Hi Dustin,

On Wednesday, 2 February 2005 18:21, Dustin wrote:
> sessions & packets, but w/ higher amount of data. We would like to know
> exactly what this traffic is, why is the majority of traffic lumped into
> "port 0"?

Can you specify the protocol? For TCP and UDP it is a reserved port not to be used (RFC 1700).

In case it's UDP port 0 see: http://www.networkpenetration.com/port0.html

Maybe it's used for OS fingerprinting:

"As the specifics are not clear different OS's have different ways of handling traffic using port 0 thus they can be fingerprinted."

"Recommendations: Although port 0 is a valid TCP / UDP port number, it is highly recommended that one should block any traffic using this port at your firewall. No program should be listening on port 0 and no program should connect from port 0 thus it should be blocked."

Portscanners like nmap or xprobe normally use TCP flags or ICMP packets. But there are other scanners which use the port 0 OS fingerprinting. See http://gobbler.sourceforge.net/

Sven.

-- 
Dipl.math.oec. Sven Uebelacker <[EMAIL PROTECTED]>
Hamburg University of Technology, Computer Center
Room 2.094, Schwarzenbergstr. 95, D-21073 Hamburg, Germany
tel: +49-40-42878-4375 fax: +49-40-42878-2803
GnuPG: 0x420F0947, DSA 1024, 2004-10-04
fp: 1CC9 1CBB D440 95D4 53C0 15C7 20D9 A035 420F 0947
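The triage Sven suggests (break the "port 0" bucket down by protocol before treating it as suspicious), as an added example that is not part of the original thread. It assumes flow-tools-style records carrying protocol, source port, destination port and octets, that the exporter fills the port fields with 0 for protocols that have no L4 port (GRE, ESP), and that it encodes ICMP type/code in the destination port; the sample records are constructed.

```python
# Added example, not from the flow-tools thread: classify the "port 0" traffic
# in flow records by protocol. Port 0 on a portless protocol is a reporting
# artifact; port 0 on TCP/UDP is the reserved port (RFC 1700) and worth a look.
from collections import defaultdict

ICMP, TCP, GRE, ESP, UDP = 1, 6, 47, 50, 17

# Constructed flow records: (proto, srcport, dstport, octets).
FLOWS = [
    (TCP, 43211, 80, 12000),   # ordinary web traffic
    (UDP, 53, 51234, 400),     # DNS reply
    (ICMP, 0, 2048, 64),       # echo request; dstport = type*256 + code (assumed encoding)
    (GRE, 0, 0, 900000),       # tunnel traffic, legitimately has no ports
    (ESP, 0, 0, 650000),       # IPsec, legitimately has no ports
    (TCP, 0, 0, 40),           # TCP with port 0: reserved, investigate / block
    (UDP, 0, 0, 60),           # UDP with port 0: reserved, investigate / block
]


def triage_port0(flows):
    """Split records that a port-keyed report would show under port 0 into
    'expected' (protocols without ports) and 'anomalous' (TCP/UDP using the
    reserved port 0). Returns two dicts of octet totals keyed by protocol."""
    expected = defaultdict(int)
    anomalous = defaultdict(int)
    for proto, sport, dport, octets in flows:
        if sport != 0 and dport != 0:
            continue  # both ports set: not part of the port-0 bucket
        bucket = anomalous if proto in (TCP, UDP) else expected
        bucket[proto] += octets
    return dict(expected), dict(anomalous)


def port0_share(flows):
    """Fraction of all octets that land under port 0 in a per-port report."""
    total = sum(f[3] for f in flows)
    port0 = sum(f[3] for f in flows if f[1] == 0 or f[2] == 0)
    return port0 / total if total else 0.0


if __name__ == "__main__":
    expected, anomalous = triage_port0(FLOWS)
    print(f"port 0 share of octets: {port0_share(FLOWS):.1%}")
    print("expected (portless protocols):", expected)
    print("anomalous (TCP/UDP on reserved port 0):", anomalous)
```

On the constructed data almost all of the port-0 volume is GRE and ESP, which is the usual explanation for a large port-0 bucket; only the two small TCP/UDP records merit a firewall rule or a closer look at the sources.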
_______________________________________________ Flow-tools mailing list [EMAIL PROTECTED] http://mailman.splintered.net/mailman/listinfo/flow-tools
