Here with another question :) Not sure if it is a dumb one... I was experimenting with the tcpdump command and want to know how to analyse the logs once captured. For example:

06:47:41.060885 IP > ip-.us-west-2.compute.internal.ssh: Flags [.], ack 144, win 256, length 0
06:47:41.779943 IP ip-6.us-west-2.compute.internal.ssh > : Flags [P.], seq 144:208, ack 1, win 284, length 64

What do the fields indicate and how do you confirm there is an issue with the traffic? Thank you
The first field is the time when the packet arrived, as hour:minute:second, with "second" being seconds and fractions of a second.
The second field is the protocol running atop the link layer - IPv4, in this case.
For IP packets:
The third field is the IP address or host name of the host sending the packet, along with, for TCP and UDP packets, the source port. The first packet came from port 12601, and the second packet came from ip-.us-west-2.compute.internal's ssh port (port 22).
The fourth field (separated from the third field with a ">" character, indicating the direction of the packet, i.e. it's pointing to the right, so the packet is coming from the third field to the fourth field) is the IP address or host name of the host receiving the packet, along with, for TCP and UDP packets, the destination port.
"Flags [...]" is the TCP segment flags. "P" is the Push (PSH) flag, so the first packet doesn't have any flags set (other than ACK), and the second one has the Push flag set.
"seq" is the sequence number in the packet and the sequence number that the next data after that packet would have.
"ack" is the acknowledgment number in the packet. tcpdump shows sequence and acknowledgment numbers relative to the initial sequence number by default.
"length" is the length of the data in the TCP segment.
By knowing what issue you're looking for and seeing whether it's present. Tcpdump doesn't dissect all protocol layers, so it might not show issues at all layers. Wireshark might show more information, but, again, you'd need to know what sort of issues could be present and how to identify them.
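As an added illustration of the field layout described in the answer above (this is example code, not part of the original answer or of tcpdump itself), the script below parses tcpdump's default one-line TCP output into its fields and groups the lines into connections so that handshake, bytes per direction and resets can be checked. The sample lines are constructed for the example, using RFC 5737 documentation addresses in place of the question's elided hostnames; the parsed field names and the summary keys are this example's own choices.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# tcpdump's single-letter TCP flag codes; "." stands for ACK.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST",
              "U": "URG", "E": "ECE", "W": "CWR", ".": "ACK"}

# Default tcpdump TCP line layout (the order the answer describes):
# time proto src > dst: Flags [..], [seq a[:b],] [ack n,] [win w,] [options [...],] length L
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) (?P<proto>IP6?) "
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq_start>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, options \[[^\]]*\])?"
    r", length (?P<length>\d+)$"
)

# Constructed sample capture: SSH handshake, pure ACK, 64 bytes of server data, then a reset.
SAMPLE = """\
06:47:40.101000 IP 203.0.113.9.50112 > 10.0.0.5.ssh: Flags [S], seq 0, win 64240, options [mss 1460], length 0
06:47:40.102000 IP 10.0.0.5.ssh > 203.0.113.9.50112: Flags [S.], seq 0, ack 1, win 65160, options [mss 1460], length 0
06:47:41.060885 IP 203.0.113.9.50112 > 10.0.0.5.ssh: Flags [.], ack 144, win 256, length 0
06:47:41.779943 IP 10.0.0.5.ssh > 203.0.113.9.50112: Flags [P.], seq 144:208, ack 1, win 284, length 64
06:47:42.000000 IP 203.0.113.9.50112 > 10.0.0.5.ssh: Flags [R.], seq 1, ack 208, win 0, length 0
"""


@dataclass
class TcpRecord:
    time: str
    proto: str
    src_host: str
    src_port: str
    dst_host: str
    dst_port: str
    flags: str
    seq_start: Optional[int]
    seq_end: Optional[int]
    ack: Optional[int]
    win: Optional[int]
    length: int

    def flag_names(self):
        """Expand tcpdump's flag letters, e.g. 'P.' -> ['PSH', 'ACK']."""
        return [FLAG_NAMES.get(c, c) for c in self.flags]


def split_endpoint(endpoint: str):
    """tcpdump appends the port (number or service name) to the host after a final dot."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line: str) -> Optional[TcpRecord]:
    """Parse one tcpdump TCP line; returns None for lines in another layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    to_int = lambda v: int(v) if v is not None else None
    return TcpRecord(time=m["time"], proto=m["proto"],
                     src_host=src_host, src_port=src_port,
                     dst_host=dst_host, dst_port=dst_port, flags=m["flags"],
                     seq_start=to_int(m["seq_start"]), seq_end=to_int(m["seq_end"]),
                     ack=to_int(m["ack"]), win=to_int(m["win"]), length=int(m["length"]))


def summarize(text: str) -> dict:
    """Group lines by connection (unordered endpoint pair) and record handshake,
    FIN/RST, packet count and payload bytes sent from each endpoint."""
    flows = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = tuple(sorted([(rec.src_host, rec.src_port), (rec.dst_host, rec.dst_port)]))
        f = flows.setdefault(key, {"syn": False, "syn_ack": False, "rst": False,
                                   "fin": False, "packets": 0, "bytes": defaultdict(int)})
        names = rec.flag_names()
        f["packets"] += 1
        f["syn"] |= "SYN" in names and "ACK" not in names
        f["syn_ack"] |= "SYN" in names and "ACK" in names
        f["rst"] |= "RST" in names
        f["fin"] |= "FIN" in names
        f["bytes"][f"{rec.src_host}.{rec.src_port}"] += rec.length
    return flows


if __name__ == "__main__":
    for key, f in summarize(SAMPLE).items():
        print(key, {k: (dict(v) if k == "bytes" else v) for k, v in f.items()})
```

Run over a real capture, the summary is a starting point for the "is there an issue" question: a flow with `syn` but no `syn_ack` never completed its handshake, a flow with `rst` was torn down abruptly, and a wildly lopsided `bytes` count shows which side was sending. Which of those is a problem still depends on what the traffic should look like, as the answer says.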