Can I tell if TCP traffic was sent by a firewall and not one of the hosts?

asked 2020-05-05 15:19:07 +0000

updated 2020-05-05 15:24:10 +0000

If I look at a trace, is it possible to tell whether a frame was sent be a switch or a firewall and not by one host or the other? Like if a socket it moving along and suddenly one of the hosts sends a reset, how do I know if I'm the victim of deep packet filtering by a switch? Is there something at the TCP or ethernet level that's a clue?

thanks

edit retag flag offensive close merge delete

Comments

Can you recreate this for a test? Have you looked at ip.ttl ?

Chuckc ( 2020-05-05 15:34:56 +0000 )edit

Thanks for answering. I can't reproduce it will but in my job, I see this kind of thing constantly. The ip.ttl is 125 in the latest example. What is that telling me please?

pappythesailor ( 2020-05-05 15:42:05 +0000 )edit

Maybe this helps - TCP RST and TTL

Chuckc ( 2020-05-05 15:46:52 +0000 )edit

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2020-05-05 16:07:59 +0000

smacznego
3 ●1 ●2

updated 2020-05-05 16:09:57 +0000

The ip.ttl is telling you a couple things. 1) After 125 more hops the packet will be discarded. 2) It could be telling you which device is actually sending that packet. Windows devices start with one TTL and Cisco devices, for example, will start with a different TTL. If you are seeing packets on the same network from the same IP but different TTL's, this would tell you that another device is "standing in" for the IP. Compare the TTL's of send packets with the same IP's. If you see a different TTL, this would indicate two different devices.