Info log TCPDUMP

Hi, in my company I have configured my firewall (Smoothwall) to drop all traffic from the subnet 192.168.0.0/24 except some ports like http, https, ftp, pop.

This configuration seems to work fine; in fact the other services that use different ports do not work.

Out of curiosity, I used the tcpdump command to analyze the traffic and I didn't understand why the firewall logs thousands of records regarding the traffic that I report below. What does the traffic mean? (Please, don't suppose.) Does the traffic mean that some user is downloading by P2P with a closed port, or instead that the user TRIES to download by P2P?

It is very strange, but I don't have enough know-how to read the tcpdump log correctly.

Can you help me?

22:25:00.058138 IP 82.105.X.X.1287 > 192.168.0.100.6784: . ack 332387 win 65535
22:25:00.058832 IP 192.168.0.100.6784 > 82.105.X.X.1287: . 333819:335251(1432) ack 0 win 5840
22:25:00.131136 IP 82.105.X.X.1287 > 192.168.0.100.6784: . ack 335251 win 65535
22:25:00.131824 IP 192.168.0.100.6784 > 82.105.X.X.1287: . 335251:336683(1432) ack 0 win 5840
22:25:00.131945 IP 192.168.0.100.6784 > 82.105.X.X.1287: . 336683:338115(1432) ack 0 win 5840
22:25:00.132065 IP 192.168.0.100.6784 > 82.105.X.X.1287: . 338115:339547(1432) ack 0 win 5840
Reply to
djx

There is not enough information. The log is showing an established connection between 82.105.X.X (whatever that might be) port 1287, and 192.168.0.100 port 6784. The traffic appears to be flowing from 192.168.0.100 to 82.105.X.X. The RFC1918 address is probably local and you'd have to look at that system. The 82.105.X.X is Interbusiness. The port numbers are somewhat meaningless, as they are not "well known" services. Port 1287 is "registered" to RouteMatch, which is a motor transport management software - probably not what it's actually being used for.

I'd increase the snaplen (-s 1500) and look at what is inside the packet. I would also ask the user on 192.168.0.100 what is happening. Unless you are forwarding some port on your firewall to 192.168.0.100 port 6784, that host almost certainly initiated the connection. Why?

I don't know what the laws are in Italy or the European Union, but you may want to check with the company legal advisor. Here in the USA, one can run into legal problems unless _written_ and _published_ company policy warns the employees that the computers are only for company business and that the company may/will be monitoring that usage.

Old guy

Reply to
Moe Trin
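As an added example (not code from either poster): a small Python parser for the classic tcpdump TCP records quoted in the question. It totals payload bytes and pure ACKs per direction, which is the check that shows which host is actually sending the data. The sample is the post's own six records, one per line, with the remote address masked as 82.105.X.X exactly as in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the six records quoted in the original post, one per line.
# The remote address is masked as 82.105.X.X in the post, so it is kept that way here.
SAMPLE = """\
22:25:00.058138 IP 82.105.X.X.1287 > 192.168.0.100.6784: . ack 332387 win 65535
22:25:00.058832 IP 192.168.0.100.6784 > 82.105.X.X.1287: . 333819:335251(1432) ack 0 win 5840
22:25:00.131136 IP 82.105.X.X.1287 > 192.168.0.100.6784: . ack 335251 win 65535
22:25:00.131824 IP 192.168.0.100.6784 > 82.105.X.X.1287: . 335251:336683(1432) ack 0 win 5840
22:25:00.131945 IP 192.168.0.100.6784 > 82.105.X.X.1287: . 336683:338115(1432) ack 0 win 5840
22:25:00.132065 IP 192.168.0.100.6784 > 82.105.X.X.1287: . 338115:339547(1432) ack 0 win 5840
"""

# Classic tcpdump TCP line: time, src.port > dst.port, flags, optional seq:end(len), ack, win.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>\S+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?"
)

def parse_line(line):
    """Return a dict for one tcpdump TCP record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["len"] = int(rec["len"] or 0)  # a pure ACK has no seq:end(len) part
    return rec

def summarize(text):
    """Count segments, payload bytes and pure ACKs per (src, dst) direction."""
    stats = defaultdict(lambda: {"segments": 0, "payload_bytes": 0, "pure_acks": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        d = stats[(rec["src"], rec["dst"])]
        d["segments"] += 1
        d["payload_bytes"] += rec["len"]
        if rec["len"] == 0:
            d["pure_acks"] += 1
    return dict(stats)

def data_sender(stats):
    """The address whose segments carry the payload, i.e. the side sending (uploading) data."""
    return max(stats, key=lambda k: stats[k]["payload_bytes"])[0]

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for (src, dst), d in s.items():
        print(f"{src} -> {dst}: {d}")
    print("data flows from", data_sender(s))
```

On the quoted records every payload-carrying segment (1432 bytes each) leaves 192.168.0.100 and the remote side only sends acknowledgements, which is what "traffic flowing from 192.168.0.100" means in the reply above.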

Thanks for your suggestion

bye

Reply to
djx
