Port 4662

Non-Technical Threads Chatting over the Back Fence
1

Hi all: I have been seeing a lot of traffic on port 4662 across our WANs via using Cisco’s nbar discovery. Cisco labels it a eDonkey, which is a file sharing system, but I have my doubts that is the culprit. Do you know of any other applications typically found in a mixed OES/Windows (eDir/AD) environment that might be making use of this port?

Also, I am not sure how to go about sniffing for this port traffic using Wireshark? Can someone help me out with this?

Thanks, Chris.

2

We run a mixed environment and near as I can tell have no traffic
running around on ports 4662.

“tcp.port==4662 || udp.port==4662” is an option for a wireshark display
filter, but also wireshark has built in filters for edonkey traffic.

If you are a switching environment, make sure to configure your switch
to span or mirror to your capture port.

Interesting reading:
http://www.speedguide.net/port.php?port=4662
http://isc.sans.edu/port.html?port=4662

With only this info, I wouldn’t rule out that you may indeed have some
emule/edonky traffic running around.

On 7/25/2012 9:17 AM, Chris wrote:[color=blue]

Hi all: I have been seeing a lot of traffic on port 4662 across our
WANs via using Cisco’s nbar discovery. Cisco labels it a eDonkey, which
is a file sharing system, but I have my doubts that is the culprit. Do
you know of any other applications typically found in a mixed
OES/Windows (eDir/AD) environment that might be making use of this port?
Also, I am not sure how to go about sniffing for this port traffic using
Wireshark? Can someone help me out with this?
Thanks, Chris.[/color]

3

On Wed, 25 Jul 2012 15:03:37 +0000, unsigned wrote:
[color=blue]

We run a mixed environment and near as I can tell have no traffic
running around on ports 4662.
[/color]
Close the port and see who complains.

4

On 25/07/2012 16:23, Bob Crandell wrote:[color=blue]

On Wed, 25 Jul 2012 15:03:37 +0000, unsigned wrote:
[color=green]

We run a mixed environment and near as I can tell have no traffic
running around on ports 4662.
[/color]
Close the port and see who complains.
[/color]

That was going to be my response

:slight_smile:

Lance

5

Lance Haig lhaig@haigmail.com wrote in news:QAUPr.1902$If2.644
@kovat.provo.novell.com:
[color=blue]

On 25/07/2012 16:23, Bob Crandell wrote:[color=green]

On Wed, 25 Jul 2012 15:03:37 +0000, unsigned wrote:
[color=darkred]

We run a mixed environment and near as I can tell have no traffic
running around on ports 4662.
[/color]
Close the port and see who complains.
[/color]

That was going to be my response

:slight_smile:

Lance[/color]

Doing that possibly drives something into a harder to detect mode.
Probably not a good thing for the situation when you are playing detective.

Besides, I thought IT was the enabler; the customer wants the thing now
and they want that bandwidth now and just make it happen with no notice :slight_smile:


Ciao, Dave

6

On Wed, 01 Aug 2012 08:24:07 +0000, Dave Taylor wrote:
[color=blue]

Lance Haig lhaig@haigmail.com wrote in news:QAUPr.1902$If2.644
@kovat.provo.novell.com:
[color=green]

On 25/07/2012 16:23, Bob Crandell wrote:[color=darkred]

On Wed, 25 Jul 2012 15:03:37 +0000, unsigned wrote:

We run a mixed environment and near as I can tell have no traffic
running around on ports 4662.
[/color][/color]

Besides, I thought IT was the enabler; the customer wants the thing now
and they want that bandwidth now and just make it happen with no notice
:)[/color]

Being the enabler is so yesterday.

7

w00t, being the disabler is ‘in’

On 8/1/2012 10:10 AM, Bob Crandell wrote:[color=blue]

Being the enabler is so yesterday.
[/color]