Understanding tcpdump output

  • KM537420
  • 24-Dec-2008
  • 27-May-2021

Summary

In this article I will dissect the output of the tcpdump command. This utility is often used when troubleshooting Server Automation communication.

Reference

The following command captures on the eth0 network interface and shows only packets whose source or destination port is 110 (POP3).

# tcpdump -i eth0 port 110

15:04:49.050227 windbag.34348 > venus.domain.com.pop3: S 2974284112:2974284112(0) win 5840 <mss 1460,sackOK,timestamp 995173 0,nop,wscale 0> (DF)
15:04:49.190076 venus.domain.com.pop3 > windbag.34348: S 2862911212:2862911212(0) ack 2974284113 win 5840 <mss 1460> (DF)
15:04:49.190168 windbag.34348 > venus.domain.com.pop3: . ack 1 win 5840 (DF)

Handshake Dissection

There is a whole lot going on here, which I shall now deign to explain.

15:04:49.050227 is the timestamp, in hh:mm:ss.fraction format.

windbag.34348 > is the originating host and port.

venus.domain.com.pop3: is the destination host and port. tcpdump prints the service name instead of the port number when it knows one (see /etc/services).

S is the SYN flag, marking this packet as the first part of the three-way TCP handshake (SYN, SYN/ACK, ACK).

2974284112:2974284112 is the byte sequence/range. The initial sequence number (ISN) is generated randomly. Then sequence numbers for the rest of the bytes in the connection are incremented by 1 from the ISN. Since no data are exchanged at this stage, both numbers are the same.

win 5840 is the window size, or the number of bytes of buffer space the host has available for receiving data.

mss 1460 is the maximum segment size, or maximum IP datagram size that can be handled without using fragmentation. Both sides of the connection must agree on a value; if they are different, the lower value is used.

sackOK means "selective acknowledgments," or allow the receiver to acknowledge packets out of sequence. Originally, packets could only be acknowledged in sequence. So if the third packet out of a thousand packets received went missing, the host could only acknowledge the receipt of the first two packets, and the sender would have to resend all packets from number three through one thousand. sackOK allows only the missing third packet to be re-sent.

timestamp 995173 0 measures the round-trip time. There are two fields: the Timestamp Value and the Timestamp Echo Reply. On the first exchange, the Echo Reply is set to 0. When the second host receives that packet, it transfers the timestamp from the old packet's Timestamp Value field to the new packet's Timestamp Echo Reply field. Then it generates a new value for the Timestamp Value field. So the Timestamp Value field contains the latest timestamp, while the Timestamp Echo Reply field contains the previous timestamp.

nop, or "no operation," is just padding. TCP options must be multiples of 4 bytes, so nop is used to pad undersized fields.

wscale 0 is a nifty hack to get around the original window size limitation of 65,535 bytes, because the window size field is only 16 bits long. wscale provides for a full gigabyte of buffer. Both sides of the connection must support this and agree; otherwise the window size does not change.

(DF) means "don't fragment."

TCP Header Flags

U, URG (1 bit): urgent pointer valid flag.

A, ACK (1 bit): acknowledgment number valid flag.

P, PSH (1 bit): push flag.

R, RST (1 bit): reset connection flag.

S, SYN (1 bit): synchronize sequence numbers flag.

F, FIN (1 bit): end of data flag.
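As an added example (not part of the original article), the following Python script parses the three handshake lines above into their fields (timestamp, endpoints, flags, sequence range, ack, window, options) and checks that they form a consistent SYN, SYN/ACK, ACK exchange. It assumes the legacy tcpdump line format shown in this article, where the ACK flag appears as "ack N" rather than as a letter; the sample lines are embedded as constructed input.

```python
import re

# Constructed sample: the three handshake lines from the article, in the legacy
# tcpdump line format (host.port endpoints, "." meaning no flag other than ACK).
SAMPLE = """\
15:04:49.050227 windbag.34348 > venus.domain.com.pop3: S 2974284112:2974284112(0) win 5840 <mss 1460,sackOK,timestamp 995173 0,nop,wscale 0> (DF)
15:04:49.190076 venus.domain.com.pop3 > windbag.34348: S 2862911212:2862911212(0) ack 2974284113 win 5840 <mss 1460> (DF)
15:04:49.190168 windbag.34348 > venus.domain.com.pop3: . ack 1 win 5840 (DF)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRU.]+)"
    r"(?: (?P<lo>\d+):(?P<hi>\d+)\((?P<len>\d+)\))?"  # seq range, absent on pure ACKs
    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?"
    r"(?: <(?P<opts>[^>]*)>)?(?: \((?P<df>DF)\))?\s*$"
)

def parse_line(line):
    """Turn one legacy-format tcpdump TCP line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    flags = set(d["flags"]) - {"."}
    if d["ack"] is not None:        # ACK is shown as "ack N", not as a flag letter
        flags.add("A")
    opts = {}
    for opt in (d["opts"] or "").split(","):
        name, _, val = opt.strip().partition(" ")
        if name:                    # mss 1460 -> 1460, sackOK -> True, timestamp -> "995173 0"
            opts[name] = int(val) if val.isdigit() else (val or True)
    return {
        "ts": d["ts"],
        "src": tuple(d["src"].rsplit(".", 1)), "dst": tuple(d["dst"].rsplit(".", 1)),
        "flags": flags,
        "seq": (int(d["lo"]), int(d["hi"])) if d["lo"] else None,
        "ack": int(d["ack"]) if d["ack"] else None,
        "win": int(d["win"]) if d["win"] else None,
        "opts": opts, "df": d["df"] == "DF",
    }

def is_handshake(packets):
    """True if the first three packets form a consistent SYN, SYN/ACK, ACK exchange."""
    if len(packets) < 3:
        return False
    syn, synack, ack = packets[:3]
    return (syn["flags"] == {"S"} and synack["flags"] == {"S", "A"}
            and (synack["src"], synack["dst"]) == (syn["dst"], syn["src"])
            and synack["ack"] == syn["seq"][0] + 1      # SYN/ACK acknowledges ISN + 1
            and ack["flags"] == {"A"} and ack["ack"] == 1  # tcpdump now prints relative numbers
            and ack["src"] == syn["src"])

if __name__ == "__main__":
    pkts = [parse_line(l) for l in SAMPLE.splitlines()]
    for p in pkts:
        print(p["ts"], p["src"], "->", p["dst"], sorted(p["flags"]), p["opts"])
    print("handshake complete:", is_handshake(pkts))
```

Newer tcpdump versions print flags in the form "Flags [S.]" and relative sequence numbers by default, so the regex would need adjusting for that output.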