Gathering network statistics on specific tcp ports

Similar Messages

• IPS - alarm on specific tcp port scan

  Hi there,
  My problem is:
  I want to create a rule on IPS 5.x, in which a TCP high port rage sweep triggers a low alarm, but if the sweep includes tcp 2400 port, than I receive a high level alarm. But in the same time I don't want any alarms, if theres is a full 3-way handshake to tcp 2400 ports . Is it possible at all?
  Thanks,
  Aa

  The short answer is no, it does not help thanks... Shortly because it was not an answer to my question ;-)
  After further investigation I found the so-called META engine, in which there is a "component list", in which you can define more signatures. The alarm is fired if all the selected events match.
  Unfortunately the component list doesn't allow you to add a custom signature the the list, so I had to clone the "normal" tcp port sweep engine (to keep teh original), than modify the original 3001 engine to fire on tcp port 2400 mathces. Then I added this signature and TCP high port sweep signature to the component list.
  In this way it works. If anyone can suggest an easier way - Welcome! But now I think that can be a useful info for others also.
  Bests,
  Aa

• BEFW11S4 UDP AND TCP PORT opening

  How do i open UDP AND TCP ports specifically TCP ports: 80, 6667, 28910, 29900, 29920
  UDP ports: 4321, 27900 Its for a networkable game i need to open these ports to play it.

  Ok But when i try disabling the numbers in the forwarding field i run out of spaces in the field to be able to disable them Is there an advanced firewall settings that i dont know about? I put in all of the range forwarding and put the range forwarding start for example 80 originally (TCP ports: 80, 6667, 28910, 29900, 29920
  UDP ports: 4321, 27900) The ones i try to disable i run out of fields to disable them in the forwarding for example there are 10 slots for disabling and Im trying to disable them on two numbers 192.168.1.101. and 192.168.1.100 So i need to disable them for both ip numbers I got 10 fields to enter it into them and 10 x 2 is more than the numbers..... You get me?? and on top of that i dont know if what i did was enough Linksys doesnt want to help me without paying 30 dollars so im just thinking i should buy a new router....... i mean they charge 39 dollars for a new router and they want me to pay 39 dollars for tech support it just doesnt make any sense........

• Monitoring TCP ports

  Utilizing a 1605, is there a MIB or another way to show amount of traffic by tcp or udp port on a particular interface?

  Brian
  If you want reporting on specific TCP ports and packet count is sufficient then an alternative to consider would be to create an access list and assign it to the interface (depending on your requirements you might want one access list for inbound and a similar access list for outbound). This access list would not necessarily deny anything. But it would have permit statements for the particular tcp ports that you are interested in and a permit any at the bottom. This way the access list would count packets for the TCP (or UDP) port.
  An example would be this:
  ip access-list extended count_in
  remark count tcp packets inbound
  permit tcp any any eq 23
  permit tcp any any eq 80
  permit tcp any eq 23 any
  permit tcp any eq 80 any
  permit any any
  ip access-list extended count_out
  remark count tcp packets outbound
  permit tcp any any eq 23
  permit tcp any any eq 80
  permit tcp any eq 23 any
  permit tcp any eq 80 any
  permit any any
  interface fastethernet0/0
  ip access-group count_in in
  ip access-group count_out out
  then show access-list count_in and show access-list count_out would show the number of hits for each line and you would have packet counts for your specific TCP ports.
  HTH
  Rick

• Create TCP port monitor to ping windows server or network device

  Dears
  I'm trying to create TCP port monitor which tests the ping of a remote network device or windows computer from the watcher node, but I don't know which port to use, is there a specific port number?
  Thanks
  Mohammad, IT NOC Team

  I also would like to share the following article with you. It is a sample script that will use netstat –an to check the TCP ports currently in a listening state on the local system 
  and parse the output to determine that the defined TCP port is in a listening state.
  http://operatingquadrant.com/2009/08/13/scom-locallly-monitoring-a-listening-tcp-port/
  Niki Han
  TechNet Community Support

