To all SuSE gurus,

I noticed a lot of Internet activity on gkrellm when I was doing "absolutely nothing", so I did a tcpdump. tcpdump said I was getting a lot of "hits":

15:10:17.493363 81.73.223.218.64664 > 217.128.180.65.gnutella-svc: S 243854740:243854740(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
15:10:19.281615 24.88.113.247.4937 > 217.128.180.65.gnutella-svc: S 144007945:144007945(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)

tcpdump also picked up the following lines, of which I am enclosing only a few...

################################################################
# Note I am ...
# inet addr:217.128.180.65 P-t-P:217.128.180.1 Mask:255.255.255.255
# using SuSE8.2 and SuSEfirewall2
################################################################
# Start
...
15:09:47.312195 217.128.180.65.iad1 > 217.128.180.1.53163: S 2378061313:2378061313(0) win 5840 <mss 1460,sackOK,timestamp 30613 0,nop,wscale 0> (DF)
...
15:09:50.311594 217.128.180.65.iad1 > 217.128.180.1.53163: S 2378061313:2378061313(0) win 5840 <mss 1460,sackOK,timestamp 30913 0,nop,wscale 0> (DF)
...
15:09:56.311587 217.128.180.65.iad1 > 217.128.180.1.53163: S 2378061313:2378061313(0) win 5840 <mss 1460,sackOK,timestamp 31513 0,nop,wscale 0> (DF)
...
15:10:08.311586 217.128.180.65.iad1 > 217.128.180.1.53163: S 2378061313:2378061313(0) win 5840 <mss 1460,sackOK,timestamp 32713 0,nop,wscale 0> (DF)
# End
################################################################

My question to all is "Can anyone help me understand the above lines?" Which is to ask "Why am I (my ip address=217.128.180.65) trying to connect to 217.128.180.1.53163, as shown in the following line..."

15:10:08.311586 217.128.180.65.iad1 > 217.128.180.1.53163: S 2378061313:2378061313(0) win 5840 <mss 1460,sackOK,timestamp 32713 0,nop,wscale 0> (DF)

########## Analyse ##########

# 1 "S" is the flag representation of "SYN". This is a session establishment request, which is the first part of any TCP connection.

# 2 snort.org lists iad1 as follows...
1030 1030/udp iad1 BBN IAD
1030 1030/tcp iad1 BBN IAD

# 3 /etc/services agrees with the snort.org definition...
vi /etc/services...
# The Registered Ports are in the range 1024-49151.
#
# Port Assignments:
# ...
iad1 1030/tcp # BBN IAD

# 4 So I asked myself "What is port "BBN IAD"?" Using google I learned that someone else had already asked the same question.

******* start ************
What is port "BBN IAD"?

I did a scan of a NT 4.0 SP6a server and found the following:
iad1 1030/tcp BBN IAD

This is probably a dynamically assigned port (or one of them) used by a program supporting MS RPC over TCP. There is a program out there that can query the "portmapper" listening on port 135/tcp, dump the list of MS RPC servers, and--if you are lucky--provide some clues regarding the nature of a service running on a given port, e.g.

IfId: 469d6ec0-0d87-11ce-b13f-00aa003bac6c version 16.0
Annotation: MS Exchange System Attendant Public Interface
UUID: 469d6ec0-0d87-11ce-b13f-00aa003bac6c
Binding: ncacn_ip_tcp:172.16.15.37[1058]
RpcMgmtInqIfIds succeeded
Interfaces: 4
  469d6ec0-0d87-11ce-b13f-00aa003bac6c v16.0
  83d72bf0-0d89-11ce-b13f-00aa003bac6c v6.0
  67df7c70-0f04-11ce-b13f-00aa003bac6c v3.0
  06ed1d30-d3d3-11cd-b80e-00aa004b9c30 v1.0
RpcMgmtInqServerPrincName succeeded
Name: MSExchangeSA
RpcMgmtInqStats succeeded
Stats[0]: 60342
Stats[1]: 0
Stats[2]: 48
Stats[3]: 51

Look for a file called (approximately) rpctools-1.0.zip. If you have the package where Microsoft puts all the useful stuff they neglect to include in the base system (resource kit?), you may find a similar program there. (BTW: I have a feeling MS RPC is a can of worms waiting to be opened.)
******* end ************

To sum up my question: "I am receiving a lot of port scans (aren't we all?), but why am I (my ip address=217.128.180.65) trying to connect to 217.128.180.1.53163 (see line below)?"

15:10:08.311586 217.128.180.65.iad1 > 217.128.180.1.53163: S 2378061313:2378061313(0) win 5840 <mss 1460,sackOK,timestamp 32713 0,nop,wscale 0> (DF)

TIA
James
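As an added example (not part of James's post), a small Python parser for the tcpdump line format quoted above. It separates inbound SYNs aimed at the local host from outbound SYNs sent by it, groups the outbound ones by connection tuple and initial sequence number so that repeated lines with the same ISN and growing gaps stand out as retransmissions of one unanswered connection attempt, and undoes the /etc/services name lookup that made tcpdump print the local port 1030 as iad1 (tcpdump -n would have shown the number). The local IP and the iad1 = 1030 mapping come from the post; the capture is reconstructed from its lines.

```python
import re
from collections import defaultdict
# Constructed sample: the tcpdump lines quoted in the post (classic tcpdump line format).
CAPTURE = """\
15:10:17.493363 81.73.223.218.64664 > 217.128.180.65.gnutella-svc: S 243854740:243854740(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
15:10:19.281615 24.88.113.247.4937 > 217.128.180.65.gnutella-svc: S 144007945:144007945(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
15:09:47.312195 217.128.180.65.iad1 > 217.128.180.1.53163: S 2378061313:2378061313(0) win 5840 <mss 1460,sackOK,timestamp 30613 0,nop,wscale 0> (DF)
15:09:50.311594 217.128.180.65.iad1 > 217.128.180.1.53163: S 2378061313:2378061313(0) win 5840 <mss 1460,sackOK,timestamp 30913 0,nop,wscale 0> (DF)
15:09:56.311587 217.128.180.65.iad1 > 217.128.180.1.53163: S 2378061313:2378061313(0) win 5840 <mss 1460,sackOK,timestamp 31513 0,nop,wscale 0> (DF)
15:10:08.311586 217.128.180.65.iad1 > 217.128.180.1.53163: S 2378061313:2378061313(0) win 5840 <mss 1460,sackOK,timestamp 32713 0,nop,wscale 0> (DF)
"""
LOCAL_IP = "217.128.180.65"
# Names tcpdump substituted from /etc/services; only the one the post looked up is listed.
SERVICES = {"iad1": 1030}
LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) (\S+)\.(\S+) > (\S+)\.(\S+): S (\d+):\d+\(0\)")

def parse_syn(line):
    """Return (seconds, src, sport, dst, dport, isn) for a SYN line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    h, mi, s, src, sport, dst, dport, isn = m.groups()
    secs = int(h) * 3600 + int(mi) * 60 + float(s)
    port = lambda p: int(p) if p.isdigit() else SERVICES.get(p, p)  # undo name lookup
    return secs, src, port(sport), dst, port(dport), int(isn)

def classify(capture, local_ip):
    """Split SYNs into inbound (to us) and outbound (from us); group outbound retries."""
    inbound, outbound = [], defaultdict(list)
    for line in capture.splitlines():
        rec = parse_syn(line)
        if rec is None:
            continue
        secs, src, sport, dst, dport, isn = rec
        if dst == local_ip:
            inbound.append((src, sport, dport))
        elif src == local_ip:
            # same 4-tuple and same ISN: one connection attempt, retransmitted
            outbound[(sport, dst, dport, isn)].append(secs)
    return inbound, dict(outbound)

def retransmit_gaps(times):
    """Seconds between successive SYNs; the kernel doubles the SYN retry timer (3, 6, 12...)."""
    return [round(b - a) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    inbound, outbound = classify(CAPTURE, LOCAL_IP)
    print(f"{len(inbound)} inbound SYNs to local port(s) {sorted({d for *_, d in inbound})}")
    for (sport, dst, dport, isn), times in outbound.items():
        print(f"local port {sport} -> {dst}:{dport}, ISN {isn}: {len(times)} SYNs, "
              f"gaps {retransmit_gaps(times)} s (same ISN = retransmits of one unanswered attempt)")
```

Run against the post's lines it reports two inbound SYNs to gnutella-svc and a single outbound attempt from local port 1030 to 217.128.180.1:53163 retransmitted at 3, 6 and 12 second intervals, i.e. the four "iad1" lines are one connection that never got a SYN/ACK, not four connections.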