For you IT guys who want a challenge! [analysing TCP packets]
Join Date: Aug 2007
Posts: 728
What are the meaning, structure and contents of these 14 TCP/IP packets:
1. 13:12:49.751403 arp who-has 192.168.246.13 (Broadcast) tell 192.168.246.128
2. 13:12:49.751602 arp reply 192.168.246.13 is-at 00:00:01:0f:2e:7e
3. 13:12:50.441259 IP 192.168.246.13.137 > 192.168.246.128.137: UDP, length 50
4. 13:12:50.441632 IP 192.168.246.128 > 192.168.246.13: ICMP 192.168.246.128 udp port 137 unreachable, length 86
5. 13:12:51.942563 IP 192.168.246.13.137 > 192.168.246.128.137: UDP, length 50
6. 13:12:51.943277 IP 192.168.246.128 > 192.168.246.13: ICMP 192.168.246.128 udp port 137 unreachable, length 86
7. 13:12:53.444627 IP 192.168.246.13.137 > 192.168.246.128.137: UDP, length 50
8. 13:12:53.445343 IP 192.168.246.128 > 192.168.246.13: ICMP 192.168.246.128 udp port 137 unreachable, length 86
9. 13:13:02.738990 IP 192.168.246.128.39886 > 192.168.246.13.80: . ack 1611053795 win 3072
10. 13:13:02.739053 IP 192.168.246.13.80 > 192.168.246.128.39886: R 1611053795:1611053795(0) win 0
11. 13:13:22.407445 IP 192.168.246.128.54955 > 192.168.246.13.80: S 2910497703:2910497703(0) win 5840 <mss 1460,sackOK,timestamp 518611 0,nop,wscale 6>
12. 13:13:22.407560 IP 192.168.246.13.80 > 192.168.246.128.54955: S 3762608065:3762608065(0) ack 2910497704 win 64240 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
13. 13:13:22.407963 IP 192.168.246.128.54955 > 192.168.246.13.80: . ack 1 win 92 <nop,nop,timestamp 518611 0>
14. 13:13:22.408321 IP 192.168.246.128.54955 > 192.168.246.13.80: R 1:1(0) ack 1 win 92 <nop,nop,timestamp 518611 0>
Last edited by ZwiFT; 11-06-2011 at 04:31 PM.
Join Date: Aug 2004
Posts: 10,515
Well, I'm an "IT guy", but analyzing network packets isn't my thing entirely, especially when it comes to not knowing what I'm checking for - meaning, what action happened on the systems that would cause network traffic. I'm a systems "IT guy".
I can tell you generically this though:
The computer with IP 192.168.246.128 was trying to find the computer that has IP address 192.168.246.13 and the computer with that IP responded with its MAC address. Totally normal type response.
Then some communication was attempted via NetBIOS (port 137), which doesn't really exist anymore and hasn't since Windows 98. NetBIOS has long been encapsulated within TCP/IP since XP if so chosen, but it could still be exposed directly.
Then it looks like some communication to .13 over port 80 (web site port) from the .128 computer was attempted, but nothing was actually requested, just a port check.
What exactly transpired to cause this traffic I couldn't begin to tell you though. Perhaps a Windows Media PC (MythTV?) you are using for streaming? Roku device? A networked printer? shrug
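The exchanges in the capture, worked through as an added example that is not part of either post: a small parser for the classic tcpdump line format (FLAGS, seq:seq(len), ack N, win N) that groups the 14 lines into four exchanges and labels each one. The CAPTURE string is the OP's 14 lines with the numbering stripped; the verdict wording is mine, and the branches for patterns the capture does not contain (a SYN answered by RST, a probe with no reply at all, a UDP datagram that draws no ICMP error) are assumptions about what those patterns would mean, not anything the thread shows.

```python
import re
from collections import OrderedDict

# The post's 14 packets, numbering stripped (addresses and ports are the post's own).
CAPTURE = """\
13:12:49.751403 arp who-has 192.168.246.13 (Broadcast) tell 192.168.246.128
13:12:49.751602 arp reply 192.168.246.13 is-at 00:00:01:0f:2e:7e
13:12:50.441259 IP 192.168.246.13.137 > 192.168.246.128.137: UDP, length 50
13:12:50.441632 IP 192.168.246.128 > 192.168.246.13: ICMP 192.168.246.128 udp port 137 unreachable, length 86
13:12:51.942563 IP 192.168.246.13.137 > 192.168.246.128.137: UDP, length 50
13:12:51.943277 IP 192.168.246.128 > 192.168.246.13: ICMP 192.168.246.128 udp port 137 unreachable, length 86
13:12:53.444627 IP 192.168.246.13.137 > 192.168.246.128.137: UDP, length 50
13:12:53.445343 IP 192.168.246.128 > 192.168.246.13: ICMP 192.168.246.128 udp port 137 unreachable, length 86
13:13:02.738990 IP 192.168.246.128.39886 > 192.168.246.13.80: . ack 1611053795 win 3072
13:13:02.739053 IP 192.168.246.13.80 > 192.168.246.128.39886: R 1611053795:1611053795(0) win 0
13:13:22.407445 IP 192.168.246.128.54955 > 192.168.246.13.80: S 2910497703:2910497703(0) win 5840 <mss 1460,sackOK,timestamp 518611 0,nop,wscale 6>
13:13:22.407560 IP 192.168.246.13.80 > 192.168.246.128.54955: S 3762608065:3762608065(0) ack 2910497704 win 64240 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
13:13:22.407963 IP 192.168.246.128.54955 > 192.168.246.13.80: . ack 1 win 92 <nop,nop,timestamp 518611 0>
13:13:22.408321 IP 192.168.246.128.54955 > 192.168.246.13.80: R 1:1(0) ack 1 win 92 <nop,nop,timestamp 518611 0>
"""

ARP_RE = re.compile(r"^\S+ arp (?P<op>who-has|reply) (?P<ip>\S+)(?: is-at (?P<mac>\S+))?")
IP_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
# classic tcpdump TCP syntax: FLAGS [seq:seq(len)] [ack N] win N [<options>]
TCP_RE = re.compile(r"^(?P<flags>[SRPFWE.]+)(?: \d+:\d+\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))? win \d+")
UDP_RE = re.compile(r"^UDP, length (?P<len>\d+)")
ICMP_RE = re.compile(r"^ICMP \S+ udp port (?P<port>\d+) unreachable")

def endpoint(ep):
    # 'a.b.c.d.port' -> ('a.b.c.d', port); a bare address (ICMP lines) -> (addr, None)
    if ep.count(".") == 4:
        host, port = ep.rsplit(".", 1)
        return host, int(port)
    return ep, None

def parse_packet(line):
    m = ARP_RE.match(line)
    if m:
        return {"proto": "arp", "op": m["op"], "ip": m["ip"], "mac": m["mac"]}
    m = IP_RE.match(line)
    if not m:
        raise ValueError("unrecognised line: " + line)
    (src, sport), (dst, dport) = endpoint(m["src"]), endpoint(m["dst"])
    pkt = {"src": src, "sport": sport, "dst": dst, "dport": dport}
    t, u, i = (r.match(m["rest"]) for r in (TCP_RE, UDP_RE, ICMP_RE))
    if t:
        pkt.update(proto="tcp", flags=t["flags"], ack=t["ack"], len=int(t["len"] or 0))
    elif u:
        pkt.update(proto="udp", len=int(u["len"]))
    elif i:
        pkt.update(proto="icmp", uport=int(i["port"]))  # the UDP port reported unreachable
    else:
        raise ValueError("unrecognised payload: " + m["rest"])
    return pkt

def flow_key(pkt):
    # ARP by target IP; a UDP probe together with the ICMP error it drew; TCP by 4-tuple
    if pkt["proto"] == "arp":
        return ("arp", pkt["ip"])
    hosts = tuple(sorted([pkt["src"], pkt["dst"]]))
    if pkt["proto"] in ("udp", "icmp"):
        return ("udp", hosts, pkt["dport"] if pkt["proto"] == "udp" else pkt["uport"])
    return ("tcp", tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])))

def arp_verdict(pkts):
    macs = [p["mac"] for p in pkts if p["op"] == "reply"]
    if macs:
        return "ARP: %s is-at %s (normal address resolution)" % (pkts[0]["ip"], macs[0])
    return "ARP: who-has %s went unanswered" % pkts[0]["ip"]  # assumed meaning, not in the capture

def udp_verdict(pkts):
    sent = [p for p in pkts if p["proto"] == "udp"]
    n, src, dst, port = len(sent), sent[0]["src"], sent[0]["dst"], sent[0]["dport"]
    if any(p["proto"] == "icmp" for p in pkts):
        return "UDP/%d: %d datagram(s) %s -> %s, each answered by ICMP port unreachable: nothing listening on %s:%d" % (port, n, src, dst, dst, port)
    return "UDP/%d: %d datagram(s) %s -> %s, no ICMP error: open or filtered" % (port, n, src, dst)

def tcp_verdict(pkts):
    client = (pkts[0]["src"], pkts[0]["sport"])
    mine = [p for p in pkts if (p["src"], p["sport"]) == client]
    theirs = [p for p in pkts if (p["src"], p["sport"]) != client]
    target = "TCP %s:%d" % (pkts[0]["dst"], pkts[0]["dport"])
    reply = theirs[0]["flags"] if theirs else ""
    if mine[0]["flags"] == "." and mine[0]["ack"]:  # bare ACK with no SYN before it: an ACK probe
        return target + (": unsolicited ACK answered by RST: unfiltered, open/closed unknown" if "R" in reply
                         else ": unsolicited ACK drew no RST: filtered")
    if mine[0]["flags"] != "S" or mine[0]["ack"]:
        return target + ": unclassified flags " + " ".join(p["flags"] for p in pkts)
    if "R" in reply:
        return target + ": SYN answered by RST: closed"
    if "S" not in reply:
        return target + ": SYN unanswered: filtered"
    data = sum(p["len"] for p in mine)
    if data == 0 and any("R" in p["flags"] for p in mine):
        return target + ": handshake completed, then client RST without sending a byte: open, connect-style probe, no request"
    return target + ": handshake completed, client sent %d byte(s)" % data

def analyse(text):
    # returns (parsed packets, one verdict per exchange in capture order)
    packets = [parse_packet(l) for l in text.splitlines() if l.strip()]
    flows = OrderedDict()
    for p in packets:
        flows.setdefault(flow_key(p), []).append(p)
    fns = {"arp": arp_verdict, "udp": udp_verdict, "tcp": tcp_verdict}
    return packets, [fns[k[0]](v) for k, v in flows.items()]
```

Two things the parser makes explicit that are easy to misread by eye: the UDP/137 datagrams travel from .13 to .128 (it is .128 that has no NetBIOS name service listening, hence the ICMP port unreachable from .128), and the port-80 traffic from .128 is two separate probes, a bare ACK that .13 answers with RST and, twenty seconds later, a full SYN / SYN-ACK / ACK handshake that .128 tears down with RST without sending a single byte. Read together with the ARP lookup at the start, that is my reading of .128 checking .13's port 80 rather than fetching anything from it, which matches the "just a port check" above.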
Join Date: Aug 2007
Posts: 728
Thanks for the reply =) It helped me some. This is for a school assignment I'm struggling with. So I have no other information than what I gave you!