Rookie with a packet sniffer

10/05/2007, 22h13

I'm studying for my CCNA and trying to understand the traffic
happening on my small network. I have a few rookie questions if
anyone has alot of patience and a few minutes it would be much
appreciated.

Question 1:

Source: 192.168.0.1 ~ Destination: 255.255.255.255 ~ Port: UDP 520 ~
Length: 52

This is my router doing a broadcast (right?)... Are broadcasts always
on UDP 520? Does that port have a common name? The "broadcast port"
etc? When I google it I find two definitions (1) EFS (2) router
<RIP,RIPv2>... whats efs? its the RIP part that really interests/
confuses me. Im using a DLink gaming router right now.... do "home"
routers use RIP as their routing protocol?

Question 2:

Source: 192.168.0.1 ~ Destination 192.168.1.255 ~ Port: UDP 37062 ~
Length: 156
Source: 192.168.0.1 ~ Destination 192.168.1.255 ~ Port: UDP 37063 ~
Length: 173
Source: 192.168.0.1 ~ Destination 192.168.1.255 ~ Port: UDP 37064 ~
Length: 181
Source: 192.168.0.1 ~ Destination 192.168.1.255 ~ Port: UDP 37065 ~
Length: 180

Sometimes I'll see 10+ of these go by per second. Note the incremental
ports. Am I correct to assume it has something to do with NAT / PAT?

10/05/2007, 23h24

On May 10, 4:13 pm, Dennis <dennispub...@hotmail.com> wrote:
> I'm studying for my CCNA and trying to understand the traffic
> happening on my small network. I have a few rookie questions if
> anyone has alot of patience and a few minutes it would be much
> appreciated.
>
> Question 1:
>
> Source: 192.168.0.1 ~ Destination: 255.255.255.255 ~ Port: UDP 520 ~
> Length: 52
>
> This is my router doing a broadcast (right?)... Are broadcasts always
> on UDP 520? Does that port have a common name? The "broadcast port"
> etc? When I google it I find two definitions (1) EFS (2) router
> <RIP,RIPv2>... whats efs? its the RIP part that really interests/
> confuses me. Im using a DLink gaming router right now.... do "home"
> routers use RIP as their routing protocol?

UDP Port 520 is used for RIP, one of the common internal routing
protocols (OSPF is another). It's used by routers to talk to each
other to figure out what your network looks like and how to forward
packets.

11/05/2007, 13h48

"Dennis" <dennispublic@hotmail.com> wrote in message
news:1178831617.744737.183200@y5g2000hsa.googlegro ups.com...
> I'm studying for my CCNA and trying to understand the traffic
> happening on my small network. I have a few rookie questions if
> anyone has alot of patience and a few minutes it would be much
> appreciated.
>
>
> Question 1:
>
> Source: 192.168.0.1 ~ Destination: 255.255.255.255 ~ Port: UDP 520 ~
> Length: 52
>
> This is my router doing a broadcast (right?)... Are broadcasts always
> on UDP 520? Does that port have a common name? The "broadcast port"
> etc? When I google it I find two definitions (1) EFS (2) router
> <RIP,RIPv2>... whats efs? its the RIP part that really interests/
> confuses me. Im using a DLink gaming router right now.... do "home"
> routers use RIP as their routing protocol?
>
>
>
> Question 2:
>
> Source: 192.168.0.1 ~ Destination 192.168.1.255 ~ Port: UDP 37062 ~
> Length: 156
> Source: 192.168.0.1 ~ Destination 192.168.1.255 ~ Port: UDP 37063 ~
> Length: 173
> Source: 192.168.0.1 ~ Destination 192.168.1.255 ~ Port: UDP 37064 ~
> Length: 181
> Source: 192.168.0.1 ~ Destination 192.168.1.255 ~ Port: UDP 37065 ~
> Length: 180
>
> Sometimes I'll see 10+ of these go by per second. Note the incremental
> ports. Am I correct to assume it has something to do with NAT / PAT?
>

Dennis,

Any port < 1024 can usually be referred to in the well known ports list:

http://www.iana.org/assignments/port-numbers

This isn't always 100% correct, as not everyone plays by the rules. The
above list contains more known port numbers than just the first 1023, but
anything 1024 and above is fair game. To really know what the traffic is,
you need to look inside the packet. It's not always easy to tell exactly
what is in there, but sometimes it becomes very obvious. If your sniffer is
also a protocol analyzer, it may determine some of the specifics of the
data - depending on the protocol.

Any time you don't know about a specific port - do some googling. Here (in
the newsgroup) you can possibly get a quick answer, but you can really find
out lots of good info when you search for ip specific stuff through the
search engines. You may want to invest in a good book on TCP/IP - there is
a lot to discover. This was really more an IP questions than a packet
sniffer question - just the sniffer you discover it.

