49, id 48482, len 40)
10:26:56.472496 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 48, id 48482, len 40)
10:26:56.472499 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 47, id 48482, len 40)
10:26:56.472593 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 46, id 48482, len 40)
10:26:56.472732 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 45, id 48482, len 40)
10:26:56.472837 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 44, id 48482, len 40)
10:26:56.472978 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 43, id 48482, len 40)
10:26:56.473084 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 42, id 48482, len 40)
10:26:56.473225 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 41, id 48482, len 40)
10:26:56.473337 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 40, id 48482, len 40)
10:26:56.473478 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 39, id 48482, len 40)
10:26:56.473583 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 38, id 48482, len 40)
10:26:56.473721 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 37, id 48482, len 40)
10:26:56.473845 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 36, id 48482, len 40)
10:26:56.473985 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 35, id 48482, len 40)
10:26:56.474268 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 34, id 48482, len 40)
10:26:56.474271 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 33, id 48482, len 40)
10:26:56.474724 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 32, id 48482, len 40)
10:26:56.474868 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 31, id 48482, len 40)
10:26:56.475562 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 30, id 48482, len 40)
10:26:56.475565 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 29, id 48482, len 40)
10:26:56.475585 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 28, id 48482, len 40)
10:26:56.476157 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 27, id 48482, len 40)
10:26:56.476161 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 26, id 48482, len 40)
10:26:56.476253 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 25, id 48482, len 40)
10:26:56.476630 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 24, id 48482, len 40)
10:26:56.476654 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 23, id 48482, len 40)
10:26:56.476826 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 22, id 48482, len 40)
10:26:56.476978 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 21, id 48482, len 40)
10:26:56.477084 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 20, id 48482, len 40)
10:26:56.477227 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 19, id 48482, len 40)
10:26:56.477333 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 18, id 48482, len 40)
10:26:56.477472 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 17, id 48482, len 40)
10:26:56.477585 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 16, id 48482, len 40)
10:26:56.477723 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 15, id 48482, len 40)
10:26:56.477831 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 14, id 48482, len 40)
10:26:56.477970 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 13, id 48482, len 40)
10:26:56.478239 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 12, id 48482, len 40)
10:26:56.478295 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 11, id 48482, len 40)
10:26:56.478845 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 10, id 48482, len 40)
10:26:56.478984 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 9, id 48482, len 40)
10:26:56.478988 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 8, id 48482, len 40)
10:26:56.479085 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 7, id 48482, len 40)
10:26:56.479223 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 6, id 48482, len 40)
10:26:56.479366 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 5, id 48482, len 40)
10:26:56.479469 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 4, id 48482, len 40)
10:26:56.480108 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 3, id 48482, len 40)
10:26:56.480112 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 2, id 48482, len 40)
10:26:56.480115 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) [ttl 1] (id 48482, len 40)
10:26:58.134203 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 62, id 48483, len 48)
10:26:58.134765 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 61, id 48483, len 48)
10:26:58.134990 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 60, id 48483, len 48)
10:26:58.135156 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 59, id 48483, len 48)
10:26:58.135585 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 58, id 48483, len 48)
10:26:58.135715 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 57, id 48483, len 48)
10:26:58.135846 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 56, id 48483, len 48)
10:26:58.135849 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 55, id 48483, len 48)
10:26:58.135958 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 54, id 48483, len 48)
10:26:58.136100 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 53, id 48483, len 48)
10:26:58.136206 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 52, id 48483, len 48)
10:26:58.136349 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 51, id 48483, len 48)
10:26:58.136456 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 50, id 48483, len 48)
10:26:58.136598 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 49, id 48483, len 48)
10:26:58.136703 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 48, id 48483, len 48)
10:26:58.136844 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 47, id 48483, len 48)
10:26:58.136951 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 46, id 48483, len 48)
10:26:58.137093 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 45, id 48483, len 48)
10:26:58.137200 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 44, id 48483, len 48)
10:26:58.137342 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 43, id 48483, len 48)
10:26:58.137448 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 42, id 48483, len 48)
10:26:58.137591 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 41, id 48483, len 48)
10:26:58.137698 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 40, id 48483, len 48)
10:26:58.137838 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 39, id 48483, len 48)
10:26:58.137945 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 38, id 48483, len 48)
10:26:58.138086 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 37, id 48483, len 48)
10:26:58.138193 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 36, id 48483, len 48)
10:26:58.138335 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 35, id 48483, len 48)
10:26:58.138441 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 34, id 48483, len 48)
10:26:58.138583 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 33, id 48483, len 48)
10:26:58.138689 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 32, id 48483, len 48)
10:26:58.138831 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 31, id 48483, len 48)
10:26:58.138938 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 30, id 48483, len 48)
10:26:58.139077 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 29, id 48483, len 48)
10:26:58.139182 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 28, id 48483, len 48)
10:26:58.139326 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 27, id 48483, len 48)
10:26:58.139431 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 26, id 48483, len 48)
10:26:58.139573 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 25, id 48483, len 48)
10:26:58.139679 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 24, id 48483, len 48)
10:26:58.139820 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 23, id 48483, len 48)
10:26:58.139929 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 22, id 48483, len 48)
10:26:58.140070 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 21, id 48483, len 48)
10:26:58.140177 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 20, id 48483, len 48)
10:26:58.140318 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 19, id 48483, len 48)
10:26:58.140425 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 18, id 48483, len 48)
10:26:58.140565 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 17, id 48483, len 48)
10:26:58.140672 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 16, id 48483, len 48)
10:26:58.140813 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 15, id 48483, len 48)
10:26:58.141220 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 14, id 48483, len 48)
10:26:58.141223 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 13, id 48483, len 48)
10:26:58.141322 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 12, id 48483, len 48)
10:26:58.141464 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 11, id 48483, len 48)
10:26:58.141573 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 10, id 48483, len 48)
10:26:58.141714 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 9, id 48483, len 48)
10:26:58.141853 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 8, id 48483, len 48)
10:26:58.141994 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 7, id 48483, len 48)
10:26:58.142100 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 6, id 48483, len 48)
10:26:58.142242 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 5, id 48483, len 48)
10:26:58.142347 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 4, id 48483, len 48)
10:26:58.142491 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 3, id 48483, len 48)
10:26:58.142600 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 2, id 48483, len 48)
10:26:58.142740 my.net.131.30.proxyport > my.net.184.168.2869: S [tcp sum
ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss
1460,nop,nop,sackOK> (DF) [ttl 1] (id 48483, len 48)
10:27:01.113549 my.net.184.168.2871 > my.net.131.30.proxyport: S [tcp sum
ok] 352631083:352631083(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 121,
id 40571, len 48)
10:27:01.114339 my.net.131.30.proxyport > my.net.184.168.2871: S [tcp sum
ok] 1226617255:1226617255(0) ack 352631084 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 62, id 48484, len 48)
10:27:01.927277 my.net.184.168.2871 > my.net.131.30.proxyport: . [tcp sum
ok] ack 1 win 8760 (DF) (ttl 121, id 41083, len 40)
10:27:02.000173 my.net.184.168.2871 > my.net.131.30.proxyport: P 1:501(500)
ack 1 win 8760 (DF) (ttl 121, id 41339, len 540)
10:27:02.000708 my.net.131.30.proxyport > my.net.184.168.2871: . [tcp sum
ok] ack 501 win 49640 (DF) (ttl 62, id 48485, len 40)
10:27:02.038159 my.net.131.30.proxyport > my.net.184.168.2871: P 1:272(271)
ack 501 win 49640 (DF) (ttl 62, id 48486, len 311)
10:27:02.038852 my.net.131.30.proxyport > my.net.184.168.2871: FP
272:1128(856) ack 501 win 49640 (DF) (ttl 62, id 48487, len 896)
10:27:02.196059 my.net.184.168.2869 > my.net.131.30.proxyport: S [tcp sum
ok] 352623264:352623264(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 121,
id 41851, len 48)
10:27:02.196742 my.net.131.30.proxyport > my.net.184.168.2869: . [tcp sum
ok] ack 1 win 49640 (DF) (ttl 62, id 48488, len 40)
10:27:02.994711 my.net.184.168.2871 > my.net.131.30.proxyport: . [tcp sum
ok] ack 272 win 8489 (DF) (ttl 121, id 42363, len 40)
10:27:03.001417 my.net.184.168.2871 > my.net.131.30.proxyport: . [tcp sum
ok] ack 1129 win 7633 (DF) (ttl 121, id 42619, len 40)
10:27:03.008307 my.net.184.168.2871 > my.net.131.30.proxyport: R [tcp sum
ok] 352631584:352631584(0) win 0 (DF) (ttl 121, id 42875, len 40)
10:27:03.087162 my.net.184.168.2872 > my.net.131.30.proxyport: S [tcp sum
ok] 352633057:352633057(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 121,
id 43131, len 48)
10:27:03.088713 my.net.131.30.proxyport > my.net.184.168.2872: S [tcp sum
ok] 1238298131:1238298131(0) ack 352633058 win 49640 <mss
1460,nop,nop,sackOK> (DF) (ttl 62, id 48489, len 48)
10:27:03.901555 my.net.184.168.2872 > my.net.131.30.proxyport: . [tcp sum
ok] ack 1 win 8760 (DF) (ttl 121, id 43643, len 40)
10:27:03.968410 my.net.184.168.2872 > my.net.131.30.proxyport: P 1:456(455)
ack 1 win 8760 (DF) (ttl 121, id 43899, len 495)
10:27:03.969992 my.net.131.30.proxyport > my.net.184.168.2872: . [tcp sum
ok] ack 456 win 49640 (DF) (ttl 62, id 48490, len 40)
10:27:04.002191 my.net.131.30.proxyport > my.net.184.168.2872: P 1:446(445)
ack 456 win 49640 (DF) (ttl 62, id 48491, len 485)
10:27:04.002520 my.net.131.30.proxyport > my.net.184.168.2872: .
446:1285(839) ack 456 win 49640 (DF) (ttl 62, id 48492, len 879)
10:27:04.003033 my.net.131.30.proxyport > my.net.184.168.2872: .
1285:2745(1460) ack 456 win 49640 (DF) (ttl 62, id 48493, len 1500)
10:27:04.003038 my.net.131.30.proxyport > my.net.184.168.2872: P [tcp sum
ok] 2745:2783(38) ack 456 win 49640 (DF) (ttl 62, id 48494, len 78)
10:27:04.003042 my.net.131.30.proxyport > my.net.184.168.2872: F [tcp sum
ok] 2783:2783(0) ack 456 win 49640 (DF) (ttl 62, id 48495, len 40)
10:27:05.115882 my.net.184.168.2872 > my.net.131.30.proxyport: F [tcp sum
ok] 456:456(0) ack 446 win 8315 (DF) (ttl 121, id 44411, len 40)
10:27:05.116633 my.net.131.30.proxyport > my.net.184.168.2872: . [tcp sum
ok] ack 457 win 49640 (DF) (ttl 62, id 48496, len 40)
10:27:05.306071 my.net.184.168.2872 > my.net.131.30.proxyport: . [tcp sum
ok] ack 446 win 8315 <nop,nop,sack sack 1 {1285:2745} > (DF) (ttl 121, id
44667, len 52)
10:27:05.315743 my.net.184.168.2872 > my.net.131.30.proxyport: . [tcp sum
ok] ack 446 win 8315 <nop,nop,sack sack 1 {1285:2783} > (DF) (ttl 121, id
44923, len 52)
10:27:05.323358 my.net.184.168.2872 > my.net.131.30.proxyport: . [tcp sum
ok] ack 446 win 8315 <nop,nop,sack sack 1 {1285:2784} > (DF) (ttl 121, id
45179, len 52)
10:27:05.324448 my.net.131.30.proxyport > my.net.184.168.2872: P
446:1285(839) ack 457 win 49640 (DF) (ttl 62, id 48497, len 879)
10:27:06.250706 my.net.184.168.2872 > my.net.131.30.proxyport: R [tcp sum
ok] 352633514:352633514(0) win 0 (DF) (ttl 121, id 45435, len 40)

217 packets received by filter
0 packets dropped by kernel
[root@localhost root]#

Best Regards
Darin Marais
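The two checks discussed in this thread, stream4's ttl_limit delta and the
routing-loop signature Mark describes (same IP ID, same ports, identical
content, TTL stepping down by one per copy, microsecond gaps), re-implemented
over tcpdump -v output as an added example. This is not code from the thread
or from Snort. The capture it runs on is constructed to match the one posted
above (placeholder addresses 10.0.184.168 and 10.0.131.30, port 8080 standing
in for the redacted "proxyport"), and the exact bookkeeping stream4 used for
ttl_limit is an assumption based only on the snort.conf comment ("differential
of the initial ttl on a session"). Against that sample the looped SYN/ACK set
drives the per-direction TTL delta to 61, which the check flags with a
ttl_limit of 5 but not with a ttl_limit of 64; the clean exchange on port 2871
stays at a delta of 0.

```python
import re
from collections import defaultdict

# One tcpdump -v -n -nn line, with any mail wrapping already re-joined, e.g.
# 10:26:53.297464 10.0.131.30.8080 > 10.0.184.168.2869: S [tcp sum ok] 1179833195:1179833195(0) ack 352623265 win 49640 <mss 1460,nop,nop,sackOK> (DF) (ttl 62, id 48481, len 48)
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<body>.*?)\s*"                       # flags, seq/ack, win, options
    r"(?:\(ttl (?P<ttl>\d+), id (?P<id>\d+), len \d+\)"
    r"|\[ttl (?P<ttl1>\d+)\] \(id (?P<id1>\d+), len \d+\))\s*$")


def parse_line(line):
    """Return one packet dict, or None for lines that are not packets."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = m.group("ts").split(":")
    return {"ts": int(h) * 3600 + int(mi) * 60 + float(s),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "body": m.group("body"),
            "ttl": int(m.group("ttl") or m.group("ttl1")),
            "id": int(m.group("id") or m.group("id1"))}


def parse_capture(text):
    return [p for p in map(parse_line, text.splitlines()) if p]


def session_ttl_deltas(packets):
    """Per direction (src, sport, dst, dport): largest |ttl - first seen ttl|.
    Mirrors the snort.conf description of ttl_limit; the exact stream4
    bookkeeping is an assumption."""
    first, delta = {}, defaultdict(int)
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        first.setdefault(key, p["ttl"])
        delta[key] = max(delta[key], abs(p["ttl"] - first[key]))
    return dict(delta)


def ttl_limit_alerts(packets, ttl_limit):
    """Directions whose delta exceeds ttl_limit (assumed strict '>' comparison)."""
    return sorted(k for k, d in session_ttl_deltas(packets).items() if d > ttl_limit)


def find_loop_sets(packets, max_gap=0.01, min_copies=3):
    """Packet sets that look like one datagram bouncing between two routers:
    same 4-tuple and IP ID, identical TCP content, TTL down by one per copy,
    and at most max_gap seconds between consecutive copies."""
    groups = defaultdict(list)
    for p in packets:
        groups[(p["src"], p["sport"], p["dst"], p["dport"], p["id"])].append(p)
    loops = []
    for key, pkts in groups.items():
        pkts.sort(key=lambda p: p["ts"])
        pairs = list(zip(pkts, pkts[1:]))
        if (len(pkts) >= min_copies
                and len({p["body"] for p in pkts}) == 1
                and all(b["ttl"] == a["ttl"] - 1 for a, b in pairs)
                and all(b["ts"] - a["ts"] <= max_gap for a, b in pairs)):
            loops.append({"src": key[0], "dst": key[2], "ip_id": key[4],
                          "first_ttl": pkts[0]["ttl"], "last_ttl": pkts[-1]["ttl"],
                          "copies": len(pkts),
                          "duration": pkts[-1]["ts"] - pkts[0]["ts"]})
    return loops


def build_sample():
    """Constructed capture modelled on the thread's tcpdump output (addresses
    and port 8080 are placeholders): one SYN, its SYN/ACK looping 62 times with
    TTL 62 -> 1 and IP ID 48481, then a clean exchange on port 2871."""
    a, b = "10.0.184.168", "10.0.131.30"
    syn = "S [tcp sum ok] 352623264:352623264(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)"
    synack = ("S [tcp sum ok] 1179833195:1179833195(0) ack 352623265 win 49640 "
              "<mss 1460,nop,nop,sackOK> (DF)")
    lines = [f"10:26:53.296699 {a}.2869 > {b}.8080: {syn} (ttl 121, id 39547, len 48)"]
    t = 53.297464
    for ttl in range(62, 0, -1):
        tail = f"(ttl {ttl}, id 48481, len 48)" if ttl > 1 else "[ttl 1] (id 48481, len 48)"
        lines.append(f"10:26:{t:09.6f} {b}.8080 > {a}.2869: {synack} {tail}")
        t += 0.00018
    lines += [f"10:27:01.113549 {a}.2871 > {b}.8080: {syn} (ttl 121, id 40571, len 48)",
              f"10:27:01.114339 {b}.8080 > {a}.2871: {synack} (ttl 62, id 48484, len 48)",
              f"10:27:01.927277 {a}.2871 > {b}.8080: . [tcp sum ok] ack 1 win 8760 (DF) (ttl 121, id 41083, len 40)",
              f"10:27:02.000708 {b}.8080 > {a}.2871: . [tcp sum ok] ack 501 win 49640 (DF) (ttl 62, id 48485, len 40)"]
    return "\n".join(lines)


if __name__ == "__main__":
    pkts = parse_capture(build_sample())
    for loop in find_loop_sets(pkts):
        print("loop-like set:", loop)
    for limit in (5, 64):
        print(f"ttl_limit {limit}:", ttl_limit_alerts(pkts, limit) or "no alert")
```

To use it on a real capture, feed parse_capture() the output of tcpdump -v -n -nn
with the mail-wrapped lines re-joined; the loop check keys on the IP ID, so it
will not fire on a genuine retransmission, which gets a fresh ID and a fresh
initial TTL.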


