Technical data
Troubleshooting Techniques and Tools
1.2 Isolating Problems
• window
The number of bytes of receive buffer space available from the other direction
on this connection.
•
urgent
Indicates there is urgent data in the packet.
• options
The TCP options enclosed in angle brackets. For example:
<mss 1024>
The
src
,
dst
, and
flags
fields are always present. The other fields depend on the
contents of the packet’s TCP protocol header and are output only if appropriate.
Examples
The following example shows the opening portion of an RLOGIN session from
host rtsg to host csam:
rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
rtsg.1023 > csam.login: . ack 1 win 4096
rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
csam.login > rtsg.1023: . ack 2 win 4096
rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1
The example shows the following sequence of communication:
• The first line indicates that TCP port 1023 on system rtsg sent a packet
to port login on host csam. The S indicates that the SYN flag was set.
The packet sequence number was 768512 and it contained no data. (The
notation is first:last(nbytes), which means sequence numbers first up to but
not including last, which is nbytes bytes of user data.) There was no piggy-
backed ack, the available receive window was 4096 bytes and there was a
max-segment-size
option requesting an
mss
of 1024 bytes.
• Host csam replies with a similar packet except that it includes a piggy-backed
ack for the SYN sent by rtsg.
• Host rtsg then sends an ack reply to the SYN sent by csam. The period (.)
means no flags were set. The packet contained no data, so there is no data
sequence number. Note that the ack sequence number is a small integer (1).
The first time
tcpdump
sees a TCP conversation, it displays the sequence
number from the packet.
• On subsequent packets of the conversation, the difference between the current
packet’s sequence number and this initial sequence number is displayed.
Thus, sequence numbers after the first can be interpreted as relative byte
positions in the conversation’s data stream (with the first data byte each
direction being 1). The -S option overrides this feature, causing the original
sequence numbers to be output.
• The sixth line indicates that host rtsg sends host csam 19 bytes of data (bytes
2 through 20 in the rtsg-to-csam side of the conversation). The PUSH flag is
set in the packet.
Troubleshooting Techniques and Tools 1–17