Re: Port 0 oddities

From: Chris Fletcher (chrisat_private)
Date: Thu Jul 02 1998 - 10:22:05 PDT


    Bob,
    
    > I've been off bugtraq for a couple of weeks but I just saw these
    > messages. I have recently been putting logging into our cisco's rule
    > set so that I can see what traffic is being passed through our
    > network. I spotted traffic that appeared to be missed by the rules
    > as it had src port 0 and dst port 0.
    
    > Further investigation showed that it was ssh that was causing
    > this. I have looked at the packets using tcpdump and they look fine
    > and what I would expect but the cisco is still reporting packets
    > from 0 to 0.
    
    Hmmm... I suspect that lines like this:
    
      %SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.211(0) -> 10.0.0.255(0), 3 packets
    
    with '(0)' for the ports are generated when the router didn't know the
    port numbers rather than them actually being 0. If your access-list doesn't
    filter on higher level ports I wouldn't expect the router to bother
    parsing the TCP/UDP headers so it can't log the port numbers and just
    fills in with zeros to keep the format consistent.
    
    <time passes>
    
    Indeed...
    
    The access-list:
    
      access-list 123 permit ip any any log
    
    generates log messages like this:
    
      %SEC-6-IPACCESSLOGP: list 123 permitted tcp 10.0.1.24(0) -> 10.0.1.228(0), 5 packets
    
    with zero ports, whereas the access-list:
    
      access-list 123 permit udp any any range 0 65535 log
      access-list 123 permit tcp any any range 0 65535 log
    
    generates log messages like this:
    
      %SEC-6-IPACCESSLOGP: list 123 permitted tcp 10.0.1.24(2862) -> 10.0.1.228(25), 5 packets
    
    with non-zero ports.
    
    Chris.
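The practical consequence of the above for anyone feeding these router logs into a SIEM or a script is that "(0)" on a tcp/udp IPACCESSLOGP line is a filler value, not a real port, whenever the matching access-list entry was written at the IP level. The following parser is an added example and is not part of Chris's post or any Cisco tooling; it handles only the line shape quoted above (newer IOS releases add fields such as an interface or MAC suffix, which it ignores), and it treats the both-ports-zero case as "port unknown" rather than as port 0. The sample lines are the three quoted in the thread.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Shape of the Cisco IOS %SEC-6-IPACCESSLOGP lines quoted in the post. Real IOS
# output varies by version (some releases append an interface/MAC suffix);
# this regex covers only the form shown in the thread.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP:\s+list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied)\s+"
    r"(?P<proto>[a-z]+)\s+(?P<src>\d+(?:\.\d+){3})\((?P<sport>\d+)\)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\((?P<dport>\d+)\),\s+(?P<count>\d+)\s+packets?"
)


class AclLogEntry(NamedTuple):
    acl: str
    action: str
    proto: str
    src: str
    sport: Optional[int]   # None when the router did not parse the L4 header
    dst: str
    dport: Optional[int]   # None when the router did not parse the L4 header
    packets: int
    ports_parsed: bool     # False for the "(0) -> (0)" filler case


def parse_ipaccesslogp(line: str) -> Optional[AclLogEntry]:
    """Parse one IPACCESSLOGP line; return None if the line is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    # "(0) -> (0)" on a tcp/udp line is the filler the post describes: the ACE
    # matched on IP only (e.g. "permit ip any any log"), so the router never
    # looked at the port numbers. Report both as unknown rather than as port 0.
    # A single zero port is left as-is, since only the both-zero pattern is
    # known from the thread to be filler.
    ports_parsed = not (sport == 0 and dport == 0)
    return AclLogEntry(
        acl=m["acl"], action=m["action"], proto=m["proto"],
        src=m["src"], sport=sport if ports_parsed else None,
        dst=m["dst"], dport=dport if ports_parsed else None,
        packets=int(m["count"]), ports_parsed=ports_parsed,
    )


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count parsed lines and how many carry no usable port information."""
    counts = {"parsed": 0, "ports_unknown": 0, "unparsed": 0}
    for line in lines:
        entry = parse_ipaccesslogp(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        counts["parsed"] += 1
        if not entry.ports_parsed:
            counts["ports_unknown"] += 1
    return counts


# The three log lines quoted in the post (sample input, not live router output).
SAMPLE_LINES = [
    "%SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.211(0) -> 10.0.0.255(0), 3 packets",
    "%SEC-6-IPACCESSLOGP: list 123 permitted tcp 10.0.1.24(0) -> 10.0.1.228(0), 5 packets",
    "%SEC-6-IPACCESSLOGP: list 123 permitted tcp 10.0.1.24(2862) -> 10.0.1.228(25), 5 packets",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        e = parse_ipaccesslogp(sample)
        status = "ports from L4 header" if e.ports_parsed else "ports unknown: ACE matched on IP only"
        print(f"list {e.acl} {e.proto} {e.src}:{e.sport} -> {e.dst}:{e.dport} ({status})")
    print(summarize(SAMPLE_LINES))
```

A high "ports_unknown" count from summarize() is the cue to rewrite the relevant access-list entries per protocol with a port range, as in the second access-list above, if port-level logging is actually wanted; the parser itself only stops the zeros from being mistaken for real port 0 traffic.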
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:01:51 PDT