Cheers,

This is fairly OT, but if this list doesn't know, I'm under cross fire for a reason, yet to be found... ;)

One of my firewalls gets hit by *lots* of packets from random source IPs and varying source ports. Measured by thumb, it's more frequent than 1 per second -- thus rendering the log file almost useless [1].

Does anyone know which apps use UDP port 8497 and TCP port 6346?

Apparently, the latter one is Bearshare, a P2P client. Anyway, this got logged *far* less than the first one. And I cannot find any reference to this asking Google.

I just added rules that take care of them -- dropping them silently, not flooding my log file. :) Problem "fixed", but I would be happy to know the reason anyway.

TIA

karsten

[1] default net2all policy logging

--
Davision - Studio for Design / Internet / Multimedia
UNIX / Linux networks and training
Phone 06151/273859 Fax 06151/273862
Karsten Bräckelmann wrote:
>
> Cheers,
>
> This is fairly OT, but if this list doesn't know, I'm under cross fire
> for a reason, yet to be found... ;)
>
> One of my firewalls gets hit by *lots* of packets from random source IPs
> and varying source ports. Measured by thumb, it's more frequent than 1
> per second -- thus rendering the log file almost useless [1].
>
> Does anyone know which apps use UDP port 8497 and TCP port 6346?
>
> Apparently, the latter one is Bearshare, a P2P client. Anyway, this got
> logged *far* less than the first one. And I cannot find any reference to
> this asking Google.
>
> I just added rules that take care of them -- dropping them silently,
> not flooding my log file. :) Problem "fixed", but I would be happy to
> know the reason anyway. TIA

May be tricky to pinpoint, Karsten, if you don't have a specific tcp-udp port combination. A list like this may suggest:

http://forums.hardwarezone.com/showthread.php?s=&threadid=298051&forumid=4

apps like the game Aliens vs. Predator or even PalTalk. Udp port 8497 could actually be anything. Random source IPs seem to point towards p2p clients, though..

--
Patrick Benson
Stockholm, Sweden
> > Does anyone know which apps use UDP port 8497 and TCP port 6346?
> >
> > Apparently, the latter one is Bearshare, a P2P client. Anyway, this got
> > logged *far* less than the first one. And I cannot find any reference to
> > this asking Google.
> >
> > I just added rules that take care of them -- dropping them silently,
> > not flooding my log file. :) Problem "fixed", but I would be happy to
> > know the reason anyway. TIA
>
> May be tricky to pinpoint, Karsten, if you don't have a specific tcp-udp
> port combination.

Yeah, but there don't seem to be any tcp packets -- other than the mentioned, which hits that firewall less by orders of magnitude.

> A list like this may suggest:
> http://forums.hardwarezone.com/showthread.php?s=&threadid=298051&forumid=4
>
> apps like the game Aliens vs. Predator or even PalTalk. Udp port 8497
> could actually be anything. Random source IPs seem to point towards
> p2p clients, though..

Strange thing is, it's pretty quiet in the logs, now that I silently drop those packets. No other ports in a range around them are tried.

I actually thought of p2p clients myself. It's not a fixed IP, so maybe it was assigned to a machine running a p2p client before. I will keep an eye on it and occasionally check if the situation changes.

Thanks...

karsten

--
Davision - Studio for Design / Internet / Multimedia
UNIX / Linux networks and training
Phone 06151/273859 Fax 06151/273862
Sorry to quote myself. Problem solved, FYI only.

> I actually thought of p2p clients myself. It's not a fixed IP, so maybe
> it was assigned to a machine running a p2p client before. I will keep an
> eye on it and occasionally check if the situation changes.

Seems this actually was the case. Apparently a p2p software uses this port by default [1] and aggressively keeps trying for quite some time, even if there isn't any response.

After a while the packet flood decreased on that machine, and hopefully will end entirely soon. Well, I may hope at least. ;)

Thanks for your time, and sorry to have bothered you with this.

karsten

[1] Although Google doesn't really know about it. That port isn't documented, which really makes me wonder.

--
Davision - Studio for Design / Internet / Multimedia
UNIX / Linux networks and training
Phone 06151/273859 Fax 06151/273862