They are wasting your time. The only information you have given us is a range of 19nnn-29nnn port numbers. Those could be literally anything, and the same numbers could be used for something else the next day. It's absurd for them to expect you to go back six months. If they cannot trap actual packets when it is happening, there is no way you are ever going to figure it out after the fact. Short of tracing on ports 19000-29999, and saving the data for 6 months, what is there left to do?
On Mon, 23 Oct 2006 09:57:37 -0700, Schuh, Richard <[EMAIL PROTECTED]> wrote:
>Alan,
>
>If we knew when to trace, it might be a viable option; however, we never hear about it when it is happening. Sometimes we don't hear until over a month after the fact. The first time we were told of a problem was 6 months after the first occurrence. The ports change each month, so we cannot know which to trace until the blitz starts. The network people are not even aware of it while it is happening. Someone from InfoSec who is reviewing the logs after the fact detects that it happened.
>
>The only good thing about it is that it is only on our internal/test network.
>
>Regards,
>Richard Schuh