{{ SECURITY Network packet Forensic }} 

 

Chapter 5. Telnet (Telecommunication Network Protocol) packet analysis

 

Before looking at the Telnet PCAP, let's see what a {TCP Keep-Alive} packet is.
A keep-alive is normally used to check for a dead peer, or to stop a connection from being dropped by an idle timeout (for example on a NAT device or firewall) during a period of network inactivity.

Normally it is a zero-length segment with the ACK flag set, sent with a sequence number one less than the next expected sequence number, and the peer answers it with a plain ACK. In our example, however, the keep-alive carries one byte of data: the last byte of the previous [PSH, ACK] segment, so it looks like a duplicate of data that was already sent. Wireshark marks a segment as a keep-alive when its payload is zero or one byte long, its sequence number is one less than the next expected sequence number, and none of SYN, FIN or RST are set; a segment that re-sends more than that is a retransmission, not a keep-alive.

 

 

The following is an example of the Telnet TCP connection, shown with Wireshark's Follow TCP Stream menu.

Step 1 is the negotiation of options and sub-options for the Telnet connection (the IAC DO/WILL/SB commands). After that there is a login prompt, as in Step 2. The login name is echoed by the server, so its characters appear in both directions of the stream, but the password is not echoed, so it appears only in the client-to-server direction. Because Telnet has no encryption, both are readable in clear text in the capture. Step 3 is the exit from the Telnet session.
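To show how the three steps look when you process the stream programmatically instead of reading it by eye, here is an added example that is not part of the original post. It strips the Telnet option negotiation (Step 1) from each direction of a reassembled stream and then recovers the login name, the password and the commands (Steps 2 and 3) using the echo rule described above: a client line the server echoed back is the login or a command, and a client line the server never echoed is the password. The two byte strings at the bottom are constructed for this example, not bytes from the author's capture, and the option names table covers only the common options.

```python
# Added example (not from the original post): strip Telnet option negotiation
# from a reassembled TCP stream and recover the login, password and commands.
# The sample streams at the bottom are constructed for this example.

IAC, SE, NOP, SB, WILL, WONT, DO, DONT = 255, 240, 241, 250, 251, 252, 253, 254
CMD_NAMES = {SE: "SE", NOP: "NOP", SB: "SB", WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPTION_NAMES = {0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE",
                31: "NAWS", 32: "TERMINAL-SPEED", 33: "REMOTE-FLOW-CONTROL",
                34: "LINEMODE", 39: "NEW-ENVIRON"}


def option_name(opt):
    return OPTION_NAMES.get(opt, "OPT%d" % opt)


def parse_telnet(data):
    """Split one direction of a Telnet stream into (negotiations, payload).

    negotiations is a list of strings such as "DO ECHO"; payload is the
    user-visible bytes with every IAC sequence removed.  IAC IAC is an escaped
    0xFF data byte.  A command truncated at the end of the buffer is dropped.
    """
    negotiations = []
    payload = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:
            payload.append(data[i])
            i += 1
            continue
        if i + 1 >= n:
            break                                   # lone IAC at end of stream
        cmd = data[i + 1]
        if cmd == IAC:                              # escaped 0xFF data byte
            payload.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):         # three-byte option request
            if i + 2 >= n:
                break
            negotiations.append("%s %s" % (CMD_NAMES[cmd], option_name(data[i + 2])))
            i += 3
        elif cmd == SB:                             # sub-negotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break
            if end > i + 2:                         # has an option byte
                negotiations.append("SB %s %s" % (option_name(data[i + 2]),
                                                  data[i + 3:end].hex()))
            i = end + 2
        else:                                       # two-byte command (NOP, GA, ...)
            negotiations.append(CMD_NAMES.get(cmd, "CMD%d" % cmd))
            i += 2
    return negotiations, bytes(payload)


def extract_session(client_stream, server_stream):
    """Recover login, password and commands from the two directions of a session.

    The server echoes the login name and the commands back to the client but
    never echoes the password, so a client line that does not appear anywhere
    in the server direction is taken to be the password (a heuristic).
    """
    client_neg, client_payload = parse_telnet(client_stream)
    server_neg, server_payload = parse_telnet(server_stream)
    # Telnet ends a line with CR LF (or CR NUL); normalise, then split.
    lines = client_payload.replace(b"\r\x00", b"\r\n").split(b"\r\n")
    login = password = None
    commands = []
    for line in lines:
        if not line:
            continue
        text = line.decode("ascii", errors="replace")
        if line in server_payload:                  # echoed: login name or a command
            if login is None:
                login = text
            else:
                commands.append(text)
        elif password is None:                      # not echoed: the password
            password = text
    return {"client_negotiation": client_neg, "server_negotiation": server_neg,
            "login": login, "password": password, "commands": commands}


# Constructed sample streams (one per direction), not data from a real capture.
SAMPLE_CLIENT = (
    bytes([IAC, DO, 1, IAC, WILL, 3, IAC, WILL, 24])
    + bytes([IAC, SB, 24, 0]) + b"XTERM" + bytes([IAC, SE])   # TERMINAL-TYPE IS "XTERM"
    + b"admin\r\n" + b"s3cret\r\n" + b"exit\r\n"
)
SAMPLE_SERVER = (
    bytes([IAC, WILL, 1, IAC, DO, 3, IAC, DO, 24])
    + bytes([IAC, SB, 24, 1, IAC, SE])                          # TERMINAL-TYPE SEND
    + b"login: " + b"admin\r\n" + b"Password: " + b"\r\n"       # password not echoed
    + b"$ " + b"exit\r\n" + b"logout\r\n"
)

if __name__ == "__main__":
    for key, value in extract_session(SAMPLE_CLIENT, SAMPLE_SERVER).items():
        print("%-20s %s" % (key, value))
```

In a real investigation the two streams come from the client-to-server and server-to-client halves of the Follow TCP Stream output (or from a TCP reassembly library); the echo heuristic fails if the server echoes the password or if a command string happens to equal the password, so check the result against the prompt text.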

 

 

 

At the beginning there is the usual three-way handshake, as in the earlier chapters, to establish the TCP session to destination port 23:

  • SYN > SYN,ACK > ACK

 

 

And for the disconnection there is the FIN,ACK exchange shown below (each side sends FIN,ACK and the other side acknowledges it).
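The keep-alive rule from the start of this chapter and the handshake and teardown sequences above can be checked mechanically rather than by reading the packet list. The following is an added example, not code from the original post: it walks a list of TCP segments and labels each one as part of the handshake, a data segment, a plain ACK, a keep-alive (zero-length or the one-byte "duplicate data" form), a retransmission, or part of the FIN,ACK teardown, using only the flags, sequence numbers and payload lengths. The segment list is constructed for this example with relative sequence numbers and made-up addresses; it is not the author's capture.

```python
# Added example (not from the original post): classify the segments of one TCP
# session into handshake / data / ACK / keep-alive / retransmission / teardown.
# The sample flow at the bottom is constructed for this example.
from dataclasses import dataclass


@dataclass
class Segment:
    src: str          # "ip:port" of the sender
    dst: str          # "ip:port" of the receiver
    flags: frozenset  # subset of {"SYN", "ACK", "PSH", "FIN", "RST"}
    seq: int          # relative sequence number
    ack: int          # relative acknowledgement number
    length: int = 0   # TCP payload length in bytes


def classify_flow(segments):
    """Return one label per segment, in order.

    next_seq tracks, per direction, the sequence number the sender should use
    next.  A keep-alive is a segment of 0 or 1 bytes whose seq is one less than
    that (the one-byte form repeats the last byte already sent), so it must be
    told apart from a real retransmission, which carries more data.
    """
    next_seq = {}            # (src, dst) -> next expected seq from that sender
    syn_seen = set()         # directions in which a SYN has been seen
    handshake_acked = False
    labels = []
    for s in segments:
        d = (s.src, s.dst)
        f = s.flags
        if "SYN" in f:                             # SYN consumes one sequence number
            syn_seen.add(d)
            next_seq[d] = s.seq + 1
            labels.append("handshake: SYN,ACK" if "ACK" in f else "handshake: SYN")
            continue
        if "RST" in f:
            labels.append("reset")
            continue
        if "FIN" in f:                             # FIN also consumes one sequence number
            next_seq[d] = s.seq + s.length + 1
            labels.append("teardown: FIN,ACK" if "ACK" in f else "teardown: FIN")
            continue
        expected = next_seq.get(d)
        if expected is not None and s.length <= 1 and s.seq == expected - 1:
            labels.append("keep-alive/1-byte" if s.length else "keep-alive/zero-length")
            continue
        if expected is not None and s.length > 0 and s.seq < expected:
            labels.append("retransmission")        # re-sends data already covered
            continue
        if s.length > 0:
            next_seq[d] = s.seq + s.length
            labels.append("data PSH,ACK" if "PSH" in f else "data ACK")
            continue
        if not handshake_acked and len(syn_seen) == 2:
            handshake_acked = True                 # third packet of the handshake
            labels.append("handshake: ACK")
            continue
        labels.append("ACK")
    return labels


def sample_telnet_flow():
    """Constructed Telnet session (client C -> server S on port 23), not real traffic."""
    C, S = "10.0.0.5:51234", "10.0.0.23:23"       # made-up addresses

    def seg(src, dst, flags, seq, ack, length=0):
        return Segment(src, dst, frozenset(flags.split(",")), seq, ack, length)

    return [
        seg(C, S, "SYN", 0, 0),                    # three-way handshake
        seg(S, C, "SYN,ACK", 0, 1),
        seg(C, S, "ACK", 1, 1),
        seg(S, C, "PSH,ACK", 1, 1, 12),            # "login: " style prompt
        seg(C, S, "PSH,ACK", 1, 13, 6),            # client types a line
        seg(S, C, "ACK", 13, 7),
        seg(C, S, "ACK", 6, 13, 1),                # keep-alive repeating last byte
        seg(S, C, "ACK", 12, 7),                   # zero-length keep-alive
        seg(S, C, "ACK", 13, 7),                   # keep-alive ACK
        seg(C, S, "PSH,ACK", 1, 13, 6),            # same 6 bytes again: retransmission
        seg(C, S, "FIN,ACK", 7, 13),               # teardown
        seg(S, C, "FIN,ACK", 13, 8),
        seg(C, S, "ACK", 8, 14),
    ]


if __name__ == "__main__":
    for seg, label in zip(sample_telnet_flow(), classify_flow(sample_telnet_flow())):
        print("%-16s -> %-16s %-8s seq=%-3d len=%-3d %s"
              % (seg.src, seg.dst, ",".join(sorted(seg.flags)), seg.seq, seg.length, label))
```

The same rules can be fed from a real capture by reading the segments with a library such as scapy or dpkt and converting absolute sequence numbers to relative ones per direction; the classification is what Wireshark's "TCP Keep-Alive" and "TCP Retransmission" analysis flags apply, reduced to the fields named in this chapter.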

 

 
