Firewall Wizards mailing list archives

Re: [FW1] Scary traffic - long


From: cbrenton <cbrenton () sover net>
Date: Mon, 21 Dec 1998 20:27:25 -0500 (EST)

On Mon, 21 Dec 1998, roger nebel wrote:

> Just an FYI, f/w-1 logging guesses at the service (tftp in this case)
> based on the destination port (tftp=69).

It's not so much that it "guesses" as that it "assumes" that traffic headed to a
well-known port is of a traffic type that is associated with that service,
but you are essentially correct: you have no idea what is in the payload
based on the service port.

> Also, the "tftp"
> broadcast was a full 5 seconds earlier than the icmp packets in the
> example.  They may not be related at all.

Good catch. I had not really noticed this before, so I went back and
checked the delay on the other 2 log entries I found which were similar.
The second shows a delay of 32 seconds from TFTP broadcast to system
response, while the third entry had a delay of 49 seconds. This is not a
big gap but certainly an eternity in networking. I think you are really on
to something here.

Unfortunately, this makes me feel worse, not better, as it implies that
some form of traffic was being transmitted _after_ the TFTP broadcast
which is not showing up in the logs. It's the only logical explanation for
the time delays.

Thanks for the insight,
Chris
-- 
**************************************
cbrenton () sover net

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529
* Mastering Network Security
http://www.amazon.com/exec/obidos/ISBN%3D0782123430/002-0346046-8151850
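The two points raised in this exchange (a firewall's "service" field is only a guess from the destination port, and a multi-second gap between a TFTP broadcast and the following ICMP makes the two events a weak match) can be checked mechanically against a log. The script below is an added example, not code from the original poster or from FireWall-1: it parses a few constructed log lines in a simplified FW-1-like layout (date, time, action, src, dst, proto, dport, sport; these are not real logs, and the timestamps were chosen to reproduce the 5, 32 and 49 second gaps discussed above), labels services purely by well-known port the way a firewall would, and then reports the delay between each TFTP broadcast and the next ICMP entry from the same source, flagging gaps above a threshold as probably unrelated or as evidence of unlogged traffic in between. The `WELL_KNOWN` table and the 1-second threshold are assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed sample log lines (NOT the original poster's logs) in a simplified
# FireWall-1-like layout: date time action src dst proto dport sport.
# Timestamps are chosen to reproduce the 5/32/49 second gaps from the thread.
SAMPLE_LOG = """\
21Dec1998 14:02:10 accept 10.1.1.5 10.1.1.255 udp 69 1034
21Dec1998 14:02:15 drop 10.1.1.5 10.1.1.1 icmp 8 0
21Dec1998 14:05:00 accept 10.1.1.7 10.1.1.255 udp 69 2048
21Dec1998 14:05:32 drop 10.1.1.7 10.1.1.1 icmp 8 0
21Dec1998 14:10:00 accept 10.1.1.9 10.1.1.255 udp 69 3001
21Dec1998 14:10:49 drop 10.1.1.9 10.1.1.1 icmp 8 0
"""

# Port-to-name table mirroring how a firewall labels traffic: purely by the
# well-known destination port. The resulting label says nothing about payload.
# (Assumed table for illustration; extend as needed.)
WELL_KNOWN = {
    ("udp", 69): "tftp",
    ("udp", 53): "domain",
    ("tcp", 23): "telnet",
    ("tcp", 80): "http",
}

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<proto>\S+) (?P<dport>\d+) (?P<sport>\d+)$"
)


def label_service(proto, dport):
    """Port-derived service name, or 'proto/port' when the port is not well known."""
    return WELL_KNOWN.get((proto, dport), f"{proto}/{dport}")


def parse_log(text):
    """Parse the constructed log layout into a list of dict entries."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the layout
        d = m.groupdict()
        ts = datetime.strptime(d["date"] + " " + d["time"], "%d%b%Y %H:%M:%S")
        dport = int(d["dport"])
        entries.append({
            "ts": ts, "action": d["action"], "src": d["src"], "dst": d["dst"],
            "proto": d["proto"], "dport": dport, "sport": int(d["sport"]),
            "service": label_service(d["proto"], dport),
        })
    return entries


def is_broadcast(addr):
    """Crude broadcast test: directed broadcast on a /24 or the limited broadcast."""
    return addr.endswith(".255") or addr == "255.255.255.255"


def correlate_tftp_icmp(entries, max_related_seconds=1.0):
    """For each TFTP broadcast, find the next ICMP entry from the same source and
    report the delay. A delay above the threshold means the ICMP is a weak
    match for the broadcast: either unrelated, or something unlogged happened
    in between (the poster's conclusion)."""
    results = []
    for i, e in enumerate(entries):
        if e["service"] != "tftp" or not is_broadcast(e["dst"]):
            continue
        follow = next(
            (f for f in entries[i + 1:] if f["src"] == e["src"] and f["proto"] == "icmp"),
            None,
        )
        if follow is None:
            continue
        delay = (follow["ts"] - e["ts"]).total_seconds()
        results.append({
            "src": e["src"],
            "delay_seconds": delay,
            "plausibly_related": delay <= max_related_seconds,
        })
    return results


if __name__ == "__main__":
    for r in correlate_tftp_icmp(parse_log(SAMPLE_LOG)):
        verdict = "plausibly related" if r["plausibly_related"] else "weak match: gap too large"
        print(f"{r['src']}: tftp broadcast -> icmp after {r['delay_seconds']:.0f}s ({verdict})")
```

The service label is computed only from `(proto, dport)`, so a packet to UDP/69 is reported as "tftp" whatever its payload contains; any real inspection of the broadcast content has to come from a packet capture, not from this field. The correlation step makes the timing argument explicit: with the thread's own gaps of 5, 32 and 49 seconds, none of the ICMP entries qualifies as a direct response under a 1-second threshold.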