Monday, January 11, 2010

Identifying TCP Retries

When looking at packet dumps, distinguishing TCP retry packets from network scanning is straightforward. Look for these characteristics:

  1. Source ports will remain the same across all packets, as this is the same connection attempt.
  2. The TCP Sequence numbers will also remain the same, for the same reason.
  3. IP ID numbers will increment, because the sending host is creating a new packet each time.
  4. Time stamps will increase by a predictable interval. This is due to the TCP back-off algorithm, which waits an increasing amount of time before sending the next retransmission attempt. Usually the time between attempts will double; for example 3, then 6, then 12 seconds between attempts.
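
The four checks above, applied to a series of SYNs as an added example (not code from the original post). It assumes the source port, sequence number, IP ID and capture time have already been pulled out of the dump (for instance from `tcpdump -v` output); the packet records below are constructed sample data.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Syn:
    """One SYN as extracted from a capture (constructed sample data below)."""
    ts: float       # capture time, seconds
    src_port: int
    seq: int        # TCP sequence number (ISN)
    ip_id: int      # IP identification field

def is_retry_series(pkts: List[Syn], tol: float = 0.5) -> bool:
    """True if these SYNs look like retransmissions of one connection
    attempt (same socket, same ISN, fresh IP IDs, doubling back-off)
    rather than separate probes."""
    if len(pkts) < 2:
        return False
    pkts = sorted(pkts, key=lambda p: p.ts)
    # 1 and 2: a single source port and a single ISN across the series
    if len({p.src_port for p in pkts}) != 1 or len({p.seq for p in pkts}) != 1:
        return False
    # 3: IP ID grows (a new datagram each time); 16-bit wrap-around allowed.
    # Caveat: some stacks send a fixed IP ID on DF packets, so treat this
    # as supporting evidence rather than proof on its own.
    for a, b in zip(pkts, pkts[1:]):
        if not 0 < (b.ip_id - a.ip_id) % 65536 < 32768:
            return False
    # 4: each gap is roughly double the previous one (within tol)
    gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
    for g1, g2 in zip(gaps, gaps[1:]):
        if g1 <= 0 or abs(g2 / g1 - 2.0) > tol:
            return False
    return True

# Constructed samples: a client retrying one SYN with 3/6/12 s back-off...
RETRIES = [Syn(0.0, 51234, 0x1a2b3c4d, 1000), Syn(3.0, 51234, 0x1a2b3c4d, 1001),
           Syn(9.0, 51234, 0x1a2b3c4d, 1002), Syn(21.0, 51234, 0x1a2b3c4d, 1003)]
# ...versus separate probes (new port and ISN each time, steady rate)
PROBES = [Syn(0.0, 40001, 0x11111111, 500), Syn(1.0, 40002, 0x22222222, 501),
          Syn(2.0, 40003, 0x33333333, 502), Syn(3.0, 40004, 0x44444444, 503)]

if __name__ == "__main__":
    print("retries:", is_retry_series(RETRIES))  # True
    print("probes:", is_retry_series(PROBES))    # False
```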
