Wireshark mailing list archives

Re: TCP Retransmission question


From: Andrew Hood <ajhood () fl net au>
Date: Wed, 22 Jun 2011 08:06:03 +1000

Shain Singh wrote:
What does TCP transmission string mean in wireshark?



Here is a good link to read up on a little bit about TCP retransmits (which
are not exactly a bad thing):
http://thenetworkguy.typepad.com/nau/2008/03/a-tale-of-five.html
Having a LOT of retransmits can be due to a number of reasons, and most
troubleshooting usually starts from looking at the network.




Jun 21 15:15:25 server02 sshd[5523]: Did not receive identification
string from 68.168.113.155
Jun 21 15:27:57 server02 sshd[5937]: Invalid user webmaster from
68.168.113.155
Jun 21 15:27:57 server02 sshd[5937]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=68.168.113.155
Jun 21 15:27:59 server02 sshd[5937]: Failed password for invalid user
webmaster from 68.168.113.155 port 33025 ssh2
Jun 21 15:28:01 server02 sshd[5940]: Invalid user admin from 68.168.113.155
Jun 21 15:28:01 server02 sshd[5940]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=68.168.113.155
Jun 21 15:28:03 server02 sshd[5940]: Failed password for invalid user
admin from 68.168.113.155 port 33304 ssh2
Jun 21 15:28:06 server02 sshd[5942]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=68.168.113.155  user=root
Jun 21 15:28:08 server02 sshd[5942]: Failed password for root from
68.168.113.155 port 33514 ssh2



Ok, so all the above is showing is that the IP 68.168.113.155 is trying a
dictionary based attack of usernames against your publicly accessible SSH
server on 'server02'.

I have an automated log check for sshd invalid user or failed password.
Multiple entries cause the culprits to go in iptables, together with the
entire allocated netblock. My net, my rules.

GloboTech Communications GTCOMM (NET-68-168-112-0-1) 68.168.112.0 -
68.168.127.255
Genious Communications GTCOMM-579 (NET-68-168-113-128-1) 68.168.113.128
- 68.168.113.159

have not found their way into iptables - yet, but would get

-A INPUT -s 68.168.112.0/255.255.240.0 -p tcp -j LOGDROP
where
-A LOGDROP -j ULOG --ulog-prefix "IPTdrop" --ulog-qthreshold 5
-A LOGDROP -j DROP

Andrew


-- 
There's no point in being grown up if you can't be childish sometimes.
                -- Dr. Who
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
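The log check Andrew describes (count sshd "Invalid user" / "Failed password" events per source, then drop the source's whole allocated netblock through a LOGDROP chain) is easy to misread as a one-liner. The script below is an added example written for this page; it is not Andrew's script and not anything from Wireshark. It parses the sshd lines quoted in the thread (re-joined where the archive wrapped them), applies a threshold, and turns the two whois ranges quoted above into CIDR blocks with Python's `ipaddress` module, picking the widest one that contains the offender. The threshold value, the chain name and the `WHOIS_RANGES` table are assumptions; in a real deployment the ranges come from a whois query.

```python
"""Sketch of an sshd brute-force log check that bans the whole allocated
netblock, modelled on the approach described in the post above."""
import ipaddress
import re
from collections import Counter

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# The two sshd events the log check keys on.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user \S+ from " + IPV4)
FAILED_PASSWORD = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from "
    + IPV4 + r" port \d+"
)

# Log lines quoted in the thread, joined back onto single lines.
SAMPLE_LOG = [
    "Jun 21 15:15:25 server02 sshd[5523]: Did not receive identification string from 68.168.113.155",
    "Jun 21 15:27:57 server02 sshd[5937]: Invalid user webmaster from 68.168.113.155",
    "Jun 21 15:27:57 server02 sshd[5937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.168.113.155",
    "Jun 21 15:27:59 server02 sshd[5937]: Failed password for invalid user webmaster from 68.168.113.155 port 33025 ssh2",
    "Jun 21 15:28:01 server02 sshd[5940]: Invalid user admin from 68.168.113.155",
    "Jun 21 15:28:01 server02 sshd[5940]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.168.113.155",
    "Jun 21 15:28:03 server02 sshd[5940]: Failed password for invalid user admin from 68.168.113.155 port 33304 ssh2",
    "Jun 21 15:28:06 server02 sshd[5942]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.168.113.155  user=root",
    "Jun 21 15:28:08 server02 sshd[5942]: Failed password for root from 68.168.113.155 port 33514 ssh2",
]

# whois ranges quoted in the post (assumed pre-fetched; normally a whois lookup).
WHOIS_RANGES = [
    ("68.168.112.0", "68.168.127.255"),    # GloboTech Communications GTCOMM
    ("68.168.113.128", "68.168.113.159"),  # Genious Communications GTCOMM-579
]


def count_offenders(lines):
    """Map source IP -> number of 'Invalid user' / 'Failed password' events."""
    hits = Counter()
    for line in lines:
        for pat in (INVALID_USER, FAILED_PASSWORD):
            m = pat.search(line)
            if m:
                hits[m.group(1)] += 1
                break  # one event per line
    return hits


def range_to_cidrs(first, last):
    """Convert a whois 'first - last' range into CIDR strings."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


def widest_allocation(ip, ranges):
    """Return the widest whois-derived network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for first, last in ranges:
        for cidr in range_to_cidrs(first, last):
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen < best.prefixlen):
                best = net
    return best


def build_rules(hits, ranges, threshold=3, chain="LOGDROP"):
    """Emit iptables rules: the LOGDROP chain, then one INPUT rule per offender.

    Offenders with fewer than `threshold` events are ignored; an offender with
    no known allocation is dropped as a single host (/32)."""
    rules = [
        f"-N {chain}",
        f'-A {chain} -j ULOG --ulog-prefix "IPTdrop" --ulog-qthreshold 5',
        f"-A {chain} -j DROP",
    ]
    for ip, n in sorted(hits.items()):
        if n < threshold:
            continue
        net = widest_allocation(ip, ranges) or ipaddress.ip_network(f"{ip}/32")
        rules.append(f"-A INPUT -s {net.with_netmask} -p tcp -j {chain}")
    return rules


if __name__ == "__main__":
    for rule in build_rules(count_offenders(SAMPLE_LOG), WHOIS_RANGES):
        print(rule)
```

Running it against the quoted log yields five events for 68.168.113.155 and the rule `-A INPUT -s 68.168.112.0/255.255.240.0 -p tcp -j LOGDROP`, i.e. the /20 from the post rather than the narrower /27 sub-allocation. Two caveats: the ULOG target is the legacy logging target, replaced by NFLOG on modern kernels, so adjust the chain accordingly; and with a threshold this low a single mistyped password from a colleague on a shared netblock also bans the block, so keep a whitelist in front of the INPUT rules.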

