Packet capture results

Unanswered Question
Nov 2nd, 2007

Can someone tell me what the "S" and "R" mean after the IP address and port number in this capture?

Also what is the "sackok"?

This was taken from a PIX firewall.

14:14:48.625028 10.1.20.1.52132 > 192.168.1.8.445: S 1109456674:1109456674(0) win 5840 <mss 1460,sackOK,timestamp 2272115942[|tcp]>

14:14:48.625089 192.168.1.8.445 > 10.1.20.1.52132: R 0:0(0) ack 1109456675 win 5840 <mss 1460,sackOK,timestamp 2272115942[|tcp]>

14:14:48.625471 10.1.20.1.52133 > 192.168.1.8.139: S 1111528719:1111528719(0) win 5840 <mss 1460,sackOK,timestamp 2272115942[|tcp]>

14:14:48.625516 192.168.1.8.139 > 10.1.20.1.52133: R 0:0(0) ack 1111528720 win 5840 <mss 1460,sackOK,timestamp 2272115942[|tcp]>

Richard Burts Fri, 11/02/2007 - 13:02

Richard

I believe that S = sent and R = Received. I am not clear about sack but it appears to be OK (perhaps a sequencing thing?).

HTH

Rick

bmbreer Fri, 11/02/2007 - 14:34

If it's like the output from tcpdump, then the S means that the SYN bit in the TCP header is set and the R means that the RST bit in the TCP header is set.
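An added example, not part of the original thread: a small Python decoder for the capture lines in the question, assuming they follow tcpdump's legacy text format as the reply above suggests. It maps the flag letters and option names to their TCP meanings (sackOK is the SACK-permitted option) and pairs each SYN with the RST that acknowledges its sequence number plus one. The function names and the sample string are constructed for this example.

```python
import re

# Constructed sample: the first two capture lines from the question, rejoined.
SAMPLE = """\
14:14:48.625028 10.1.20.1.52132 > 192.168.1.8.445: S 1109456674:1109456674(0) win 5840 <mss 1460,sackOK,timestamp 2272115942[|tcp]>
14:14:48.625089 192.168.1.8.445 > 10.1.20.1.52132: R 0:0(0) ack 1109456675 win 5840 <mss 1460,sackOK,timestamp 2272115942[|tcp]>
"""

# Flag letters and option names as printed in tcpdump's legacy output.
FLAGS = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", ".": "none"}
OPTIONS = {"mss": "maximum segment size", "sackOK": "SACK permitted",
           "timestamp": "TCP timestamp"}

LINE = re.compile(
    r"(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPR.]+)"
    r"(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?(?: <(?P<opts>.*)>)?"
)

def parse(line):
    """Decode one capture line into a dict, or return None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    # "[|tcp]" means the capture was truncated before the options ended.
    opts = re.sub(r"\[\|tcp\]$", "", m["opts"] or "")
    names = [o.split()[0] for o in opts.split(",") if o.strip()]
    return {
        "src": m["src"], "dst": m["dst"],
        "flags": [FLAGS[f] for f in m["flags"]],
        "seq": int(m["seq"]) if m["seq"] else None,
        "ack": int(m["ack"]) if m["ack"] else None,
        "options": [OPTIONS.get(n, n) for n in names],
    }

def refused(packets):
    """Return (client, server) pairs where a SYN was answered by an RST acking seq + 1."""
    syns = {(p["src"], p["dst"]): p["seq"] for p in packets if "SYN" in p["flags"]}
    return [(p["dst"], p["src"]) for p in packets
            if "RST" in p["flags"] and p["ack"] is not None
            and syns.get((p["dst"], p["src"])) == p["ack"] - 1]

packets = [p for p in map(parse, SAMPLE.splitlines()) if p]
for p in packets:
    print(p["src"], "->", p["dst"], p["flags"], p["options"])
print("refused:", refused(packets))
```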
