Re: Port 0 oddities

[chris () RIPE NET (Chris Fletcher)]

Bob,

> I've been off bugtraq for a couple of weeks but I just saw these
> messages. I have recently been putting logging into our cisco's rule
> set so that I can see what traffic is being passed through our
> network. I spotted traffic that appeared to be missed by the rules
> as it had src port 0 and dst port 0.

> Further investigation showed that it was ssh that was causing
> this. I have looked at the packets using tcpdump and they look find
> and what I would expect but the cisco is still reporting packets
> from 0 to 0.

Hmmm... I suspect that lines like this:

  %SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.211(0) -> 10.0.0.255(0), 3 packets

with '(0)' for the ports are generated when the router didn't know the
port numbers rather than them actually being 0. If your access-list doesn't
filter on higher level ports I wouldn't expect the router to bother
parsing the TCP/UDP headers so it can't log the port numbers and just
fills in with zeros to keep the format consistent.

<time passes>

Indeed...

The access-list:

  access-list 123 permit ip any any log

generates log messages like this:

  %SEC-6-IPACCESSLOGP: list 123 permitted tcp 10.0.1.24(0) -> 10.0.1.228(0), 5 packets

with zero ports, whereas the access-list:

  access-list 123 permit udp any any range 0 65535 log
  access-list 123 permit tcp any any range 0 65535 log

generates log message like this:

  %SEC-6-IPACCESSLOGP: list 123 permitted tcp 10.0.1.24(2862) -> 10.0.1.228(25), 5 packets

with non-zero ports.

Chris.