Date:      Tue, 12 Jan 1999 23:41:24 +0100 (CET)
From:      Jeroen Ruigrok/Asmodai <asmodai@wxs.nl>
To:        Keith Woodworth <kwoody@citytel.net>
Cc:        freebsd-questions <freebsd-questions@FreeBSD.ORG>
Subject:   RE: Tcpdump interpretation
Message-ID:  <XFMail.990112234124.asmodai@wxs.nl>
In-Reply-To: <Pine.BSF.3.91.990112134334.1459A-100000@mybsd.net>

On 12-Jan-99 Keith Woodworth wrote:
> 
> Can someone tell me what these results mean? I think someone is pinging 
> me then they get redirected to our primary nameserver but I'm probably 
> way off base. Also what's up with udp port 28800? Or udp 4?

UDP 28800 falls outside of IANA's numberlist afaik and thus can be a port
used for anything...
 
> This started happening as far as I can tell about 2 days ago. It's all 
> been from different addresses too.
> 
> I'm IP 204.244.99.101. citytel1.citytel.net is the primary NS of
> citytel.net
> I see ICMP so I think ping...is that right?

NO, ICMP does more than just do `ping'. Ping uses ICMP echo messages, and they
are very recognisable:

23:34:26.426702 host1.com > host2.com: icmp: echo request
23:34:26.426752 host2.com > host1.com: icmp: echo reply
 
> 00:03:32.181470 204.244.99.101 > cx185912-a.orng1.occa.home.com: icmp: 
> 204.244.99.101 udp port 28800 unreachable

port 28800 may be blocked by a filter/firewall

> 00:03:45.601911 usr2-d1.cwnet.com.28800 > 204.244.99.101.28800: udp 4

> 00:03:45.602609 204.244.99.101 > usr2-d1.cwnet.com: icmp: 204.244.99.101 
> udp port 28800 unreachable

Are you visiting pages with banners or something like that? Because those
things tend to create hits as well on weird UDP/TCP ports.

> 00:03:46.056422 204.244.99.101.4115 > citytel1.citytel.net.domain: 
> 11238+ (45)

4115 is also unassigned and thus not identifiable.
 
> 00:03:50.311193 210.109.115.6.28800 > 204.244.99.101.28800: udp 4

> To me it looks as if I'm being pinged. Why I don't know since I'm only on 
> a dialup line.

Handy reading:

http://www.isi.edu/in-notes/iana/assignments/port-numbers

Someone more traversed in tcpdump might want to say something I haven't...

---
Jeroen Ruigrok van der Werven    A veil of smoke is what I am,
asmodai(at)wxs.nl                         I wait and I wait...
Network/Security Specialist      <http://home.wxs.nl/~asmodai>
BSD & picoBSD: The Power to Serve     <http://www.freebsd.org>
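
An added example, not part of the original message: a small Python parser for the tcpdump text lines quoted in this thread, separating ICMP echo (ping) traffic from ICMP port-unreachable errors, UDP datagrams and DNS queries. The function names and the `local` parameter are illustrative assumptions; the sample lines are the ones from the message with the mail line wraps joined.

```python
import re
from collections import Counter

# tcpdump lines quoted in the message above, with the mail line wraps joined.
SAMPLE = """\
23:34:26.426702 host1.com > host2.com: icmp: echo request
23:34:26.426752 host2.com > host1.com: icmp: echo reply
00:03:32.181470 204.244.99.101 > cx185912-a.orng1.occa.home.com: icmp: 204.244.99.101 udp port 28800 unreachable
00:03:45.601911 usr2-d1.cwnet.com.28800 > 204.244.99.101.28800: udp 4
00:03:45.602609 204.244.99.101 > usr2-d1.cwnet.com: icmp: 204.244.99.101 udp port 28800 unreachable
00:03:46.056422 204.244.99.101.4115 > citytel1.citytel.net.domain: 11238+ (45)
00:03:50.311193 210.109.115.6.28800 > 204.244.99.101.28800: udp 4
"""

LINE = re.compile(r"^(\S+) (\S+) > (\S+): (.*)$")
UNREACH = re.compile(r"^icmp: \S+ (udp|tcp) port (\S+) unreachable$")

def classify(line):
    """Return a dict describing one tcpdump text line, or None if it does not parse."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, dst, rest = m.groups()
    ev = {"ts": ts, "src": src, "dst": dst, "kind": "other"}
    unreach = UNREACH.match(rest)
    if rest in ("icmp: echo request", "icmp: echo reply"):
        ev["kind"] = rest[len("icmp: "):]      # the only ICMP types ping generates
    elif unreach:
        # Error returned to the sender of a datagram whose destination port
        # did not accept it; ICMP endpoints carry no port suffix.
        ev.update(kind="port unreachable", proto=unreach.group(1), port=unreach.group(2))
    elif rest.startswith("udp "):
        # Endpoints are printed as host.port, so the port is the last dotted field.
        ev.update(kind="udp", src=src.rpartition(".")[0], dst=dst.rpartition(".")[0],
                  port=dst.rpartition(".")[2], length=int(rest.split()[1]))
    elif dst.endswith(".domain"):
        ev["kind"] = "dns query"               # "domain" is the service name for port 53
    return ev

def summarize(text, local):
    """Count event kinds and relate UDP senders to the errors `local` sent back."""
    events = [e for e in map(classify, text.splitlines()) if e]
    return {
        "kinds": dict(Counter(e["kind"] for e in events)),
        "echo_requests_to_local": sum(e["kind"] == "echo request" and e["dst"] == local for e in events),
        "udp_senders": sorted({(e["src"], e["port"]) for e in events if e["kind"] == "udp" and e["dst"] == local}),
        "rejected_by_local": sorted({(e["dst"], e["port"]) for e in events if e["kind"] == "port unreachable" and e["src"] == local}),
    }
```

`summarize(SAMPLE, "204.244.99.101")` reports no echo requests addressed to that host; the ICMP lines in the quoted capture are port-unreachable errors it sent back to the hosts that had sent UDP datagrams to port 28800.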
