Gibson; Ch 8; packet capture log; Clarification on src/dst port
gunther123
In Darril Gibson's book, Security+ Get Certified Get Ahead, Ch 8, Practice Question 16, he provides a sample packet capture log of:
"16:12:50, src 10.80.1.5:3389, dst 192.168.1.100:8080, syn/ack"
The question asks what this entry shows.
The answer says "...a source (src) system with an IP of 10.80.1.5 sent a connection attempt using port 3389..." 3389 is the RDP port.
I'm confused on why the source port is 3389 as opposed to the destination port. If 10.80.1.5 is sending a connection attempt for RDP, shouldn't the dst port be 3389? The RDP client could use any open, high-level port to open the connection. I'm not very experienced with reading packet logs, so I'm hoping someone with some insight could help shed some light here.
Thank you.
-Michael
Comments
NotHackingYou
I would guess that what Darril means here is that 3389 was the egress port on 10.80.1.5. Keep in mind that in TCP, there really are two port numbers we care about - source machine's egress port and destination machine's ingress port. When data flows back to the original source from the original destination, it will egress the original destination port and ingress the original source port.
ypark
I believe CarlSaiyed nailed it but to expand further, the entire handshake would've looked something like this:
src 192.168.1.100:8080, dst 10.80.1.5:3389, syn
src 10.80.1.5:3389, dst 192.168.1.100:8080, syn/ack
src 192.168.1.100:8080, dst 10.80.1.5:3389, ack
192.168.1.100 would be the host initiating RDP to host 10.80.1.5.
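The rule ypark's reconstruction rests on (a bare SYN comes from the client, so its destination port is the service port; a SYN/ACK comes from the server, so its source port is the service port) can be checked mechanically. The following is an added example, not code from the thread or from Gibson's book: it parses entries in the book's `time, src ip:port, dst ip:port, flags` layout and walks the three-way handshake to name client, server and service port. The timestamp is treated as optional so that ypark's untimestamped lines parse too, and that layout is inferred from the single sample line in the question; the sample log below is constructed from the lines quoted in this thread.

```python
import re
from dataclasses import dataclass

# Layout inferred from the book's sample line; the leading timestamp is
# optional so the untimestamped handshake lines in the thread parse as well.
ENTRY_RE = re.compile(
    r"^(?:(?P<time>\d{2}:\d{2}:\d{2}),\s*)?"
    r"src\s+(?P<src_ip>[\d.]+):(?P<src_port>\d+),\s*"
    r"dst\s+(?P<dst_ip>[\d.]+):(?P<dst_port>\d+),\s*"
    r"(?P<flags>[A-Za-z/]+)$"
)

# The line quoted from the book, and the handshake as reconstructed in the thread.
BOOK_ENTRY = "16:12:50, src 10.80.1.5:3389, dst 192.168.1.100:8080, syn/ack"
HANDSHAKE_LOG = [
    "src 192.168.1.100:8080, dst 10.80.1.5:3389, syn",
    "src 10.80.1.5:3389, dst 192.168.1.100:8080, syn/ack",
    "src 192.168.1.100:8080, dst 10.80.1.5:3389, ack",
]


@dataclass(frozen=True)
class Entry:
    time: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset  # e.g. frozenset({"syn", "ack"})


def parse_entry(line: str) -> Entry:
    """Parse one capture-log line into an Entry; raise on anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log entry: {line!r}")
    return Entry(
        time=m["time"] or "",
        src_ip=m["src_ip"], src_port=int(m["src_port"]),
        dst_ip=m["dst_ip"], dst_port=int(m["dst_port"]),
        flags=frozenset(f.lower() for f in m["flags"].split("/")),
    )


def classify_handshake(entries):
    """Walk entries in order and report who is client, who is server.

    A bare SYN identifies the client (sender) and the service port (its dst
    port). A SYN/ACK identifies the server (sender) and the service port (its
    src port). A lone SYN/ACK, as in the book's question, is enough to name
    the server; 'complete' is only set once the final ACK is seen.
    """
    result = {"client": None, "server": None, "service_port": None, "complete": False}
    state = "idle"
    for e in entries:
        syn, ack = "syn" in e.flags, "ack" in e.flags
        sender, receiver = (e.src_ip, e.src_port), (e.dst_ip, e.dst_port)
        if state == "idle" and syn and not ack:
            # Client opens: destination port is the listening service port.
            result.update(client=sender, server=receiver, service_port=e.dst_port)
            state = "syn_sent"
        elif state in ("idle", "syn_sent") and syn and ack:
            # Server answers: its *source* port is the service port (3389 here).
            if state == "syn_sent" and sender != result["server"]:
                continue  # SYN/ACK from an unrelated host; ignore it
            result.update(client=receiver, server=sender, service_port=e.src_port)
            state = "syn_received"
        elif state == "syn_received" and ack and not syn and sender == result["client"]:
            result["complete"] = True
            state = "established"
    return result


if __name__ == "__main__":
    print(classify_handshake([parse_entry(BOOK_ENTRY)]))
    print(classify_handshake(parse_entry(l) for l in HANDSHAKE_LOG))
```

Run on the book's single SYN/ACK line, this names 10.80.1.5:3389 as the server and 192.168.1.100 as the client without needing the rest of the handshake, which is exactly the inference the answer key expects; run on ypark's three lines it additionally marks the connection as established.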
gunther123
Thank you. After looking at the entire answer, I noticed at the end that it stated:
"...this entry indicates that it is a SYN/ACK (synchronize/acknowledge) packet establishing a connection."
And after reviewing the 3-way handshake and with ypark's explanation, it is clear that 10.80.1.5 is the server/target of the RDP session, and therefore it makes perfect sense that port 3389 would be associated with that IP in the question's sample.
Thanks!
techtia
Man you would have to give me multiple choice of A, B, C, or D.
I can't help you here without that.
dhay13
Basic 3 way handshake. Fire up Wireshark and capture some packets and break them down. ypark explained it pretty good. Take a look at that explanation and reverse engineer it. It might make more sense then.
TechGuru80
As already said...the syn/ack is an important piece of information. Although with the choices of answers you can help narrow down the correct choice...they can help you identify the context.