Seeing odd traffic on port 80 - non HTTP
Ethereal Development forums, Networking and Network Related category
I am currently running a guest access network on a linux box and I
noticed this morning that I'm seeing very odd traffic on port 80 (it's non-HTTP). While I know who is doing it, I have no way of contacting this person and it is causing my proxy server no end of grief. Is there any way, based on the below output, to determine what application this is coming from?

No.     Time        Source                Destination           Protocol Info
      1 0.000000    10.255.255.53         82.1.233.239          TCP      4182 > http [FIN, ACK] Seq=0 Ack=0 Win=64512 Len=0

Frame 1 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Mar 2, 2006 12:51:10.853501000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 60 bytes
    Capture Length: 60 bytes
    Protocols in frame: eth:ip:tcp
Ethernet II, Src: WwPcbaTe_d0:e1:6c (00:0f:1f:d0:e1:6c), Dst: QuantaCo_43:3a:eb (00:c0:9f:43:3a:eb)
    Destination: QuantaCo_43:3a:eb (00:c0:9f:43:3a:eb)
    Source: WwPcbaTe_d0:e1:6c (00:0f:1f:d0:e1:6c)
    Type: IP (0x0800)
    Trailer: 1056005046C7
Internet Protocol, Src: 10.255.255.53 (10.255.255.53), Dst: 82.1.233.239 (82.1.233.239)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x5567 (21863)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x5f43 [correct]
        Good: True
        Bad : False
    Source: 10.255.255.53 (10.255.255.53)
    Destination: 82.1.233.239 (82.1.233.239)
Transmission Control Protocol, Src Port: 4182 (4182), Dst Port: http (80), Seq: 0, Ack: 0, Len: 0
    Source port: 4182 (4182)
    Destination port: http (80)
    Sequence number: 0    (relative sequence number)
    Acknowledgement number: 0    (relative ack number)
    Header length: 20 bytes
    Flags: 0x0011 (FIN, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...1 = Fin: Set
    Window size: 64512
    Checksum: 0xe470 [correct]

No.     Time        Source                Destination           Protocol Info
      2 0.000058    10.255.255.53         61.177.35.58          TCP      4184 > http [FIN, ACK] Seq=0 Ack=0 Win=64512 Len=0

Frame 2 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Mar 2, 2006 12:51:10.853559000
    Time delta from previous packet: 0.000058000 seconds
    Time since reference or first frame: 0.000058000 seconds
    Frame Number: 2
    Packet Length: 60 bytes
    Capture Length: 60 bytes
    Protocols in frame: eth:ip:tcp
Ethernet II, Src: WwPcbaTe_d0:e1:6c (00:0f:1f:d0:e1:6c), Dst: QuantaCo_43:3a:eb (00:c0:9f:43:3a:eb)
    Destination: QuantaCo_43:3a:eb (00:c0:9f:43:3a:eb)
    Source: WwPcbaTe_d0:e1:6c (00:0f:1f:d0:e1:6c)
    Type: IP (0x0800)
    Trailer: 10580050BBB2
Internet Protocol, Src: 10.255.255.53 (10.255.255.53), Dst: 61.177.35.58 (61.177.35.58)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x5568 (21864)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x3a48 [correct]
        Good: True
        Bad : False
    Source: 10.255.255.53 (10.255.255.53)
    Destination: 61.177.35.58 (61.177.35.58)
Transmission Control Protocol, Src Port: 4184 (4184), Dst Port: http (80), Seq: 0, Ack: 0, Len: 0
    Source port: 4184 (4184)
    Destination port: http (80)
    Sequence number: 0    (relative sequence number)
    Acknowledgement number: 0    (relative ack number)
    Header length: 20 bytes
    Flags: 0x0011 (FIN, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...1 = Fin: Set
    Window size: 64512
    Checksum: 0x1fdb [correct]
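Added example (not part of the original post, nor an Ethereal tool): a small Python triage script that parses the one-line packet summaries Ethereal prints (the "No. Time Source Destination Protocol Info" rows) and reports, per source host, how many distinct destinations it touched, how many of its FINs belong to a 4-tuple for which no SYN appears anywhere in the capture, and the smallest gap between its packets. Nothing in an IP or TCP header names the sending application, so the script cannot answer that question; what it can do is state precisely what the capture supports: a single source emitting FIN/ACK segments with no payload to many unrelated hosts, tens of microseconds apart, on connections the capture never saw opened (note that Ethereal's relative sequence number of 0 only means this is the first packet it saw of that stream). Naming the process has to happen on the sending host itself, for example with whatever per-socket process listing that operating system offers. The input embeds the two rows from the post plus a constructed, ordinary connection between 10.255.255.77 and 198.51.100.10 (invented for contrast; those addresses do not appear in the post).

```python
"""Triage Ethereal/Wireshark one-line packet summaries for stray TCP FINs.

Added example. The first two sample rows are the frames from the post;
rows 3-6 are a constructed, well-formed connection used for contrast.
"""
import re
from collections import defaultdict

# Constructed sample input (rows 1-2 from the post, rows 3-6 invented).
SAMPLE = """\
No.     Time        Source          Destination     Protocol Info
      1 0.000000    10.255.255.53   82.1.233.239    TCP      4182 > http [FIN, ACK] Seq=0 Ack=0 Win=64512 Len=0
      2 0.000058    10.255.255.53   61.177.35.58    TCP      4184 > http [FIN, ACK] Seq=0 Ack=0 Win=64512 Len=0
      3 0.100000    10.255.255.77   198.51.100.10   TCP      3301 > http [SYN] Seq=0 Ack=0 Win=65535 Len=0
      4 0.120000    198.51.100.10   10.255.255.77   TCP      http > 3301 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0
      5 0.120100    10.255.255.77   198.51.100.10   TCP      3301 > http [ACK] Seq=1 Ack=1 Win=65535 Len=0
      6 0.500000    10.255.255.77   198.51.100.10   TCP      3301 > http [FIN, ACK] Seq=1 Ack=1 Win=65535 Len=0
"""

# Shape of the summary row Ethereal prints for a TCP segment.
SUMMARY_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)"
    r"\s+TCP\s+(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]*)\]"
    r"\s+Seq=(?P<seq>\d+)\s+Ack=(?P<ack>\d+)\s+Win=(?P<win>\d+)\s+Len=(?P<len>\d+)"
)

# Ethereal substitutes service names for well-known ports; undo that here.
PORT_NAMES = {"http": 80}


def port(token):
    """Map a port token ('http' or '4182') back to an integer."""
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    return int(token)


def parse_summary(text):
    """Parse summary rows into dicts; header and non-TCP rows are skipped."""
    pkts = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if not m:
            continue
        pkts.append({
            "no": int(m["no"]),
            "time": float(m["time"]),
            "src": m["src"],
            "dst": m["dst"],
            "sport": port(m["sport"]),
            "dport": port(m["dport"]),
            "flags": {f.strip() for f in m["flags"].split(",")},
            "len": int(m["len"]),
        })
    return pkts


def triage(pkts):
    """Per-source stats: destinations touched, FINs with no SYN seen for
    their 4-tuple in either direction, and the smallest inter-packet gap."""
    syn_seen = set()  # 4-tuples on which a SYN was observed
    stats = defaultdict(lambda: {"dsts": set(), "fins": 0, "orphan_fins": 0,
                                 "last_t": None, "min_gap": None})
    for p in pkts:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        rkey = (p["dst"], p["dport"], p["src"], p["sport"])
        if "SYN" in p["flags"]:
            syn_seen.add(key)
        s = stats[p["src"]]
        s["dsts"].add(p["dst"])
        if "FIN" in p["flags"]:
            s["fins"] += 1
            # A FIN on a 4-tuple never opened in this capture is either a
            # capture that started mid-connection or a host closing
            # connections that do not exist; the caller decides which.
            if key not in syn_seen and rkey not in syn_seen:
                s["orphan_fins"] += 1
        if s["last_t"] is not None:
            gap = p["time"] - s["last_t"]
            s["min_gap"] = gap if s["min_gap"] is None else min(s["min_gap"], gap)
        s["last_t"] = p["time"]
    return stats


def suspicious_sources(stats, min_dsts=2):
    """Sources whose FINs are all orphans and that fan out to several hosts."""
    return sorted(src for src, s in stats.items()
                  if s["fins"] and s["orphan_fins"] == s["fins"]
                  and len(s["dsts"]) >= min_dsts)


if __name__ == "__main__":
    results = triage(parse_summary(SAMPLE))
    for src, s in sorted(results.items()):
        print(f"{src}: {len(s['dsts'])} destination(s), "
              f"{s['orphan_fins']}/{s['fins']} FINs without a SYN, "
              f"min gap {s['min_gap']}")
    print("suspicious:", suspicious_sources(results))
```

To feed a real capture through it, apply the display filter `tcp.flags.fin == 1` in Ethereal and paste the summary rows; the script only needs the one-line rows, not the full dissection. The orphan-FIN test is deliberately conservative: a capture started after a connection was opened will also produce orphan FINs, so the fan-out and timing columns are what separate a stale capture from a host that is spraying closes.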
Forgot to mention, the source is always this user but the destination
is varied.

boo...@gmail.com wrote:
> I am currently running a guest access network on a linux box and I
> noticed this morning that I'm seeing very odd traffic on port 80
> (it's non-HTTP). While I know who is doing it, I have no way of
> contacting this person and it is causing my proxy server no end of
> grief. Is there any way, based on the below output, to determine what
> application this is coming from?
>
> [...]