Making a Connection with tcpdump, Part II

Some sample scenarios of how you can use tcpdump for various Telnet connections.

Part I of this article discussed tcpdump, a command-line utility that sniffs network traffic. Now let's see what it can do.

Scenario 1: Established Telnet Connection

Using tcpdump we can analyze the PDUs that establish and terminate a TCP/IP connection. TCP uses a special mechanism to open and close connections. The tcpdump output below display data from different connection scenarios between host and The following tcpdump command and options were used to generate output:

#tcpdump -nn host and port 23

Before examining the output, let's take a detour and get a brief overview of TCP/IP connection management. This small detour will assist those individuals who are new to protocols. To guarantee a reliable connection (startup and shutdown), TCP uses a method in which three messages are exchanged. The process is called a three-way-handshake. To startup a connection:

  • The requesting Host sends a synchronization flag (SYN) in a TCP segment to create a connection.

  • The receiving Host receives the SYN flag and returns an acknowledgment flag (ACK).

  • The requesting Host receives the SYN flag and returns it's own ACK flag.

A similar handshake process is used to close a connection using a finish flag (FIN).

To establish a connection, the sending host creates a segment containing the IP address and port number of the host it want to connect to. The segment contains a SYN flag and the sending hosts initial sequence number. Data is segmented before it is sent. The sequence numbers allow the segments to be assembled in the correct order.

20:06:32.845356 >
S 3263977215:3263977215(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

The receiving hosts responds with its own SYN flag and its initial sequence number. This segment also contains an ACK flag to acknowledge the sending host's SYN (segment 3263977215 +1). This type of acknowledgment is called expectational acknowledgment, because the receiver acknowledges the sequence number of the next segment it expects to receive.

20:06:32.845725 > S
48495364:48495364(0) ack 3263977216 win 32120 <mss 1460,nop,nop,sackOK> 

The sending host acknowledges the SYN flag from the receiving host by sending another segment containing the . and ACK flags.

20:06:32.845921 > . ack 1 win 17520

So far two flags, S and ., have been seen. There are five in total.

  • S: SYN (Synchronize sequence numbers - Connection establishment)

  • F: FIN (Ending of sending by sender - Connection termination)

  • R: RST (Reset connection)

  • P: PSH (Push data)

  • .: (No flag is set)

Scenario 2: Closed Telnet Connection

To terminate a connection, a segment containing a FIN flag is sent from host back to the host with the open session.

20:07:32.916410 > F 147:147(0) ack
56 win 32120 (DF)

This may appear backwards, but trust me, it's not. Think of where the session is open--this is the point that is asking to close the connection. Host acknowledges the FIN segment.

20:07:32.916680 > . ack 148 win
17374 (DF)

Then host terminates it connection by sending a segment containing a FIN flag.

20:07:32.928907 > F 56:56(0) ack 148
win 17374 (DF)

Host acknowledges the segment.

20:07:32.929121 > . ack 57 win 32120
Scenario 3: Telnet Connection Refused (no service offered at the host)

To establish a connection, host sends a segment containing the IP address and port number of the host it want to connect to. The segment contains a SYN flag and the sending hosts initial sequence number.

05:28:00.080798 >
S 3034008467:3034008467(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

Host acknowledges the SYN from host by sending another segment containing the R (connection reset) and ACK flags.

05:28:00.080979 > R 0:0(0)
ack 3034008468 win 0 

Host doesn't take no for answer and tries again.

05:28:00.579420 > S
3034008467:3034008467(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

But it receives the same result from receiving host.

05:28:00.579524 > R 0:0(0) ack 1 win

A final attempt is made to establish a connection.

05:28:01.080114 &glt; S
3034008467:3034008467(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

Only three strikes in this ball game. Sending host gives up.

05:28:01.080225 > R 0:0(0) ack 1 win

Compare the outputs from an Establish Telnet Connection scenario and Telnet Connection Refusal scenario. The outputs from the receiving host are different. For the Telnet Connection Refusal scenario, the Telnet service was turned off at the receiving host using the /etc/inetd.conf file. If the service is not available, no connection can be established. Note to self: simple security measures turn off services not being used.


White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState