
List:       ipfilter
Subject:    Re: could someone help me with tcpdump?
From:       Seth <ssscud () yahoo ! com>
Date:       2002-10-31 22:16:53

for the record I was wrong about the tcp port number
of GRE (proto 47)...
sorry
--- Seth <ssscud@yahoo.com> wrote:
> I think the well known ports page would help everyone here:
> http://www.iana.org/assignments/port-numbers
> 
> But for the record proto number 47 (GRE) is generic
> routing encapsulation uses tcp and udp port number 47.
> It is very important part of MS-VPN (especially if
> pptp) implementation.
> 
> I also think it is a good idea to read up on esp eha
> and isakmp.
> 
> Peace,
> --- Max Leonard <max@harleyshouse.com> wrote:
> > I had a similar problem with getting some OSX clients tunneling from behind
> > nat/fw to an outside VPN.
> > The only solution I could come up with was redirecting the GRE packets
> > (proto 47) from the outside to a static IP inside the LAN. My very-limited
> > understanding of GRE is that it always uses port 0, which makes true NAT
> > very difficult due to the fact that you can't get unique ports to map, or
> > TCP sessions to hold onto. Although, if anyone has any working solutions for
> > mapping multiple VPN tunnels through ipfilter/ipnat, I would love to know
> > about them.
> >
> > -Max
> >
> > ----- Original Message -----
> > From: <jabbott@abbotts.org>
> > To: <ipfilter@cairo.anu.edu.au>
> > Sent: Wednesday, October 30, 2002 10:39 AM
> > Subject: could someone help me with tcpdump?
> > 
> > 
> > >
> > > Hello all
> > >
> > > I am trying to get a couple of win2k vpn boxen to work across a firewall.
> > > Here is a dump, my comments are in between each dump line.  I want to see if
> > > I understand what I am looking at.
> > >
> > > 12:17:12.246870 156.98.222.175.1064 > 156.98.190.111.1723: S 3085367584:3085367584(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> > >
> > > 222.175 makes the initial contact to 19.11 with a "S" syn packet?  The
> > > workstation port is 1064 and the server port is 1723 which is the vpn port.
> > > The two numbers (#:#) are the tcp sequence numbers?  What is "win" and the
> > > stuff after that?
> > >
> > > 12:17:12.247288 156.98.190.111.1723 > 156.98.222.175.1064: S 3369974062:3369974062(0) ack 3085367585 win 64240 <mss 1460,nop,nop,sackOK> (DF)
> > >
> > > 190.111 port 1723 replies to 222.175.  I see the "ack" later on, so was I
> > > wrong about the "S" being syn above because it is still here.  Why is the
> > > number after the ack one larger than the above?
> > >
> > > 12:17:12.247570 156.98.222.175.1064 > 156.98.190.111.1723: . ack 1 win 17520 (DF)
> > >
> > > 222.175 syn acks.
> > >
> > > What is this stuff below?
> > >
> > > 12:17:12.247800 156.98.222.175.1064 > 156.98.190.111.1723: P 1:157(156) ack 1 win 17520 (DF)
> > > 12:17:12.248204 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156) ack 157 win 64084 (DF)
> > > 12:17:15.479988 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156) ack 157 win 64084 (DF)
> > > 12:17:15.480651 156.98.222.175.1064 > 156.98.190.111.1723: P 157:325(168) ack 157 win 17364 (DF)
> > > 12:17:15.481998 156.98.190.111.1723 > 156.98.222.175.1064: P 157:189(32) ack 325 win 63916 (DF)
> > > 12:17:15.484913 156.98.222.175.1064 > 156.98.190.111.1723: P 325:349(24) ack 189 win 17332 (DF)
> > > 12:17:15.698650 156.98.190.111.1723 > 156.98.222.175.1064: . ack 349 win 63892 (DF)
> > >
> > > Nothing happens, the workstation can't seem to get authenticated.  I think
> > > I am not yet transferring protocol 47 though and I am looking into that now.
> > > I just want to understand tcpdump better.  I almost feel like I had
> > > something lower level that showed me this stuff a little more raw.  --of
> > > course I don't even understand what I have now! :-)
> > >
> > > --ja
> > > --
> > >
> > 
> 
> 
> =====
> SRR
> 


=====
SRR
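
Added example, not part of the original thread and not written by any of its participants: a Python sketch that parses the tcpdump trace quoted above and labels each packet. It shows the SYN-ACK acknowledging the client's initial sequence number plus one, and flags the server segment that appears a second time about three seconds later. The function name `annotate` and its label strings are assumptions of this example.

```python
import re

# Trace from the quoted message, re-joined so each packet is on one line.
DUMP = """\
12:17:12.246870 156.98.222.175.1064 > 156.98.190.111.1723: S 3085367584:3085367584(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
12:17:12.247288 156.98.190.111.1723 > 156.98.222.175.1064: S 3369974062:3369974062(0) ack 3085367585 win 64240 <mss 1460,nop,nop,sackOK> (DF)
12:17:12.247570 156.98.222.175.1064 > 156.98.190.111.1723: . ack 1 win 17520 (DF)
12:17:12.247800 156.98.222.175.1064 > 156.98.190.111.1723: P 1:157(156) ack 1 win 17520 (DF)
12:17:12.248204 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156) ack 157 win 64084 (DF)
12:17:15.479988 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156) ack 157 win 64084 (DF)
12:17:15.480651 156.98.222.175.1064 > 156.98.190.111.1723: P 157:325(168) ack 157 win 17364 (DF)
12:17:15.481998 156.98.190.111.1723 > 156.98.222.175.1064: P 157:189(32) ack 325 win 63916 (DF)
12:17:15.484913 156.98.222.175.1064 > 156.98.190.111.1723: P 325:349(24) ack 189 win 17332 (DF)
12:17:15.698650 156.98.190.111.1723 > 156.98.222.175.1064: . ack 349 win 63892 (DF)
"""

# Old-style tcpdump TCP line: time src > dst: flags [first:last(len)] [ack N] ...
LINE = re.compile(
    r"(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRWE.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))?"
)

def annotate(dump):
    """Label each TCP line of the trace; returns a list of (timestamp, label)."""
    labels, isn, sent = [], {}, set()
    for m in map(LINE.match, dump.strip().splitlines()):
        if m is None:
            continue  # line is not in the TCP format handled here
        src, seq = m["src"], m["seq"] and int(m["seq"])
        if "S" in m["flags"]:
            isn[src] = seq  # SYN lines show the absolute initial sequence number
            if m["ack"] is None:
                label = "SYN"
            elif int(m["ack"]) == isn.get(m["dst"], -2) + 1:
                label = "SYN-ACK, ack = peer ISN + 1"  # a SYN consumes one sequence number
            else:
                label = "SYN-ACK, unexpected ack"
        elif m["len"] and int(m["len"]) > 0:
            segment = (src, seq, int(m["end"]))  # tcpdump prints relative numbers after the SYN
            label = "retransmission" if segment in sent else "data"
            sent.add(segment)
        else:
            label = "ACK only"
        labels.append((m["ts"], label))
    return labels
```

Every packet in the trace belongs to the TCP connection to port 1723; a GRE (IP protocol 47) packet has no TCP header and would not match this line format.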
