This is a discussion on "What is this port 0 traffic, pls?" within the Linux Security forums, part of the System Security and Security Related category.
Hello and greetings.

This is not a real, urgent and unavoidable problem, but I am curious, and wonder if someone can shed some light on, or explain to me, what this might be about. TIA.

I am currently getting traffic from 82.84.210.186.

# host 82.84.210.186
186.210.84.82.in-addr.arpa domain name pointer ppp-82-84-210-186.cust-adsl.tiscali.it.

There are 4 packets every (slightly over) 10 minutes, and the packets are spaced at 3, 6 and 12 seconds from the preceding. I can (and will) disconnect and reconnect to get a new IP address, and that will (99 and 44/100 percent sure) end this issue for me. However, as I said, I am curious, and would like to know just what this is about. It has been going on for many hours now.

Here is one such packet captured with ethereal:

ethereal 0.9.13
Compiled with GTK+ 1.2.10, with GLib 1.2.10, with libpcap 0.6, with libz 1.1.4, with UCD-SNMP 4.2.5, without ADNS
Running on Linux 2.4.20-19.7

Frame 120 (76 bytes on wire, 76 bytes captured)
    Arrival Time: Apr 30, 2004 21:01:55.366407000
    Time delta from previous packet: 0.000450000 seconds
    Time relative to first packet: 328.152580000 seconds
    Frame Number: 120
    Packet Length: 76 bytes
    Capture Length: 76 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 82.84.210.185 (82.84.210.185), Dst Addr: 142.167.18.105 (142.167.18.105)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 60
    Identification: 0xe328 (58152)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 54
    Protocol: TCP (0x06)
    Header checksum: 0x9b75 (correct)
    Source: 82.84.210.185 (82.84.210.185)
    Destination: 142.167.18.105 (142.167.18.105)
Transmission Control Protocol, Src Port: 52126 (52126), Dst Port: 0 (0), Seq: 1133398483, Ack: 0, Len: 0
    Source port: 52126 (52126)
    Destination port: 0 (0)
    Sequence number: 1133398483
    Header length: 40 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 5840
    Checksum: 0xff20 (correct)
    Options: (20 bytes)
        Maximum segment size: 1412 bytes
        SACK permitted
        Time stamp: tsval 371850494, tsecr 0
        NOP
        Window scale: 0 (multiply by 1)

0000  00 00 02 00 00 00 00 01 81 3f 00 3d 00 00 08 00   .........?.=....
0010  45 00 00 3c e3 28 40 00 36 06 9b 75 52 54 d2 b9   E..<.(@.6..uRT..
0020  8e a7 12 69 cb 9e 00 00 43 8e 49 d3 00 00 00 00   ...i....C.I.....
0030  a0 02 16 d0 ff 20 00 00 02 04 05 84 04 02 08 0a   ..... ..........
0040  16 29 fc fe 00 00 00 00 01 03 03 00               .)..........

Thanks and best wishes.
Coward_Today_ <postmaster@127.0.0.1> wrote:
[...]
> Transmission Control Protocol, Src Port: 52126 (52126), Dst Port: 0 (0),

Port 0 is used to remotely fingerprint an OS. You should read this [1] to get a further understanding of Port 0 Fingerprinting.

[1] http://www.networkpenetration.com/port0.html

p.s. you really should use an email address that someone can reply on.

--
I don't know why I did it, I don't know why I enjoyed it, and I don't know why I'll do it again.
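A small parser for the frame posted above, added here as an example and not code from anyone in the thread: it walks the Linux cooked-capture (SLL) pseudo-header, the IPv4 header and the TCP header in the hex dump, and flags the destination-port-0 SYN that the reply identifies as a fingerprinting probe. The SLL header length and the IPv4/TCP field offsets are standard; the packet bytes are copied from the post.

```python
"""Decode the SLL/IPv4/TCP frame from the post and flag a port-0 SYN probe."""
import struct

# Hex dump copied from the post (offset and ASCII columns removed).
CAPTURED_HEX = (
    "00 00 02 00 00 00 00 01 81 3f 00 3d 00 00 08 00"
    "45 00 00 3c e3 28 40 00 36 06 9b 75 52 54 d2 b9"
    "8e a7 12 69 cb 9e 00 00 43 8e 49 d3 00 00 00 00"
    "a0 02 16 d0 ff 20 00 00 02 04 05 84 04 02 08 0a"
    "16 29 fc fe 00 00 00 00 01 03 03 00"
)

SLL_HEADER_LEN = 16          # Linux cooked capture pseudo-header
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_sll_tcp(frame: bytes) -> dict:
    """Return addresses, ports and TCP flags from an SLL-encapsulated IPv4/TCP frame."""
    if struct.unpack("!H", frame[14:16])[0] != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    ip = frame[SLL_HEADER_LEN:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ip[9] != IPPROTO_TCP:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "sport": sport,
        "dport": dport,
        "flags": tcp[13],
        "ttl": ip[8],
        "window": struct.unpack("!H", tcp[14:16])[0],
    }


def is_port0_probe(pkt: dict) -> bool:
    """No service listens on port 0, so a bare SYN to it is either a fingerprinting
    probe (the port-0 tests the reply points to) or a broken stack; log either."""
    flags = pkt["flags"]
    return pkt["dport"] == 0 and bool(flags & TCP_SYN) and not flags & TCP_ACK


def parse_posted_frame() -> dict:
    """Decode the frame from the post above."""
    return parse_sll_tcp(bytes.fromhex(CAPTURED_HEX.replace(" ", "")))


if __name__ == "__main__":
    pkt = parse_posted_frame()
    print(pkt, "-> port-0 probe" if is_port0_probe(pkt) else "-> normal")
```

The equivalent live capture filter for tcpdump or ethereal is `tcp dst port 0`.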
On Tue, 04 May 2004 10:18:41 -0400, Markus Koenig wrote:
> Coward_Today_ <postmaster@127.0.0.1> wrote:
>
> [...]
>
>> Transmission Control Protocol, Src Port: 52126 (52126), Dst Port: 0
>> (0),
>
> Port 0 is used to remotely fingerprint an OS. You should read this [1]
> to get a further understanding of Port 0 Fingerprinting.
>
> [1] http://www.networkpenetration.com/port0.html

Thanks. That's a good, clear explanation, and might have been exactly what was happening. I would not have found it without your help. This packet matches the "P2" test on that page, and might have been the only one of the 7 that the ISP was letting through.

> p.s. you really should use an email address that someone can reply on.

I'll send my address to you with my personal appreciation, and regret any inconvenience.

Thanks again!