Packet capture results

Nov 2nd, 2007

Can someone tell me what the "S" and "R" mean after the IP address and port number in this capture?

Also, what is the "sackok"?

This was taken from a PIX firewall.


14:14:48.625028 10.1.20.1.52132 > 192.168.1.8.445: S 1109456674:1109456674(0) win 5840 <mss 1460,sackOK,timestamp 2272115942[|tcp]>

14:14:48.625089 192.168.1.8.445 > 10.1.20.1.52132: R 0:0(0) ack 1109456675 win 5840 <mss 1460,sackOK,timestamp 2272115942[|tcp]>

14:14:48.625471 10.1.20.1.52133 > 192.168.1.8.139: S 1111528719:1111528719(0) win 5840 <mss 1460,sackOK,timestamp 2272115942[|tcp]>

14:14:48.625516 192.168.1.8.139 > 10.1.20.1.52133: R 0:0(0) ack 1111528720 win 5840 <mss 1460,sackOK,timestamp 2272115942[|tcp]>

Richard Burts Fri, 11/02/2007 - 13:02

Richard


I believe that S = sent and R = Received. I am not clear about sack but it appears to be OK (perhaps a sequencing thing?).


HTH


Rick

bmbreer Fri, 11/02/2007 - 14:34

If it's like the output from tcpdump, then the S means that the SYN bit in the TCP header is set and the R means that the RST bit in the TCP header is set.
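
Added example, not part of the original thread: a short Python parser for the tcpdump-style lines quoted in the question, decoding the flag letters as described in the reply above and the option keywords (sackOK is how tcpdump prints the TCP SACK-permitted option, and [|tcp] marks a header cut short by the capture length). The function and variable names are assumptions made for illustration; the capture lines are the ones from the question with the wrapped lines rejoined.

```python
import re

# Flag letters and option keywords as legacy tcpdump-style output prints them.
FLAGS = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", ".": "none"}
OPTIONS = {"mss": "maximum segment size", "sackOK": "SACK permitted",
           "timestamp": "TCP timestamp", "wscale": "window scale", "nop": "no-op"}

LINE = re.compile(
    r"(?P<time>\S+) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFPRWE.]+) "
    r"(?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?.*?<(?P<opts>[^>]*)>")

# The four lines from the question, with the wrapped lines rejoined.
CAPTURE = [
    "14:14:48.625028 10.1.20.1.52132 > 192.168.1.8.445: S 1109456674:1109456674(0) win 5840 <mss 1460,sackOK,timestamp 2272115942[|tcp]>",
    "14:14:48.625089 192.168.1.8.445 > 10.1.20.1.52132: R 0:0(0) ack 1109456675 win 5840 <mss 1460,sackOK,timestamp 2272115942[|tcp]>",
    "14:14:48.625471 10.1.20.1.52133 > 192.168.1.8.139: S 1111528719:1111528719(0) win 5840 <mss 1460,sackOK,timestamp 2272115942[|tcp]>",
    "14:14:48.625516 192.168.1.8.139 > 10.1.20.1.52133: R 0:0(0) ack 1111528720 win 5840 <mss 1460,sackOK,timestamp 2272115942[|tcp]>",
]

def parse(line):
    """Decode one capture line; returns None if the line does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = [FLAGS.get(c, c) for c in rec["flags"]]
    rec["truncated"] = "[|tcp]" in rec["opts"]  # capture cut the header short
    names = [o.split()[0] for o in rec["opts"].replace("[|tcp]", "").split(",") if o.strip()]
    rec["opts"] = [OPTIONS.get(n, n) for n in names]
    return rec

def reset_ports(lines):
    """Return (ip, port) targets whose SYN was answered by an RST acking seq + 1."""
    pending, reset = {}, []
    for rec in filter(None, map(parse, lines)):
        if "SYN" in rec["flags"]:
            pending[int(rec["seq"]) + 1] = (rec["dst"], int(rec["dport"]))
        elif "RST" in rec["flags"] and rec["ack"]:
            target = pending.pop(int(rec["ack"]), None)
            if target == (rec["src"], int(rec["sport"])):
                reset.append(target)
    return reset

if __name__ == "__main__":
    for line in CAPTURE:
        rec = parse(line)
        print(rec["src"], rec["sport"], "->", rec["dst"], rec["dport"], rec["flags"], rec["opts"])
    print("reset:", reset_ports(CAPTURE))
```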
