PIX packet capture explanation

hxhsu · ‎04-22-2010

Hi Expert,

Could someone help to explan the following packets about udp 45 and udp 47 captured from PIX, thanks.

dtochilovsky · ‎04-22-2010

Those look like DNS packets since the port is UDP 53. DNS request probably. What is the server with IP 10.68.68.201?

hxhsu · ‎04-23-2010

The 10.68.68.201 is a terminal server, my problem is the ip 61.20.223.89 to query DNS server 10.64.176.106, what does udp 45 mean ?

If I permit port 53 rule only, the DNS query was not work. it's need permit a range udp ports as 1 - 100 for this ip 61.20.223.89.

Jennifer Halim · ‎04-23-2010

45 is just the length of the UDP packet. It is still a DNS packet (on UDP/53)

From your example:

5: 13:54:07.974116 61.20.223.89.3835 > 10.64.176.106.53: udp 45

Highlighted in red is the port number (53) - which is DNS.

dtochilovsky · ‎04-23-2010

How are you creating rules?

UDP is stateless so you may need to allow both directions (outbound DNS requests and inbound DNS replies) if you are filtering on either direction.

Would help to see the access lists you are having problems with.

Kureli Sankar · ‎04-23-2010

5: 13:54:07.974116 61.20.223.89.3835 > 10.64.176.106.53: udp 45

3835 is the udp source port used by the client 61.20.223.89

53 is the dns port that the DNS server 10.64.176.106 listens and responds to.

45 is the udp packet size.

-KS