Sie sind auf Seite 1von 11

What is the mean of offset field in TCP HEADER?

how it is useful kindly help me to


understand

Comments
TCP Header some times have option, so how to inform the receiver where data will be start? the solution
is offset, which inform the receiver after x bytes the data will start.
offset is use in many format and all are same concept.

Show open IP-to-IP TCP-Sessions in Cisco Network


hey everyone. followig problem...
i need to look for client-pcs they're producing high internet-traffic in our network. the problem is: the
internet-firewall is administrated by an it-service-partner and not in my hand. at first i want to bypass
requesting the firewall-logs from the it-service-partner because of it will cost money. the only thing i
can do is to look for clients they have constant traffic on switches and routers. all the commands i
found on the internet to show some tcp-connections on layer3 switches or routers was not helpful for
me... is there some possibility to look for single-ip client-traffic on a simply switched and routed cisco
network without NAT translations in it?
ps: iam searching for something similar to the command "show ip nat translations" but for routers
they do not use NAT.
thanks alot!

Comments

...Yes use ACL with tcp flag, this is used to detect TCP flood.
after config, check match number.
...okay. yes that makes sense. i created this rule and bind it to the interface. now i have to look for how i
can read out the logs of it…

GOOD QUESTION : BGP


=====================
In BGP, the TCP connection will be created on port 179, so all the session at PE router will be
created on this particular port only. My question is how BGP will differentiate between these session,
like if a particular neighbor will down so how it will be identify that which session need to be drop as
all are created on port 179.
=====================
Question Courtesy : ​Mayank Agarwal

Comments
...​destination port is 179 but source port will be diff ... there will be unique ​tcp​ session from each CE
device to PE on port 179

…. Its Vive Versa actually .. Source will be 179 .. and Destination different port for different neighbor
..​Source port always random and destination port always fixed
...LOGS : BGP
212.1.169.149 4 2828 61823 62146 4638 0 0 2w5d 2

# sh tcp br
TCB Local Address Foreign Address (state)
44354614 212.1.169.150.179 216.1.179.169.64746 ESTAB

Here remote ip is 212.1.169.149, Local is 212.1.169.150

You see from your point of view for source and destination but in actual random port side ip show it starts
the session first

COMPARE USING TWO COMMANDS


1. sh ip bgp summ
2. sh tcp br

... bgp uses transport layer services for a single peer to have tcp established with the other peer...the
exchange of routes between ce and pe merely operates on l3…

..sessions are made with sockets...IP:port no ..if that answers questionbs

...
Hi, In my router port 179 is occupied for remote ip...
Why like that ??

The way it is explained is wrong.in the perspective of x.x.x.150 it is right.But in the perspective of 149 it is
wrong. When Tcp 3 way handshake start, the router who initiate the session would send a sync packet
with random source port and destination port 179.The server respond with source as 179 and destination
as the random port*.

BGP is essentially a standard TCP based protocol, which means that it is client and server based. When
the client router initiates the BGP session is sends a request to the server with a destination port of 179
and a random source Port XYZ. The server then responds with a source port of 179 and a destination
port of XYZ.

" VTY LINE "


1. What is the Mechanism for VTY Lines connections ?
2. What is the purpose of VTY Line ?
3. VTY Line connections are based on TCP or UDP ?
4. VTY line is specific to Router or Switch or for any network device ?

Comments

To gain access to a device for an administrative purpose three methods are used... Console port , VTY
lines and auxiliary port.This is called an interactive access methods.

1- . VTY is an access control mechanism.. We can access by the Telnet and SSH.

2- To access the remote device...

3-VTP lines are TCP based.

4-For Switch, routers and may be for other devices... I am not sure... Please correct me for point-4

.. VTY line is based on TCP only, or UDP,or like depends on the network device like Switch or Router ?
Can u check & confirm ?

yes VTY line works on TCP because when you telnet or SSH both use TCP 22 and 23

1- . VTY can access by the Telnet and SSH.

2- VTY access the remote device...


3-VTP lines are TCP based.

