Re: Firewall shows ports being used in sequence
comp.security.firewalls archive

From: Alix <alix@alix.com>
Date: Tue Dec 06 2005 - 14:10:21 CET

On Tue 06 Dec 2005 08:40:15, Wolfgang Kueter
<wolfgang@shconnect.de> wrote:

> Wrong, it depends on the stack implementation, in general the use
> of the port range from 1024 upwards as source-port is an
> absolutely normal stack behavior.
>
> Sample netstat output snippet from an average win2000 box:
>
> C:\Dokumente und Einstellungen\wk>netstat -an
>
> Aktive Connections
>
> Proto Local Address Remoteaddress Status
>
> TCP 192.168.1.3:1123 192.168.1.254:445 Established
> TCP 192.168.1.3:1131 192.168.1.254:143 Established
> TCP 192.168.1.3:1132 192.168.1.254:143 Established
> TCP 192.168.1.3:1133 192.168.1.254:22 Established
> TCP 192.168.1.3:1910 146.48.98.96:80 Established
> TCP 192.168.1.3:1911 146.48.98.96:80 Established
> TCP 192.168.1.3:1924 192.168.1.4:139 Established
> TCP 192.168.1.3:1931 192.168.1.254:25 Established
> TCP 192.168.1.3:1934 64.233.183.124:80 Established
> TCP 192.168.1.3:3389 192.168.1.19:41835 Established
> TCP 192.168.1.3:1939 64.233.183.124:80 Established
> TCP 192.168.1.3:1946 212.60.1.145:119 Established
>
> Wolfgang
>

I am the OP and I get the following sort of result.
(Apologies if the line wrap does not work properly.)

You can see the port numbers go from 2087 to 2093. I suspect this
morning they started at 1024 or something like that.

Pass Opera HTTP/Out 62.107.125.121/2087 194.201.98.217/80
        0/60 12:59 ACK
Pass Opera HTTP/Out 62.107.125.121/2087 194.201.98.217/80
        54/0 12:59 ACK
Pass Opera HTTP/Out 62.107.125.121/2087 194.201.98.217/80
        54/0 12:59 ACK
Pass Opera HTTP/Out 62.107.125.121/2087 194.201.98.217/80
        728/116 12:59 domino.newhall.gov.uk/web/html.nsf/full-default.css
Pass Opera HTTP/Out 62.107.125.121/2087 194.201.98.217/80
        0/60 12:59 ACK
Pass SYSTEM HTTP/Out 62.107.125.121/2089
        172.16.16.16/80 62/0 12:59 SYN
Pass Opera HTTP/Out 0.0.0.0/0 172.16.16.16/80 0/0 12:59
        RDSD|RT:6|No.10000
Pass Opera HTTP/Out 62.107.125.121/2090 172.16.16.16/80
        62/0 12:59 SYN
Pass Opera HTTP/Out 62.107.125.121/2086 194.201.98.217/80
        2805/77235 12:59
        194.201.98.217/Committee/CE_CommRepository.nsf/vSCByCD?OpenForm&RestrictToCategory=Development+Committee&tip=committee
Pass named UDP/Out 62.107.125.121/1025 199.166.31.3/53
        2188/4140 12:59 RDSD|RT:10|No.10000
Pass SYSTEM HTTP/Out 62.107.125.121/2088
        172.16.16.16/80 62/0 12:59 RDSD|RT:10|No.10000
Pass Opera HTTP/Out 0.0.0.0/0 172.16.16.16/80 0/0 12:59
        RDSD|RT:6|No.10000
Pass Opera HTTP/Out 62.107.125.121/2091 172.16.16.16/80
        62/0 12:59 SYN
Pass Opera HTTP/Out 0.0.0.0/0 172.16.16.16/80 0/0 12:59
        RDSD|RT:6|No.10000
Pass Opera HTTP/Out 62.107.125.121/2092 172.16.16.16/80
        62/0 12:59 SYN
Pass Opera HTTP/Out 0.0.0.0/0 172.16.16.16/80 0/0 13:00
        RDSD|RT:6|No.10000
Pass SYSTEM HTTP/Out 62.107.125.121/2092
        172.16.16.16/80 62/0 13:00 SYN
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80
        62/0 13:00 SYN
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80
        0/62 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2087 194.201.98.217/80
        1060/412 13:00 RDSD|RT:10|No.10000
Pass Opera HTTP/Out 62.107.125.121/2086 194.201.98.217/80
        0/60 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2086 194.201.98.217/80
        54/0 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2086 194.201.98.217/80
        54/0 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2086 194.201.98.217/80
        0/60 13:00 ACK
Pass SYSTEM HTTP/Out 62.107.125.121/2089
        172.16.16.16/80 62/0 13:00 RDSD|RT:10|No.10000
Pass Opera HTTP/Out 62.107.125.121/2090 172.16.16.16/80
        62/0 13:00 RDSD|RT:10|No.10000
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80
        0/60 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80
        798/6133 13:00 www.google.com/search?as_q=fred
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80
        54/0 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80
        54/0 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80
        0/60 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2091 172.16.16.16/80
        62/0 13:00 RDSD|RT:10|No.10000

[I have changed my IP number slightly to mask its actual value.]
Received on Sun Dec 11 14:24:29 2005
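
An added example, not part of the original post: a small parser for the firewall log format shown above that rejoins the wrapped lines and lists the source port of each new outbound connection, showing the stepwise ephemeral-port allocation described in the quoted reply. The field layout, the reading of `SYN` in the last column as "new connection", and the `max_step` threshold are assumptions inferred from the posted log.

```python
import re

# Excerpt of the log posted above, wrapped continuation lines included.
SAMPLE_LOG = """\
Pass SYSTEM HTTP/Out 62.107.125.121/2089
        172.16.16.16/80 62/0 12:59 SYN
Pass Opera HTTP/Out 0.0.0.0/0 172.16.16.16/80 0/0 12:59
        RDSD|RT:6|No.10000
Pass Opera HTTP/Out 62.107.125.121/2090 172.16.16.16/80
        62/0 12:59 SYN
Pass named UDP/Out 62.107.125.121/1025 199.166.31.3/53
        2188/4140 12:59 RDSD|RT:10|No.10000
Pass Opera HTTP/Out 62.107.125.121/2091 172.16.16.16/80
        62/0 12:59 SYN
Pass Opera HTTP/Out 62.107.125.121/2092 172.16.16.16/80
        62/0 12:59 SYN
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80
        62/0 13:00 SYN
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80
        0/62 13:00 ACK
"""

# Assumed layout: action app proto/dir local_ip/port remote_ip/port sent/recv hh:mm info
RECORD = re.compile(
    r"^(?P<action>\S+) (?P<app>\S+) (?P<proto>\S+)/(?P<dir>\S+) "
    r"(?P<lip>[\d.]+)/(?P<lport>\d+) (?P<rip>[\d.]+)/(?P<rport>\d+) "
    r"(?P<sent>\d+)/(?P<recv>\d+) (?P<time>\d\d:\d\d)(?: (?P<info>.*))?$")

def parse(log):
    """Rejoin wrapped lines (continuations start with whitespace), then parse."""
    joined = []
    for line in log.splitlines():
        if line[:1].isspace() and joined:
            joined[-1] += " " + " ".join(line.split())
        elif line.strip():
            joined.append(" ".join(line.split()))
    return [m.groupdict() for m in map(RECORD.match, joined) if m]

def new_connection_ports(records):
    """Local source ports of SYN records, in first-seen order, duplicates dropped."""
    ports = [int(r["lport"]) for r in records if r["info"] == "SYN"]
    return list(dict.fromkeys(ports))

def looks_sequential(ports, max_step=4):
    """True if each new port is a small positive step above the previous one."""
    return len(ports) > 1 and all(0 < b - a <= max_step for a, b in zip(ports, ports[1:]))
```

On the excerpt, the ports rise one at a time from 2089 to 2093, while the long-lived `named` UDP socket stays on 1025: each new outbound connection simply takes the next free ephemeral port.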