Interpretation of ra output...
Russell Fulton
r.fulton at auckland.ac.nz
Mon Mar 13 15:06:37 EST 2000
Thanks Carter,
On Mon, 13 Mar 2000 05:11:31 -0800 Carter Bullard
<cbullard at nortelnetworks.com> wrote:
> Hey Russell,
> My interpretation is that someone is doing something
> using TCP SYN packets, but using some of your addresses
> as the source. You, of course, receive the SYN_ACK's,
> and of course your machine doesn't have a TCP in the
> right state for the ACK, so it RST's it.
Duh!! I have worked this out before in other cases like this. I got
hung up on whether I had the directions right and had not thought too
hard about what would cause this garbage.
I assume, since you have not corrected me, that my interpretation of the
order and direction was correct. This illustrates the advantage of
displaying all the state information in ra. ra as distributed displays
all these as RST and you have to use fullra to get any idea what is
actually happening. Furthermore, you are left with the impression that
the traffic was 'initiated' by the address listed as source.
And thanks for the explanation of the TTL values -- most useful.
Cheers, Russell
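
The pattern discussed in this thread (SYN-ACKs arriving for connections the local host never opened, which it then answers with RSTs), as an added example that is not part of the original messages and is not Argus code. The `Pkt` record, the flag strings and the documentation-range addresses are constructed assumptions, not ra output.

```python
import ipaddress
from collections import namedtuple

# Constructed packet record; flags use a compact string ("S", "SA", "A", "R").
Pkt = namedtuple("Pkt", "ts src sport dst dport flags")

LOCAL_NET = "192.0.2.0/24"  # assumed local network (documentation range)

# Constructed sample: one real outbound connection, then two unsolicited SYN-ACKs.
SAMPLE = [
    Pkt(1.0, "192.0.2.10", 40000, "198.51.100.5", 80, "S"),
    Pkt(1.1, "198.51.100.5", 80, "192.0.2.10", 40000, "SA"),
    Pkt(1.2, "192.0.2.10", 40000, "198.51.100.5", 80, "A"),
    Pkt(2.0, "203.0.113.7", 80, "192.0.2.20", 1234, "SA"),  # no SYN from us
    Pkt(2.1, "192.0.2.20", 1234, "203.0.113.7", 80, "R"),   # live host resets it
    Pkt(3.0, "203.0.113.7", 80, "192.0.2.99", 5555, "SA"),  # unused address: silence
]

def find_backscatter(packets, local_net):
    """Return (local_ip, remote_ip, answered_with_rst) per unsolicited SYN-ACK."""
    net = ipaddress.ip_network(local_net)

    def is_local(ip):
        return ipaddress.ip_address(ip) in net

    syn_sent = set()   # connections a local host really opened
    unsolicited = {}   # connection key -> True once the local host sent RST
    for p in sorted(packets, key=lambda p: p.ts):
        key_out = (p.src, p.sport, p.dst, p.dport)  # packet as sent by local side
        key_in = (p.dst, p.dport, p.src, p.sport)   # same connection, inbound packet
        if p.flags == "S" and is_local(p.src):
            syn_sent.add(key_out)
        elif p.flags == "SA" and is_local(p.dst) and key_in not in syn_sent:
            unsolicited.setdefault(key_in, False)
        elif "R" in p.flags and is_local(p.src) and key_out in unsolicited:
            # The RST is a reaction to the SYN-ACK, not traffic the host initiated.
            unsolicited[key_out] = True
    return [(k[0], k[2], rst) for k, rst in unsolicited.items()]

if __name__ == "__main__":
    for local, remote, rst in find_backscatter(SAMPLE, LOCAL_NET):
        print(f"{local} was used as a spoofed source toward {remote}; RST sent: {rst}")
```
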