4-For Switch, routers and other devices

..Line vty means how many person can telnet at one time suppose we have configure line vty 0 4 means5
people can telnet the router at a time. and privildge means if wew give priviledge 5 or 4 6 then the user
can run limited command according to Priviledge level

... basically line VTY is used to access routers remotely. line VTY is based on TCP where we can do
TELNET/ SSH. line vty 0 4 means at a time 5 users can access router remotely.

What is the command to change MTU value on Router ?


1. tcp adjust-mss <>
2. set ip mtu <>

Comments

...​ To change MSS we need to calculate dependent on the ISP most of the case for vlan it is 1452
...I have to say that my provider uses different MTUs per its segment.
I used mturoute.exe to discover ISP MTU and I can say that MTU varies from 1480 (lowest) to 1492
(maximum discovered).
Betwen me and the speed test server all MTUs are 1492 so let's asume that my ISP uses all over his
equipments MTU=1492.

I did this computing to get the MSS:

1. ETH MTU = 1500 (standard for my Cisco FE4)


2. PPoE = 1492 (1500 -8)
3. MSS: 1452 (1492 - 20 IP - 20 TCP) so I got 1452.

... "ip tcp adjust-mss" is the command for setting mss under interface however it is suggested to keep it
lower then MTU as you can carry more overhead ..specially in case of GRE and IPSEC when you need to
carry additional overhead.

Please share Three example of each , TCP & UDP


connections
Comments
The examples of TCP,
1) Telnet.

2) SSH,

3) Connection between client and web server .

The examples of UDP.

1) Video streaming.

2) Songs streaming.’

https://www.net.t-labs.tu-berlin.de/teaching/computer_networking/03.07.htm?fbclid=IwAR315PDAqaVrzd9
W3A5eqS7M-cdPOZ7VxrfP9mzPAmsRUDT5Ini72rnHCYY
https://avinashnetworking.wordpress.com/2016/09/25/tcp-mss-how-it-really-works/?fbclid=IwAR2XuWaL6
FJyc8A1beFgyFXpKMxQnH2cqNWVjMhav_rspFoXkk87HTuPA6Y
https://www.net.t-labs.tu-berlin.de/teaching/computer_networking/03.05.htm
https://www.net.t-labs.tu-berlin.de/teaching/computer_networking/03.05.htm

SERVER QUERY ??
How to check if a application running on server is based on TCP or UDP ?

Comments
"netstat -anb" command on windows.. and "netstat -pnlt" on linux..
...I was about to say this but in netstat command their is no clear way of knowing about the applications.

Under "Proto", it does you show what type of protocol it is but in "netstat" command, under "local
addresses" it only shows the IP address of your computer, but it doesn't show that which application on
your computer is being connected to which Web Server on internet

..Jameel

But when we use "netstat" command in our Client computer or Server, it only shows us the port number,
not the application, so how will we know which port is using which application?

...OUTPUT .-- C:\Users>netstat -anb

Active Connections

Proto Local Address Foreign Address State


TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
RpcSs
[svchost.exe]

... Output shows >>>> Source ip & port >>> Destination ip & port >>>> Proto Type >>>> State ..
. Do u want to say .. By looking at Destination IP, we can knoow the application running on server

What mechanisms we can use to stop the global TCP synchronization.. so dat dare can be a less
bandwith consumption in d network at d time of congestion..??
Comments

I know it's Qos topic... But to prevent TCP global synchronization we can use WRED no idea about
wccp..!
..Use Cisco Waas or Riverbed
...​https://learningnetwork.cisco.com/thread/122469?fbclid=IwAR1lcOpywDriU_thpneAqTEPNSgz7aG2-Iit
uc7PdwpMXiq1CPkENazAKLo

