11:01:41.777269 IP 202.162.xx.xx.https > 10.x.x.29.48686: S 1079777274:1079777274(0) ack 2718539688 win 0
11:01:41.777323 IP 10.x.x.29.48686 > 202.162.xx.xx.https: . ack 1 win 5840
11:01:41.777885 IP 202.162.xx.xx.https > 10.x.x.29.48683: . ack 24 win 17497
11:01:41.782016 IP 202.162.26.134.https > 10.x.x.29.48683: F 1:1(0) ack 24 win 17520
11:01:41.782061 IP 10.x.x.29.48683 > 202.162.xx.xx.https: . ack 2 win 5840
11:01:44.777326 IP 10.x.x.29.48686 > 202.162.xx.xx.https: . ack 1 win 5840
11:01:50.776415 IP 10.x.x.29.48686 > 202.162.xx.xx.https: . ack 1 win 5840
11:01:50.787092 IP 202.162.xx.xx.https > 10.x.xx.29.48686: R 1079777275:1079777275(0) win 0
11:01:50.789752 IP 10.x.x.29.48689 > 202.162.xx.xx.https: S 2722147698:2722147698(0) win 5840
and this
10.1.2.29 -> 10.1.2.30 TCP 48593 > https [ACK] Seq=56 Ack=154 Win=5840 Len=0 TSV=27532799 TSER=614240779
20 3.683661 10.1.2.29 -> 10.1.2.30 SSL Continuation Data
21 3.683823 10.1.2.30 -> 10.1.2.29 SSL Continuation Data
22 3.723426 10.1.2.29 -> 10.1.2.30 TCP 48593 > https [ACK] Seq=62 Ack=173 Win=5840 Len=0 TSV=27532839 TSER=614240810
23 12.545924 10.1.2.29 -> 10.1.2.30 SSL Continuation Data
24 12.546238 10.1.2.30 -> 10.1.2.29 SSL Continuation Data
25 12.546274 10.1.2.29 -> 10.1.2.30 TCP 48593 > https [ACK] Seq=70 Ack=204 Win=5840 Len=0 TSV=27541663 TSER=614249674
26 12.546368 10.1.2.29 -> 10.1.2.30 SSL Continuation Data
27 12.546612 10.1.2.30 -> 10.1.2.29 SSL Continuation Data
28 12.579455 10.1.2.29 -> 10.1.2.30 TCP 51669 > 63897 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=27541696 TSER=0 WS=2
29 12.579602 10.1.2.30 -> 10.1.2.29 TCP 63897 > 51669 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=614249708 TSER=27541696 WS=2
30 12.579632 10.1.2.29 -> 10.1.2.30 TCP 51669 > 63897 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=27541696 TSER=614249708
and this...
20 1.534676 10.1.2.29 -> 10.1.2.30 TCP 40449 > https [ACK] Seq=142 Ack=178 Win=5840 Len=0 TSV=42089389 TSER=686612920
21 1.581564 10.1.2.29 -> 10.1.2.30 SSL [Unreassembled Packet]
22 1.581856 10.1.2.30 -> 10.1.2.29 SSL [Unreassembled Packet]
23 1.581890 10.1.2.29 -> 10.1.2.30 TCP 40449 > https [ACK] Seq=143 Ack=179 Win=5840 Len=0 TSV=42089436 TSER=686612967
24 1.877598 10.1.2.29 -> 10.1.2.30 SSL [Unreassembled Packet]
25 1.877810 10.1.2.30 -> 10.1.2.29 SSL [Unreassembled Packet]
26 1.877842 10.1.2.29 -> 10.1.2.30 TCP 40449 > https [ACK] Seq=144 Ack=180 Win=5840 Len=0 TSV=42089732 TSER=686613263
27 1.941587 10.1.2.29 -> 10.1.2.30 SSL [Unreassembled Packet]
28 1.941887 10.1.2.30 -> 10.1.2.29 SSL [Unreassembled Packet]
29 1.941938 10.1.2.29 -> 10.1.2.30 TCP 40449 > https [ACK] Seq=145 Ack=181 Win=5840 Len=0 TSV=42089797 TSER=686613328
Which one is not legit? :D Ok to be fair, perhaps accessing this kind of log using ethereal will give u a lot clearer picture. But I guess there's no harm trying. :D
Btw thanks for your tolerance on my postings. Kinda bored, perhaps this kind of exercise can help our brain lil bit.
Comments
I think no. 2 is definitely legit, the others, 1 and 3, seem 50/50.. but I guess number 1 is not legit, because it has no SSL encryption header
1 and 3 .. coz 3 has a tcp conn.
(I'm an idiot)