[Dshield] Port 6800 probes mostly from one source.

Jonathan C. Webster jwebster03 at snet.net
Sat Jan 8 06:04:41 GMT 2005

Hello All,

Over the past three days I have seen 150 or so probes to my port 6800, mostly from one source. These have been noted in the DShield report without explanation. So here is tcpdump's reading of a packet.

# /usr/sbin/tcpdump -vvvr p6800
02:24:36.929311 host-24-225-217-161.patmedia.net.1861 > XXXX.6800: S [tcp sum ok] 3291595145:3291595145(0) win 16384 <mss 1322,nop,nop,sackOK> (DF) (ttl 101, id 19639, len 48)

Three packets had previously been captured with

# /usr/sbin/tcpdump -np -c 3 -w p6800 dst port 6800

The three packets were alike except for the time and the id. While I saw port 6800 probes from 9 different sources, only four made more than 10 tries and that one made 81.

So the questions: what is being attempted? Could I have gotten more info with different tcpdump options?

Jonathan Webster
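
A small parser for tcpdump text output in the format shown in the post, tallying SYN packets to a port per source together with each source's window, TCP options and estimated hop count. This is an added example, not part of the original message: the first sample line is the post's packet, the other two lines are constructed, and the function names and the 64/128/255 initial-TTL heuristic are assumptions.

```python
import re
from collections import Counter, defaultdict

# One packet line of old-style `tcpdump -vvv` text output, as printed in the post.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>\S+) .*?win (?P<win>\d+)"
    r"(?: <(?P<opts>[^>]*)>)?.*?\(ttl (?P<ttl>\d+), id (?P<ipid>\d+), len (?P<len>\d+)\)"
)

def parse(text):
    """Yield one dict per packet line, re-joining lines a mail client wrapped."""
    joined = re.sub(r"\n(?!\d\d:\d\d:\d\d\.)", " ", text.strip())
    for line in joined.splitlines():
        m = LINE.match(re.sub(r"\s+", " ", line))
        if m:
            yield m.groupdict()

def initial_ttl(ttl):
    """Heuristic (assumption): senders start at 64, 128 or 255; pick the next one up."""
    return next(t for t in (64, 128, 255) if ttl <= t)

def summarize(text, port):
    """Count SYN packets to `port` per source and collect each source's header traits."""
    counts, traits = Counter(), defaultdict(set)
    for p in parse(text):
        if p["flags"] == "S" and int(p["dport"]) == port:
            ttl = int(p["ttl"])
            counts[p["src"]] += 1
            # (window, TCP options, estimated hops): identical traits across
            # many packets point to one sender stack repeating the same probe.
            traits[p["src"]].add((int(p["win"]), p["opts"], initial_ttl(ttl) - ttl))
    return counts, traits

# Line 1 is the packet from the post (wrapped as mailed); lines 2-3 are constructed.
SAMPLE = """\
02:24:36.929311 host-24-225-217-161.patmedia.net.1861 > XXXX.6800: S [tcp sum ok] 3291595145:3291595145(0) win
16384 <mss 1322,nop,nop,sackOK> (DF) (ttl 101, id 19639, len 48)
02:24:39.881002 host-24-225-217-161.patmedia.net.1861 > XXXX.6800: S [tcp sum ok] 3291595145:3291595145(0) win 16384 <mss 1322,nop,nop,sackOK> (DF) (ttl 101, id 19702, len 48)
02:31:10.100000 192.0.2.77.4021 > XXXX.6800: S [tcp sum ok] 100:100(0) win 5840 <mss 1460,sackOK,timestamp 1 0,nop,wscale 0> (DF) (ttl 52, id 4411, len 60)
"""

if __name__ == "__main__":
    counts, traits = summarize(SAMPLE, 6800)
    for src, n in counts.most_common():
        print(n, src, sorted(traits[src]))
```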
