It would appear to be an ICMP type 3 warning. The system furry (a router
or a target host) appears to be telling "conrad" that the destination UDP
port is not reachable. I've seen similar things when my logd falls down.
--
J. Eric Josephson
"Sylar, John" <JSylar@erac.com>
Sent by: ntop-admin@unipi.it
02/20/2002 09:06 AM
Please respond to ntop
To: "Users NTOP (E-mail)" <[EMAIL PROTECTED]>
cc:
Subject: [Ntop] Funny thing....
Anyone seen this:
Installed Ntop build 27/12/2001 (final) on a freshly built W2K machine, AD
integrated, no other apps running or installed. Let Ntop run for a few
hours, then opened ICMPWatch and found this:
ICMP Statistics
<snip>
Time Source Dest Packet
Tue Feb 19 20:19:56 2002 furry conrad 192.168.0.1 udp port 2069 unreachable
Tue Feb 19 20:19:58 2002 furry conrad 192.168.0.1 udp port 2069 unreachable
Tue Feb 19 20:20:00 2002 furry conrad 192.168.0.1 udp port 2069 unreachable
Tue Feb 19 20:20:05 2002 furry conrad 192.168.0.1 udp port 2069 unreachable
Tue Feb 19 20:20:16 2002 furry conrad 192.168.0.1 udp port 2071 unreachable
Tue Feb 19 20:20:18 2002 furry conrad 192.168.0.1 udp port 2071 unreachable
Tue Feb 19 20:20:20 2002 furry conrad 192.168.0.1 udp port 2071 unreachable
Tue Feb 19 20:20:24 2002 furry conrad 192.168.0.1 udp port 2071 unreachable
Tue Feb 19 20:29:42 2002 furry conrad 192.168.0.1 udp port 2074 unreachable
Tue Feb 19 20:29:44 2002 furry conrad 192.168.0.1 udp port 2074 unreachable
Tue Feb 19 20:29:46 2002 furry conrad 192.168.0.1 udp port 2074 unreachable
Tue Feb 19 20:29:50 2002 furry conrad 192.168.0.1 udp port 2074 unreachable
Tue Feb 19 21:36:56 2002 furry conrad 192.168.0.1 udp port 2122 unreachable
Tue Feb 19 21:36:58 2002 furry conrad 192.168.0.1 udp port 2122 unreachable
Tue Feb 19 21:37:00 2002 furry conrad 192.168.0.1 udp port 2122 unreachable
Tue Feb 19 21:37:04 2002 furry conrad 192.168.0.1 udp port 2122 unreachable
Tue Feb 19 21:37:16 2002 furry conrad 192.168.0.1 udp port 2123 unreachable
..ad nauseam...
</snip>
It *looks like* my Ntop machine is doing a UDP port scan of the other hosts
on the segment. I've never seen this behavior from a W2K machine before, so
I don't know if it's the OS or the app. Before I get out the sniffer and
begin tearing the app apart, just want to check to see if this has been
observed before....
Both machines PIII 450M, 196M RAM, W2K build 2195, Service Pack 2, on the
same segment, tied by a Compaq OfficeConnect 10/100 hub. Both machines are
hardened (don't laugh, it's possible) with no extra services or apps. The
machine Conrad is an AD domain controller (DNS, LDAP, DHCP, SMTP, FTP, SSH).
Best regards,
Sam
---------------------------------
"You can't be a real country unless you have a beer and an airline. It helps
if you have some kind of football team or some nuclear weapons, but at the
very least you need a beer." -Frank Zappa
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listmanager.unipi.it/mailman/listinfo/ntop
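An added example, not part of the original thread and not ntop code: a small Python parser for ICMPWatch rows of the shape shown in the listing above, grouping the port-unreachable errors by port so the repeat count and spacing per port are visible before reaching for a sniffer. The row layout is inferred from the listing, and the function names and the min_repeat threshold are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample: rows taken from the ICMPWatch listing in this thread,
# some still wrapped before "unreachable" the way the mail client left them.
SAMPLE = """\
Tue Feb 19 20:19:56 2002 furry conrad 192.168.0.1 udp port 2069
unreachable
Tue Feb 19 20:19:58 2002 furry conrad 192.168.0.1 udp port 2069
unreachable
Tue Feb 19 20:20:00 2002 furry conrad 192.168.0.1 udp port 2069 unreachable
Tue Feb 19 20:20:05 2002 furry conrad 192.168.0.1 udp port 2069 unreachable
Tue Feb 19 20:20:16 2002 furry conrad 192.168.0.1 udp port 2071 unreachable
Tue Feb 19 20:20:18 2002 furry conrad 192.168.0.1 udp port 2071 unreachable
Tue Feb 19 20:20:20 2002 furry conrad 192.168.0.1 udp port 2071 unreachable
Tue Feb 19 20:20:24 2002 furry conrad 192.168.0.1 udp port 2071 unreachable
Tue Feb 19 21:37:16 2002 furry conrad 192.168.0.1 udp port 2123 unreachable
"""

ROW = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\s+(?P<src>\S+)\s+"
    r"(?P<dst>\S+)\s+(?P<host>\S+) udp port (?P<port>\d+) unreachable$")

def parse(text):
    """Yield (time, icmp_sender, icmp_receiver, unreachable_host, port)."""
    # Re-join rows that were wrapped just before the word "unreachable".
    text = re.sub(r"\s*\n\s*unreachable", " unreachable", text)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["src"], m["dst"], m["host"], int(m["port"])

def summarize(text):
    """Per (sender, receiver, host, port): error count and gaps in seconds."""
    groups = {}
    for ts, src, dst, host, port in parse(text):
        groups.setdefault((src, dst, host, port), []).append(ts)
    return [{"port": k[3], "sender": k[0], "receiver": k[1], "count": len(t),
             "gaps": [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]}
            for k, t in groups.items()]

def repeated_ports(summary, min_repeat=3):
    """Ports reported unreachable min_repeat+ times (threshold is an assumption)."""
    return [g["port"] for g in summary if g["count"] >= min_repeat]

if __name__ == "__main__":
    for g in summarize(SAMPLE):
        print(g)
    print("repeated:", repeated_ports(summarize(SAMPLE)))
```

The sender and receiver columns in each summary row are those of the ICMP error itself, which is the first thing to confirm against a packet capture.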