
On Saturday 20 September 2003 16.20, James PEARSON wrote:
My question to all is "Can anyone help me understand the above lines?"
Which is to ask "Why am I (my ip address=217.128.180.65) trying to connect to 217.128.180.1.53163 as shown in the following line...
15:10:08.311586 217.128.180.65.iad1 > 217.128.180.1.53163: S 2378061313:2378061313(0) win 5840 <mss 1460,sackOK,timestamp 32713 0,nop,wscale 0> (DF)
########## Analyse ##########
# 1 "S" is the flag representation of "SYN". This is a session establishment request which is the first part of any TCP connection.
# 2 snort.org lists iad1 as follows...
1030 1030/udp iad1 BBN IAD
1030 1030/tcp iad1 BBN IAD
Perhaps, but that is the source port, so that is uninteresting. When an application requests a port for a connection, it is given a port at random > 1023; the fact that it's 1030 is most likely accidental and the next time you see it I'll bet it has changed.

The destination port is more interesting. It is used by kinternet/qinternet + smpppd. Could it perhaps be that you have one of those running? Its default is to try to connect to a server running on your gateway if it can't find a local server running, and that IP does look like your gateway.
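
The reading of the capture line discussed in this message, as an added example that is not part of the original post: a small Python parser for this older tcpdump line format that separates the initiator's source port from the port being contacted. The `KNOWN_SERVICES` table, the function names and the reply line are assumptions constructed for the illustration.

```python
import re
import socket

# Names tcpdump may print in place of a port number. The iad1 entry is the
# one quoted in the message; the table itself is an assumption of this example.
KNOWN_SERVICES = {"iad1": 1030}

# Line taken from the message above.
SAMPLE = ("15:10:08.311586 217.128.180.65.iad1 > 217.128.180.1.53163: "
          "S 2378061313:2378061313(0) win 5840 "
          "<mss 1460,sackOK,timestamp 32713 0,nop,wscale 0> (DF)")
# Constructed reply line (not from the message) to show the reverse direction.
CONSTRUCTED_REPLY = ("15:10:08.312001 217.128.180.1.53163 > 217.128.180.65.iad1: "
                     "S 99:99(0) ack 2378061314 win 5792 <mss 1460> (DF)")

LINE_RE = re.compile(r"^\S+ (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRWE.]+) (?P<rest>.*)$")


def split_endpoint(endpoint):
    """Split 'a.b.c.d.port' into (ip, port number); port may be a service name."""
    ip, port = endpoint.rsplit(".", 1)
    if port.isdigit():
        return ip, int(port)
    if port in KNOWN_SERVICES:
        return ip, KNOWN_SERVICES[port]
    return ip, socket.getservbyname(port, "tcp")  # OSError if the name is unknown


def describe(line):
    """Report who opened the connection and which port they were contacting."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("not a legacy tcpdump TCP line")
    src, dst = split_endpoint(m["src"]), split_endpoint(m["dst"])
    syn = "S" in m["flags"]
    ack = re.search(r"\back \d+", m["rest"]) is not None
    if not syn:
        return {"kind": "other", "initiator": None, "client_port": None, "contacted": None}
    # A bare SYN comes from the initiator; a SYN with ack is the answer to one.
    client, server = (dst, src) if ack else (src, dst)
    return {"kind": "SYN-ACK" if ack else "SYN", "initiator": client[0],
            "client_port": client[1], "contacted": server}


if __name__ == "__main__":
    for sample in (SAMPLE, CONSTRUCTED_REPLY):
        print(describe(sample))
```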