Hope that s,

Jim

10/05/2007, 22h13	#1
Dennis Messages: n/a Hébergeur:	Rookie with a packet sniffer I'm studying for my CCNA and trying to understand the traffic happening on my small network. I have a few rookie questions if anyone has alot of patience and a few minutes it would be much appreciated. Question 1: Source: 192.168.0.1 ~ Destination: 255.255.255.255 ~ Port: UDP 520 ~ Length: 52 This is my router doing a broadcast (right?)... Are broadcasts always on UDP 520? Does that port have a common name? The "broadcast port" etc? When I google it I find two definitions (1) EFS (2) router <RIP,RIPv2>... whats efs? its the RIP part that really interests/ confuses me. Im using a DLink gaming router right now.... do "home" routers use RIP as their routing protocol? Question 2: Source: 192.168.0.1 ~ Destination 192.168.1.255 ~ Port: UDP 37062 ~ Length: 156 Source: 192.168.0.1 ~ Destination 192.168.1.255 ~ Port: UDP 37063 ~ Length: 173 Source: 192.168.0.1 ~ Destination 192.168.1.255 ~ Port: UDP 37064 ~ Length: 181 Source: 192.168.0.1 ~ Destination 192.168.1.255 ~ Port: UDP 37065 ~ Length: 180 Sometimes I'll see 10+ of these go by per second. Note the incremental ports. Am I correct to assume it has something to do with NAT / PAT?

10/05/2007, 23h24	#2
robertwessel2@yahoo.com Messages: n/a Hébergeur:	Re: Rookie with a packet sniffer On May 10, 4:13 pm, Dennis <dennispub...@hotmail.com> wrote: > I'm studying for my CCNA and trying to understand the traffic > happening on my small network. I have a few rookie questions if > anyone has alot of patience and a few minutes it would be much > appreciated. > > Question 1: > > Source: 192.168.0.1 ~ Destination: 255.255.255.255 ~ Port: UDP 520 ~ > Length: 52 > > This is my router doing a broadcast (right?)... Are broadcasts always > on UDP 520? Does that port have a common name? The "broadcast port" > etc? When I google it I find two definitions (1) EFS (2) router > <RIP,RIPv2>... whats efs? its the RIP part that really interests/ > confuses me. Im using a DLink gaming router right now.... do "home" > routers use RIP as their routing protocol? UDP Port 520 is used for RIP, one of the common internal routing protocols (OSPF is another). It's used by routers to talk to each other to figure out what your network looks like and how to forward packets.

11/05/2007, 13h48	#3
Scooby Messages: n/a Hébergeur:	Re: Rookie with a packet sniffer "Dennis" <dennispublic@hotmail.com> wrote in message news:1178831617.744737.183200@y5g2000hsa.googlegro ups.com... > I'm studying for my CCNA and trying to understand the traffic > happening on my small network. I have a few rookie questions if > anyone has alot of patience and a few minutes it would be much > appreciated. > > > Question 1: > > Source: 192.168.0.1 ~ Destination: 255.255.255.255 ~ Port: UDP 520 ~ > Length: 52 > > This is my router doing a broadcast (right?)... Are broadcasts always > on UDP 520? Does that port have a common name? The "broadcast port" > etc? When I google it I find two definitions (1) EFS (2) router > <RIP,RIPv2>... whats efs? its the RIP part that really interests/ > confuses me. Im using a DLink gaming router right now.... do "home" > routers use RIP as their routing protocol? > > > > Question 2: > > Source: 192.168.0.1 ~ Destination 192.168.1.255 ~ Port: UDP 37062 ~ > Length: 156 > Source: 192.168.0.1 ~ Destination 192.168.1.255 ~ Port: UDP 37063 ~ > Length: 173 > Source: 192.168.0.1 ~ Destination 192.168.1.255 ~ Port: UDP 37064 ~ > Length: 181 > Source: 192.168.0.1 ~ Destination 192.168.1.255 ~ Port: UDP 37065 ~ > Length: 180 > > Sometimes I'll see 10+ of these go by per second. Note the incremental > ports. Am I correct to assume it has something to do with NAT / PAT? > Dennis, Any port < 1024 can usually be referred to in the well known ports list: http://www.iana.org/assignments/port-numbers This isn't always 100% correct, as not everyone plays by the rules. The above list contains more known port numbers than just the first 1023, but anything 1024 and above is fair game. To really know what the traffic is, you need to look inside the packet. It's not always easy to tell exactly what is in there, but sometimes it becomes very obvious. If your sniffer is also a protocol analyzer, it may determine some of the specifics of the data - depending on the protocol. Any time you don't know about a specific port - do some googling. Here (in the newsgroup) you can possibly get a quick answer, but you can really find out lots of good info when you search for ip specific stuff through the search engines. You may want to invest in a good book on TCP/IP - there is a lot to discover. This was really more an IP questions than a packet sniffer question - just the sniffer you discover it. Hope that s, Jim

Outils de la discussion
Afficher une version imprimable Envoyer un lien vers cette page par email