 
From: Christian, Chris (chris.christianintel.com)
Date: Mon Jan 28 2002 - 18:35:42 CST


    Perry,

    Yes, the client and server are on different subnets.
    This is something that is required. There are several
    router hops in the middle, and they are indeed passing the packets.

    traceroute to 10.9.138.243 (10.9.138.243), 30 hops max, 40 byte packets
     1 jf1or-60 (10.241.60.3) 0.518 ms 0.451 ms 0.418 ms
     2 jfeg1.eg.intel.com (10.9.224.9) 1.041 ms 0.680 ms 0.736 ms
     3 egjf1-pos5-1-0.eg.intel.com (10.9.224.1) 1.046 ms 0.811 ms 0.749 ms
     4 umbra2 (10.9.138.243) 0.737 ms 1.004 ms 0.751 ms

    Client tcpdump:

    % tcpdump -i eth0 -nep | grep 10.9.138.243
    tcpdump: listening on eth0
    00:31:23.621805 0:4:ac:da:9c:da 0:0:c:7:ac:3 0800 67: 10.241.60.243.2807 >
    10.9.138.243.69: 25 WRQ "/tftpboot/foo"
    00:31:23.626398 0:e0:34:5:19:1 0:4:ac:da:9c:da 0800 60: 10.9.138.243.1040 >
    10.241.60.243.2807: udp 4
    00:31:28.622396 0:e0:34:5:19:1 0:4:ac:da:9c:da 0800 60: 10.9.138.243.1040 >
    10.241.60.243.2807: udp 4
    00:31:33.612894 0:4:ac:da:9c:da 0:0:c:7:ac:3 0800 67: 10.241.60.243.2807 >
    10.9.138.243.1040: udp 25
    00:31:38.612867 0:4:ac:da:9c:da 0:0:c:7:ac:3 0800 67: 10.241.60.243.2807 >
    10.9.138.243.1040: udp 25
    00:31:38.613245 0:e0:34:5:19:1 0:4:ac:da:9c:da 0800 60: 10.9.138.243.1040 >
    10.241.60.243.2807: udp 4
    00:31:43.612871 0:4:ac:da:9c:da 0:0:c:7:ac:3 0800 67: 10.241.60.243.2807 >
    10.9.138.243.1040: udp 25
    00:31:48.604423 0:e0:34:5:19:1 0:4:ac:da:9c:da 0800 60: 10.9.138.243.1040 >
    10.241.60.243.2807: udp 4
    00:31:53.602879 0:4:ac:da:9c:da 0:0:c:7:ac:3 0800 67: 10.241.60.243.2807 >
    10.9.138.243.1040: udp 25
    00:31:58.595150 0:e0:34:5:19:1 0:4:ac:da:9c:da 0800 60: 10.9.138.243.1040 >
    10.241.60.243.2807: udp 4
    00:32:03.595694 0:e0:34:5:19:1 0:4:ac:da:9c:da 0800 60: 10.9.138.243.1040 >
    10.241.60.243.2807: udp 4
    00:32:08.596115 0:e0:34:5:19:1 0:4:ac:da:9c:da 0800 60: 10.9.138.243.1040 >
    10.241.60.243.2807: udp 4
    00:32:13.596581 0:e0:34:5:19:1 0:4:ac:da:9c:da 0800 60: 10.9.138.243.1040 >
    10.241.60.243.2807: udp 4
    00:32:18.597122 0:e0:34:5:19:1 0:4:ac:da:9c:da 0800 60: 10.9.138.243.1040 >
    10.241.60.243.2807: udp 4
    00:32:23.597545 0:e0:34:5:19:1 0:4:ac:da:9c:da 0800 60: 10.9.138.243.1040 >
    10.241.60.243.2807: udp 4

    Server tcpdump:

    % tcpdump -i eth0 -nep | grep 10.241.60.243
    Kernel filter, protocol ALL, datagram packet socket
    tcpdump: listening on eth0
    00:31:23.628865 < 0:d0:d3:37:8b:54 0:0:0:0:0:1 ip 67: 10.241.60.243.2807 >
    10.9.138.243.tftp: 25 WRQ "/tftpboot/foo"
    00:31:23.632462 > 0:0:0:0:0:0 0:50:8b:e1:fd:7e ip 46: 10.9.138.243.1040 >
    10.241.60.243.2807: udp 4
    00:31:28.628663 > 0:0:0:0:0:0 0:50:8b:e1:fd:7e ip 46: 10.9.138.243.1040 >
    10.241.60.243.2807: udp 4
    00:31:33.619784 < 0:d0:d3:37:8b:54 0:0:0:0:0:1 ip 67: 10.241.60.243.2807 >
    10.9.138.243.1040: udp 25
    00:31:38.619599 > 0:0:0:0:0:0 0:50:8b:e1:fd:7e ip 46: 10.9.138.243.1040 >
    10.241.60.243.2807: udp 4
    00:31:38.619816 < 0:d0:d3:37:8b:54 0:0:0:0:0:1 ip 67: 10.241.60.243.2807 >
    10.9.138.243.1040: udp 25
    00:31:43.619768 < 0:d0:d3:37:8b:54 0:0:0:0:0:1 ip 67: 10.241.60.243.2807 >
    10.9.138.243.1040: udp 25
    00:31:48.610554 > 0:0:0:0:0:0 0:50:8b:e1:fd:7e ip 46: 10.9.138.243.1040 >
    10.241.60.243.2807: udp 4
    00:31:53.609758 < 0:d0:d3:37:8b:54 0:0:0:0:0:1 ip 67: 10.241.60.243.2807 >
    10.9.138.243.1040: udp 25
    00:31:58.601505 > 0:0:0:0:0:0 0:50:8b:e1:fd:7e ip 46: 10.9.138.243.1040 >
    10.241.60.243.2807: udp 4
    00:32:03.601979 > 0:0:0:0:0:0 0:50:8b:e1:fd:7e ip 46: 10.9.138.243.1040 >
    10.241.60.243.2807: udp 4
    00:32:08.602458 > 0:0:0:0:0:0 0:50:8b:e1:fd:7e ip 46: 10.9.138.243.1040 >
    10.241.60.243.2807: udp 4
    00:32:13.602933 > 0:0:0:0:0:0 0:50:8b:e1:fd:7e ip 46: 10.9.138.243.1040 >
    10.241.60.243.2807: udp 4
    00:32:18.603409 > 0:0:0:0:0:0 0:50:8b:e1:fd:7e ip 46: 10.9.138.243.1040 >
    10.241.60.243.2807: udp 4
    00:32:23.603885 > 0:0:0:0:0:0 0:50:8b:e1:fd:7e ip 46: 10.9.138.243.1040 >
    10.241.60.243.2807: udp 4

    Chris Christian
    SMG-It - Network Security Engineer
    Intel Corporation

    -----Original Message-----
    From: waglewirex.com [mailto:waglewirex.com]
    Sent: Monday, January 28, 2002 4:26 PM
    To: chris.christianintel.com
    Cc: immunix-userswirex.com
    Subject: RE: TFTP on Immunix 7.0 (How To)

    > The tcpdump looks like: (tcpdump -I eth0 -n | grep 10.241.60.243)

    The client and the server are on different subnets? Is the thing in
    the middle passing the packets to the clients subnet? What does
    tcpdump look like on the client's subnet?

    Also, add "-e" and "-p" options to the tcpdump and grep for the
    client's mac address (catches ARP, etc).

    -- Perry
    _______________________________________________
    Immunix-users mailing list
    Immunix-usersmail.wirex.com
    http://mail.wirex.com/mailman/listinfo/immunix-users
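The two captures above show the one TFTP detail that matters when reading them: the WRQ goes to port 69, but every server reply comes from a different port (1040 here), which is the server's transfer ID under RFC 1350. The following is an added example, not code from the thread or from Immunix; it parses "tcpdump -e -n" summary lines in the shape shown above (a few of them rejoined onto one line each as constructed input) and reconstructs the exchange so that the port change and the ACK-sized replies are reported explicitly.

```python
import re
from collections import namedtuple

# Constructed sample: four lines in the shape of the client-side tcpdump
# above, each packet rejoined onto one line. Added test data only.
CLIENT_CAPTURE = """\
00:31:23.621805 0:4:ac:da:9c:da 0:0:c:7:ac:3 0800 67: 10.241.60.243.2807 > 10.9.138.243.69: 25 WRQ "/tftpboot/foo"
00:31:23.626398 0:e0:34:5:19:1 0:4:ac:da:9c:da 0800 60: 10.9.138.243.1040 > 10.241.60.243.2807: udp 4
00:31:28.622396 0:e0:34:5:19:1 0:4:ac:da:9c:da 0800 60: 10.9.138.243.1040 > 10.241.60.243.2807: udp 4
00:31:33.612894 0:4:ac:da:9c:da 0:0:c:7:ac:3 0800 67: 10.241.60.243.2807 > 10.9.138.243.1040: udp 25
"""

Packet = namedtuple("Packet", "ts src sport dst dport length")

# tcpdump -e -n summary: ts srcmac dstmac ethertype framelen: src.port > dst.port: ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+ \S+ \d+: "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?:udp )?(?P<len>\d+)"
)

def parse(capture):
    """Turn summary lines into Packet tuples; lines that do not match are skipped."""
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append(Packet(m["ts"], m["src"], int(m["sport"]),
                               m["dst"], int(m["dport"]), int(m["len"])))
    return pkts

def analyse_tftp(pkts, server_ip, tftp_port=69):
    """Reconstruct the TFTP exchange with server_ip.

    RFC 1350: the request goes to port 69, but the server answers from a fresh
    ephemeral port (its transfer ID) and the rest of the transfer runs between
    the client's port and that TID. A stateful filter that only tracks the
    port-69 flow will not treat the reply as related traffic."""
    seen = {"request": None, "server_tid": None, "server_acks": 0, "client_to_tid": 0}
    for p in pkts:
        if p.dst == server_ip and p.dport == tftp_port:
            seen["request"] = (p.src, p.sport, p.length)
        elif p.src == server_ip and p.sport != tftp_port:
            seen["server_tid"] = p.sport
            if p.length == 4:            # opcode + block number: the size of an ACK
                seen["server_acks"] += 1
        elif p.dst == server_ip and p.dport == seen["server_tid"]:
            seen["client_to_tid"] += 1
    return seen

if __name__ == "__main__":
    print(analyse_tftp(parse(CLIENT_CAPTURE), "10.9.138.243"))
```

Run against a full client-side capture, a non-zero server_tid with zero client_to_tid would point at the reply to the new port never reaching the client, while the numbers above show both directions passing as Chris reports.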