Interpreting tcpdump output for TCP connection

 
 
query.cdac@gmail.com
      05-23-2007, 12:59 PM
Hi All,

I am trying to understand the tcpdump output. The packets that I
am analyzing are from when a TCP connection is established at port 80.
The output is as follows:

[root@gdrd5 ~]# tcpdump -i eth0 host 172.16.5.129

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:44:43.033353 IP 172.16.5.129.34459 > gdrd5.cdacecity.in.http: S "" 2012082717:2012082717(0) win 5840 " <mss 1460,sackOK,timestamp 158479315 0,nop,wscale 2>
15:44:43.033401 IP gdrd5.cdacecity.in.http > 172.16.5.129.34459: S " 1067063448:1067063448(0) ack 2012082718 win 5792 " <mss 1460,sackOK,timestamp 369354097 158479315,nop,wscale 2>
15:44:43.033511 IP 172.16.5.129.34459 > gdrd5.cdacecity.in.http: . ack 1 " win 1460 " <nop,nop,timestamp 158479315 369354097>
15:44:48.985256 IP 172.16.5.129.34459 > gdrd5.cdacecity.in.http: P 1:5(4) ack 1 win 1460 <nop,nop,timestamp 158485268 369354097>
15:44:48.985314 IP gdrd5.cdacecity.in.http > 172.16.5.129.34459: . ack 5 win 1448 <nop,nop,timestamp 369360050 158485268>


In the above output, a TCP connection was established at port 80.
The sender is 172.16.5.129 and the receiver is gdrd5.cdacecity.in.http.


Can somebody please interpret the meaning of the contents that are
within "" (inverted commas) in the above output? E.g.:

"" 2012082717:2012082717(0) win 5840 "
" 1067063448:1067063448(0) ack 2012082718 win 5792 "
" win 1460 "

The following is my understanding. During the TCP connection phase, the
sender and receiver negotiate the window size. In this scenario, the
sender is advertising a window size of 5840 bytes and the receiver is
saying that it can use a window size of 5792 bytes. But the negotiated
window size (in the third step, i.e. when the sender replies with the
ACK bit set) is equal to 1460, which is the MSS value advertised by the
receiver.

Is this negotiation to the value of MSS (win 1460) according to the
TCP Slow Start algorithm for flow control, i.e. the congestion window
is negotiated to the receiver's segment value according to RFC2001?

Please correct me if my understanding is wrong.

 
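Added example, not part of the original post: tcpdump in this format prints the raw 16-bit window field, and on non-SYN segments that field is left-shifted by the wscale value its sender offered in the SYN, provided both SYNs carried the option (RFC 7323). The Python below parses the five packets from the capture and computes each advertised window in bytes; the function name `effective_windows` and the regular expression are assumptions made for illustration.

```python
import re

# Constructed input: the five packets from the capture in the post, one per
# line, with the quotation marks the poster added for emphasis removed.
CAPTURE = """\
15:44:43.033353 IP 172.16.5.129.34459 > gdrd5.cdacecity.in.http: S 2012082717:2012082717(0) win 5840 <mss 1460,sackOK,timestamp 158479315 0,nop,wscale 2>
15:44:43.033401 IP gdrd5.cdacecity.in.http > 172.16.5.129.34459: S 1067063448:1067063448(0) ack 2012082718 win 5792 <mss 1460,sackOK,timestamp 369354097 158479315,nop,wscale 2>
15:44:43.033511 IP 172.16.5.129.34459 > gdrd5.cdacecity.in.http: . ack 1 win 1460 <nop,nop,timestamp 158479315 369354097>
15:44:48.985256 IP 172.16.5.129.34459 > gdrd5.cdacecity.in.http: P 1:5(4) ack 1 win 1460 <nop,nop,timestamp 158485268 369354097>
15:44:48.985314 IP gdrd5.cdacecity.in.http > 172.16.5.129.34459: . ack 5 win 1448 <nop,nop,timestamp 369360050 158485268>
"""

# Older tcpdump one-line TCP format: flags, optional seq range, optional ack,
# raw window field, then TCP options in angle brackets.
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
    r"(?: <(?P<opts>[^>]*)>)?$")


def effective_windows(capture):
    """Return one (src, flags, raw_win, win_bytes) tuple per parsed packet."""
    shift = {}  # endpoint -> shift count it offered in its SYN (None if absent)
    out = []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m is None:
            continue  # not a TCP line in this format
        src, dst, flags = m["src"], m["dst"], m["flags"]
        raw = int(m["win"])
        if "S" in flags:
            ws = re.search(r"wscale (\d+)", m["opts"] or "")
            shift[src] = int(ws.group(1)) if ws else None
            out.append((src, flags, raw, raw))  # SYN windows are never scaled
            continue
        # Scaling is in effect only when both SYNs carried a wscale option.
        both = shift.get(src) is not None and shift.get(dst) is not None
        out.append((src, flags, raw, raw << shift[src] if both else raw))
    return out


if __name__ == "__main__":
    for src, flags, raw, nbytes in effective_windows(CAPTURE):
        print(f"{src:28} {flags:2} win field {raw:5} -> {nbytes} bytes")
```

For this capture the third packet's `win 1460` with a shift of 2 works out to 5840 bytes, the same value the client advertised unscaled in its SYN.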
 
 
 