[SLUG] Output from tcpdump

From: Doug Koobs (dkoobs@dkoobs.com)
Date: Sun Aug 04 2002 - 16:36:45 EDT


While using tcpdump to learn about arp, I found some unexpected activity on
my network, which consists only of:

Linksys Cable/DSL router at 192.168.1.215
RH 7.3 mail server at 192.168.1.201
Win2K Pro at 192.168.1.1

I ran tcpdump while there were no users running any programs...
Here are the tcpdump output lines, with my questions included:

16:07:23.381067 133.65.185.24.2957 > 192.168.1.201.ssh: S 2350411248:2350411248(0) win 32120 <mss 1460,sackOK,timestamp 411665006 0,nop,wscale 0> (DF)
16:07:23.381336 192.168.1.201.ssh > 133.65.185.24.2957: S 816541276:816541276(0) ack 2350411249 win 5792 <mss 1460,sackOK,timestamp 10387441 411665006,nop,wscale 0> (DF) [tos 0x10]
16:07:23.599026 133.65.185.24.2957 > 192.168.1.201.ssh: . ack 1 win 32120 <nop,nop,timestamp 411665028 10387441> (DF)
16:07:23.601198 192.168.1.201.ssh > 133.65.185.24.2957: P 1:24(23) ack 1 win 5792 <nop,nop,timestamp 10387463 411665028> (DF) [tos 0x10]
16:07:23.810986 133.65.185.24.2957 > 192.168.1.201.ssh: . ack 24 win 32120 <nop,nop,timestamp 411665049 10387463> (DF)
16:07:53.466782 133.65.185.24.2957 > 192.168.1.201.ssh: F 1:1(0) ack 24 win 32120 <nop,nop,timestamp 411668015 10387463> (DF)
16:07:53.467540 192.168.1.201.ssh > 133.65.185.24.2957: . ack 2 win 5792 <nop,nop,timestamp 10390450 411668015> (DF) [tos 0x10]
16:07:53.467705 192.168.1.201.ssh > 133.65.185.24.2957: F 24:24(0) ack 2 win 5792 <nop,nop,timestamp 10390450 411668015> (DF) [tos 0x10]
16:07:53.689100 133.65.185.24.2957 > 192.168.1.201.ssh: . ack 25 win 32120 <nop,nop,timestamp 411668037 10390450> (DF)

Is someone at 133.65.185.24 trying to ssh into my Linux box? If so, what log
would I look at to see if they were successful?

16:07:23.382952 192.168.1.201.32769 > ns2.tampabay.rr.com.domain: 2718+ PTR? 201.1.168.192.in-addr.arpa. (44) (DF)
16:07:23.418843 ns2.tampabay.rr.com.domain > 192.168.1.201.32769: 2718 NXDomain 0/1/0 (121) (DF)
16:07:23.419640 192.168.1.201.32769 > ns2.tampabay.rr.com.domain: 2719+ PTR? 215.1.168.192.in-addr.arpa. (44) (DF)
16:07:23.434479 ns2.tampabay.rr.com.domain > 192.168.1.201.32769: 2719 NXDomain 0/1/0 (121) (DF)
16:07:23.435482 192.168.1.201.32769 > ns2.tampabay.rr.com.domain: 2720+ PTR? 24.185.65.133.in-addr.arpa. (44) (DF)
16:07:23.452173 ns2.tampabay.rr.com.domain > 192.168.1.201.32769: 2720 NXDomain 0/1/0 (106) (DF)
16:07:23.453083 192.168.1.201.32769 > ns2.tampabay.rr.com.domain: 2721+ PTR? 80.1.32.65.in-addr.arpa. (41) (DF)
16:07:23.466381 ns2.tampabay.rr.com.domain > 192.168.1.201.32769: 2721* 1/3/3 PTR[|domain] (DF)

I'm assuming that this is some DNS resolution activity. Is this normal?
Maybe the SMTP server is resolving an MX record or something?
Also, the gateway often sends arp requests for 192.168.1.254, which does not
exist... Why would it be looking for it?

Thanks,

Doug
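Added example (editor's code, not part of Doug's post and not from tcpdump or any other tool he names): a small Python parser for tcpdump 3.x-style text output that reconstructs the TCP flow quoted above and cross-checks each PTR query against the addresses tcpdump printed. The input is the post's own capture, re-joined one packet per line. Run over it, the flow summary shows the 133.65.185.24 connection completed the handshake, received 23 bytes from the server (the size of an SSH version banner such as "SSH-1.99-OpenSSH_3.1p1" plus its newline), sent nothing back, and closed about 30 seconds later: a banner grab or scan rather than a login attempt, since an SSH client has to send its own identification string before any authentication can start. The PTR check shows the lookups for 201.1.168.192 and 24.185.65.133 are reverse lookups of addresses in the capture, fired milliseconds after the SYN; that is tcpdump itself resolving names (run it with -n and they disappear), not the mail server. The query for 80.1.32.65 is the nameserver's own address, which tcpdump already prints by name, and 215.1.168.192 is the gateway from the ARP lines the post mentions but does not quote, so the sample cannot account for those two and flags them. Assumptions: the packet syntax of that tcpdump generation (`FLAGS seq:seq(len) ack n`), and, for the log question, the Red Hat 7.3 default of sshd logging through syslog to /var/log/secure.

```python
"""Reconstruct TCP flows and audit PTR queries in tcpdump 3.x text output.
Added example; SAMPLE is the post's capture (constructed: re-joined one packet per line)."""
import re
from datetime import datetime

SAMPLE = """\
16:07:23.381067 133.65.185.24.2957 > 192.168.1.201.ssh: S 2350411248:2350411248(0) win 32120 <mss 1460,sackOK,timestamp 411665006 0,nop,wscale 0> (DF)
16:07:23.381336 192.168.1.201.ssh > 133.65.185.24.2957: S 816541276:816541276(0) ack 2350411249 win 5792 <mss 1460,sackOK,timestamp 10387441 411665006,nop,wscale 0> (DF) [tos 0x10]
16:07:23.382952 192.168.1.201.32769 > ns2.tampabay.rr.com.domain: 2718+ PTR? 201.1.168.192.in-addr.arpa. (44) (DF)
16:07:23.419640 192.168.1.201.32769 > ns2.tampabay.rr.com.domain: 2719+ PTR? 215.1.168.192.in-addr.arpa. (44) (DF)
16:07:23.435482 192.168.1.201.32769 > ns2.tampabay.rr.com.domain: 2720+ PTR? 24.185.65.133.in-addr.arpa. (44) (DF)
16:07:23.453083 192.168.1.201.32769 > ns2.tampabay.rr.com.domain: 2721+ PTR? 80.1.32.65.in-addr.arpa. (41) (DF)
16:07:23.599026 133.65.185.24.2957 > 192.168.1.201.ssh: . ack 1 win 32120 <nop,nop,timestamp 411665028 10387441> (DF)
16:07:23.601198 192.168.1.201.ssh > 133.65.185.24.2957: P 1:24(23) ack 1 win 5792 <nop,nop,timestamp 10387463 411665028> (DF) [tos 0x10]
16:07:23.810986 133.65.185.24.2957 > 192.168.1.201.ssh: . ack 24 win 32120 <nop,nop,timestamp 411665049 10387463> (DF)
16:07:53.466782 133.65.185.24.2957 > 192.168.1.201.ssh: F 1:1(0) ack 24 win 32120 <nop,nop,timestamp 411668015 10387463> (DF)
16:07:53.467540 192.168.1.201.ssh > 133.65.185.24.2957: . ack 2 win 5792 <nop,nop,timestamp 10390450 411668015> (DF) [tos 0x10]
16:07:53.467705 192.168.1.201.ssh > 133.65.185.24.2957: F 24:24(0) ack 2 win 5792 <nop,nop,timestamp 10390450 411668015> (DF) [tos 0x10]
16:07:53.689100 133.65.185.24.2957 > 192.168.1.201.ssh: . ack 25 win 32120 <nop,nop,timestamp 411668037 10390450> (DF)
"""

# tcpdump 3.x TCP line: "ts src.sport > dst.dport: FLAGS [seq:seq(len)] [ack n] ..."
TCP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\S+) > (?P<dst>\S+)\.(?P<dport>\S+): "
    r"(?P<flags>[SFRP.]+)(?: \d+:\d+\((?P<len>\d+)\))?(?P<ack> ack \d+)?")
ENDPOINT_RE = re.compile(r"^\S+ (?P<src>\S+)\.\S+ > (?P<dst>\S+)\.\S+:")
PTR_RE = re.compile(r"PTR\? (?P<rev>[\d.]+)\.in-addr\.arpa")

def reconstruct_flows(text):
    """Flows keyed by ((ip, port) initiator, (ip, port) responder); the initiator
    is whoever sent a SYN without ACK. DNS lines do not match TCP_RE."""
    flows = {}
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if not m:
            continue
        a, b, flags = (m["src"], m["sport"]), (m["dst"], m["dport"]), m["flags"]
        if "S" in flags and not m["ack"]:
            flows[(a, b)] = {"start": m["ts"], "end": m["ts"], "synack": False,
                             "handshake": False, "reset": False, "bytes": {a: 0, b: 0}, "fin": []}
            continue
        f = flows.get((a, b)) or flows.get((b, a))
        if f is None:                # a flow whose SYN we never saw
            continue
        f["end"] = m["ts"]
        if "S" in flags and m["ack"]:
            f["synack"] = True
        elif f["synack"] and m["ack"] and not f["handshake"]:
            f["handshake"] = True    # third packet of the handshake
        f["bytes"][a] += int(m["len"] or 0)   # payload bytes per direction
        if "F" in flags and a not in f["fin"]:
            f["fin"].append(a)       # order in which each side sent FIN
        f["reset"] |= "R" in flags
    return flows

def classify(key, f):
    """Plain-language verdict on what the initiator actually did in this flow."""
    ini, resp = key
    t0, t1 = (datetime.strptime(f[k], "%H:%M:%S.%f") for k in ("start", "end"))
    span = f"over {(t1 - t0).total_seconds():.1f} s"
    if not f["handshake"]:
        return "no completed handshake" + (" (reset)" if f["reset"] else "")
    sent, got = f["bytes"][ini], f["bytes"][resp]
    if sent == 0:
        closer = "initiator" if f["fin"] and f["fin"][0] == ini else "responder"
        return (f"handshake completed, responder sent {got} bytes, initiator sent 0 "
                f"bytes and the {closer} closed first {span}: a probe/banner grab; no "
                "application-layer exchange, so for ssh no login was attempted")
    return f"initiator sent {sent} bytes, responder sent {got} bytes {span}: real session"

def ptr_lookups(text):
    """Map each PTR query target to whether that address is printed as a source or
    destination elsewhere in the capture. tcpdump run without -n reverse-resolves
    every address it prints, so such hits are the sniffer's own lookups."""
    seen, out = set(), {}
    for line in text.splitlines():
        e = ENDPOINT_RE.match(line)
        if e:
            seen.update(h for h in (e["src"], e["dst"]) if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", h))
    for line in text.splitlines():
        p = PTR_RE.search(line)
        if p:
            ip = ".".join(reversed(p["rev"].split(".")))   # 24.185.65.133 -> 133.65.185.24
            out[ip] = ip in seen
    return out

def analyse(text=SAMPLE):
    flows = reconstruct_flows(text)
    return {"flows": {f"{i[0]}:{i[1]}->{r[0]}:{r[1]}": classify((i, r), f)
                      for (i, r), f in flows.items()},
            "ptr": ptr_lookups(text)}

if __name__ == "__main__":
    result = analyse()
    for name, verdict in result["flows"].items():
        print(name, "=>", verdict)
    for ip, own in result["ptr"].items():
        print("PTR", ip, "=>", "tcpdump's own lookup" if own else "address not in this capture")
```

The flow reconstruction keys on the SYN without ACK, so a capture started mid-session yields no flow for that session; `classify` then never claims more than the packets support. To use it on a fresh capture, run `tcpdump -n` (so no PTR noise is generated) and feed the text to `analyse()`.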



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:49:19 EDT