Shawn,

> Don't want to sound pedantic, but how are you sure the packet
> you captured is the same one that generated the log message?
> What device/program did you do the capture with?

It's not pedantic. I should have supplied the information firsthand.

Firstly, this is not a single instance. I see a larger number of these packets during the past days. *Just* the past few days, not before.

The packet capture was taken on the machine in question itself. It is a Windows 2000 Server acting as a DNS server. I took the capture with the Microsoft network monitor that comes with the OS.

Whenever I try to correlate what I see in the PIX logs with what I see in the packet capture I end up with proper DNS queries/responses in the capture and those other ports in the PIX log. It is not always the same port in the PIX log, but always way above 1024. From the packet capture, it looks like the system is doing valid DNS queries, and as of my testing, it actually is.

Does this make more sense?

Rainer

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Fri Jan 31 2003 - 15:30:46 PST