Re: Info log TCPDUMP



On Wed, 28 Mar 2007, in the Usenet newsgroup comp.security.firewalls, in article
<cEAOh.30854$6.29046@xxxxxxxxxxxxxxxxxxxxx>, djx wrote:

For curiosity, I use the command tcpdump to analyze the traffic and I
didn't understand why the firewall logs thousands of records regarding
the traffic that I report below.
What does the traffic mean? (please, don't suppose)

There is not enough information. The log is showing an established
connection between 82.105.X.X (whatever that might be) port 1287, and
192.168.0.100 port 6784. The traffic appears to be flowing from
192.168.0.100 to 82.105.X.X. The RFC1918 address is probably local
and you'd have to look at that system. The 82.105.X.X is Interbusiness.
The port numbers are somewhat meaningless, as they are not "well known"
services. Port 1287 is "registered" to RouteMatch, which is a motor
transport management software - probably not what it's actually being
used for.

It is very strange, but I don't have enough know-how to read
the tcpdump log correctly.

I'd increase the snaplen (-s 1500) and look at what is inside the packet.
I would also ask the user on 192.168.0.100 what is happening. Unless you
are forwarding some port on your firewall to 192.168.0.100 port 6784,
that host almost certainly initiated the connection. Why?

I don't know what the laws are in Italy or the European Union, but you
may want to check with the company legal advisor. Here in the USA, one
can run into legal problems unless _written_ and _published_ company
policy warns the employees that the computers are only for company
business and that the company may/will be monitoring that usage.

Old guy
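To make the direction and initiator of a flow like this one visible before digging into payload, here is an added Python example (not part of the thread) that parses tcpdump -n summary lines and reports, per connection, which side sent the opening SYN and how many packets and payload bytes each side sent. The sample lines are constructed, with 82.105.0.1 standing in for the masked 82.105.X.X.

```python
import re

# One modern "tcpdump -n" summary line: timestamp, IP src.port > dst.port, flags, length.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)"
)

# Constructed sample: the internal host opens the connection and then pushes data.
SAMPLE_LOG = """\
10:01:02.000001 IP 192.168.0.100.6784 > 82.105.0.1.1287: Flags [S], seq 333818, win 5840, length 0
10:01:02.050001 IP 82.105.0.1.1287 > 192.168.0.100.6784: Flags [S.], seq 1000, ack 333819, win 65535, length 0
10:01:02.050100 IP 192.168.0.100.6784 > 82.105.0.1.1287: Flags [.], ack 1, win 5840, length 0
10:01:02.100000 IP 192.168.0.100.6784 > 82.105.0.1.1287: Flags [P.], seq 333819:335251, ack 1, win 5840, length 1432
10:01:02.200000 IP 82.105.0.1.1287 > 192.168.0.100.6784: Flags [.], ack 335251, win 65535, length 0
10:01:02.300000 IP 192.168.0.100.6784 > 82.105.0.1.1287: Flags [P.], seq 335251:336683, ack 1, win 5840, length 1432
"""


def summarize_flows(text):
    """Group packets by (host, port) pair regardless of direction.

    Returns {flow_key: {"initiator": (ip, port) or None,
                        "packets": {(ip, port): n}, "bytes": {(ip, port): n}}}
    where the initiator is the endpoint that sent a SYN without ACK.
    """
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip non-TCP or unparsable lines
        a = (m["src"], int(m["sport"]))
        b = (m["dst"], int(m["dport"]))
        key = tuple(sorted([a, b]))
        f = flows.setdefault(key, {"initiator": None, "packets": {}, "bytes": {}})
        flags = m["flags"]
        # A bare SYN (no "." = no ACK) identifies the side opening the connection.
        if "S" in flags and "." not in flags and f["initiator"] is None:
            f["initiator"] = a
        f["packets"][a] = f["packets"].get(a, 0) + 1
        f["bytes"][a] = f["bytes"].get(a, 0) + int(m["length"])
    return flows


def busiest_flows(flows, n=5):
    """Flow keys sorted by total packet count, for finding who fills the log."""
    return sorted(flows, key=lambda k: sum(flows[k]["packets"].values()), reverse=True)[:n]
```

Feed it the output of `tcpdump -n` (without -A/-X) to confirm which host initiated the session; only then raise the snaplen and inspect payload on that one flow.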