tcpdump results question
Results 1 to 6 of 6

Thread: tcpdump results question

  1. #1
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242

    tcpdump results question

    I ran tcpdump last night on my home network. Turned off all the PCs save for a W2K server I run and the Linux box running tcpdump. I saved the tcpdump results to a file so I could give it a looksee and I've noticed a lot of traffic between the server and an ISP ip address, which I'm guessing may be a router (not sure though). The typical entry for these packets is:

    06:42:24.046391 IP 192.168.1.10.1048 > nr12-216-196-183-105.fuse.net.2509: UDP, length 116

    I googled port 2509 udp and came up with a port description of "fjmpss". I tried googling a series of keywords but came up with little. The traffic is very frequent, occurring several times a minute. Every ten or fifteen minutes, it comes back the other way (from the fuse.net address to my server). The length of the packets is almost always 116, sometimes jumps to 276. Also, checked on port 1048 and found it's a "neod2" port, something to do with Sun.

    Any ideas what these packets are? I can't say I'm too concerned given it's between my server and the ISP's device, but I'd still like to know. Thanks.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Well given that the direction is indicated as outbound (&gt and that the source port of your local machine is 1048 (within the popular source ephemeral ports that M$ uses), I'd say it was a safe bet that the traffic originated on your system. Another thing you can do is add in a '-X -s 512' to get a hex dump of the packet (truncated at 512 bytes) when you run the tcpdump, that might provide clues what it is possibly doing. Would also recommend that you identify on the local system what program is responsible for the connection (don't remember if the netstat in W2k has the program option, usually a -b or -p, just do from the command prompt: netstat /help to get options). If it doesn't have that option, you can get FPORT from foundstone to tell you the same thing...then you'll know what program is responsible and from that and the hex dump figure out what is going on...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Broken:

    You anywhere near Cincinnatti?

    You use Cincinnatti Bell as your ISP?

    because that's fuse.net...

    They are outbound UDP packets from a "random" port to UDP 2509 _UDP_ on the Cincinnatti Bell server... It's almost like some kind of "Keepalive" thing. Does that give you some clues?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  4. #4
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242
    Yeah, Fuse/Zoomtown is the ISP. And I'm in Cincy (Shawnee country as I call it...I like to know whose bones I'm walkin' on).

    I pretty much figure it's a "keep alive" thing. I just wanted to check it out though. I'm onsite today, may run tcpdump again tonight, or maybe ngrep, and capture the packet.

    I'm still on the steep part of the learning curve with packets, so bear with me.



    Let me add, I'm using a dyndns client and providing some webservices via that server.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  5. #5
    Junior Member
    Join Date
    Jun 2006
    Posts
    5
    Run ethereal on one of your machines, it will try to disect the stream and see if it is anything that it knows about. Do you have any firewalls running on your network and have you patched the W2K machine up to date?

  6. #6
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242
    Do you have any firewalls running on your network and have you patched the W2K machine up to date?
    Yup, running IPcop on that network and my stuff's always patched. Just haven't had time to follow up on this one. There's only 30 hours in a day...
    “Everybody is ignorant, only on different subjects.” — Will Rogers

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides