[Dshield] Port 6800 probes mostly from one source.
Jonathan C. Webster
jwebster03 at snet.net
Sat Jan 8 06:04:41 GMT 2005
Over the past three days I have seen 150 or so probes to my port 6800, mostly from one source. These have been
noted in the DShield report without explanation. So here is tcpdump's reading of a packet.
# /usr/sbin/tcpdump -vvvr p6800
02:24:36.929311 host-24-225-217-161.patmedia.net.1861 > XXXX.6800: S [tcp sum ok] 3291595145:3291595145(0) win 16384 <mss 1322,nop,nop,sackOK> (DF) (ttl 101, id 19639, len 48)
Three packets had previously been captured with
#/usr/sbin/tcpdump -np -c 3 -w p6800 dst port 6800
The three packets were alike except for the time and the id. While I saw port 6800 probes from 9 different
sources, only four made more than 10 tries and that one made 81.
So the questions: what is being attempted? Could I have gotten more info with different tcpdump options?
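
Added example, not part of the original message: a small parser for the tcpdump -vvv text format quoted above that tallies bare-SYN probes to port 6800 per source and records the (ttl, len) pairs seen, which is the per-source count the post describes. The sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Old-style tcpdump -vvv text line, as quoted in the post.
LINE = re.compile(
    r"^(?P<time>\S+) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+) .*\(ttl (?P<ttl>\d+), id (?P<id>\d+), len (?P<len>\d+)\)"
)

# Constructed sample (documentation addresses, not data from the post).
# The first three lines differ only in time and IP id, like the post's capture.
SAMPLE = """\
02:24:36.929311 192.0.2.10.1861 > 198.51.100.5.6800: S [tcp sum ok] 3291595145:3291595145(0) win 16384 <mss 1322,nop,nop,sackOK> (DF) (ttl 101, id 19639, len 48)
02:24:39.881120 192.0.2.10.1861 > 198.51.100.5.6800: S [tcp sum ok] 3291595145:3291595145(0) win 16384 <mss 1322,nop,nop,sackOK> (DF) (ttl 101, id 19702, len 48)
02:24:45.902417 192.0.2.10.1861 > 198.51.100.5.6800: S [tcp sum ok] 3291595145:3291595145(0) win 16384 <mss 1322,nop,nop,sackOK> (DF) (ttl 101, id 19811, len 48)
03:10:02.114000 scanner.example.net.4022 > 198.51.100.5.6800: S [tcp sum ok] 11223344:11223344(0) win 65535 <mss 1460,nop,nop,sackOK> (DF) (ttl 113, id 501, len 48)
03:11:40.500000 192.0.2.10.2200 > 198.51.100.5.80: S [tcp sum ok] 555:555(0) win 16384 <mss 1322,nop,nop,sackOK> (DF) (ttl 101, id 20011, len 48)
03:12:00.000000 203.0.113.7.3000 > 198.51.100.5.6800: . [tcp sum ok] ack 1 win 16384 (DF) (ttl 120, id 77, len 40)
"""

def syn_probes(text, port=6800):
    """Yield parsed fields for bare-SYN packets sent to the given port."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and m["flags"] == "S" and int(m["dport"]) == port:
            yield m.groupdict()

def tally(text, port=6800):
    """Return (tries per source, distinct (ttl, len) pairs per source)."""
    counts, shapes = Counter(), {}
    for p in syn_probes(text, port):
        counts[p["src"]] += 1
        shapes.setdefault(p["src"], set()).add((int(p["ttl"]), int(p["len"])))
    return counts, shapes

def noisy(counts, more_than=10):
    """Sources with more than `more_than` tries, busiest first."""
    return [s for s, n in counts.most_common() if n > more_than]

if __name__ == "__main__":
    counts, shapes = tally(SAMPLE)
    for src, n in counts.most_common():
        print(f"{src:24} {n:3} tries  ttl/len seen: {sorted(shapes[src])}")
```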