PIX packet capture explanation

Unanswered Question
Apr 22nd, 2010

Hi Expert,

Could someone help to explain the following packets about udp 45 and udp 47 captured from PIX, thanks.

dtochilovsky Thu, 04/22/2010 - 08:26

Those look like DNS packets since the port is UDP 53. DNS request probably.  What is the server with IP 10.68.68.201?

hxhsu Fri, 04/23/2010 - 01:28

The 10.68.68.201 is a terminal server. My problem is the IP 61.20.223.89 querying DNS server 10.64.176.106; what does udp 45 mean?

If I permit only a port 53 rule, the DNS query does not work. It needs a permit for a range of UDP ports such as 1 - 100 for this IP 61.20.223.89.

Jennifer Halim Fri, 04/23/2010 - 04:09

45 is just the length of the UDP packet. It is still a DNS packet (on UDP/53).

From your example:

   5: 13:54:07.974116 61.20.223.89.3835 > 10.64.176.106.53:  udp 45

Highlighted in red is the port number (53) - which is DNS.


dtochilovsky Fri, 04/23/2010 - 07:00

How are you creating rules?

UDP is stateless so you may need to allow both directions (outbound DNS requests and inbound DNS replies) if you are filtering on either direction.

Would help to see the access lists you are having problems with.

Kureli Sankar Fri, 04/23/2010 - 09:25

   5: 13:54:07.974116 61.20.223.89.3835 > 10.64.176.106.53:  udp 45


3835 is the udp source port used by the client 61.20.223.89

53 is the dns port that the DNS server 10.64.176.106 listens and responds to.

45 is the udp packet size.

-KS
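
A small parser for capture lines in the layout quoted in this thread, as an added example that is not part of any post above: it separates the port that follows each IP address from the trailing length field and classifies a packet as DNS by port only. The function names are illustrative, and every sample line except packet 5 is constructed.

```python
import re
from collections import Counter

# Layout of the line quoted in the thread:
#   seq: HH:MM:SS.usec SRC_IP.SPORT > DST_IP.DPORT:  proto LENGTH
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    rf"^\s*(?P<seq>\d+):\s+(?P<time>[\d:.]+)\s+"
    rf"(?P<src>{IP})\.(?P<sport>\d+)\s+>\s+"
    rf"(?P<dst>{IP})\.(?P<dport>\d+):\s+"
    rf"(?P<proto>\w+)\s+(?P<length>\d+)\s*$"
)

SAMPLE = [
    "   5: 13:54:07.974116 61.20.223.89.3835 > 10.64.176.106.53:  udp 45",  # from the thread
    "   6: 13:54:07.981340 10.64.176.106.53 > 61.20.223.89.3835:  udp 47",  # constructed reply
    "   7: 13:54:08.102211 61.20.223.89.3836 > 10.64.176.106.45:  udp 53",  # constructed: port 45, length 53
    "3 packets shown",                                                      # constructed non-packet line
]

def parse_capture_line(line):
    """Return the fields of one capture line, or None if the line is not a packet."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pkt = m.groupdict()
    for key in ("seq", "sport", "dport", "length"):
        pkt[key] = int(pkt[key])
    return pkt

def dns_role(pkt):
    """Classify by port; the trailing number is a length and plays no part."""
    if pkt["proto"] != "udp":
        return "other"
    if pkt["dport"] == 53:
        return "query"   # client -> server, the direction a port 53 permit must match
    if pkt["sport"] == 53:
        return "reply"   # server -> client, back to the client's source port
    return "other"

def summarize(lines):
    """Count packets per role; lines that do not parse are counted as 'skipped'."""
    roles = Counter()
    for line in lines:
        pkt = parse_capture_line(line)
        roles[dns_role(pkt) if pkt else "skipped"] += 1
    return roles
```
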
