Previous Section  < Day Day Up >  Next Section

2.6 Examining tcpdump Output

The more data collected by tcpdump, the clearer the content of the network traffic stream becomes. Here is another example of a tcpdump capture:

14:02:09.181190 > S 1191864640:1191864640(0) 

win 5840 <mss 1460,sackOK,timestamp 238617 0,nop,wscale 0> (DF)

Here's what each field in this output means:



Hostname and source port

Hostname and destination port (translated to FTP)


First character of the TCP flag: PSH, RST, SYN, FIN (the ACK flag is shown somewhere else)


Initial sequence number from source


Ending sequence number, which is the initial sequence number plus the size of the packet in data bytes


Data bytes or payload size of this TCP packet

win 5840

Size of the receiving data window

The data within the < and > characters are the TCP options; they ensure safe and effective delivery of the packet. While there are some techniques where an attacker can gather information about a host based upon how they respond to strange settings in these options, their real importance is most often secondary to what is contained in the main header and data payload of the packet. Here are the options for the packet we're examining:

mss 1460

Max-segment-size or mss option (TCP option)


Selective acknowledgement permitted (TCP option)

timestamp 238617

Round-trip delivery time used for tracking changes in latency that may require acknowledgment timer adjustments (TCP option)


No operation provides padding around other options; useful for acknowledging receipt of packets without forcing resends (TCP option)

wscale 0

Window scale (not to be confused with the standard TCP header field of window size) used for recording the bytes of buffer space the host has for receiving data (TCP option)


The "don't fragment" bit is set

The tcpdump output shows this packet to be a connection request from to establish an FTP connection to While older versions of tcpdump might display only the port number, port 21 resolves here to the FTP service. This is resolved using the /etc/services file.

A useful parameter for tcpdump is the -n or -nn switch, which tells tcpdump not to resolve hostnames and services. It's commonly used on hosts that are not able to properly resolve hostnames, i.e., without DNS access or /etc/hosts entries. In cases such as these, tcpdump may delay output or even drop packets. It's also a good idea to get used to looking at packet captures without DNS enabled.

Because this is the first step in establishing a session, the SYN flag is sent, identifiable by the S option in the tcpdump output (this will be covered more closely when we discuss the TCP three-way handshake). The initial beginning and ending sequence numbers are the same, since no data is being sent. In most cases, no data is sent until the three-way handshake is completed. There are exceptions to this rule; RFC 793 points out that data can be sent prior to completion of the handshake and that not all handshakes receive completion. In any case, a packet that doesn't conform to the protocol's established standards should be considered suspicious.

    Previous Section  < Day Day Up >  Next Section