Packet capture results

wilson_1234_2 · ‎11-02-2007

Can someone tell me what the "S" and "R" mean after the ip address and port number in this capture?

Also what is the "sackok"?

This was taken from a PIX firewall

14:14:48.625028 10.1.20.1.52132 > 192.168.1.8.445: S 1109456674:1109456674(0) win 5840 <mss

1460,sackOK,timestamp 2272115942[|tcp]>

14:14:48.625089 192.168.1.8.445 > 10.1.20.1.52132: R 0:0(0) ack 1109456675 win 5840 <mss 146

0,sackOK,timestamp 2272115942[|tcp]>

14:14:48.625471 10.1.20.1.52133 > 192.168.1.8.139: S 1111528719:1111528719(0) win 5840 <mss

1460,sackOK,timestamp 2272115942[|tcp]>

14:14:48.625516 192.168.1.8.139 > 10.1.20.1.52133: R 0:0(0) ack 1111528720 win 5840 <mss 146

0,sackOK,timestamp 2272115942[|tcp]>

Richard Burts · ‎11-02-2007

Richard

I believe that S = sent and R = Received. I am not clear about sack but it appears to be OK (perhaps a sequencing thing?).

HTH

Rick

HTH

Rick

wilson_1234_2 · ‎11-02-2007

Thanks.

bmbreer · ‎11-02-2007

If it's like the output from tcpdump then the S means that SYN bit in the TCP header is set and the R means that RST bit in the TCP header is set.