No Title
February 3, 2008 4:12 PM   Subscribe

Do you have the destination IPs? You can tracert the IP address and you'll see what it resolves to.

What you revealed isnt much. The items like nsjtp-data are the names of the ports. Youre better off googling those names or changing the app to reveal the port numbers instead of the names.
posted by damn dirty ape at 4:49 PM on February 3, 2008

Looks like a portscan from the source. nsjtp-data is port 1688, saiseh is port 1644, isis-ambc is port 1643; so if these packets are in order, something is scanning down the port range looking for open ports (probably to exploit).

You could block the source IP if you want to clean up the capture, but you'd be better off making sure that you have a firewall in place that blocks all incoming packets if they're not part of an existing stream, or unless you explicitly enable a specific service to receive packets from random, unknown hosts.

At this point, everyone should have such a firewall protecting them. I saw a statistic somewhere which stated that your average unpatched windows system will be infected within 3 minutes of being attached to the internet if not protected by a firewall (sorry, can't find a ref -- feel free to discount this assertion if you like, but the fact remains that connecting a system without ensuring that it's protected first is crazy)
posted by 5MeoCMP at 4:59 PM on February 3, 2008

Looks like a portscan from the source. nsjtp-data is port 1688, saiseh is port 1644, isis-ambc is port 1643

Nope, looks more like local dynamically allocated port numbers; endpoints for outgoing HTTP requests. XP seems to use 1024-5000 by default. Vista (and BSD's, OS X, probably Linux) uses 49152-65535, probably to avoid intersecting with services which might like to use those ports.

This article explains how to change it if desired.
posted by Freaky at 5:39 PM on February 3, 2008

What Freaky said, but more generally, only one half of the port pair is probably going to be accurately identified as a service, and if you're not on the server, it'll be the far end. Wireshark happily reports standard service names for well-known ports anyhow, but if it's the near end of a connection for which you're the client: ignore the service name.
posted by mendel at 9:01 PM on February 3, 2008

Just to amplify that a bit, here are the first few things I ever learned about TCP/IP.

First: Anything capable of TCP/IP connections is called a host.

Second: an IP address does not, in general, identify a host. It identifies a network interface on that host. Remember: Hosts don't have IP addresses. Interfaces have IP addresses.

If you have a single host with several network interfaces, each one of those will (in general) have its own IP address. In some cases, it makes sense for all of a single host's interfaces to be given the same address (for example, I do this on my laptop: the wireless LAN port and the Ethernet port are both assigned 192.168.119.1) but this is not a general requirement.

Third: TCP/IP connections are made between interfaces, not necessarily between hosts. It's perfectly possible for a given host to talk to itself via TCP/IP. In fact, it's even possible for a given interface to talk to itself via TCP/IP.

There is a loopback interface available on every host, and it's always accessible via the reserved TCP/IP address 127.0.0.1 (actually any address in the range 127.0.0.1 through 127.255.255.255 will do; 127.0.0.1 is the one conventionally used). The loopback interface is often used to allow programs running on a given host to make TCP/IP connections to services running on that same host in exactly the same way as would be done for services running on some other host.

Fourth: there is a 16-bit port number associated with each end of every TCP/IP connection. You can uniquely identify a given TCP/IP connection with four numbers: the source IP address, the source port number, the destination IP address, and the destination port number.

Fifth: TCP-accessible services running on a host will bind to a particular interface and port number. That means that incoming connection requests to that interface's IP address, bearing that port number, will succeed.

Multiple connections can share a given IP address and port number, as long as they do so only at one end. For example: every connection that anybody makes to the Metafilter server is going to involve port 80 and IP address 74.53.68.130, and these numbers will show up as the destination IP and port for all packets going to Metafilter, and the source IP and port for all packets coming from Metafilter. Connecting to a given port doesn't "use it up".

When host Alice initiates a TCP connection to host Bob, she sets the source IP address on the outgoing connection request packet to match the interface the connection request is going out on; sets the source port number to some arbitrary number; and sets the destination port number to the well-known port number the service she wants will be bound to (e.g. port 80 for HTTP requests).

The only restriction on the source port number is that it must be one that is not already in use for an existing connection from the same source IP to the same destination IP and destination port. Different systems will have different policies for choosing source port numbers, as Freaky mentioned.

Connection request packets go out with only the SYN flag set, and you'll see that in Wireshark.

Bob will reply to that connection request with a packet whose destination IP address and port number match the source IP and port in the initial request, whose source IP and port match the destination IP and port in the initial request, and whose SYN and ACK flags are both set.

Finally, Alice will send Bob a third packet with just ACK set. This sequence is generally referred to as the three-way handshake.

If you set Wireshark up to show you only the traffic involving one particular external host (put ip.addr == ip.addr.goes.here in the Filter box and click Apply) and visit that host with your web browser, you will easily see the three-way handshake happening.

Subsequent packets that form part of that connection will use the same source and destination IP addresses and port numbers as those used during the three-way handshake.

Freaky's point is that because Alice's source port numbers are essentially arbitrary, and because Windows has a tendency to use well-known port numbers when it's allocating source port numbers, Wireshark might mislead you about which service is in use. If you see two well-known ports identified in a given packet, you can be pretty sure this is what's going on. Check the three-way handshake at the start of the connection to get a better idea. After right-clicking on a given TCP packet, selecting Follow TCP Stream, and closing the stream dump window, you will find that the Filter is set up to select all the packets in that stream, and the three-way handshake will be right at the top).

Disconnecting TCP connections cleanly involves another little dance using the FIN and ACK flags, that I'll let you have the pleasure of figuring out yourself. Use filtering as before to limit distractions.

Finally, a TCP connection can be aborted at any time, from either end, using a packet containing the RST flag. Those will be the ones that Wireshark is showing you in red.

There is much more to TCP than this, and it's all worth learning (TCP is actually a really interesting mixture of elegance, practicality and design flaws). But these basics should get you going.
posted by flabdablet at 4:06 PM on February 4, 2008

« Older Moving Grad-Students: Two of u...   |   Are there any urban gardening ... Newer »

This thread is closed to new comments.