TCP Dump Splunk question, please Help!

Builder

I have noticed that reading an output of a TCP dump is as follows:

  1. The requesting Host sends a synchronization flag (SYN) in a TCP segment to create a connection.

  2. The receiving Host 192.168.2.165 receives the SYN flag and returns an acknowledgment flag (ACK).

  3. The requesting Host 192.168.2.10 receives the SYN flag and returns its own ACK flag.

But only 104 of my network transactions are [SYN] or [SYN,ACK]; the rest of the 14,711 are mostly just [ACK], which makes it even more confusing.

What's this about and for what reason, and how do I read it then?

I just want to create a Splunk search that can basically group up each start and end transaction. How can this be done?


Re: TCP Dump Splunk question, please Help!

Legend

The ACKs after the initial 3-way handshake are to acknowledge received packets, so you'll be seeing a lot of those. Without these ACK flags set the TCP delivery mechanisms wouldn't work. More information for instance here: http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Data_transfer

You can identify a unique transmission by creating a transaction based on the source host, source port, destination host and destination value.

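The grouping this answer describes, as an added example that is not part of the thread: a Python script that parses tcpdump -nn lines, keys both directions of a connection on the sorted address/port 4-tuple (the same idea as a Splunk transaction over those fields), and marks each connection's start (bare SYN) and end (FIN or RST). The sample tcpdump lines, field names and thresholds are constructed for illustration.

```python
import re
from collections import OrderedDict

# Constructed tcpdump -nn output (not from the thread): one full HTTP connection
# and one flow caught mid-stream, which shows only [.] (ACK) segments.
SAMPLE = """\
10:00:00.000001 IP 192.168.2.10.51000 > 192.168.2.165.80: Flags [S], seq 100, win 65535, length 0
10:00:00.000200 IP 192.168.2.165.80 > 192.168.2.10.51000: Flags [S.], seq 500, ack 101, win 65535, length 0
10:00:00.000300 IP 192.168.2.10.51000 > 192.168.2.165.80: Flags [.], ack 501, win 512, length 0
10:00:00.001000 IP 192.168.2.10.51000 > 192.168.2.165.80: Flags [P.], seq 101:200, ack 501, win 512, length 99
10:00:00.002000 IP 192.168.2.165.80 > 192.168.2.10.51000: Flags [.], ack 200, win 512, length 0
10:00:00.005000 IP 192.168.2.165.80 > 192.168.2.10.51000: Flags [P.], seq 501:1400, ack 200, win 512, length 899
10:00:00.005100 IP 192.168.2.10.51000 > 192.168.2.165.80: Flags [.], ack 1400, win 512, length 0
10:00:00.010000 IP 192.168.2.10.51000 > 192.168.2.165.80: Flags [F.], seq 200, ack 1400, win 512, length 0
10:00:00.010200 IP 192.168.2.165.80 > 192.168.2.10.51000: Flags [F.], seq 1400, ack 201, win 512, length 0
10:00:00.010300 IP 192.168.2.10.51000 > 192.168.2.165.80: Flags [.], ack 1401, win 512, length 0
10:00:01.000000 IP 192.168.2.10.51001 > 192.168.2.165.443: Flags [.], ack 9000, win 512, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<length>\d+)"
)

def flow_key(src, sport, dst, dport):
    """Sort the two endpoints so both directions of a connection share one key."""
    a, b = (src, int(sport)), (dst, int(dport))
    return (a, b) if a <= b else (b, a)

def group_flows(text):
    """Fold tcpdump lines into per-connection records, marking start and end."""
    flows = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = flows.setdefault(flow_key(m["src"], m["sport"], m["dst"], m["dport"]),
                             {"segments": 0, "bytes": 0, "start": m["ts"], "end": m["ts"],
                              "handshake_seen": False, "closed": False})
        flags = m["flags"]
        f["segments"] += 1
        f["bytes"] += int(m["length"])
        f["end"] = m["ts"]
        if flags == "S":                  # bare SYN: connection start; [S.] is the SYN-ACK reply
            f["handshake_seen"] = True
        if "F" in flags or "R" in flags:  # FIN or RST: connection end
            f["closed"] = True
    return flows
```

A flow with `handshake_seen` False and only ACK segments (the second sample flow) was already open when the capture started, which is what the many [ACK]-only events in the question look like.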
Re: TCP Dump Splunk question, please Help!

Builder

Thanks, so basically the first Ack is a Get and the next two Acks are the Responses but the first three are only the 3-way handshake Acks for the connection creation.

One more question though: is this "HTTP HTTP/1.1 200 OK" considered to be a GET request, as in a response GET from the POST before it?

Re: TCP Dump Splunk question, please Help!

Legend

I think you're confusing terms here. HTTP traffic happens on the session layer whereas establishing TCP connections happens on the transport layer.

"HTTP/1.1 200 OK" is not a request, it is a response. It can be a response to both a POST and a GET (or most other HTTP methods as well for that matter).

Re: TCP Dump Splunk question, please Help!

Builder

I see, so what I can see in the TCP dumps is that the TCP Transport layer as the 'Source' is sending a request to the HTTP session layer as the destination to actually begin handling the data?

Re: TCP Dump Splunk question, please Help!

Legend

No...that's not what's happening. The layers aren't interacting in that way. The TCP packets carry data, in this case HTTP data. You should read up on the OSI model and how it works. TCP is acting as a transport. HTTP works on top of it.

Re: TCP Dump Splunk question, please Help!

Builder

Could you please give me an example of what one transaction would look like only for the [ACK] events?

Re: TCP Dump Splunk question, please Help!

Legend

The best way to create the transaction is described in my answer. The ack sequence IDs change all the time, so you will have a hard time creating a transaction out of only that.

Re: TCP Dump Splunk question, please Help!

SplunkTrust

I would strongly recommend going to Amazon and finding either the Stevens or Comer series on TCP/IP (or Both!) and studying up. You need to properly understand the protocols themselves before trying to use Splunk to process TCPDUMP data.

http://www.amazon.com/TCP-Illustrated-Protocols-Addison-Wesley-Professional/dp/0321336313

http://www.amazon.com/Internetworking-TCP-IP-Vol-5th/dp/0131876716

Re: TCP Dump Splunk question, please Help!

Motivator

Then, download a protocol analyzer to analyze the TCP connection data flow.

Example:
http://www.wireshark.org/
