Arif
-
12:03:24 am on March 21, 2010
Filter for the initial SYN (flags 0x02) of TCP connections from a specific source to a specific destination:
tcp.flags == 0x02 and ip.src == 10.201.62.78 and ip.dst == 10.201.62.249
A series of SYN packets will appear as:
No.  Time      Source        Destination    Protocol  Info
1    0.000000  10.201.62.78  10.201.62.249  TCP       53161 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
4    0.001124  10.201.62.78  10.201.62.249  TCP       53162 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
7    0.001556  10.201.62.78  10.201.62.249  TCP       53163 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
16   0.006334  10.201.62.78  10.201.62.249  TCP       53164 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
20   0.009590  10.201.62.78  10.201.62.249  TCP       53165 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
24   0.011687  10.201.62.78  10.201.62.249  TCP       53166 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
In this specific case, multiple source ports (53163, 53162, etc.) each start a conversation with port 10010 by sending a SYN packet.
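What the filter above tests at the byte level, as an added Python example that is not part of the original post: it reads the TCP flags byte from raw IPv4 packets and groups the matching source ports by destination port. The function names are hypothetical, and the sample packets are constructed from the addresses and ports in the listing plus two non-matching packets.

```python
import socket
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # bits in the TCP flags byte

def build_packet(src, dst, sport, dport, flags):
    """Constructed 20-byte IPv4 + 20-byte TCP header (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      49640, 0, 0)
    return ip + tcp

def initial_syns(packets, src, dst):
    """Same test as: tcp.flags == 0x02 and ip.src == src and ip.dst == dst.
    Returns {destination port: [source ports]}."""
    hits = defaultdict(list)
    for pkt in packets:
        if pkt[9] != 6:                      # IPv4 protocol field: 6 = TCP
            continue
        ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        flags = pkt[ihl + 13]                # TCP flags byte
        if (flags == SYN                     # exact match: SYN and nothing else
                and socket.inet_ntoa(pkt[12:16]) == src
                and socket.inet_ntoa(pkt[16:20]) == dst):
            hits[dport].append(sport)
    return dict(hits)

CLIENT, SERVER = "10.201.62.78", "10.201.62.249"
# Constructed sample: the six SYNs from the listing plus non-matching traffic.
SAMPLE = [build_packet(CLIENT, SERVER, p, 10010, SYN)
          for p in range(53161, 53167)]
SAMPLE += [
    build_packet(SERVER, CLIENT, 10010, 53161, SYN | ACK),  # reply, flags 0x12
    build_packet(CLIENT, SERVER, 53161, 10010, ACK),        # handshake ACK, 0x10
]

if __name__ == "__main__":
    print(initial_syns(SAMPLE, CLIENT, SERVER))
```

Because the comparison is an exact match on 0x02, a SYN/ACK (0x12) is excluded even when the addresses match.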