Tcpdump log interpret

Hello everyone

I installed tcpdump today, and when I run this command tcpdump -n port 25 I get the following result below.

Can someone help me interpret this log, because I searched on Google and didn’t find many results for tcpdump.

I blocked the IP via the hestiacp firewall GUI, I also blocked the IP manually in iptables but I couldn’t block it.

13:15:51.813241 IP 8x.xxx.xxx.xx8.38530 > my_ip.25: Flags [S], seq 259042867, win 29200, options [mss 1432,sackOK,TS val 4055544246 ecr 0,nop,wscale 10], length 0
13:15:52.815057 IP 8x.xxx.xxx.xx8.38530 > my_ip.25: Flags [S], seq 259042867, win 29200, options [mss 1432,sackOK,TS val 4055545248 ecr 0,nop,wscale 10], length 0
13:15:54.818874 IP 8x.xxx.xxx.xx8.38530 > my_ip.25: Flags [S], seq 259042867, win 29200, options [mss 1432,sackOK,TS val 4055547252 ecr 0,nop,wscale 10], length 0
13:16:04.113656 IP 8x.xxx.xxx.xx8.31620 > my_ip.25: Flags [S], seq 3464105495, win 29200, options [mss 1432,sackOK,TS val 4055556551 ecr 0,nop,wscale 10], length 0
13:16:05.114261 IP 8x.xxx.xxx.xx8.31620 > my_ip.25: Flags [S], seq 3464105495, win 29200, options [mss 1432,sackOK,TS val 4055557552 ecr 0,nop,wscale 10], length 0
13:16:07.118150 IP 8x.xxx.xxx.xx8.31620 > my_ip.25: Flags [S], seq 3464105495, win 29200, options [mss 1432,sackOK,TS val 4055559556 ecr 0,nop,wscale 10], length 0
13:16:16.461180 IP 8x.xxx.xxx.xx8.24792 > my_ip.25: Flags [S], seq 1548775370, win 29200, options [mss 1432,sackOK,TS val 4055568899 ecr 0,nop,wscale 10], length 0
13:16:17.461525 IP 8x.xxx.xxx.xx8.24792 > my_ip.25: Flags [S], seq 1548775370, win 29200, options [mss 1432,sackOK,TS val 4055569900 ecr 0,nop,wscale 10], length 0
13:16:19.466209 IP 8x.xxx.xxx.xx8.24792 > my_ip.25: Flags [S], seq 1548775370, win 29200, options [mss 1432,sackOK,TS val 4055571904 ecr 0,nop,wscale 10], length 0
13:16:28.876842 IP 8x.xxx.xxx.xx8.18818 > my_ip.25: Flags [S], seq 3161593825, win 29200, options [mss 1432,sackOK,TS val 4055581305 ecr 0,nop,wscale 10], length 0
13:16:29.878322 IP 8x.xxx.xxx.xx8.18818 > my_ip.25: Flags [S], seq 3161593825, win 29200, options [mss 1432,sackOK,TS val 4055582308 ecr 0,nop,wscale 10], length 0
13:16:31.882261 IP 8x.xxx.xxx.xx8.18818 > my_ip.25: Flags [S], seq 3161593825, win 29200, options [mss 1432,sackOK,TS val 4055584312 ecr 0,nop,wscale 10], length 0
13:16:41.193157 IP 8x.xxx.xxx.xx8.12356 > my_ip.25: Flags [S], seq 2454132227, win 29200, options [mss 1432,sackOK,TS val 4055593624 ecr 0,nop,wscale 10], length 0
13:16:42.194131 IP 8x.xxx.xxx.xx8.12356 > my_ip.25: Flags [S], seq 2454132227, win 29200, options [mss 1432,sackOK,TS val 4055594626 ecr 0,nop,wscale 10], length 0
13:16:44.200311 IP 8x.xxx.xxx.xx8.12356 > my_ip.25: Flags [S], seq 2454132227, win 29200, options [mss 1432,sackOK,TS val 4055596632 ecr 0,nop,wscale 10], length 0

Hi @marcelomt

This topic doesn’t seem to be very related to Hestia :wink:

Why do you think so?

What you are seeing are SYN packets [S] from 8x.xxx.xxx.xx8 attempting to connect to your port 25. You don’t see any SYN-ACK packets because your firewall is dropping the connection as soon as the SYN packet arrives.

Hello sahsanu!

In fact, it has nothing to do with Hestiacp. What I said was that through the Hestiacp panel, I added the IP 8x.xxx.xxx.xx8 to the firewall, blocking all ports, but the IP continues to knock on port 25.
And I wanted to understand what the log is saying. I only posted a few lines, but in the log, only that IP disappears from view.

When denying access to all ports, shouldn’t the IP 8x.xxx.xxx.xx8 stop knocking on the port?

tcpdump is “listening” BEFORE iptables drops the connection so the knock is normal.

Thanks friend, clarification…

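An added example, not part of the original thread: the replies above can be checked against a capture by grouping SYNs per connection attempt and confirming that no SYN-ACK ever answers them. The function name and the last two sample lines (an answered handshake, for contrast) are constructed for illustration; the first six lines are from the post with the TCP options shortened.

```python
import re
from collections import defaultdict

# Matches the tcpdump -n line format shown in the post.
LINE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): "
    r"Flags \[([^\]]+)\], seq (\d+)(?:, ack (\d+))?"
)

SAMPLE = """\
13:15:51.813241 IP 8x.xxx.xxx.xx8.38530 > my_ip.25: Flags [S], seq 259042867, win 29200, length 0
13:15:52.815057 IP 8x.xxx.xxx.xx8.38530 > my_ip.25: Flags [S], seq 259042867, win 29200, length 0
13:15:54.818874 IP 8x.xxx.xxx.xx8.38530 > my_ip.25: Flags [S], seq 259042867, win 29200, length 0
13:16:04.113656 IP 8x.xxx.xxx.xx8.31620 > my_ip.25: Flags [S], seq 3464105495, win 29200, length 0
13:16:05.114261 IP 8x.xxx.xxx.xx8.31620 > my_ip.25: Flags [S], seq 3464105495, win 29200, length 0
13:16:07.118150 IP 8x.xxx.xxx.xx8.31620 > my_ip.25: Flags [S], seq 3464105495, win 29200, length 0
13:20:00.000000 IP 192.0.2.10.40000 > my_ip.25: Flags [S], seq 1000, win 29200, length 0
13:20:00.000100 IP my_ip.25 > 192.0.2.10.40000: Flags [S.], seq 5000, ack 1001, win 28960, length 0
"""


def unanswered_syns(text):
    """Map each SYN that never got a SYN-ACK to the gaps (s) between its repeats."""
    syn_times = defaultdict(list)   # (src, sport, dst, dport, seq) -> timestamps
    answered = set()                # same key, filled in from SYN-ACKs
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        h, mi, s, src, sport, dst, dport, flags, seq, ack = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        if flags == "S":
            syn_times[(src, sport, dst, dport, seq)].append(t)
        elif flags == "S." and ack:
            # A SYN-ACK travels the other way and acknowledges seq + 1.
            answered.add((dst, dport, src, sport, str(int(ack) - 1)))
    return {
        key: [round(b - a) for a, b in zip(ts, ts[1:])]
        for key, ts in syn_times.items()
        if key not in answered
    }


if __name__ == "__main__":
    for key, gaps in unanswered_syns(SAMPLE).items():
        print(key, "retransmit gaps (s):", gaps)
```

Each unanswered attempt repeats the same sequence number after roughly 1 and then 2 seconds, which is the sender retransmitting its SYN because nothing came back; the capture still shows the packets because tcpdump sees them before iptables drops them.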