# -----Original Message-----
# From: Rainer Gerhards [mailto:rgerhardsat_private]
# Sent: Friday, January 31, 2003 4:27 PM
# To: Carroll, Shawn; loganalysisat_private
# Subject: RE: [logs] Cisco PIX logs
#
#
# Shawn,
#
# > Don't want to sound pedantic, but how are you sure the packet
# > you captured is the same one that generated the log message?
# > What device/program did you do the capture with?
#
# It's not pedantic. I should have supplied the information firsthand.
#
# Firstly, this is not a single instance. I see a larger number of these
# packets during the past days. *Just* the past few days, not before.
#
# The packet capture was taken on the machine in question itself. It is a
# Windows 2000 Server acting as a DNS server. I took the capture with the
# Microsoft Network Monitor that comes with the OS.
#
# Whenever I try to correlate what I see in the PIX logs with what I see
# in the packet capture, I end up with proper DNS queries/responses in the
# capture and those other ports in the PIX log. It is not always the same
# port in the PIX log, but always way above 1024.
#
# From the packet capture, it looks like the system is doing valid DNS
# queries, and as of my testing, it actually is.
#
# Does this make more sense?

Yep. Bizarre, though. Could be a bug on the PIX.

Putting a "disinterested 3rd party" (read: '*n?x box + tcpdump -s 1500 -w "dump.cap"') on the wire would tell you if an outbound UDP 5780 packet is being generated by the Windows server, or both that AND the DNS packet.

I feel like something's missing. That's why I usually do FULL packet captures, and display-filter what's been captured. You know that you've seen all the packets on the wire during a certain time frame.

Regards,
Shawn

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
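The correlation Rainer describes (PIX log entries against the DNS server's own capture), as an added example that is not part of the thread: it assumes a simplified layout for a PIX "Built outbound UDP connection" line and models the capture as (time, src, sport, dst, dport) tuples, both constructed here, and flags entries whose packet on the wire shows a different destination port, or no packet at all.

```python
import re
from datetime import datetime

TS_FMT = "%b %d %H:%M:%S"   # syslog-style timestamp, no year
# Assumed, simplified layout of a PIX "Built outbound UDP connection" line
# (constructed for this example; check it against your own PIX output).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) .*?UDP connection (?P<conn>\d+) for "
    r"outside:(?P<dst>[\d.]+)/(?P<dport>\d+) .*? to inside:(?P<src>[\d.]+)/(?P<sport>\d+)"
)

# Constructed PIX log lines: 102 reports UDP/5780 while the wire shows DNS.
PIX_LOG = """\
Jan 31 15:20:01 pix %PIX-6-302015: Built outbound UDP connection 101 for outside:192.0.2.10/53 (192.0.2.10/53) to inside:10.0.0.5/1043 (203.0.113.2/1043)
Jan 31 15:20:02 pix %PIX-6-302015: Built outbound UDP connection 102 for outside:192.0.2.10/5780 (192.0.2.10/5780) to inside:10.0.0.5/1044 (203.0.113.2/1044)
Jan 31 15:20:09 pix %PIX-6-302015: Built outbound UDP connection 103 for outside:192.0.2.10/53 (192.0.2.10/53) to inside:10.0.0.5/1046 (203.0.113.2/1046)
"""

# Constructed capture taken on the DNS server itself: (time, src, sport, dst, dport).
CAPTURE = [
    ("Jan 31 15:20:01", "10.0.0.5", 1043, "192.0.2.10", 53),
    ("Jan 31 15:20:02", "10.0.0.5", 1044, "192.0.2.10", 53),
]

def parse_pix(text):
    """Yield one dict per parseable connection line, with typed fields."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            yield {"ts": datetime.strptime(d["ts"], TS_FMT), "conn": int(d["conn"]),
                   "src": d["src"], "sport": int(d["sport"]),
                   "dst": d["dst"], "dport": int(d["dport"])}

def correlate(log_text, capture, window_s=2):
    """Match each PIX entry to packets with the same src/sport/dst within window_s."""
    pkts = [(datetime.strptime(ts, TS_FMT), s, sp, d, dp) for ts, s, sp, d, dp in capture]
    out = []
    for e in parse_pix(log_text):
        near = [p for p in pkts
                if (p[1], p[2], p[3]) == (e["src"], e["sport"], e["dst"])
                and abs((p[0] - e["ts"]).total_seconds()) <= window_s]
        if any(p[4] == e["dport"] for p in near):
            verdict = "confirmed"
        elif near:
            verdict = "port-mismatch:wire=%d" % near[0][4]
        else:
            verdict = "no-packet"   # only a third-party capture on the wire can settle this
        out.append((e["conn"], e["dport"], verdict))
    return out
```

A "port-mismatch" row is the situation in the thread (DNS on the host, a high UDP port in the PIX log); a "no-packet" row cannot be explained from the host capture alone, which is the case for the tcpdump box Shawn suggests.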
This archive was generated by hypermail 2b30 : Fri Jan 31 2003 - 15:39:52 PST