  1. #1
    Just Joined!
    Join Date
    Apr 2006
    Posts
    5

    Newbie tcpdump question.


    Hi, can anyone tell me what these packet capture statistics mean? I'm capturing packets from one of my machines and don't know what this capture indicates. Can anybody assist? For instance, what's the .1900 at the end of these IPs? Yeah, I'm paranoid. TBH.

    01:06:41.680227 IP newswww4.thny.bbc.co.uk.www > 10.16.0.52.43112: . 14288:15736(1448) ack 765 win 32922 <nop,nop,timestamp 1178763071 234649783>
    01:06:41.680344 IP 10.16.0.52.43112 > newswww4.thny.bbc.co.uk.www: . ack 15736 win 9692 <nop,nop,timestamp 234649868 1178763071>
    01:06:41.681163 IP newswww4.thny.bbc.co.uk.www > 10.16.0.52.43112: . 15736:16688(952) ack 765 win 32922 <nop,nop,timestamp 1178763071 234649783>
    01:06:41.681284 IP 10.16.0.52.43112 > newswww4.thny.bbc.co.uk.www: . ack 16688 win 9692 <nop,nop,timestamp 234649869 1178763071>
    01:06:41.762379 IP newswww4.thny.bbc.co.uk.www > 10.16.0.52.43112: FP 16688:17379(691) ack 765 win 32922 <nop,nop,timestamp 1178763080 234649869>
    01:06:41.770565 IP 10.16.0.52.43112 > newswww4.thny.bbc.co.uk.www: F 765:765(0) ack 17380 win 9692 <nop,nop,timestamp 234649958 1178763080>
    01:06:41.874646 IP newswww4.thny.bbc.co.uk.www > 10.16.0.52.43112: . ack 766 win 32922 <nop,nop,timestamp 1178763091 234649958>
    01:06:59.133679 IP 10.16.0.52.ipp > 10.16.0.255.ipp: UDP, length 113
    01:07:04.166310 arp who-has 10.16.0.52 tell 10.16.0.49

    And some other "questionable" traffic

    23:36:08.897622 IP 10.16.0.53.1900 > 239.255.255.250.1900: UDP, length 410
    23:36:08.900317 IP 10.16.0.53.1900 > 239.255.255.250.1900: UDP, length 353
    23:36:08.925459 IP 10.16.0.53.1900 > 239.255.255.250.1900: UDP, length 424
    23:36:08.927396 IP 10.16.0.53.1900 > 239.255.255.250.1900: UDP, length 408
    23:36:08.976589 IP 10.16.0.53.1900 > 239.255.255.250.1900: UDP, length 396
    23:36:09.146113 IP 10.16.0.53.1900 > 239.255.255.250.1900: UDP, length 344
    23:36:11.901560 IP 10.16.0.53.1900 > 239.255.255.250.1900: UDP, length 410
    23:36:11.903230 IP 10.16.0.53.1900 > 239.255.255.250.1900: UDP, length 353
    23:36:11.928399 IP 10.16.0.53.1900 > 239.255.255.250.1900: UDP, length 424
    23:36:11.930329 IP 10.16.0.53.1900 > 239.255.255.250.1900: UDP, length 408
    23:36:11.979540 IP 10.16.0.53.1900 > 239.255.255.250.1900: UDP, length 396
    23:36:12.149052 IP 10.16.0.53.1900 > 239.255.255.250.1900: UDP, length 344
    23:36:14.904510 IP 10.16.0.53.1900 > 239.255.255.250.1900: UDP, length 410
    23:36:14.906176 IP 10.16.0.53.1900 > 239.255.255.250.1900: UDP, length 353
    23:36:14.931345 IP 10.16.0.53.1900 > 239.255.255.250.1900: UDP, length 424
    23:36:14.933277 IP 10.16.0.53.1900 > 239.255.255.250.1900: UDP, length 408
    23:36:14.982481 IP 10.16.0.53.1900 > 239.255.255.250.1900: UDP, length 396
    23:36:15.152012 IP 10.16.0.53.1900 > 239.255.255.250.1900: UDP, length 344

  2. #2
    Linux Enthusiast
    Join Date
    Apr 2004
    Location
    UK
    Posts
    682
    Just because you're paranoid doesn't mean they're not out to get you...

    Anyway, the first dump looks like someone browsing the news on the BBC website. The second dump looks like UPnP traffic. The .1900 at the end of the address indicates the port the traffic is coming from or going to, in this case port 1900. The same applies to the BBC traffic, but instead of saying .80, tcpdump knows port 80 is for web traffic and puts .www for readability.

    The destination address for the second dump is a broadcast address (multicast I think), so something on your network has UPnP capability and is advertising its services. I most often find this with ADSL routers advertising the link status, but lots of other things can do it too. See this page discussing the "problem" for some more information.

    If you run tcpdump with the flags "-s 1024 -X" it will dump out the actual traffic in a readable format (and hex) so you can actually read what is going through your network.

    Hope that helps,

    Chris...
    To be good, you must first be bad. "Newbie" is a rank, not a slight.
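A worked example of what Chris describes above, added here and not code from either poster: a small Python parser that turns lines of this tcpdump output into structured records, splits the trailing ".port" off each endpoint (mapping names like .www and .ipp back to numbers the way tcpdump resolved them from /etc/services), reads the TCP flag letters and (len) fields, and labels the 239.255.255.250:1900 traffic as SSDP/UPnP. The sample lines are copied from the capture above with the truncated "(144 ack" restored to "(1448)"; the SERVICE_PORTS map, the /24 broadcast test and the rule that an endpoint tcpdump resolved to a DNS name is "external" are this example's own assumptions.

```python
"""Parse and classify classic tcpdump one-line output. Added example, not code from the
thread; assumes the text format shown above and /24 subnets when spotting broadcasts."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# tcpdump prints /etc/services names for well-known ports unless run with -n;
# this map (an assumption of the example) covers the names seen in the capture.
SERVICE_PORTS = {"www": 80, "http": 80, "ipp": 631, "ssh": 22, "domain": 53}
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # UPnP discovery group, port 1900

# Constructed sample: lines from the post; the truncated "(144 ack" is restored to "(1448)".
SAMPLE = """\
01:06:41.680227 IP newswww4.thny.bbc.co.uk.www > 10.16.0.52.43112: . 14288:15736(1448) ack 765 win 32922 <nop,nop,timestamp 1178763071 234649783>
01:06:41.680344 IP 10.16.0.52.43112 > newswww4.thny.bbc.co.uk.www: . ack 15736 win 9692 <nop,nop,timestamp 234649868 1178763071>
01:06:41.762379 IP newswww4.thny.bbc.co.uk.www > 10.16.0.52.43112: FP 16688:17379(691) ack 765 win 32922 <nop,nop,timestamp 1178763080 234649869>
01:06:41.770565 IP 10.16.0.52.43112 > newswww4.thny.bbc.co.uk.www: F 765:765(0) ack 17380 win 9692 <nop,nop,timestamp 234649958 1178763080>
01:06:59.133679 IP 10.16.0.52.ipp > 10.16.0.255.ipp: UDP, length 113
01:07:04.166310 arp who-has 10.16.0.52 tell 10.16.0.49
23:36:08.897622 IP 10.16.0.53.1900 > 239.255.255.250.1900: UDP, length 410
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
# TCP: flag letters, optional "seq:seq(len)", optional "ack N", then "win N".
TCP_RE = re.compile(r"^(?P<flags>[A-Z.]+)(?: \d+:\d+\((?P<len>\d+)\))?(?: ack \d+)? win \d+")
UDP_RE = re.compile(r"^UDP, length (?P<len>\d+)")


@dataclass
class Packet:
    ts: str
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int
    proto: str    # "TCP" or "UDP"
    length: int   # payload bytes as tcpdump reports them
    flags: str    # TCP flag letters ("." none, "F" FIN, "FP" FIN+PSH); "" for UDP

def split_endpoint(ep: str) -> Tuple[str, int]:
    """'10.16.0.53.1900' -> ('10.16.0.53', 1900); 'host.www' -> ('host', 80)."""
    host, _, port = ep.rpartition(".")
    if port.isdigit():
        return host, int(port)
    if port in SERVICE_PORTS:
        return host, SERVICE_PORTS[port]
    raise ValueError(f"unknown service name {port!r} in {ep!r}; rerun tcpdump with -n")

def to_ip(host: str) -> Optional[ipaddress.IPv4Address]:
    try:                      # None when tcpdump already resolved the address to a name
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def parse_line(line: str) -> Optional[Packet]:
    """One tcpdump line -> Packet; None for non-IP lines (arp) or unrecognised payloads."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    udp, tcp = UDP_RE.match(m["rest"]), TCP_RE.match(m["rest"])
    if udp:
        return Packet(m["ts"], src, sport, dst, dport, "UDP", int(udp["len"]), "")
    if tcp:
        return Packet(m["ts"], src, sport, dst, dport, "TCP", int(tcp["len"] or 0), tcp["flags"])
    return None

def parse_all(lines: List[str]) -> List[Packet]:
    return [p for p in map(parse_line, lines) if p is not None]

def classify(p: Packet) -> str:
    """Label a packet from addresses, ports and flags alone; no payload needed."""
    if p.proto == "TCP":
        if "F" in p.flags or "R" in p.flags:
            return "tcp-teardown"
        return "tcp-data" if p.length else "tcp-ack"
    if to_ip(p.dst_host) == SSDP_GROUP and p.dst_port == 1900:
        return "ssdp-multicast"          # UPnP announcements / M-SEARCH
    if p.dst_host.endswith(".255"):      # assumption: /24 subnet broadcast
        return "udp-broadcast"           # e.g. CUPS printer browsing on ipp/631
    return "udp-unicast"

def summarize(packets: List[Packet]) -> Counter:
    return Counter(classify(p) for p in packets)

def tcp_payload_bytes(packets: List[Packet], src_host: str) -> int:
    """Bytes one host sent over TCP, summed from the (len) fields."""
    return sum(p.length for p in packets if p.proto == "TCP" and p.src_host == src_host)

def external_hosts(packets: List[Packet]) -> set:
    """Endpoints outside private/multicast space; a DNS name is assumed external."""
    hosts = set()
    for p in packets:
        for h in (p.src_host, p.dst_host):
            ip = to_ip(h)
            if ip is None or not (ip.is_private or ip.is_multicast):
                hosts.add(h)
    return hosts

if __name__ == "__main__":
    pkts = parse_all(SAMPLE)
    for label, n in sorted(summarize(pkts).items()):
        print(f"{label:15} {n}")
    print("external hosts:", sorted(external_hosts(pkts)))
    print("bytes from BBC:", tcp_payload_bytes(pkts, "newswww4.thny.bbc.co.uk"))
```

Run it with python3 and it prints one line per traffic class, the single non-private endpoint (the BBC web server) and the payload bytes it sent. To feed it a real capture, run tcpdump with -n so ports and addresses stay numeric (the SERVICE_PORTS map then never needs extending) and pipe the output in, or read a saved file back with tcpdump -n -r file.pcap.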

  3. #3
    Just Joined!
    Join Date
    Apr 2006
    Posts
    5
    Quote Originally Posted by kakariko81280
    Just because you're paranoid doesn't mean they're not out to get you...

    Chris...
    LOL, nice one Chris! Thanks for the explanation. I was just wondering why the heck I was getting web traffic from bbc.co.uk when I wasn't even browsing. I was remotely connected to my laptop from work via ssh, messing around with dumps. I looked up that 1900 traffic and found out it's UPnP stuff, as you mentioned. I'm going to mess around with the flags you mention after I get some sleep. I was pretty stoked when I used tcpdump to dump traffic to a file and then opened it using Ethereal. Fun stuff. Have a good one.
