Archive

TCP Dump Splunk question, please Help!

Builder

I have noticed that reading an output of a TCP dump is as follows:

  1. The requesting Host sends a synchronization flag (SYN) in a TCP segment to create a connection.

  2. The receiving Host 192.168.2.165 receives the SYN flag and returns an acknowledgment flag (ACK).

  3. The requesting Host 192.168.2.10 receives the SYN flag and returns it's own ACK flag.

But only 104 of my the network transactions are [SYN] or [SYN,ACK], the rest of the 14,711 are mostly just [ACK], which makes it even more confusing.

Whats this about and for what reason, how does I read it then?

I just want to create a splunk search that can basically group up each start and end transaction, How can this be done?

Tags (1)
1 Solution

Legend

The ACKs after the initial 3-way handshake are to acknowledge received packets, so you'll be seeing a lot of those. Without these ACK flags set the TCP delivery mechanisms wouldn't work. More information for instance here: http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Data_transfer

You can identify a unique transmission by creating a transaction based on the source host, source port, destination host and destination value.

View solution in original post

SplunkTrust
SplunkTrust

I would strongly recommend going to Amazon and finding either the Stevens or Comer series on TCP/IP (or Both!) and studying up. You need to properly understand the protocols themselves before trying to use Splunk to process TCPDUMP data.

http://www.amazon.com/TCP-Illustrated-Protocols-Addison-Wesley-Professional/dp/0321336313

http://www.amazon.com/Internetworking-TCP-IP-Vol-5th/dp/0131876716

Builder

Thanks guys, its going to be a good journey studying TCP/IP connections with those references, ill be sure to get the ebook version for both.

Although there are so many different tools out there that pretty much snoop different varieties of TCP Dump outputs, question is which one would be best to Splunk in the future?

0 Karma

Motivator

Then, download a protocol analyzer to analyze the TCP connection data flow.

Example:
http://www.wireshark.org/

0 Karma

Legend

The ACKs after the initial 3-way handshake are to acknowledge received packets, so you'll be seeing a lot of those. Without these ACK flags set the TCP delivery mechanisms wouldn't work. More information for instance here: http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Data_transfer

You can identify a unique transmission by creating a transaction based on the source host, source port, destination host and destination value.

View solution in original post

Legend

The best way to create the transaction is described in my answer. The ack sequence ID's change all the time so you will have a hard time creating a transaction out of only that.

0 Karma

Builder

Could you please give me an example of what one transaction would look like only for the [ACK] events?

0 Karma

Legend

No...that's not what's happening. The layers aren't interacting in that way. The TCP packets carry data, in this case HTTP data. You should read up on the OSI model and how it works. TCP is acting as a transport. HTTP works on top of it.

Builder

I see, so what I can see in the TCP dumps is that the TCP Transport layer as the 'Source' is sending a request to the HTTP session layer as the destination to actually begin handling the data?

0 Karma

Legend

I think you're confusing terms here. HTTP traffic happens on the session layer whereas establishing TCP connections happens on the transport layer.

"HTTP/1.1 200 OK" is not a request, it is a response. It can be a response to both a POST and a GET (or most other HTTP methods as well for that matter).

0 Karma

Builder

Thanks, so basically the first Ack is a Get and the next two Acks are the Responses but the first three are only the 3-way handshake Acks for the connection creation.

One more question though, is this "HTTP HTTP/1.1 200 OK" considered to be a GET request?, as in a response GET from the POST before it?

0 Karma