Info log TCPDUMP

am 28.03.2007 22:57:30 von djx

Hi,
In my company I have configured my firewall (Smoothwall) to drop all traffic
from the whole subnet 192.168.0.0/24 except some ports like http, https, ftp,
pop.

This configuration seems to work fine; in fact the other services that use
different ports do not work.

For curiosity, I used the command tcpdump to analyze the traffic and I didn't
understand why the firewall logs thousands of records regarding the traffic that
I report below.
What does the traffic mean? (please, don't suppose)
Does the traffic mean that some user downloads by P2P with closed ports, or
does it instead mean that the user TRIES to download by P2P?

It is very strange, but I don't have enough know-how to read the tcpdump log
correctly.

Can you help me?


22:25:00.058138 IP 82.105.X.X.1287 > 192.168.0.100.6784: . ack 332387 win 65535
22:25:00.058832 IP 192.168.0.100.6784 > 82.105.X.X.1287: . 333819:335251(1432) ack 0 win 5840
22:25:00.131136 IP 82.105.X.X.1287 > 192.168.0.100.6784: . ack 335251 win 65535
22:25:00.131824 IP 192.168.0.100.6784 > 82.105.X.X.1287: . 335251:336683(1432) ack 0 win 5840
22:25:00.131945 IP 192.168.0.100.6784 > 82.105.X.X.1287: . 336683:338115(1432) ack 0 win 5840
22:25:00.132065 IP 192.168.0.100.6784 > 82.105.X.X.1287: . 338115:339547(1432) ack 0 win 5840

Re: Info log TCPDUMP

am 29.03.2007 22:00:15 von ibuprofin

On Wed, 28 Mar 2007, in the Usenet newsgroup comp.security.firewalls, in article
, djx wrote:

>For curiosity, I used the command tcpdump to analyze the traffic and I
>didn't understand why the firewall logs thousands of records regarding
>the traffic that I report below.
>What does the traffic mean? (please, don't suppose)

There is not enough information. The log is showing an established
connection between 82.105.X.X (whatever that might be) port 1287, and
192.168.0.100 port 6784. The traffic appears to be flowing from
192.168.0.100 to 82.105.X.X. The RFC1918 address is probably local
and you'd have to look at that system. The 82.105.X.X is Interbusiness.
The port numbers are somewhat meaningless, as they are not "well known"
services. Port 1287 is "registered" to RouteMatch, which is motor
transport management software - probably not what it's actually being
used for.

>It is very strange, but I don't have enough know-how to read the
>tcpdump log correctly.

I'd increase the snaplen (-s 1500) and look at what is inside the packet.
I would also ask the user on 192.168.0.100 what is happening. Unless you
are forwarding some port on your firewall to 192.168.0.100 port 6784,
that host almost certainly initiated the connection. Why?

I don't know what the laws are in Italy or the European Union, but you
may want to check with the company legal advisor. Here in the USA, one
can run into legal problems unless _written_ and _published_ company
policy warns the employees that the computers are only for company
business and that the company may/will be monitoring that usage.

Old guy
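A way to read a capture like the one quoted above mechanically, as an added example that is not part of this thread: it parses tcpdump summary lines in the format shown in the post, totals payload bytes per direction, and reports which endpoint is sending data, whether that endpoint is an RFC1918 address, and whether the capture even contains a SYN (without one, who opened the connection cannot be seen). It assumes the older tcpdump line format used in the post, and the masked remote octets are replaced by a placeholder address.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample: the six lines quoted in the thread, with the masked
# remote octets replaced by the placeholder 82.105.0.1 (not the real host).
SAMPLE = """\
22:25:00.058138 IP 82.105.0.1.1287 > 192.168.0.100.6784: . ack 332387 win 65535
22:25:00.058832 IP 192.168.0.100.6784 > 82.105.0.1.1287: . 333819:335251(1432) ack 0 win 5840
22:25:00.131136 IP 82.105.0.1.1287 > 192.168.0.100.6784: . ack 335251 win 65535
22:25:00.131824 IP 192.168.0.100.6784 > 82.105.0.1.1287: . 335251:336683(1432) ack 0 win 5840
22:25:00.131945 IP 192.168.0.100.6784 > 82.105.0.1.1287: . 336683:338115(1432) ack 0 win 5840
22:25:00.132065 IP 192.168.0.100.6784 > 82.105.0.1.1287: . 338115:339547(1432) ack 0 win 5840
"""

# A TCP summary line in the format shown above:
# "<ts> IP <src>.<sport> > <dst>.<dport>: <flags> [seq:end(len)] [ack N] [win N]"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+)(?: \d+:\d+\((?P<len>\d+)\))?(?: ack \d+)?(?: win \d+)?"
)

def summarize(text):
    """Per direction: packets, payload bytes, and whether SYN/FIN/RST was seen."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "setup_seen": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP summary line (UDP, ICMP, truncated output)
        f = flows[(f"{m['src']}:{m['sport']}", f"{m['dst']}:{m['dport']}")]
        f["packets"] += 1
        f["bytes"] += int(m["len"] or 0)  # no seq range means a pure ack
        if any(c in m["flags"] for c in "SFR"):  # a lone '.' has none of these
            f["setup_seen"] = True
    return dict(flows)

def verdict(flows):
    """Which endpoint is pushing the payload, and is it an RFC1918 host?"""
    (src, dst), f = max(flows.items(), key=lambda kv: kv[1]["bytes"])
    host = ipaddress.ip_address(src.rsplit(":", 1)[0])
    return {
        "sender": src, "receiver": dst, "payload_bytes": f["bytes"],
        "sender_is_private": host.is_private,
        # without a SYN in the capture, who opened the connection is unknown
        "initiator_visible": any(v["setup_seen"] for v in flows.values()),
    }

if __name__ == "__main__":
    print(verdict(summarize(SAMPLE)))
```

On the sample this reports the inside host sending all 5728 payload bytes while the remote side only acknowledges, and no SYN in view, which is exactly why the reply above says the capture alone cannot tell you who initiated or what the application is.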

Re: Info log TCPDUMP

am 29.03.2007 23:11:15 von djx

Thanks for your suggestion

bye