From: Jeroen Ruigrok/Asmodai <asmodai@wxs.nl>
To: Keith Woodworth
Cc: freebsd-questions
Subject: RE: Tcpdump interpretation
Date: Tue, 12 Jan 1999 23:41:24 +0100 (CET)
Organization: Ninth Circle Enterprises

On 12-Jan-99 Keith Woodworth wrote:
>
> Can someone tell me what these results mean? I think someone is pinging
> me then they get redirected to our primary nameserver but I'm probably
> way off base. Also what's up with udp port 28800? Or udp 4?

UDP 28800 falls outside of IANA's numberlist afaik and thus can be a port
used for anything...

> This started happening as far as I can tell about 2 days ago. It's all
> been from different addresses too.
>
> I'm IP 204.244.99.101. citytel1.citytel.net is the primary NS of
> citytel.net
> I see ICMP so I think ping...is that right?

NO, ICMP does more than just do `ping'. Ping uses ICMP echo messages.
And are very recognisable:

23:34:26.426702 host1.com > host2.com: icmp: echo request
23:34:26.426752 host2.com > host1.com: icmp: echo reply

> 00:03:32.181470 204.244.99.101 > cx185912-a.orng1.occa.home.com: icmp:
> 204.244.99.101 udp port 28800 unreachable

port 28800 may be blocked by a filter/firewall

> 00:03:45.601911 usr2-d1.cwnet.com.28800 > 204.244.99.101.28800: udp 4
> 00:03:45.602609 204.244.99.101 > usr2-d1.cwnet.com: icmp: 204.244.99.101
> udp port 28800 unreachable

Are you visiting pages with banners or something like that? Because those
things tend to create hits as well on weird UDP/TCP ports.

> 00:03:46.056422 204.244.99.101.4115 > citytel1.citytel.net.domain:
> 11238+ (45)

4115 is also unassigned and thus not identifiable.

> 00:03:50.311193 210.109.115.6.28800 > 204.244.99.101.28800: udp 4
> To me it looks as if I'm being pinged. Why I don't know since I'm only on
> a dialup line.

Handy reading: http://www.isi.edu/in-notes/iana/assignments/port-numbers

Someone more traversed in tcpdump might want to say something I haven't...

---
Jeroen Ruigrok van der Werven          A veil of smoke is what I am,
asmodai(at)wxs.nl                      I wait and I wait...
Network/Security Specialist            BSD & picoBSD: The Power to Serve
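As an added example, not part of the thread above: a small Python parser for the one-line tcpdump output format quoted in this message. It classifies each line (ICMP echo request/reply, ICMP port unreachable, UDP datagram, DNS query) and then pairs every ICMP port unreachable the local host sends with the inbound UDP datagram that provoked it. That pairing is the check to run before reading "I see ICMP" as "I am being pinged": an ICMP port unreachable is the receiving host's own reply to a UDP datagram addressed to a port with no listener (or one a filter rejects), and the "udp 4" in the dump is the 4-byte UDP payload length, not a port. The sample capture is constructed from the lines quoted in the thread; the two-second pairing window and the function names are my assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample capture, assembled from the lines quoted in the thread:
# the host1/host2 ping pair from the reply plus the poster's own output.
SAMPLE = """\
23:34:26.426702 host1.com > host2.com: icmp: echo request
23:34:26.426752 host2.com > host1.com: icmp: echo reply
00:03:32.181470 204.244.99.101 > cx185912-a.orng1.occa.home.com: icmp: 204.244.99.101 udp port 28800 unreachable
00:03:45.601911 usr2-d1.cwnet.com.28800 > 204.244.99.101.28800: udp 4
00:03:45.602609 204.244.99.101 > usr2-d1.cwnet.com: icmp: 204.244.99.101 udp port 28800 unreachable
00:03:46.056422 204.244.99.101.4115 > citytel1.citytel.net.domain: 11238+ (45)
00:03:50.311193 210.109.115.6.28800 > 204.244.99.101.28800: udp 4
"""

# "HH:MM:SS.uuuuuu src > dst: payload-summary"
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{6}) (\S+) > (\S+): (.*)$")
# "icmp: <host> udp port <port> unreachable"
UNREACH_RE = re.compile(r"^icmp: (\S+) (udp|tcp) port (\S+) unreachable$")
# "udp <payload length in bytes>"
UDP_RE = re.compile(r"^udp (\d+)$")
# old-style DNS summary: "<id>[+] ... (<length>)"
DNS_RE = re.compile(r"^\d+\+?\s.*\(\d+\)$")


def split_endpoint(endpoint):
    """'host.port' -> (host, port); the port is always the last dotted component."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None if it is not recognised."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, rest = m.groups()
    rec = {"ts": datetime.strptime(ts, "%H:%M:%S.%f"), "raw": line.strip()}
    if rest.startswith("icmp: "):
        # ICMP lines carry bare host names, no ports.
        rec.update(proto="icmp", src=src, sport=None, dst=dst, dport=None)
        u = UNREACH_RE.match(rest)
        if u:
            rec.update(kind="port-unreachable", target=u.group(1),
                       tproto=u.group(2), tport=u.group(3))
        elif rest in ("icmp: echo request", "icmp: echo reply"):
            rec["kind"] = rest.split(": ", 1)[1]
        else:
            rec["kind"] = "icmp-other"
        return rec
    sh, sp = split_endpoint(src)
    dh, dp = split_endpoint(dst)
    rec.update(src=sh, sport=sp, dst=dh, dport=dp)
    if dp == "domain" and DNS_RE.match(rest):
        rec.update(proto="udp", kind="dns-query")
    elif UDP_RE.match(rest):
        rec.update(proto="udp", kind="udp-datagram",
                   length=int(UDP_RE.match(rest).group(1)))
    else:
        rec.update(proto="?", kind="other")
    return rec


def correlate(lines, window=timedelta(seconds=2)):
    """Pair each ICMP port unreachable with the inbound UDP datagram that triggered it.

    The window is an assumption: a port unreachable is generated immediately, so
    anything further back than a couple of seconds is treated as unrelated.
    """
    recs = [r for r in (parse_line(l) for l in lines) if r]
    events = []
    for i, r in enumerate(recs):
        if r["kind"] != "port-unreachable":
            continue
        probe = None
        for p in reversed(recs[:i]):
            if (p["kind"] == "udp-datagram" and p["src"] == r["dst"]
                    and p["dst"] == r["src"] and p["dport"] == r["tport"]
                    and timedelta(0) <= r["ts"] - p["ts"] <= window):
                probe = p
                break
        events.append({"responder": r["src"], "prober": r["dst"],
                       "port": r["tport"], "probe_seen": probe is not None})
    return events


def summarize(lines):
    """Count packet kinds and list the distinct sources hitting each UDP port."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    kinds = Counter(r["kind"] for r in recs)
    by_port = defaultdict(set)
    for r in recs:
        if r["kind"] == "udp-datagram":
            by_port[r["dport"]].add(r["src"])
    return {"kinds": dict(kinds),
            "probe_sources_by_port": {p: sorted(s) for p, s in by_port.items()},
            "echo_packets": kinds["echo request"] + kinds["echo reply"]}


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for ev in correlate(lines):
        print(ev)
    print(summarize(lines))
```

Run against the sample, the only echo traffic is the host1/host2 pair; the two ICMP lines from 204.244.99.101 are port unreachables, and the second of them pairs with the UDP datagram from usr2-d1.cwnet.com that arrived 0.7 ms earlier (the first has no matching inbound datagram in the captured window). The per-port source list is what you would hand to a firewall rule or compare against the IANA list linked above.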