Ask Your Question
0

Can I tell if TCP traffic was sent by a firewall and not one of the hosts?

asked 2020-05-05 15:19:07 +0000

pappythesailor gravatar image

updated 2020-05-05 15:24:10 +0000

If I look at a trace, is it possible to tell whether a frame was sent be a switch or a firewall and not by one host or the other? Like if a socket it moving along and suddenly one of the hosts sends a reset, how do I know if I'm the victim of deep packet filtering by a switch? Is there something at the TCP or ethernet level that's a clue?

thanks

edit retag flag offensive close merge delete

Comments

Can you recreate this for a test? Have you looked at ip.ttl ?

Chuckc gravatar imageChuckc ( 2020-05-05 15:34:56 +0000 )edit

Thanks for answering. I can't reproduce it will but in my job, I see this kind of thing constantly. The ip.ttl is 125 in the latest example. What is that telling me please?

pappythesailor gravatar imagepappythesailor ( 2020-05-05 15:42:05 +0000 )edit

Maybe this helps - TCP RST and TTL

Chuckc gravatar imageChuckc ( 2020-05-05 15:46:52 +0000 )edit

2 Answers

Sort by ยป oldest newest most voted
0

answered 2020-05-05 16:07:59 +0000

smacznego gravatar image

updated 2020-05-05 16:09:57 +0000

The ip.ttl is telling you a couple things. 1) After 125 more hops the packet will be discarded. 2) It could be telling you which device is actually sending that packet. Windows devices start with one TTL and Cisco devices, for example, will start with a different TTL. If you are seeing packets on the same network from the same IP but different TTL's, this would tell you that another device is "standing in" for the IP. Compare the TTL's of send packets with the same IP's. If you see a different TTL, this would indicate two different devices.

edit flag offensive delete link more

Comments

Thank you, Bubba. I understand. If anyone has any other tricks too, I'm glad to learn.

pappythesailor gravatar imagepappythesailor ( 2020-05-05 16:15:21 +0000 )edit
0

answered 2020-05-05 15:58:33 +0000

Jaap gravatar image

Sometimes the IP TTL can give a clue. Sometimes the timing of the packets as well. As usual, it depends.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2020-05-05 15:19:07 +0000

Seen: 381 times

Last updated: May 05