Bugtraq mailing list archives
Re: Port 0 oddities
From: chris () RIPE NET (Chris Fletcher)
Date: Thu, 2 Jul 1998 19:22:05 +0200
Bob,
> I've been off bugtraq for a couple of weeks but I just saw these messages. I have recently been putting logging into our cisco's rule set so that I can see what traffic is being passed through our network. I spotted traffic that appeared to be missed by the rules as it had src port 0 and dst port 0.
> Further investigation showed that it was ssh that was causing this. I have looked at the packets using tcpdump and they look fine and what I would expect but the cisco is still reporting packets from 0 to 0.
Hmmm... I suspect that lines like this:

    %SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.211(0) -> 10.0.0.255(0), 3 packets

with '(0)' for the ports are generated when the router didn't know the port numbers rather than them actually being 0. If your access-list doesn't filter on higher level ports I wouldn't expect the router to bother parsing the TCP/UDP headers so it can't log the port numbers and just fills in with zeros to keep the format consistent.

<time passes>

Indeed... The access-list:

    access-list 123 permit ip any any log

generates log messages like this:

    %SEC-6-IPACCESSLOGP: list 123 permitted tcp 10.0.1.24(0) -> 10.0.1.228(0), 5 packets

with zero ports, whereas the access-list:

    access-list 123 permit udp any any range 0 65535 log
    access-list 123 permit tcp any any range 0 65535 log

generates log messages like this:

    %SEC-6-IPACCESSLOGP: list 123 permitted tcp 10.0.1.24(2862) -> 10.0.1.228(25), 5 packets

with non-zero ports.

Chris.
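An added example (not from the thread) of how a log consumer can apply the observation above: parse IPACCESSLOGP lines and treat a (0) -> (0) port pair as "ports not inspected" unless the ACL is known to match on L4 ports, so zero-port entries are not mistaken for real port-0 traffic. The sample lines are constructed after the ones quoted in the message; the `l4_acls` parameter is an assumption of this example, not a router setting.

```python
import re

# Matches Cisco IOS ACL log lines of the shape quoted in the thread, e.g.
#   %SEC-6-IPACCESSLOGP: list 123 permitted tcp 10.0.1.24(0) -> 10.0.1.228(0), 5 packets
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_acl_log(line, l4_acls=frozenset()):
    """Parse one IPACCESSLOGP line into a dict, or return None if it does not match.

    l4_acls (assumed, supplied by the operator): ACL ids whose entries match on
    TCP/UDP port ranges. For those, a logged 0 is a genuine port 0. For any other
    ACL a (0) -> (0) pair means the router never parsed the L4 header, so the
    ports are recorded as unknown (None) rather than 0.
    """
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    both_zero = rec["sport"] == 0 and rec["dport"] == 0
    rec["ports_known"] = rec["acl"] in l4_acls or not both_zero
    if not rec["ports_known"]:
        rec["sport"] = rec["dport"] = None
    return rec

# Constructed sample log, modelled on the lines quoted in the message.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.211(0) -> 10.0.0.255(0), 3 packets
%SEC-6-IPACCESSLOGP: list 123 permitted tcp 10.0.1.24(0) -> 10.0.1.228(0), 5 packets
%SEC-6-IPACCESSLOGP: list 123 permitted tcp 10.0.1.24(2862) -> 10.0.1.228(25), 5 packets
"""

def summarize(log_text, l4_acls=frozenset()):
    """Return (records, acls) where acls lists the ACL ids that produced entries
    without usable port information, i.e. ACLs that should match on L4 if port
    visibility is wanted in the logs."""
    records = [r for r in (parse_acl_log(l, l4_acls) for l in log_text.splitlines()) if r]
    no_ports = sorted({r["acl"] for r in records if not r["ports_known"]})
    return records, no_ports

if __name__ == "__main__":
    recs, no_ports = summarize(SAMPLE_LOG)
    for r in recs:
        print(r)
    print("ACLs logging without port info:", no_ports)
```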