Quake3 protocol - Security


  1. Quake3 protocol

    This may be considered off topic for this news group, but I've
    encountered some very helpful people here, so here goes:

    Is the Quake3 Protocol used for anything else other than playing Quake?

    The reason I'm asking, is I occasionally run ethereal when I see the
    lights on my hub at work start to max out. And I've noticed that
    protocol showing up in the results. I did nslookup on the ip address
    and it's one of the network admins. So, before I say anything, if I do,
    I want to have all my ducks in a row.

    TIA,

    Andy C.(never #)


  2. Re: Quake3 protocol

    On 21 Dec 2006, in the Usenet newsgroup comp.os.linux.security, in article
    <1166709499.840855.87190@79g2000cws.googlegroups.com>, Andy C.(never #) wrote:

    >This may be considered off topic for this news group,


    No - it's on-topic.

    >Is the Quake3 Protocol used for anything else other than playing Quake?


    What do you mean by "Quake3 Protocol"? If you mean something spewing
    UDP packets in the 26000-27000 port range, then the answer is a maybe.
    If you mean it's something that 'ethereal' or 'wireshark' is identifying
    the stuff as 'Quake3', then probably not.

    >The reason I'm asking, is I occasionally run ethereal when I see the
    >lights on my hub at work start to max out. And I've noticed that
    >protocol showing up in the results.


    If you look at ftp://ftp.iana.org/assignments/protocol-numbers, there is
    no Quake (let alone Quake3) protocol. If you're making the decision based
    on the port number being 26000/udp, or 27960/udp or similar, I suspect
    that you need more evidence. While those ports are used for Quake
    servers, there is no law/rule that any packet destined for that port
    must be Quake. Not knowing what the packets or traffic look like, I can't
    give you a plausible explanation of what they _might_ be, but obviously
    they _could_ (not necessarily _are_) innocent. (How's that for treading
    lightly?)

    >I did nslookup on the ip address and it's one of the network admins. So,
    >before I say anything, if I do, I want to have all my ducks in a row.


    Where are you... IP says state-side. See that there is a _written_
    company policy in place before you even think about it. This can run into
    all kinds of nasty labor relations problems. Where is the traffic going?
    Is it local - check the systems (wander on by and see what the displays
    are showing). If it's going outside (where), who controls the firewall?

    Old guy
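
Added example (not part of the thread, and not Ethereal's own dissector logic): one way to gather the extra evidence asked for above is to grade each UDP flow by payload rather than by port, looking for the Quake III connectionless-packet prefix (four 0xFF bytes followed by a text command such as `getchallenge` or `getstatus`). The addresses and payloads below are constructed; in-game packets do not carry this prefix, so the verdict is kept per flow, not per packet.

```python
# Ports named in the thread; a match on these alone is only a hint.
PORTS_FROM_THREAD = {26000, 27960}
OOB_MARKER = b"\xff\xff\xff\xff"  # prefix of Quake III connectionless packets
OOB_COMMANDS = (b"getstatus", b"getinfo", b"getchallenge", b"connect",
                b"statusResponse", b"infoResponse", b"challengeResponse")
RANK = {"no-match": 0, "port-only": 1, "payload-match": 2}


def classify(sport, dport, payload):
    """Grade one UDP datagram: payload evidence beats a port coincidence."""
    body = payload[len(OOB_MARKER):]
    if payload.startswith(OOB_MARKER) and body.startswith(OOB_COMMANDS):
        return "payload-match"
    if sport in PORTS_FROM_THREAD or dport in PORTS_FROM_THREAD:
        return "port-only"
    return "no-match"


def summarize(datagrams):
    """Group (src, sport, dst, dport, payload) tuples into bidirectional flows
    and keep the strongest evidence seen, plus packet and byte counts."""
    flows = {}
    for src, sport, dst, dport, payload in datagrams:
        key = tuple(sorted([(src, sport), (dst, dport)]))
        stats = flows.setdefault(
            key, {"packets": 0, "bytes": 0, "evidence": "no-match"})
        stats["packets"] += 1
        stats["bytes"] += len(payload)
        verdict = classify(sport, dport, payload)
        if RANK[verdict] > RANK[stats["evidence"]]:
            stats["evidence"] = verdict
    return flows


# Constructed sample: a handshake plus one in-game packet, an unrelated
# service that happens to use 27960/udp, and a DNS query.
SAMPLE = [
    ("10.0.0.5", 40000, "192.0.2.10", 27960, b"\xff\xff\xff\xffgetchallenge"),
    ("192.0.2.10", 27960, "10.0.0.5", 40000,
     b"\xff\xff\xff\xffchallengeResponse 12345"),
    ("10.0.0.5", 40000, "192.0.2.10", 27960, b"\x01\x00\x00\x00\x9a\x10\x42"),
    ("10.0.0.7", 5000, "10.0.0.9", 27960, b"backup-chunk-0001"),
    ("10.0.0.8", 53000, "10.0.0.1", 53, b"\x12\x34\x01\x00\x00\x01"),
]

if __name__ == "__main__":
    for flow, stats in summarize(SAMPLE).items():
        print(flow, stats)
```

A flow graded `port-only` shows only that something used the port; `payload-match` means at least one datagram carried the connectionless prefix and a known command.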

  3. Re: Quake3 protocol

    Moe Trin wrote:
    >SNIP
    > What do you mean by "Quake3 Protocol"? If you mean something spewing
    > UDP packets in the 26000-27000 port range, then the answer is a maybe.
    > If you mean it's something that 'ethereal' or 'wireshark' is identifying
    > the stuff as 'Quake3', then probably not.

    After I do a capture, I do several sorts to get a better idea of what's
    going on. First I sort by origin and make sure that it isn't any of my
    machines that are spewing. Then I sort by protocol. Ethereal lists all
    the usual suspects, TCP, UDP, ARP, STP, even IPX. In scrolling through
    these sorts you can see what is hogging the intranet. That's how I came
    across Quake3 protocol.

    > Where are you... IP says state-side. See that there is a _written_
    > company policy in place before you even think about it. This can run into
    > all kinds of nasty labor relations problems. Where is the traffic going?
    > Is it local - check the systems (wander on by and see what the displays
    > are showing). If it's going outside (where), who controls the firewall?

    Yes, totally US. Only been out of the country one time: walking day
    trip to Mexico. Won't ever go back. Would really like to visit Canada.
    Alberta and BC look like Wyoming on steroids.

    But I digress. Yes, written company policy about misusing company
    equipment. I could be doing it, too, except that I'm using the internet
    to get information and most of it relates directly to my job duties. I
    like playing games as much as the next guy, but when you do it at work
    that's another matter. Plus, eventually, they're going to get curious
    as to why everything seems to slow down at certain times of the day.

    >
    > Old guy


    Thanks, again.


  4. Re: Quake3 protocol

    On 21 Dec 2006, in the Usenet newsgroup comp.os.linux.security, in article
    <1166732546.533070.306610@i12g2000cwa.googlegroups.com>, Andy C.(never #)
    wrote:

    >Moe Trin wrote:


    >> If you mean it's something that 'ethereal' or 'wireshark' is identifying
    >> the stuff as 'Quake3', then probably not.


    >After I do a capture, I do several sorts to get a better idea of what's
    >going on. First I sort by origin and make sure that it isn't any of my
    >machines that are spewing. Then I sort by protocol. Ethereal lists all
    >the usual suspects, TCP, UDP, ARP, STP, even IPX.


    Those are all defined protocols that can be carried in an IP packet. In
    addition, there are over 180 different protocols besides IP that can be
    found in an Ethernet frame.

    >In scrolling through these sorts you can see what is hogging the intranet.
    >That's how I came across Quake3 protocol.


    Well, as stated there is no official protocol as such. If Ethereal is
    identifying it as such, it would be because of characteristics of the
    packet. I can't help there - we don't have that problem.

    >> Where are you... IP says state-side.


    >Yes, totally US. Only been out of the country one time: walking day
    >trip to Mexico. Won't ever go back.


    Border towns, any more than tourist traps, and (very often) "large"
    cities are not representative of a country.

    >Would really like to visit Canada. Alberta and BC look like Wyoming on
    >steroids.


    Do it! It's a cliche to say that there's a whole world out there, but
    there is. In my mis-spent youth, I spent over ten years out there seeing
    what there is to see while working overseas. There is a lot, and it's
    worth seeing.

    >But I digress. Yes, written company policy about misusing company
    >equipment.


    That's a legal requirement - the company can get in horribly deep weeds
    if they take actions in the absence of such a policy that is at least
    semi-actively enforced. Our employees know these policies, and know
    that misuse isn't tolerated, so we don't have the problem. The only
    non-business traffic on our wires is ten channels of "Internet Radio"
    (because we're in buildings that basically block radio reception).
    The employee association has set up computers in the break areas
    (that are not connected to the company wires) for "personal" use. That's
    how I often post to the newsgroups.

    >I could be doing it, too, except that I'm using the internet to get
    >information and most of it relates directly to my job duties.


    It's one of the best sources of Linux support, and well worth while
    for other services as well. We're allowed access to _read_ Usenet on
    the job, but are not allowed to post (NDAs and all that).

    >I like playing games as much as the next guy, but when you do it at work
    >that's another matter. Plus, eventually, they're going to get curious
    >as to why everything seems to slow down at certain times of the day.


    When you spend most of your working day staring at the screen, playing
    computer games is absolutely the _LAST_ thing on my list of exciting
    things to be doing.

    Old guy
