Ask Your Question
0

What does SWE mean on a tcpdump Capture

asked 2018-04-12 16:08:14 +0000

this post is marked as community wiki

This post is a wiki. Anyone with karma >750 is welcome to improve it.

Hello everyone. I'm trying to dicpher a packet capture we just recently did and I don't seem to understand what SWE and SE responses are. Can I get some assistance with this? Please see below:

12:03:35.332676 IP 10.48.60.160.55718 > 10.190.94.5.443: SWE 266106874:266106874(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
12:03:35.334172 IP 10.190.94.5.443 > 10.48.60.160.55718: SE 1027427270:1027427270(0) ack 266106875 win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
12:03:35.383727 IP 10.48.60.160.55718 > 10.190.94.5.443: . ack 1 win 256
12:03:35.384597 IP 10.48.60.160.55718 > 10.190.94.5.443: F 1:1(0) ack 1 win 256
12:03:35.384971 IP 10.190.94.5.443 > 10.48.60.160.55718: R 1:1(0) ack 2 win 0
12:03:35.385053 IP 10.48.60.160.55719 > 10.190.94.5.443: SWE 2104724924:2104724924(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
12:03:35.385826 IP 10.190.94.5.443 > 10.48.60.160.55719: SE 2036877982:2036877982(0) ack 2104724925 win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
12:03:35.435365 IP 10.48.60.160.55719 > 10.190.94.5.443: . ack 1 win 256
12:03:35.436084 IP 10.48.60.160.55719 > 10.190.94.5.443: F 1:1(0) ack 1 win 256
12:03:35.436574 IP 10.190.94.5.443 > 10.48.60.160.55719: R 1:1(0) ack 2 win 0
edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
1

answered 2018-04-12 18:14:14 +0000

Guy Harris gravatar image

Those are TCP packets for some protocol that tcpdump doesn't dissect (HTTP-over-SSL/TLS, probably, given that they're to and from port 443), so, after the IP addresses, the TCP flags are printed. They are:

  • F - FIN
  • S - SYN
  • R - RST
  • P - PSH
  • U - URG
  • E - ECN Echo
  • W - ECN Cwnd Reduced

If it's blank, no flags are set (which should never happen); if it's just a ".", it's an ACK-only packet (as everything except for the initial SYN should have ACK set, ACK isn't reported except for ACK-only packets).

ECN is Explicit Congestion Notification, specified in RFC 3168.

So:

  • "SWE" has SYN+ECN Echo+ECN Cwnd Reduced; it's an initial SYN, and is, to use the terminology in section 6.1.1 of RFC 3168, an "ECN-setup SYN packet". It indicates that the host sending the packet supports ECN.
  • "E" has SYN+ECN Echo set; it probably also has ACK set (as per the "ack" field in the packet), so it's a SYN+ACK response to the initial SYN, and it is, to use the terminology in section 6.1.1 of RFC 3168, an "ECN-setup SYN-ACK packet". It indicates that the host sending the packet supports ECN.
edit flag offensive delete link more

Comments

Also, from the tcpdump man page under the OUTPUT FORMAT section:


The general format of a TCP protocol line is:

src > dst: Flags [tcpflags], seq data-seqno, ack ackno, win window, urg urgent, options [opts], length len

Tcpflags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or '.' (ACK), or 'none' if no flags are set.


cmaynard gravatar imagecmaynard ( 2018-04-13 12:49:41 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-04-12 16:08:14 +0000

Seen: 1,340 times

Last updated: Apr 12