Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Packet capture results

Can someone tell me what the "S" and "R" mean after the ip address and port number in this capture?

Also what is the "sackok"?

This was taken from a PIX firewall

14:14:48.625028 10.1.20.1.52132 > 192.168.1.8.445: S 1109456674:1109456674(0) win 5840 <mss

1460,sackOK,timestamp 2272115942[|tcp]>

14:14:48.625089 192.168.1.8.445 > 10.1.20.1.52132: R 0:0(0) ack 1109456675 win 5840 <mss 146

0,sackOK,timestamp 2272115942[|tcp]>

14:14:48.625471 10.1.20.1.52133 > 192.168.1.8.139: S 1111528719:1111528719(0) win 5840 <mss

1460,sackOK,timestamp 2272115942[|tcp]>

14:14:48.625516 192.168.1.8.139 > 10.1.20.1.52133: R 0:0(0) ack 1111528720 win 5840 <mss 146

0,sackOK,timestamp 2272115942[|tcp]>

3 REPLIES
Hall of Fame Super Silver

Re: Packet capture results

Richard

I believe that S = sent and R = Received. I am not clear about sack but it appears to be OK (perhaps a sequencing thing?).

HTH

Rick

New Member

Re: Packet capture results

Thanks.

New Member

Re: Packet capture results

If it's like the output from tcpdump then the S means that SYN bit in the TCP header is set and the R means that RST bit in the TCP header is set.

310
Views
5
Helpful
3
Replies