[Dshield] UDP 21626 Traffic

jayjwa jayjwa at atr2.ath.cx
Sun Feb 5 01:41:15 GMT 2006


What do you make of these? Don't they look interesting? This started one day -
lots of traffic to this one port: UDP 21626. That's a high UDP port, kind of 
uncommon. There hasn't been any activity since these packets were recorded.
Below are a few of the more interesting-looking frames. I did some checking
around, but no info was to be found regarding this particular port.


Frame 1 (171 bytes on wire, 171 bytes captured)
     Arrival Time: Jan 26, 2006 19:55:43.961168000
     Time delta from previous packet: 0.000000000 seconds
     Time since reference or first frame: 0.000000000 seconds
     Frame Number: 1
     Packet Length: 171 bytes
     Capture Length: 171 bytes
     Protocols in frame: sll:ip:udp:data
Linux cooked capture
     Packet type: Unicast to us (0)
     Link-layer address type: 512
     Link-layer address length: 0
     Source: <MISSING>
     Protocol: IP (0x0800)
Internet Protocol, Src: 222.8.101.15 (222.8.101.15), Dst: 64.179.12.75 (64.179.12.75)
     Version: 4
     Header length: 20 bytes
     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
         0000 00.. = Differentiated Services Codepoint: Default (0x00)
         .... ..0. = ECN-Capable Transport (ECT): 0
         .... ...0 = ECN-CE: 0
     Total Length: 155
     Identification: 0xd1d4 (53716)
     Flags: 0x00
         0... = Reserved bit: Not set
         .0.. = Don't fragment: Not set
         ..0. = More fragments: Not set
     Fragment offset: 0
     Time to live: 108
     Protocol: UDP (0x11)
     Header checksum: 0xec67 [correct]
         Good: True
         Bad : False
     Source: 222.8.101.15 (222.8.101.15)
     Destination: 64.179.12.75 (64.179.12.75)
User Datagram Protocol, Src Port: 9869 (9869), Dst Port: 21626 (21626)
     Source port: 9869 (9869)
     Destination port: 21626 (21626)
     Length: 135
     Checksum: 0xa4a3 [correct]
Data (127 bytes)

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 9b d1 d4 00 00 6c 11 ec 67 de 08 65 0f   E.......l..g..e.
0020  40 b3 0c 4b 26 8d 54 7a 00 87 a4 a3 64 31 3a 61   @..K&.Tz....d1:a
0030  64 32 3a 69 64 32 30 3a 07 3a 9a 4b 69 0b 89 44   d2:id20:.:.Ki..D
0040  78 bc 42 f9 ea f6 c8 67 44 88 f1 26 39 3a 69 6e   x.B....gD..&9:in
0050  66 6f 5f 68 61 73 68 32 30 3a 89 04 d3 de cf 4e   fo_hash20:.....N
0060  89 9a 0a ae 52 8e 8b c9 38 80 89 9c 28 ce 34 3a   ....R...8...(.4:
0070  70 6f 72 74 69 39 38 36 39 65 35 3a 74 6f 6b 65   porti9869e5:toke
0080  6e 30 3a 65 31 3a 71 31 33 3a 61 6e 6e 6f 75 6e   n0:e1:q13:announ
0090  63 65 5f 70 65 65 72 31 3a 74 38 3a 7f f7 3d e8   ce_peer1:t8:..=.
00a0  1c ce 5c 9d 31 3a 79 31 3a 71 65                  ..\.1:y1:qe

Frame 2 (142 bytes on wire, 142 bytes captured)
     Arrival Time: Jan 26, 2006 20:01:10.821553000
     Time delta from previous packet: 326.860385000 seconds
     Time since reference or first frame: 326.860385000 seconds
     Frame Number: 2
     Packet Length: 142 bytes
     Capture Length: 142 bytes
     Protocols in frame: sll:ip:udp:data
Linux cooked capture
     Packet type: Unicast to us (0)
     Link-layer address type: 512
     Link-layer address length: 0
     Source: <MISSING>
     Protocol: IP (0x0800)
Internet Protocol, Src: 218.191.113.59 (218.191.113.59), Dst: 64.179.12.75 (64.179.12.75)
     Version: 4
     Header length: 20 bytes
     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
         0000 00.. = Differentiated Services Codepoint: Default (0x00)
         .... ..0. = ECN-Capable Transport (ECT): 0
         .... ...0 = ECN-CE: 0
     Total Length: 126
     Identification: 0x700e (28686)
     Flags: 0x00
         0... = Reserved bit: Not set
         .0.. = Don't fragment: Not set
         ..0. = More fragments: Not set
     Fragment offset: 0
     Time to live: 108
     Protocol: UDP (0x11)
     Header checksum: 0x4568 [correct]
         Good: True
         Bad : False
     Source: 218.191.113.59 (218.191.113.59)
     Destination: 64.179.12.75 (64.179.12.75)
User Datagram Protocol, Src Port: 16909 (16909), Dst Port: 21626 (21626)
     Source port: 16909 (16909)
     Destination port: 21626 (21626)
     Length: 106
     Checksum: 0x4c39 [correct]
Data (98 bytes)

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 7e 70 0e 00 00 6c 11 45 68 da bf 71 3b   E..~p...l.Eh..q;
0020  40 b3 0c 4b 42 0d 54 7a 00 6a 4c 39 64 31 3a 61   @..KB.Tz.jL9d1:a
0030  64 32 3a 69 64 32 30 3a 46 bb 80 b8 73 b1 97 72   d2:id20:F...s..r
0040  ed 2b a2 9a 8e 1c fb e5 bd 1c a0 d3 36 3a 74 61   .+..........6:ta
0050  72 67 65 74 32 30 3a 46 bb 80 b8 73 b1 97 72 ed   rget20:F...s..r.
0060  2b a2 9a 8e 1c fb e5 bd 1c a0 d4 65 31 3a 71 39   +..........e1:q9
0070  3a 66 69 6e 64 5f 6e 6f 64 65 31 3a 74 38 3a 1f   :find_node1:t8:.
0080  73 03 8d 7e 8b 42 60 31 3a 79 31 3a 71 65         s..~.B`1:y1:qe

Frame 3 (142 bytes on wire, 142 bytes captured)
     Arrival Time: Jan 26, 2006 20:01:40.107353000
     Time delta from previous packet: 29.285800000 seconds
     Time since reference or first frame: 356.146185000 seconds
     Frame Number: 3
     Packet Length: 142 bytes
     Capture Length: 142 bytes
     Protocols in frame: sll:ip:udp:data
Linux cooked capture
     Packet type: Unicast to us (0)
     Link-layer address type: 512
     Link-layer address length: 0
     Source: <MISSING>
     Protocol: IP (0x0800)
Internet Protocol, Src: 61.93.90.248 (61.93.90.248), Dst: 64.179.12.75 (64.179.12.75)
     Version: 4
     Header length: 20 bytes
     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
         0000 00.. = Differentiated Services Codepoint: Default (0x00)
         .... ..0. = ECN-Capable Transport (ECT): 0
         .... ...0 = ECN-CE: 0
     Total Length: 126
     Identification: 0xd936 (55606)
     Flags: 0x00
         0... = Reserved bit: Not set
         .0.. = Don't fragment: Not set
         ..0. = More fragments: Not set
     Fragment offset: 0
     Time to live: 108
     Protocol: UDP (0x11)
     Header checksum: 0x8fe5 [correct]
         Good: True
         Bad : False
     Source: 61.93.90.248 (61.93.90.248)
     Destination: 64.179.12.75 (64.179.12.75)
User Datagram Protocol, Src Port: 26890 (26890), Dst Port: 21626 (21626)
     Source port: 26890 (26890)
     Destination port: 21626 (21626)
     Length: 106
     Checksum: 0xfe3e [correct]
Data (98 bytes)

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 7e d9 36 00 00 6c 11 8f e5 3d 5d 5a f8   E..~.6..l...=]Z.
0020  40 b3 0c 4b 69 0a 54 7a 00 6a fe 3e 64 31 3a 61   @..Ki.Tz.j.>d1:a
0030  64 32 3a 69 64 32 30 3a 77 1b de 5b f1 64 91 c7   d2:id20:w..[.d..
0040  63 38 0f d9 55 fa 64 46 ee 08 89 68 36 3a 74 61   c8..U.dF...h6:ta
0050  72 67 65 74 32 30 3a 88 e4 21 a4 0e 9b 6e 38 9c   rget20:..!...n8.
0060  c7 f0 26 aa 05 9b b9 11 f7 76 96 65 31 3a 71 39   ..&......v.e1:q9
0070  3a 66 69 6e 64 5f 6e 6f 64 65 31 3a 74 38 3a 40   :find_node1:t8:@
0080  98 50 d7 45 19 61 c5 31 3a 79 31 3a 71 65         .P.E.a.1:y1:qe

Frame 4 (106 bytes on wire, 106 bytes captured)
     Arrival Time: Jan 26, 2006 20:04:21.673487000
     Time delta from previous packet: 161.566134000 seconds
     Time since reference or first frame: 517.712319000 seconds
     Frame Number: 4
     Packet Length: 106 bytes
     Capture Length: 106 bytes
     Protocols in frame: sll:ip:udp:data
Linux cooked capture
     Packet type: Unicast to us (0)
     Link-layer address type: 512
     Link-layer address length: 0
     Source: <MISSING>
     Protocol: IP (0x0800)
Internet Protocol, Src: 218.2.84.37 (218.2.84.37), Dst: 64.179.12.75 (64.179.12.75)
     Version: 4
     Header length: 20 bytes
     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
         0000 00.. = Differentiated Services Codepoint: Default (0x00)
         .... ..0. = ECN-Capable Transport (ECT): 0
         .... ...0 = ECN-CE: 0
     Total Length: 90
     Identification: 0x7ede (32478)
     Flags: 0x00
         0... = Reserved bit: Not set
         .0.. = Don't fragment: Not set
         ..0. = More fragments: Not set
     Fragment offset: 0
     Time to live: 106
     Protocol: UDP (0x11)
     Header checksum: 0x568f [correct]
         Good: True
         Bad : False
     Source: 218.2.84.37 (218.2.84.37)
     Destination: 64.179.12.75 (64.179.12.75)
User Datagram Protocol, Src Port: 17585 (17585), Dst Port: 21626 (21626)
     Source port: 17585 (17585)
     Destination port: 21626 (21626)
     Length: 70
     Checksum: 0x66b2 [correct]
Data (62 bytes)

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 5a 7e de 00 00 6a 11 56 8f da 02 54 25   E..Z~...j.V...T%
0020  40 b3 0c 4b 44 b1 54 7a 00 46 66 b2 64 31 3a 61   @..KD.Tz.Ff.d1:a
0030  64 32 3a 69 64 32 30 3a da 7a f7 36 f2 98 0d 8f   d2:id20:.z.6....
0040  76 82 e4 85 cf 2c 8a 98 9d a2 4e f9 65 31 3a 71   v....,....N.e1:q
0050  34 3a 70 69 6e 67 31 3a 74 38 3a 64 bb 79 2f 08   4:ping1:t8:d.y/.
0060  d5 2f 10 31 3a 79 31 3a 71 65                     ./.1:y1:qe


j
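
Added example, not part of the original post: the UDP payloads in the frames above are bencoded dictionaries whose keys (y, q, t, a) and query names (ping, find_node, announce_peer) match the KRPC query format of the BitTorrent Mainline DHT. The Python code below rebuilds frame 4 from its hex dump, strips the link, IP and UDP headers and decodes the payload; all function names are this example's own.

```python
import re

# Frame 4 hex dump, copied as it appears in the post above.
FRAME4 = """
0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 5a 7e de 00 00 6a 11 56 8f da 02 54 25   E..Z~...j.V...T%
0020  40 b3 0c 4b 44 b1 54 7a 00 46 66 b2 64 31 3a 61   @..KD.Tz.Ff.d1:a
0030  64 32 3a 69 64 32 30 3a da 7a f7 36 f2 98 0d 8f   d2:id20:.z.6....
0040  76 82 e4 85 cf 2c 8a 98 9d a2 4e f9 65 31 3a 71   v....,....N.e1:q
0050  34 3a 70 69 6e 67 31 3a 74 38 3a 64 bb 79 2f 08   4:ping1:t8:d.y/.
0060  d5 2f 10 31 3a 79 31 3a 71 65                     ./.1:y1:qe
"""

def dump_to_bytes(dump):
    # Keep only the hex column of each dump line (at most 16 bytes per line).
    rows = re.findall(r"^[0-9a-f]{4}\s+((?:[0-9a-f]{2} ?){1,16})", dump, re.M)
    return bytes.fromhex("".join(rows))

def udp_payload(frame, link_len=16):
    # Skip the 16-byte Linux cooked header, the IPv4 header (IHL) and the 8-byte UDP header.
    ihl = (frame[link_len] & 0x0F) * 4
    return frame[link_len + ihl + 8:]

def bdecode(buf, i=0):
    # Decode one bencoded value starting at buf[i]; return (value, next_index).
    c = buf[i:i + 1]
    if c == b"i":                               # integer: i<digits>e
        end = buf.index(b"e", i)
        return int(buf[i + 1:end]), end + 1
    if c in (b"l", b"d"):                       # list or dict: l...e / d...e
        items, i = [], i + 1
        while buf[i:i + 1] != b"e":             # a truncated buffer ends in ValueError below
            value, i = bdecode(buf, i)
            items.append(value)
        return (items if c == b"l" else dict(zip(items[::2], items[1::2]))), i + 1
    if c.isdigit():                             # byte string: <length>:<bytes>
        colon = buf.index(b":", i)
        n = int(buf[i:colon])
        if colon + 1 + n > len(buf):
            raise ValueError("truncated string")
        return buf[colon + 1:colon + 1 + n], colon + 1 + n
    raise ValueError(f"bad bencode at offset {i}")

def summarize(payload):
    # KRPC fields: y = message type, q = query name, t = transaction id, a = arguments.
    msg, _ = bdecode(payload)
    return {"type": msg[b"y"].decode(), "query": msg.get(b"q", b"").decode(),
            "txn": msg[b"t"].hex(), "node_id": msg.get(b"a", {}).get(b"id", b"").hex()}
```

Calling summarize(udp_payload(dump_to_bytes(FRAME4))) reports a "ping" query; the same decoder handles the integer port and zero-length token seen in frame 1.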

