Honeypots mailing list archives
Re: honeyd logs
From: Niels Provos <provos () citi umich edu>
Date: Wed, 28 Jan 2004 11:36:08 -0500
On Wed, Jan 28, 2004 at 04:48:07AM -0800, Thomas Jones wrote:
> On Tuesday 27 January 2004 09:53 am, Mauricio Smythe wrote:
> > Hi All,
> > Can you tell me please what is the difference between these honeyd logs:
> > 1) 2004-01-16-13:23:14.0175 tcp(6) S xx.xx.xx.xx 32770 yy.yy.yy.yy 80
> > 2) 2004-01-16-13:23:14.0869 tcp(6) E xx.xx.xx.xx 32770 yy.yy.yy.yy 80: 0 0
> > 3) 2004-01-16-14:10:47.0133 tcp(6) - aa.aa.aa.aa 1025 bb.bb.bb.bb 1133: 40 RA
> > In 1) what does the "S" mean?
> Let me see if I can decipher them for you!
> "S" = SYN flag set
> > In 2) what does the "E" mean, and why does it end with 80: 0 0, different than the first one?
> "E" = ECN flag set
> "0" = Type 0 codepoint for the ECT?
> > In 3) what do the "-" and the 40 RA mean?
> "-" = no flags
> "RA" = RST and ACK flags set
Actually, S stands for start of connection and E stands for end of connection. The first 0 is the number of bytes received and the second 0 is the number of bytes sent.

Niels.
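A small parser for the three line forms quoted in this thread, using the field meanings Niels gives (S = start, E = end with bytes received and bytes sent). This is an added example, not honeyd's own code; reading the "-" line as a single packet record with a size and TCP flags is an assumption of the example, and the sample lines below are constructed with documentation addresses rather than taken from real traffic.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One honeyd packet-log line, as quoted in the thread:
#   timestamp proto(num) marker src sport dst dport[: extra]
# S = start of connection, E = end of connection (extra = bytes received,
# bytes sent), - = single packet (extra = size, TCP flags; this reading of
# the '-' line is an assumption of this example, not stated by Niels).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\((?P<pnum>\d+)\)\s+(?P<mark>[SE-])\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
    r"(?::\s*(?P<extra>.*\S))?\s*$"
)

@dataclass
class Record:
    ts: str
    proto: str
    event: str                       # "start", "end" or "packet"
    src: str
    sport: int
    dst: str
    dport: int
    bytes_in: Optional[int] = None   # E lines: bytes the honeypot received
    bytes_out: Optional[int] = None  # E lines: bytes the honeypot sent
    size: Optional[int] = None       # - lines: packet size
    flags: Optional[str] = None      # - lines: TCP flags, e.g. "RA"

EVENTS = {"S": "start", "E": "end", "-": "packet"}

def parse_line(line: str) -> Optional[Record]:
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = Record(m["ts"], m["proto"], EVENTS[m["mark"]], m["src"],
                 int(m["sport"]), m["dst"], int(m["dport"]))
    extra = (m["extra"] or "").split()
    if rec.event == "end" and len(extra) == 2:
        rec.bytes_in, rec.bytes_out = int(extra[0]), int(extra[1])
    elif rec.event == "packet" and extra:
        rec.size = int(extra[0])
        rec.flags = extra[1] if len(extra) > 1 else ""
    return rec

def empty_connections(lines):
    """(src, sport, dst, dport) of connections that ended with no data in
    either direction: a connect-and-close probe rather than a real session."""
    out = []
    for line in lines:
        r = parse_line(line)
        if r and r.event == "end" and r.bytes_in == 0 and r.bytes_out == 0:
            out.append((r.src, r.sport, r.dst, r.dport))
    return out

# Constructed sample lines in the format quoted in the thread (not real traffic).
SAMPLE = [
    "2004-01-16-13:23:14.0175 tcp(6) S 10.0.0.5 32770 192.0.2.10 80",
    "2004-01-16-13:23:14.0869 tcp(6) E 10.0.0.5 32770 192.0.2.10 80: 0 0",
    "2004-01-16-14:10:47.0133 tcp(6) - 10.0.0.9 1025 192.0.2.10 1133: 40 RA",
]
```

Running `empty_connections(SAMPLE)` picks out the connection to port 80 that ended with 0 bytes each way, which is the kind of record worth counting when reviewing a honeypot's log for scan activity.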
Current thread:
- honeyd logs Mauricio Smythe (Jan 27)
- Re: honeyd logs Thomas Jones (Jan 28)
- Re: honeyd logs Niels Provos (Jan 28)
- Re: honeyd logs Thomas Jones (Jan 28)