Great Circle Associates Firewalls
(December 1996)

Subject: Q: Plain TCP packet vs. SYN packet
From: Brian Stormont <brian_stormont@corfu.projo.com>
Organization: The Providence Journal Company
Date: Tue, 10 Dec 1996 19:12:14 -0500
To: Firewalls@GreatCircle.COM

Hi,

   I've been monitoring some network traffic from a questionable site,
and there's something about the traffic that confuses me.  I'm using
snoop under Solaris, and am storing the output to a file which I
periodically check to see what the site has been trying lately.

Here's a snippet of the logs (note, I changed the IP source and destination to
X and Y for privacy reasons):


183 1:21:11.08931 X -> Y length:   60  TCP D=80 S=2990 Syn
Seq=4088659968 Len=0 Win=4500
184 1:21:11.08991 Y -> X length:   54  TCP D=2990 S=80 Rst
Ack=4088659969 Win=0
185 1:21:11.36522 X -> Y length:   60  TCP D=80 S=2990 Syn
Seq=4107337728 Len=0 Win=4500
186 1:21:11.36581 Y -> X length:   54  TCP D=2990 S=80 Rst
Ack=4107337729 Win=0
187 1:21:11.65607 X -> Y length:   60  TCP D=80 S=2990 Syn
Seq=4125294592 Len=0 Win=4500
188 1:21:11.65644 Y -> X length:   54  TCP D=2990 S=80 Rst
Ack=4125294593 Win=0
189 1:21:11.90320 X -> Y length:   60  TCP D=80 S=2990 Syn
Seq=4143972352 Len=0 Win=4500
190 1:21:11.90357 Y -> X length:   54  TCP D=2990 S=80 Rst
Ack=4143972353 Win=0
[.....]

And in another instance:

  1 11:59:21.22242 X -> Y length:   60  TELNET C port=1078 
  2 11:59:21.22393 Y -> X length:   58  TELNET R port=1078 
  3 11:59:21.28657 X -> Y length:   60  TELNET C port=1078 
  4 11:59:21.33055 X -> Y length:   81  TELNET C port=1078 
  5 11:59:21.38164 Y -> X length:   54  TELNET R port=1078 
  6 11:59:22.58280 Y -> X length:   54  TELNET R port=1078 
[....]


Now what I'm confused about is why an attempted connection to port
80 sometimes appears in the Syn/Ack form and sometimes appears as
just plain "TELNET" in the output.

I'm running tcpd to block telnet connections from site X; however, the
"Syn" packets above do not cause tcpd to log anything, yet the "TELNET"
logged packets do.

If I try to simulate a connection attempt myself, snoop only shows
"TELNET" packets. No Syn or Ack packets are logged.


So, my question is, what would generate just Syn packets aimed at port
80, without waking up tcpd, and why do normal telnet requests that DO
get caught by tcpd NOT generate Syn/Ack traffic?

Am I missing something obvious?


-brian

------------------------------------
brian_stormont@corfu.projo.com
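In the first trace every SYN to port 80 is answered at once by an RST, so no connection is ever set up. The parser below is an added example, not part of the original post: it reads snoop TCP summary lines of the shape quoted above and separates SYNs refused with RST from completed three-way handshakes. The sample frames and the host names X and Y are constructed in that shape (frames 190-192 are an invented handshake for contrast); snoop's service-summarised lines such as the "TELNET C port=1078" ones are not parsed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of snoop's TCP summary lines quoted in the post
# (frames 183-186 are its SYN/RST pattern; 190-192 add a constructed full handshake).
SNOOP_SAMPLE = """\
183 1:21:11.08931 X -> Y length:   60  TCP D=80 S=2990 Syn Seq=4088659968 Len=0 Win=4500
184 1:21:11.08991 Y -> X length:   54  TCP D=2990 S=80 Rst Ack=4088659969 Win=0
185 1:21:11.36522 X -> Y length:   60  TCP D=80 S=2990 Syn Seq=4107337728 Len=0 Win=4500
186 1:21:11.36581 Y -> X length:   54  TCP D=2990 S=80 Rst Ack=4107337729 Win=0
190 1:21:12.01000 X -> Y length:   60  TCP D=23 S=3001 Syn Seq=500 Len=0 Win=4500
191 1:21:12.01100 Y -> X length:   60  TCP D=3001 S=23 Syn Ack=501 Seq=900 Len=0 Win=8760
192 1:21:12.01200 X -> Y length:   54  TCP D=23 S=3001 Ack=901 Seq=501 Len=0 Win=4500
"""
FRAME = re.compile(r"^\s*\d+\s+\S+\s+(\S+) -> (\S+)\s+length:\s*\d+\s+TCP D=(\d+) S=(\d+)\s*(.*)$")

def classify_flows(text):
    """Map (client, server, sport, dport) -> (state, SYN count). 'refused' = SYN met by
    RST: the port is closed, no connection exists, so tcpd (run at accept) sees nothing."""
    flows = defaultdict(Counter)
    for line in text.splitlines():
        m = FRAME.match(line)
        if not m:
            continue                                   # not a TCP summary line
        src, dst, dport, sport, rest = m.groups()
        toks = rest.split()
        syn, rst = "Syn" in toks, "Rst" in toks
        ack = any(t.startswith("Ack=") for t in toks)
        if syn and not ack:
            flows[(src, dst, sport, dport)]["syn"] += 1      # client's initial SYN
        elif syn:
            flows[(dst, src, dport, sport)]["synack"] += 1   # server's SYN/ACK
        elif rst:
            flows[(dst, src, dport, sport)]["rst"] += 1      # server refuses
        elif ack:
            flows[(src, dst, sport, dport)]["ack"] += 1      # client's final ACK
    result = {}
    for key, seen in flows.items():
        if not seen["syn"]:
            continue                                   # never saw the client's SYN
        state = "refused" if seen["rst"] else "completed" if seen["synack"] and seen["ack"] else "incomplete"
        result[key] = (state, seen["syn"])
    return result

def refused_probes(text):
    """Refused SYNs per (source host, destination port): repeated ones look like a scan."""
    counts = Counter()
    for (client, _, _, dport), (state, n) in classify_flows(text).items():
        if state == "refused":
            counts[(client, int(dport))] += n
    return dict(counts)
```

On the constructed sample, `refused_probes(SNOOP_SAMPLE)` reports two refused SYNs from X to port 80, while the port 23 flow is classified as a completed handshake.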