How Many TCP session created during bgp neighbourship


establishment ???
Comments
1 for 1 bgp peer

The combination of SYN and FIN flag being set in TCP header is illegal and it belongs to the
category of illegal/abnormal flag combination because it calls for both establishment of
connection(via SYN) and termination of connection(via FIN).
The method to handle such illegal/abnormal flag combinations is not conveyed in the RFC of TCP.
So, such illegal/abnormal flag combinations are handled differently in various operating systems.
Different operating system also generate different kind of responses for such packets.
This is a very big concern for security community because attackers shall exploit these response
packets to determine the type of OS on the target system to craft his attack. So, such flag
combinations are always treated as malicious and modern intrusion detection systems detect such
combinations to avoid attacks
juniper way to deal this is :- set system internet-options tcp-drop-synfin-set
drops packet with both SYN and FIN bit high
Hi everyone I’m looking for some help on how to port forward on an ASA running version 9.8x I
created a network object with nat included and set up access list but still not working. I’m looking to
port forward for a cctv NVR (192.168.1.2) using public IP example 1.1.1.2/30 (1.1.1.1 ISP gateway)
and port 5150. Please advise with corrections or example on how to configure thanks
Here is what I find online and what I tried
Object network obj_192.168.1.2
Host 192.168.1.2
Nat (inside,outside) static 1.1.1.2 service tcp 5150 5150
Access-list outside-access extended permit tcp any object obj_192.168.1.2 eq 5150

https://www.youtube.com/watch?v=cKnAiiUgsgg&feature=youtu.be&fbclid=IwAR3QI6BW6rJmzJ6iDKDre
5zPgypxKq2kRMU4hCAlI_V60cSWbeIntCqcBmg

https://www.facebook.com/groups/networkproxy/permalink/1100580226767314/

Client send a TCP packet with Syn and Fin flag set to 1.
How server will respond to this packet?

Comments
The response depends on the type of Operating System,the combination of SYN and FIN flag being set in
TCP header is illegal and it belongs to the category of illegal/abnormal flag combination because it calls
for both establishment of connection(via SYN) and termination of connection(via FIN) the method to
handle such illegal/abnormal flag combinations is not conveyed in the RFC of TCP. So, such
illegal/abnormal flag combinations are handled differently in various operating systems. Different
operating system also generate different kind of responses for such packets.

The typical response to a packet with SYN and FIN bits set to one is a RST, since you are violating the
rules of TCP.

Hi All,
In BGP, the TCP connection will be created on port 179, so all the session at PE router will be
created on this particular port only. My question is how BGP will differentiate between these session,
like if a particular neighbor will down so how it will be identify that which session need to be drop as
all are created on port 179.
TCP: How many flags does TCP uses?? what is
ECN-Echo & CWR??

Comments
When buffer goes full of receiver and it wall Send exp-echo to sender and when buffer clear will send cwr
( congestion window reduced ) to sender

.. 8 flags in total, tcp ecn and CWR goes very handy ad it works along with ip header, if you see ip header
there is TOS feild, out of which 6 first field is used for precendence, and last two bits are set allong with
CWR and ECN bit in TCP. frankly speaking if you go for any product based company interview for
security profile, you are suppose to know all the flags and functionality ​:)​, i faced same question when i
was interviewed in Cisco/Juniper. ​:)​ Wiki contains enough information .. if in case there are some doubts
please feel free to reach out to me

..ack ,seq,psh,fin,urg,and what else


Cwr and ecn-echo

..​https://www.juniper.net/documentation/en_US/junos/topics/concept/cos-qfx-series-explicit-congestion-no
tification-understanding.html?fbclid=IwAR0eniOGNPNtSupMxLENgF74iEO2YHttHHujlo6QOHKzY-gcYuL
T0Lcgz4w

Andreas Gottlieb Nielsen​ shared a ​link​.


May 27, 2017

I really need some help understanding TCP/IP flags.. SYN(Sequence number) and Acks.. I spend 5
days now and I have simply hit a wall trying to understand it! I have watched every single god damn

video on youtube, even used CBTnuggets but my mind cannot seem to understand it :(​ I'm feeling
so sad and depressed about it. Is there any friendly soul out here who could help me through this?? I
need baby steps to understand it.. I repeat.. I REALLY NEED this to be explained in the most simple
of ways.. so even a toddler can understand it! Anyone up for the task? I have tried the following

video and that didn't help even though it seems to be a good one for several people :/

https://www.youtube.com/watch?v=8XJPZttC4RM​&

I'm a visual learner, so i'm up for some Skype/Teamviewer!

