Wireshark · Ethereal-users: Re: [Ethereal-users] Quick Question from a very novice user

Ethereal-users: Re: [Ethereal-users] Quick Question from a very novice user

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Ulf Lamping <ulf.lamping@xxxxxx>

Date: Sun, 12 Mar 2006 16:25:25 +0100

Darwin Roach S. wrote:

Hello, a friend of mine and I were doing some captures on a VoIP ATAdevice to find out which port the TFTP client was using to connect toit´s TFTP Server (supposed to be 69), but when we saw the capture wenoticed that the capture showed a strange port as source port, like1134 or something (is not that one but something like that) and thedestination port was indeed 69, no I don´t get that, shouldn´t therequest come from the same por 69?, otherwise how can I set a firewallfor instance to block or allow that service in a network if the sourceport is random or not 69?.My friend tells me that it seems logical and said that even Httpwould go out with any source port from the computer but as destinationpor 80 for instance, then the NAT does it´s job and expects the answerinto that very port 80 from the web, but then translated the port 80into the source port (any port other than 80) the original computerhas for that request. All of that doesn´t seem logical to me becauseI´ve set many firewalls up and I know that if I block port 69 from LANto WAN then nobody will be able to use TFTP for instance same for port80 for HTTP and any other port, and the blocking can be from insidethe network to the outside or viceversa.Can somebody please clarify this to me?We used a RJ-45 Grandstream ATA for VoIP, connected into a networkcard in a SUSE linux computer and that same computer connected intothe internet with another card, so we could make the capture.Thanks and sorry if I am being too basic or if the questions seemsstupid :)

The server will listen to packets on the tftp port 69. The client canchoose any port it likes, usually a "random" port above around 1024 isused, that's how TCP and UDP works.

Please note that when sending packets the client will use the*destination* port 69, while the server uses *source* port 69 for thesame "connection". So the source port is always the one the packet iscoming from.

Both firewall and NAT will know the direction of the traffic so it's adifferent thing if the packet is coming from the LAN or the WAN.


Regards, ULFL

References:
- [Ethereal-users] Quick Question from a very novice user
  - From: Darwin Roach S.

Prev by Date: [Ethereal-users] Quick Question from a very novice user
Next by Date: Re: [Ethereal-users] Every packet is retransmitted
Previous by thread: [Ethereal-users] Quick Question from a very novice user
Next by thread: [Ethereal-users] Percentage Utilisation of a trunk port
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$