Unusual destination traffic on ports (34631,35514,34763,34867......

I started scheduling a TCPDUMP during the night because I noticed some
unusual traffic on my bandwidth charts. The destination is the same
server each time. Right below are the different names appended to the
originating server and below that is a dump of one of the sessions. Has
anyone seen this before... I have to get a report from the destination
server to see if this traffic is initializing a process.

myserver.domain.com.cplscrambler-in -> destination port 34631
myserver.domain.com.amt-esd-prot  -> destination port 35514
myserver.domain.com.rmiactivation -> destination port 34763
myserver.domain.com.ftranhc -> destination port 34867
myserver.domain.com.lmsocialserver -> destination port 35017

00:00:03.744938 IP myserver.domain.com.amt-esd-prot >
receiving.server.net.34514: S 1082456982:1082456982(0) win 5840 <mss
1460,sackOK,timestamp 1581494984 0,nop,wscale

00:00:03.747972 IP myserver.domain.com.amt-esd-prot >
receiving.server.net.34514: . ack 1126436661 win 5840
<nop,nop,timestamp 1581494988 11937219>

00:00:03.781196 IP myserver.domain.com.amt-esd-prot >
receiving.server.net.34514: . ack 1449 win 8688 <nop,nop,timestamp
1581495021 11937219>

00:00:03.781204 IP myserver.domain.com.amt-esd-prot >
receiving.server.net.34514: . ack 1461 win 8688 <nop,nop,timestamp
1581495021 11937219>

00:00:03.789326 IP myserver.domain.com.amt-esd-prot >
receiving.server.net.34514: . ack 2897 win 11584 <nop,nop,timestamp
1581495029 11937219>

00:00:03.791980 IP myserver.domain.com.amt-esd-prot >
receiving.server.net.34514: F 0:0(0) ack 3432 win 14480
<nop,nop,timestamp 1581495032 11937219>

Thanks in advance

Re: Unusual destination traffic on ports (34631,35514,34763,34867......

On 31 Jan 2006, in the Usenet newsgroup comp.security.misc, in article


Read the man page again, and configure tcpdump to get both sides of the
conversation. All that can be said is that "myserver.domain.com" initiated
a connection to "receiving.server.net", transferred some data, then shut


That's nice - but tells us nothing.  Is it one of your systems? Or does
the address point to "sekret.black_helicopters.int" ?


Those are 'user-land' ports (1082 to 1111), so the names are meaningless.


You could start by mentioning what operating system is on the originating
host.  Several seconds after midnight - a CRON job?  Depending on your
version of tcpdump, you might see if it has a -x option to dump the data
as hex and you may need to specify '-s 1500' to grab the entire packet.
Then read 'man 7 ascii' and see if the packet contents are text, and if
so, what they are saying.

        Old guy
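As an added example (not from this thread or anyone in it), here is a small Python parser for the tcpdump text format shown in the original post. It reuses the posted packets as a constructed sample, unwrapped onto one line each, and illustrates the point above: one direction's headers alone still tell you who opened the connection, that it closed cleanly, and roughly how many bytes came back from the peer (via the relative ack numbers), but nothing about what the data was.

```python
import re
from collections import defaultdict
# Constructed sample: the one-direction capture from the original post, each
# packet unwrapped onto one line. Old tcpdump prints absolute seq/ack numbers
# on the first packet in a direction and relative ones afterwards.
SAMPLE = """\
00:00:03.744938 IP myserver.domain.com.amt-esd-prot > receiving.server.net.34514: S 1082456982:1082456982(0) win 5840 <mss 1460,sackOK,timestamp 1581494984 0,nop,wscale 0>
00:00:03.747972 IP myserver.domain.com.amt-esd-prot > receiving.server.net.34514: . ack 1126436661 win 5840 <nop,nop,timestamp 1581494988 11937219>
00:00:03.781196 IP myserver.domain.com.amt-esd-prot > receiving.server.net.34514: . ack 1449 win 8688 <nop,nop,timestamp 1581495021 11937219>
00:00:03.781204 IP myserver.domain.com.amt-esd-prot > receiving.server.net.34514: . ack 1461 win 8688 <nop,nop,timestamp 1581495021 11937219>
00:00:03.789326 IP myserver.domain.com.amt-esd-prot > receiving.server.net.34514: . ack 2897 win 11584 <nop,nop,timestamp 1581495029 11937219>
00:00:03.791980 IP myserver.domain.com.amt-esd-prot > receiving.server.net.34514: F 0:0(0) ack 3432 win 14480 <nop,nop,timestamp 1581495032 11937219>
"""

PKT = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>[^.\s]+) > (?P<dst>\S+)\.(?P<dport>[^.\s:]+): "
    r"(?P<flags>[SFPR.]+)(?: \d+:\d+\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))?")


def summarize(text):
    """Per TCP conversation: who opened it, clean close, bytes each way, one-sided?"""
    flows = {}
    for line in text.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        key = frozenset([(m["src"], m["sport"]), (m["dst"], m["dport"])])
        f = flows.setdefault(key, {"initiator": None, "syn": False, "fin": False,
                                   "sent": defaultdict(int), "acks": defaultdict(list)})
        if "S" in m["flags"]:
            f["syn"], f["initiator"] = True, m["src"]
        if "F" in m["flags"]:
            f["fin"] = True
        if m["len"] is not None:
            f["sent"][m["src"]] += int(m["len"])  # payload bytes actually captured
        if m["ack"] is not None:
            f["acks"][m["src"]].append(int(m["ack"]))
    report = []
    for f in flows.values():
        seen = set(f["sent"]) | set(f["acks"])  # hosts we captured packets FROM
        ini = f["initiator"] or min(seen)
        # Relative acks count from peer_ISN+1, so the initiator's last ack is
        # (bytes the peer sent)+1 even though the peer's packets are missing.
        acks = f["acks"][ini]
        peer_bytes = acks[-1] - 1 if len(acks) > 1 else 0
        report.append({"initiator": ini, "syn": f["syn"], "fin": f["fin"],
                       "one_sided": len(seen) == 1,
                       "bytes_from_initiator": f["sent"][ini],
                       "bytes_from_peer_inferred": peer_bytes})
    return report
```

For the sample this reports one conversation opened by myserver.domain.com, closed with FIN, zero bytes sent by it and about 3431 bytes acknowledged from the peer, with only one direction captured.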

Re: Unusual destination traffic on ports (34631,35514,34763,34867......

This is how I have tcpdump scheduled in cron for tonight:

50 23 * * * /usr/sbin/tcpdump -c 150000 -w dumpfile -n -s 0 -i eth1 not
'port 80' and not 'port 21' and not 'port 23' and not 'port 53' and not
'ether proto \arp'

You're right, at first my dump looked like this:
50 23 * * * /usr/sbin/tcpdump -c 100000 -w dumpfile -n -s 1500 src
myserver.domain.com -i eth1
This obviously gave only half the story. I wasn't sure at first how
long the dump would last according to the packets I had specified so I
tried to limit the traffic. Plus, I only wanted to see if my server was
initiating the connection so I only specified the source. Tonight I
should get the full story with the topmost configuration.

P.S. I eliminated all the port 80, 23, 21, 53 and ARP traffic to get the
longest dump I could. I already know what goes on these ports (I'm pretty
sure ;). If it restricts the dump too much I will back off a little. But
this will shorten the dump time significantly because of the services
running on this machine.

These two servers are on the same network. At first I thought cronjob
too but there isn't anything running of significant value. The OS is
Suse 9.1 and the opposite server is Novell.

After I get the dumpfile I usually check the dump with "tcpdump -r
dumpfile -x -X -vv" , etc..... I use -A as well.   I will post
tonight's dump tomorrow.


Re: Unusual destination traffic on ports (34631,35514,34763,34867......

On 1 Feb 2006, in the Usenet newsgroup comp.security.misc, in article


OK - look at the time you started (23:50) - what ELSE is in the various
crontabs on the system. Assuming you are using Vixie-cron (rather than
anacron or fcron), check /etc/crontab (and /etc/anacrontab) as well as
the crontabs for _every_ user  (which may be in /var/spool/cron/crontabs/).
Also see if there is anything in /etc/cron.d/*.   The reason I'm pointing
there is your original post showed the packets at 3 seconds after
midnight. What's running then?   You also want to check to see if you are
running an 'at' daemon - someone could have run an 'at' job, and scheduled
it for midnight.

Also, depending on what you see, you may want to take some snapshots of the
output of 'ps auxw' about that time. Anything unusual running?


Why would you be talking to Novell? Are you running windoze boxes? I
haven't had to worry about Novell since 3.12, and they were still defaulting
to IPX then. It looked as if there was some data transfer, and that you
initiated the connection. What is running on those 34631 - 35514 range
of ports on the Novell box?

How often do these boxes normally talk? You might get away with snarfing
all traffic between them, to see if anything on the Novell box triggered


I normally use just a nice wide terminal and look at the headers. At
least initially, looking at the headers should identify packets that you
will want to look at more closely.

        Old guy
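As an added example (not part of the thread), a Python helper that answers the "what's running at midnight?" question mechanically: feed it the text of /etc/crontab, a file from /etc/cron.d/, or a user's crontab and it lists the entries that would fire at a given minute and hour. The crontab contents below are a constructed sample; only the tcpdump line comes from the thread, and the other entries are hypothetical.

```python
# Constructed sample in /etc/crontab format (five time fields, user, command).
# The tcpdump job from the thread is included; the other entries are
# hypothetical stand-ins for what a real audit might turn up.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
50 23 * * * root /usr/sbin/tcpdump -c 150000 -w dumpfile -n -s 0 -i eth1
0 0 * * * root /usr/local/bin/nightly-sync.sh
*/15 * * * * root /usr/lib/cron/run-crons
0 0,12 * * 1-5 backup /usr/local/bin/rotate-logs
@reboot root /usr/local/bin/start-agent
"""

def field_matches(spec, value, lo, hi):
    """Does one crontab field ('*', '0,12', '1-5', '*/15', ...) cover value?"""
    for part in spec.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            first, last = lo, hi
        elif "-" in rng:
            first, last = map(int, rng.split("-"))
        else:  # a single number; with a step it means "from here to the end"
            first, last = int(rng), (hi if step > 1 else int(rng))
        if first <= value <= last and (value - first) % step == 0:
            return True
    return False

def jobs_firing_at(crontab, minute, hour, dom=1, month=1, dow=1, has_user=True):
    """(user, command) for each entry that runs at the given wall-clock time.
    Simplification: day-of-month and day-of-week are ANDed, and 7 is not Sunday."""
    hits, n = [], 6 if has_user else 5   # user crontabs have no user column
    for line in crontab.splitlines():
        fields = line.strip().split(None, n)
        if len(fields) < n + 1 or fields[0].startswith(("#", "@")) or "=" in fields[0]:
            continue  # blank, comment, @reboot-style, or VAR=value line
        limits = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]
        values = [minute, hour, dom, month, dow]
        if all(field_matches(s, v, lo, hi)
               for s, v, (lo, hi) in zip(fields[:5], values, limits)):
            hits.append((fields[5] if has_user else None, fields[n]))
    return hits
```

Run it once per crontab file at 00:00 (with the real day-of-week for the night in question) and once at 23:50 to confirm that only the capture job itself is expected at that time.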
