Info log TCPDUMP - Firewalls



Thread: Info log TCPDUMP

  1. Info log TCPDUMP

    Hi,
    In my company I have configured my firewall (Smoothwall) to drop all traffic
    from the subnet 192.168.0.0/24 except some ports like http, https, ftp,
    pop.

    This configuration seems to work fine; in fact the other services that use
    different ports do not work.

    Out of curiosity, I used the tcpdump command to analyze the traffic and I
    didn't understand why the firewall logs thousands of records regarding the
    traffic that I report below.
    What does the traffic mean? (please, don't suppose)
    Does the traffic mean that some user downloads by P2P with a closed port, or
    does it instead mean that the user TRIES to download by P2P?

    It is very strange, but I don't have enough know-how to read the tcpdump log
    correctly.

    Can you help me?


    22:25:00.058138 IP 82.105.X.X.1287 > 192.168.0.100.6784: . ack 332387 win 65535
    22:25:00.058832 IP 192.168.0.100.6784 > 82.105.X.X.1287: . 333819:335251(1432) ack 0 win 5840
    22:25:00.131136 IP 82.105.X.X.1287 > 192.168.0.100.6784: . ack 335251 win 65535
    22:25:00.131824 IP 192.168.0.100.6784 > 82.105.X.X.1287: . 335251:336683(1432) ack 0 win 5840
    22:25:00.131945 IP 192.168.0.100.6784 > 82.105.X.X.1287: . 336683:338115(1432) ack 0 win 5840
    22:25:00.132065 IP 192.168.0.100.6784 > 82.105.X.X.1287: . 338115:339547(1432) ack 0 win 5840




  2. Re: Info log TCPDUMP

    On Wed, 28 Mar 2007, in the Usenet newsgroup comp.security.firewalls, in article
    , djx wrote:

    >For curiosity, i use the command tcpdump to analyze the traffic and i
    >didn't understand why the firewall log thousand of records regarding
    >the traffic that report below.
    >What is the traffic mean? (please, don't suppose)


    There is not enough information. The log is showing an established
    connection between 82.105.X.X (whatever that might be) port 1287, and
    192.168.0.100 port 6784. The traffic appears to be flowing from
    192.168.0.100 to 82.105.X.X. The RFC1918 address is probably local
    and you'd have to look at that system. The 82.105.X.X is Interbusiness.
    The port numbers are somewhat meaningless, as they are not "well known"
    services. Port 1287 is "registered" to RouteMatch, which is a motor
    transport management software - probably not what it's actually being
    used for.

    >It is very strange, but i don't have the enough know-how to read
    >correctly the tcpdump log.


    I'd increase the snaplen ( -s 1500) and look at what is inside the packet.
    I would also ask the user on 192.168.0.100 what is happening. Unless you
    are forwarding some port on your firewall to 192.168.0.100 port 6784,
    that host almost certainly initiated the connection. Why?

    I don't know what the laws are in Italy or the European Union, but you
    may want to check with the company legal advisor. Here in the USA, one
    can run into legal problems unless _written_ and _published_ company
    policy warns the employees that the computers are only for company
    business and that the company may/will be monitoring that usage.

    Old guy

  3. Re: Info log TCPDUMP

    Thanks for your suggestion

    bye


