Port 4662

Hi all: I have been seeing a lot of traffic on port 4662 across our WANs using Cisco’s NBAR discovery. Cisco labels it as eDonkey, which is a file sharing system, but I have my doubts that is the culprit. Do you know of any other applications typically found in a mixed OES/Windows (eDir/AD) environment that might be making use of this port?

Also, I am not sure how to go about sniffing for this port traffic using Wireshark? Can someone help me out with this?

Thanks, Chris.

We run a mixed environment and near as I can tell have no traffic
running around on port 4662.

"tcp.port==4662 || udp.port==4662" is an option for a Wireshark display
filter, but Wireshark also has built-in filters for eDonkey traffic.

If you are in a switched environment, make sure to configure your switch
to span or mirror to your capture port.

Interesting reading:
http://www.speedguide.net/port.php?port=4662
http://isc.sans.edu/port.html?port=4662

With only this info, I wouldn’t rule out that you may indeed have some
eMule/eDonkey traffic running around.

On 7/25/2012 9:17 AM, Chris wrote:
> Hi all: I have been seeing a lot of traffic on port 4662 across our
> WANs using Cisco’s NBAR discovery. Cisco labels it as eDonkey, which
> is a file sharing system, but I have my doubts that is the culprit. Do
> you know of any other applications typically found in a mixed
> OES/Windows (eDir/AD) environment that might be making use of this port?
> Also, I am not sure how to go about sniffing for this port traffic using
> Wireshark? Can someone help me out with this?
> Thanks, Chris.
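As an added example (not code from the original thread): once the port traffic has been captured at the SPAN/mirror port, e.g. with `tcpdump -i eth0 -w port4662.pcap port 4662`, the script below reads that classic pcap and labels each packet on the port by whether its payload starts with the eDonkey/eMule protocol marker byte (0xE3 eDonkey, 0xC5 eMule, 0xD4 eMule packed, which is also what Wireshark's `edonkey` dissector keys on), looks like HTTP, or is something unknown, and groups the counts by the host that owns the port. That answers the "is it really eDonkey?" question without trusting NBAR's label. The hosts, ports and the embedded sample capture are constructed for the example.

```python
"""Triage port-4662 traffic from a pcap: real eDonkey/eMule or something else on the port?"""
import struct
import sys
from collections import Counter

PORT = 4662
# First byte of every eDonkey/eMule message identifies the protocol family.
ED2K_MARKERS = {0xE3: "edonkey", 0xC5: "emule", 0xD4: "emule-packed"}


def parse_pcap(data):
    """Yield (proto, src, dst, sport, dport, payload) for IPv4 TCP/UDP packets
    in a classic (non-pcapng) Ethernet capture held in memory."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]  # record header: ts, ts, incl, orig
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 only
            continue
        ihl = (frame[14] & 0x0F) * 4
        ipproto = frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        l4 = frame[14 + ihl:]
        if ipproto == 6 and len(l4) >= 20:                   # TCP: skip header by data offset
            sport, dport = struct.unpack("!HH", l4[:4])
            yield "tcp", src, dst, sport, dport, l4[(l4[12] >> 4) * 4:]
        elif ipproto == 17 and len(l4) >= 8:                 # UDP: fixed 8-byte header
            sport, dport = struct.unpack("!HH", l4[:4])
            yield "udp", src, dst, sport, dport, l4[8:]


def classify_payload(proto, payload):
    """Label one segment/datagram on the port by what its payload looks like."""
    if not payload:
        return "empty"
    name = ED2K_MARKERS.get(payload[0])
    if name and proto == "udp":            # eDonkey UDP: marker, opcode, data
        return name
    if name and len(payload) >= 6:         # eDonkey TCP: marker, LE32 size, opcode, data
        size = struct.unpack("<I", payload[1:5])[0]
        if 1 <= size <= len(payload) - 5:  # size covers opcode+data; segment may hold several messages
            return name
    if payload[:4] in (b"GET ", b"POST", b"HEAD", b"HTTP"):
        return "http-like"
    return "unknown"


def summarize(data, port=PORT):
    """Count packets on `port` per (host owning the port, transport, classification)."""
    counts = Counter()
    for proto, src, dst, sport, dport, payload in parse_pcap(data):
        if port not in (sport, dport):
            continue
        listener = dst if dport == port else src
        counts[(listener, proto, classify_payload(proto, payload))] += 1
    return counts


def _frame(proto, src, dst, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP-or-UDP frame for the constructed sample (checksums left zero)."""
    if proto == "tcp":
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 8192, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                     6 if proto == "tcp" else 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + l4
    return b"\x00" * 12 + b"\x08\x00" + ip


# Constructed sample capture (hypothetical addresses): an eDonkey hello, an HTTP
# request and an eMule UDP datagram all aimed at 10.0.1.9:4662, plus a DNS query
# that must be ignored.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in (
        _frame("tcp", "10.0.0.7", "10.0.1.9", 50001, 4662,
               b"\xe3" + struct.pack("<I", 17) + b"\x01" + b"\x00" * 16),
        _frame("tcp", "10.0.0.8", "10.0.1.9", 50002, 4662, b"GET / HTTP/1.1\r\n\r\n"),
        _frame("udp", "10.0.0.9", "10.0.1.9", 4672, 4662, b"\xc5\x90\x00"),
        _frame("udp", "10.0.0.7", "10.0.0.53", 40000, 53, b"\x00" * 12),
    ))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for (host, proto, kind), n in sorted(summarize(data).items()):
        print(f"{host:15} {proto} {kind:12} {n}")
```

Run it with the path to a capture as the only argument; with no argument it summarizes the embedded sample. A host that shows up mostly as "unknown" or "http-like" on 4662 is the one to chase down for a non-eDonkey application; a host that shows up as "edonkey"/"emule" can be confirmed in Wireshark with the `edonkey` display filter (or `tshark -r port4662.pcap -Y edonkey`).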

On Wed, 25 Jul 2012 15:03:37 +0000, unsigned wrote:
> We run a mixed environment and near as I can tell have no traffic
> running around on port 4662.

Close the port and see who complains.

On 25/07/2012 16:23, Bob Crandell wrote:
> On Wed, 25 Jul 2012 15:03:37 +0000, unsigned wrote:
>> We run a mixed environment and near as I can tell have no traffic
>> running around on port 4662.
>
> Close the port and see who complains.

That was going to be my response

:)

Lance

Lance Haig lhaig@haigmail.com wrote in news:QAUPr.1902$If2.644@kovat.provo.novell.com:
> On 25/07/2012 16:23, Bob Crandell wrote:
>> On Wed, 25 Jul 2012 15:03:37 +0000, unsigned wrote:
>>> We run a mixed environment and near as I can tell have no traffic
>>> running around on port 4662.
>>
>> Close the port and see who complains.
>
> That was going to be my response
>
> :)
>
> Lance

Doing that possibly drives something into a harder-to-detect mode.
Probably not a good thing for the situation when you are playing detective.

Besides, I thought IT was the enabler; the customer wants the thing now
and they want that bandwidth now and just make it happen with no notice :)

Ciao, Dave

On Wed, 01 Aug 2012 08:24:07 +0000, Dave Taylor wrote:
> Lance Haig lhaig@haigmail.com wrote in news:QAUPr.1902$If2.644@kovat.provo.novell.com:
>> On 25/07/2012 16:23, Bob Crandell wrote:
>>> On Wed, 25 Jul 2012 15:03:37 +0000, unsigned wrote:
>>>> We run a mixed environment and near as I can tell have no traffic
>>>> running around on port 4662.
>
> Besides, I thought IT was the enabler; the customer wants the thing now
> and they want that bandwidth now and just make it happen with no notice
> :)

Being the enabler is so yesterday.

w00t, being the disabler is ‘in’

On 8/1/2012 10:10 AM, Bob Crandell wrote:
> Being the enabler is so yesterday.