tcptrace-bugs Any 'TCP connection information' is abnormal.

From: 畴惑闭 (ygescape@gmail.com)
Date: 02/12/06


Message-ID: <004901c62fff$423df340$aa3083a8@guru>
From: 畴惑闭 <ygescape@gmail.com>
Subject: tcptrace-bugs Any 'TCP connection information' is abnormal.
Date: Mon, 13 Feb 2006 03:07:56 +0900


Hello.

The attached file is the tcpdump data for the NTinfoscan attack from the 1999 DARPA data set.
But the TCP connection information produced by tcptrace (v6.6.7) for this data is abnormal.
The result is shown as follows:

=================================================================================
TCP connection info:
  1: 172.16.112.100:20 - 206.48.44.18:20 (a2b) 4> 4< (reset)
  2: 206.48.44.18:1056 - 172.16.112.100:23 (c2d) 4> 3< (reset)
  3: 206.48.44.18:1057 - 172.16.112.100:80 (e2f) 4> 3<
  4: 206.48.44.18:1058 - 172.16.112.100:80 (g2h) 5> 4< (complete)
  5: 206.48.44.18:1059 - 172.16.112.100:80 (i2j) 5> 4< (complete)
  6: 206.48.44.18:1060 - 172.16.112.100:80 (k2l) 5> 4< (complete)
  7: 206.48.44.18:1061 - 172.16.112.100:80 (m2n) 5> 4< (complete)
  8: 206.48.44.18:1062 - 172.16.112.100:80 (o2p) 5> 4< (complete)
  9: 206.48.44.18:1063 - 172.16.112.100:80 (q2r) 3> 2<
 10: 172.16.112.100:80 - 206.48.44.18:1063 (s2t) 3> 2<
 11: 206.48.44.18:1078 - 172.16.112.100:80 (u2v) 5> 4< (complete)
 12: 206.48.44.18:1079 - 172.16.112.100:80 (w2x) 5> 4< (complete)
 13: 206.48.44.18:1080 - 172.16.112.100:80 (y2z) 5> 4< (complete)
 14: 206.48.44.18:1081 - 172.16.112.100:139 (aa2ab) 9> 7< (complete)
 15: 206.48.44.18:1083 - 172.16.112.100:139 (ac2ad) 618> 616< (complete)
 16: 206.48.44.18:1057 - 172.16.112.100:80 (ae2af) 1> 0< (reset) (unidirectional)
=================================================================================

Connections 9 and 10 must be one connection.
It seems to be a bug.
Could you analyze this problem?

Best Regards.

P.S.
Please don't publish my e-mail address on your homepage or elsewhere...
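The anomaly reported above (entries 9 and 10 list the same four-tuple with the endpoints swapped) is easy to check for mechanically. The following script is an added example, not tcptrace's own code nor the poster's: it parses lines in the "TCP connection info" format quoted in the message, keys each entry on a direction-independent four-tuple, and reports every tuple that appears more than once. It also distinguishes reversed-direction duplicates (the 9/10 case) from same-direction duplicates (such as entries 3 and 16, which could be ordinary port reuse after the first connection ended rather than a tracking error). The sample lines are copied from the output quoted above; the regular expression is an assumption about that output format.

```python
import re
from collections import defaultdict

# Lines copied from the tcptrace output quoted in the message above.
SAMPLE = """\
  3: 206.48.44.18:1057 - 172.16.112.100:80 (e2f) 4> 3<
  4: 206.48.44.18:1058 - 172.16.112.100:80 (g2h) 5> 4< (complete)
  9: 206.48.44.18:1063 - 172.16.112.100:80 (q2r) 3> 2<
 10: 172.16.112.100:80 - 206.48.44.18:1063 (s2t) 3> 2<
 16: 206.48.44.18:1057 - 172.16.112.100:80 (ae2af) 1> 0< (reset) (unidirectional)
"""

# Assumed shape of a "TCP connection info" line:
#   <idx>: <ipA>:<portA> - <ipB>:<portB> (<label>) <a2b>> <b2a>< [flags...]
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<a_ip>[\d.]+):(?P<a_port>\d+)\s+-\s+"
    r"(?P<b_ip>[\d.]+):(?P<b_port>\d+)\s+\((?P<label>\w+)\)\s+"
    r"(?P<a2b>\d+)>\s+(?P<b2a>\d+)<(?P<flags>.*)$"
)


def parse_connection_info(text):
    """Parse tcptrace 'TCP connection info' lines into a list of dicts."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip separators, headers and anything not in the format
        d = m.groupdict()
        conns.append({
            "idx": int(d["idx"]),
            "a": (d["a_ip"], int(d["a_port"])),
            "b": (d["b_ip"], int(d["b_port"])),
            "label": d["label"],
            "a2b": int(d["a2b"]),
            "b2a": int(d["b2a"]),
            "flags": d["flags"].strip(),
        })
    return conns


def flow_key(a, b):
    """Direction-independent key: sort the endpoints so (a, b) and (b, a) collide."""
    return tuple(sorted([a, b]))


def find_split_flows(conns):
    """Return {flow_key: [indices]} for every four-tuple listed more than once."""
    by_key = defaultdict(list)
    for c in conns:
        by_key[flow_key(c["a"], c["b"])].append(c["idx"])
    return {k: v for k, v in by_key.items() if len(v) > 1}


def classify_duplicates(conns):
    """Label each duplicated four-tuple as 'reversed-direction' (the endpoints are
    swapped between listings, as in entries 9 and 10) or 'same-direction'
    (identical orientation, which may be legitimate port reuse)."""
    by_idx = {c["idx"]: c for c in conns}
    result = {}
    for key, idxs in find_split_flows(conns).items():
        first = by_idx[idxs[0]]
        swapped = any(by_idx[i]["a"] != first["a"] for i in idxs[1:])
        result[key] = "reversed-direction" if swapped else "same-direction"
    return result


if __name__ == "__main__":
    parsed = parse_connection_info(SAMPLE)
    for key, kind in classify_duplicates(parsed).items():
        idxs = find_split_flows(parsed)[key]
        print(f"{key[0][0]}:{key[0][1]} <-> {key[1][0]}:{key[1][1]} "
              f"listed as entries {idxs} ({kind})")
```

Run it against a full tcptrace report (for example, `tcptrace -n file.dump | python3 check.py` after replacing `SAMPLE` with `sys.stdin.read()`); a reversed-direction duplicate with matching packet counts is the signature of the split described in the message, while a same-direction duplicate only warrants a look at the timestamps to confirm port reuse.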

This archive was generated by hypermail 2.1.7 : 02/13/06 EST