Gibson; Ch 8; packet capture log; Clarification on src/dst port

gunther123 Member Posts: 12
In Darril Gibson's book, Security+ Get Certified Get Ahead, Ch 8, Practice Question 16, he provides a sample packet capture log of:

"16:12:50, src 10.80.1.5:3389, dst 192.168.1.100:8080, syn/ack"

The question asks what this entry shows?

The answer says "...a source (src) system with an IP of 10.80.1.5 sent a connection attempt using port 3389..." 3389 is the RDP port.

I'm confused on why the source port is 3389 as opposed to the destination port. If 10.80.1.5 is sending a connection attempt for RDP, shouldn't the dst port be 3389? The RDP client could use any open, high-level port to open the connection. I'm not very experienced with reading packet logs, so I'm hoping someone with some insight could help shed some light here.

Thank you.

-Michael

Comments

  • NotHackingYou Member Posts: 1,460
    I would guess that what Darril means here is that 3389 was the egress port on 10.80.1.5. Keep in mind that in TCP, there really are two port numbers we care about - source machine's egress port and destination machine's ingress port. When data flows back to the original source from the original destination, it will egress the original destination port and ingress the original source port.
    When you go the extra mile, there's no traffic.
  • ypark Member Posts: 120
    I believe CarlSaiyed nailed it but to expand further, the entire handshake would've looked something like this:

    src 192.168.1.100:8080, dst 10.80.1.5:3389, syn
    src 10.80.1.5:3389, dst 192.168.1.100:8080, syn/ack
    src 192.168.1.100:8080, dst 10.80.1.5:3389, ack

    192.168.1.100 would be the host initiating RDP to host 10.80.1.5.
    2022 Goals: [PCNSE] [JNCIS-SP] [JNCIS-SEC] [JNCIS-DevOps]
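To make the point of the exchange above concrete, here is a small added example (not code from the thread or from Gibson's book) that parses entries in the "time, src ip:port, dst ip:port, flags" format quoted from the question and works out which side initiated the connection. The rule it encodes is the one ypark describes: on a SYN the destination port is the service port, on a SYN/ACK the source port is, and a bare ACK only makes sense against the earlier lines. The regex, the `SERVICE_NAMES` table, and the timestamps on the three constructed handshake lines are assumptions added for the example.

```python
"""Interpret entries of a simple 'time, src ip:port, dst ip:port, flags' packet log
and recover which host is the TCP client (initiator) and which is the server."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Assumed line format, modelled on the entry quoted in the question.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}),\s*"
    r"src\s+(?P<sip>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d{1,5}),\s*"
    r"dst\s+(?P<dip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d{1,5}),\s*"
    r"(?P<flags>[a-z]+(?:/[a-z]+)*)$",
    re.IGNORECASE,
)

# Assumed labels for the two ports that appear in the sample; purely cosmetic.
SERVICE_NAMES = {3389: "RDP", 8080: "HTTP-alt"}

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Entry:
    time: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str


def parse_line(line: str) -> Entry:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return Entry(m["time"], m["sip"], int(m["sport"]), m["dip"], int(m["dport"]),
                 m["flags"].lower())


def interpret(entry: Entry) -> dict:
    """Read one line in isolation. Only a SYN or a SYN/ACK identifies the initiator:
    a SYN goes client -> server, a SYN/ACK goes server -> client, so the service
    port is the dst port of a SYN but the src port of a SYN/ACK."""
    src: Endpoint = (entry.src_ip, entry.src_port)
    dst: Endpoint = (entry.dst_ip, entry.dst_port)
    if entry.flags == "syn":
        client, server = src, dst
    elif entry.flags == "syn/ack":
        client, server = dst, src
    else:
        raise ValueError("a bare ACK does not identify the initiator on its own")
    return {"client": client, "server": server,
            "service": SERVICE_NAMES.get(server[1], "unknown")}


def track_handshakes(lines: Iterable[str]) -> Dict[Tuple[Endpoint, Endpoint], str]:
    """Walk a log and pair SYN, SYN/ACK and ACK into handshakes keyed by
    (client, server). Entries keep a state name so partial handshakes (e.g. a
    capture that starts at the SYN/ACK, like the book's sample) are still visible."""
    state: Dict[Tuple[Endpoint, Endpoint], str] = {}
    for line in lines:
        e = parse_line(line)
        fwd = ((e.src_ip, e.src_port), (e.dst_ip, e.dst_port))  # key if src is client
        rev = (fwd[1], fwd[0])                                   # key if src is server
        if e.flags == "syn":
            state[fwd] = "syn_sent"
        elif e.flags == "syn/ack":
            # The replying host is the server, so the connection key is reversed.
            state[rev] = "syn_received" if state.get(rev) == "syn_sent" else "syn_ack_only"
        elif e.flags == "ack":
            if state.get(fwd) in ("syn_received", "syn_ack_only"):
                state[fwd] = "established"
    return state


# Constructed sample: ypark's three handshake lines with timestamps added.
SAMPLE_LOG = [
    "16:12:49, src 192.168.1.100:8080, dst 10.80.1.5:3389, syn",
    "16:12:50, src 10.80.1.5:3389, dst 192.168.1.100:8080, syn/ack",
    "16:12:50, src 192.168.1.100:8080, dst 10.80.1.5:3389, ack",
]
BOOK_LINE = "16:12:50, src 10.80.1.5:3389, dst 192.168.1.100:8080, syn/ack"

if __name__ == "__main__":
    print(interpret(parse_line(BOOK_LINE)))
    for conn, st in track_handshakes(SAMPLE_LOG).items():
        print(conn, st)
```

Run as a script it prints that 192.168.1.100:8080 is the client and 10.80.1.5:3389 the RDP server for the book's line, and that the three constructed lines form one established handshake. When reading real captures the same orientation rule applies: the side that sends the SYN/ACK owns the service port, whatever number happens to be on the other end.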
  • gunther123 Member Posts: 12
    Thank you. After looking at the entire answer, I noticed at the end that it stated:

    "...this entry indicates that it is a SYN/ACK (synchronize/acknowledge) packet establishing a connection."

    And after reviewing the 3-way handshake and with ypark's explanation, it is clear that 10.80.1.5 is the server/target of the RDP session, and it therefore makes perfect sense that port 3389 would be associated with that IP in the question's sample.

    Thanks!
  • techtia Member Posts: 144
    Man you would have to give me multiple choice of A, B, C, or D.

    I can't help you here without that.
  • dhay13 Member Posts: 580
    Basic 3-way handshake. Fire up Wireshark and capture some packets and break them down. ypark explained it pretty well. Take a look at that explanation and reverse engineer it. It might make more sense then.
  • TechGuru80 Member Posts: 1,539
    As already said...the syn/ack is an important piece of information. Although with the choices of answers you can help narrow down the correct choice...they can help you identify the context.