
Can I tell if TCP traffic was sent by a firewall and not one of the hosts?


If I look at a trace, is it possible to tell whether a frame was sent by a switch or a firewall and not by one host or the other? Like if a socket is moving along and suddenly one of the hosts sends a reset, how do I know if I'm the victim of deep packet filtering by a switch? Is there something at the TCP or ethernet level that's a clue?

thanks

pappythesailor
asked 2020-05-05 15:19:07 +0000, updated 2020-05-05 15:24:10 +0000

Comments

Can you recreate this for a test? Have you looked at ip.ttl ?

Chuckc (2020-05-05 15:34:56 +0000)

Thanks for answering. I can't reproduce it at will, but in my job I see this kind of thing constantly. The ip.ttl is 125 in the latest example. What is that telling me please?

pappythesailor (2020-05-05 15:42:05 +0000)

Maybe this helps - TCP RST and TTL

Chuckc (2020-05-05 15:46:52 +0000)

2 Answers


Sometimes the IP TTL can give a clue. Sometimes the timing of the packets as well. As usual, it depends.

Jaap
answered 2020-05-05 15:58:33 +0000


The ip.ttl is telling you a couple of things. 1) After 125 more hops the packet will be discarded. 2) It could be telling you which device is actually sending that packet. Windows devices start with one TTL and Cisco devices, for example, will start with a different TTL. If you are seeing packets on the same network from the same IP but with different TTLs, this would tell you that another device is "standing in" for the IP. Compare the TTLs of sent packets with the same IPs. If you see a different TTL, this would indicate two different devices.

smacznego
answered 2020-05-05 16:07:59 +0000, updated 2020-05-05 16:09:57 +0000

Comments

Thank you, Bubba. I understand. If anyone has any other tricks too, I'm glad to learn.

pappythesailor (2020-05-05 16:15:21 +0000)
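The TTL comparison smacznego describes, worked through as an added example that is not part of this thread: it runs over a small constructed trace (not the asker's capture) and flags a source IP that shows up with two different TTLs, plus an RST whose TTL does not match the rest of that conversation. The 64/128/255 initial values are the common Linux, Windows and Cisco defaults; the 125-versus-250 numbers are made up for the sample.

```python
from collections import Counter, defaultdict

# Constructed sample trace: (frame_no, src_ip, dst_ip, ip_ttl, tcp_flags).
# Frames 1-5 are a normal handshake and data; frame 6 is a RST that claims
# the remote host's IP but arrives with a TTL the host never used before.
FRAMES = [
    (1, "10.0.0.5", "203.0.113.7", 64, "SYN"),
    (2, "203.0.113.7", "10.0.0.5", 125, "SYN,ACK"),
    (3, "10.0.0.5", "203.0.113.7", 64, "ACK"),
    (4, "10.0.0.5", "203.0.113.7", 64, "PSH,ACK"),
    (5, "203.0.113.7", "10.0.0.5", 125, "ACK"),
    (6, "203.0.113.7", "10.0.0.5", 250, "RST,ACK"),
]

# Common initial TTLs: Linux 64, Windows 128, Cisco/network gear 255.
INITIAL_TTLS = (64, 128, 255)


def estimate_origin(ttl):
    """Guess the sender's initial TTL and how many hops away it sits."""
    for start in INITIAL_TTLS:
        if ttl <= start:
            return start, start - ttl
    return None, None


def ttl_profile(frames):
    """Count every TTL value seen per source IP across the trace."""
    profile = defaultdict(Counter)
    for _, src, _, ttl, _ in frames:
        profile[src][ttl] += 1
    return profile


def sources_with_multiple_ttls(frames):
    """IPs seen with more than one TTL: another device is 'standing in'."""
    return sorted(ip for ip, ttls in ttl_profile(frames).items() if len(ttls) > 1)


def suspicious_resets(frames):
    """RSTs whose TTL differs from what the same src->dst pair used in non-RST frames."""
    baseline = defaultdict(Counter)
    for _, src, dst, ttl, flags in frames:
        if "RST" not in flags:
            baseline[(src, dst)][ttl] += 1
    hits = []
    for no, src, dst, ttl, flags in frames:
        if "RST" in flags and baseline[(src, dst)]:
            expected = baseline[(src, dst)].most_common(1)[0][0]
            if ttl != expected:
                hits.append((no, src, ttl, expected))
    return hits
```

On the sample, 203.0.113.7 is flagged with TTLs 125 and 250, and frame 6 is reported as a reset that looks roughly five hops away from a 255-default device rather than three hops from a 128-default host.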