Thanks in advance !

Comments
..I understand the basic handshake syn -> syn ack -> ack

Look below.. that's what I'm having a hard time understanding

.. I am having so much trouble understanding this:

I know its the finishing handshake, but see the FIN and acks?

Client: ---> [ACK] SEQ: 480 ACK: 18365 ---> server


Client: <--- [FIN, ACK] SEQ: 18365 ACK: 480 <--- server
Client: ---> [ACK] SEQ: 480 ACK: 18366 ---> server
Client: ----> [FIN,ACK] SEQ: 480 ACK: 18366 ---> server
Client: <---- [ACK] SEQ: 18366 ACK: 481

See how the ACKs and SEQ numbers change at each part?

..​http://packetlife.net/blog/2010/jun/7/understanding-tcp-sequence-acknowledgment-numbers/?fbclid=IwA
R04eViVG7TPZ-Wfpr4sNGwSGjM3EXPDlQLInoH0F32UK-lDo_7SPQVe6NU
Related to TLS and TCP
If i have two different clients requesting to form a TLS tunnel with a server .How will sever
differentiate between the two tunnel?
I Know HTTPS uses port 443 , but if both the clients want to use HTTPS , How will the server render
its services to two different clients on the same port number ?
This could be a lame question but please put in your suggestions .

Comments
.. IP Address Of both the client will be different so
For example
Client 1 will use socket of (Own ip add + Tcp + port number 443 )
Same as for client 2
https://www.facebook.com/groups/networkproxy/permalink/1091815314310472/
Can anybody explain to me that how could we recognize that the packet that is flow is tcp or udp
based. I know the difference between tcp and udp. Just need to know how could we check....thnx in
advance

Comments

..​Use packet capture tool to see it.


U can use wireshark or fiddler or many oth
..To add to ​Vikramjeet​, the flow majorly is by an application like HTTP tcp while dhcp and tftp is udp.

Packet capture is simple straight answer.

,..Use any network interceptor tool ..Example :- wireshark.. n check flow with packet stream .. also TCP
has protocol no 6 n UDP has 17 .. simple way to determine ..Hope I am able to explain .. ​:)

..​NetFlow
show ip cache flow
this output you all flow include TCP-WWW TCP-Telnet UDP-TFTP and other..

https://www.udemy.com/network-programming-from-scratch/?couponCode=BUYNPFSFB640INF&fbclid=I
wAR3AaTBs8LBdY4lif1xrywcqFGz1uz3n-uiTGR6g6BRb2MMKsWAn49z1gzQ

https://learningnetwork.cisco.com/thread/122469?fbclid=IwAR1lcOpywDriU_thpneAqTEPNSgz7aG2-Iituc
7PdwpMXiq1CPkENazAKLo
https://learningnetwork.cisco.com/thread/122469?fbclid=IwAR1lcOpywDriU_thpneAqTEPNSgz7aG2-Iituc
7PdwpMXiq1CPkENazAKLo

https://www.net.t-labs.tu-berlin.de/teaching/computer_networking/03.05.htm
https://avinashnetworking.wordpress.com/?fbclid=IwAR1tTkaQ31Q4KgDMRxWzpkZNLIsdK7tGATCH81
MdA_Eta2VwQDXpFAOCYek
https://avinashnetworking.wordpress.com/2016/09/25/tcp-mss-how-it-really-works/?fbclid=IwAR2XuWaL6
FJyc8A1beFgyFXpKMxQnH2cqNWVjMhav_rspFoXkk87HTuPA6Y
https://networkengineering.stackexchange.com/questions/45099/asa-conn-flags-explain?fbclid=IwAR0FY
4-d378La0j6LUGnus5S7TWXvjgHvCCk8z4eybOKyC5NrUfK5TcaW4s