• WCF NetTcpBinding, remote client Established TCP Ports do not recycle

  In our application we have bunch of WCF services(NetTcpBinding) hosted under Windows Service, we have a remote client/clients which is connecting to this wcf service.
  When Network connection drop between client and Server, I am seeing that Established TCP Ports does NOT get recycled, When we get Network connectivity back and remote client app try to connect to the service again, we see new TCP Ports getting created again,
  but old TCP Ports still remain open, we have set ReliableSession to true and ReceiveTimeOut to 10 min on our WCF Service.
  Could anyone know here why this connection never gets recycled, what we have to do specific to have them cleanedup if remote client either crashes or network connection drops.

  You are probably closing the TCP connection simultaneously from both the client and server.  There is a design issue with TCP going back to the 1970's that has never been fixed.  When connections are closed from both ends at the same time sometimes
  ports are left open in a half open / half close state.  The correct method for closing TCP is as follows
  1)  From application level client send command to stop server
  2) Client closes connection
  3) Server uses the on closed event to dispose server objects so no memory leak occurs.
  jdweng

• Disable Statistics for specific Tables

  Is it possible to disable statistics for specific tables???

  If you want to stop gathering statistics for certain tables, you would simply not call DBMS_STATS.GATHER_TABLE_STATS on those particular tables (I'm assuming that is how you are gathering statistics at the moment). The old statistics will remain around for the CBO, but they won't be updated. Is that really what you want?
  If you are currently using GATHER_SCHEMA_STATS to gather statistics, you would have to convert to calling GATHER_TABLE_STATS on each table. You'll probably want to have a table set up that lists what tables to exclude and use that in the procedure that calls GATHER_TABLE_STATS.
  Justin
  Distributed Database Consulting, Inc.
  http://www.ddbcinc.com/askDDBC

• Bypassing TCP port 25 restriction (i.e. worst ISP EVER; Mail is not allowed

  Hi
  The private company that runs my DOES NOT ALLOW Smtp connections on its "hi speed internet connection".
  Meaning that Mail cannot function and I have to check via webmail.
  I'm serious.
  Their FAQ states:
  Can I use email clients such as Microsoft Outlook or Outlook Express to send and receive emails?
  No, you will only be able to use web browser based email such as Hotmail or Gmail; this is due to limitations (on TCP port 25) which have been implemented to protect you against other computer users sending unsolicited bulk emails (SPAM) via your computer.
  Does anyone know a way to get around this as I NEED the functionality of Mail.....
  Also,
  Are all British ISPs this ridiculous?
  Dieing to find a solution to this....... Many Many Many Many Thanks
  PS. I already paid extra ($250USD) to enable 'super' internet which doesnt throttle VOIP, STREAMING, gaming, P2P etc.
  Luke

  Beginning January 1, 2006 Port 587 has been standardized as the port to use for authenticated SMTP servers although most will still work with Port 25 as well. More and more ISPs are blocking port 25 as various jurisdictions are holding them responsible for spam and/or viruses originating on their network. With unauthenticated SMTP anyone can send using that server whether they have an account or not. So the ISPs block that port with the sole exception of their own SMTP server so they can scan the messages for spam and viruses. With an authenticated SMTP server where a valid account id and password are required to send messages the provider of the server assumes the responsibility for scanning all traffic through their server thus relieving the ISP of the liability.
  Whether you think this is a big brother step or not, with estimates that spam on the internet is running as high as 70% of all email traffic, if it weren't for restrictions like this email would rapidly become an unusable tool. The only annoying thing I have found about this is how few ISP Tech Support people know about this. To often their solution is "you can only use another email provider through their webmail interface."

• Smbclient wants to connect to TCP port 139

  On my Powerbook, using Little Snitch under certain conditions (undetermined) I get the following message repeatedly, I am not connected to a network (except for Airport) or printer:
  The application "smbclient" wants to connect to 192.168.131.65 on TCP port 139 (netbios-ssn)
  What is this all about - thanks.
  PB G4 Al 17"    

  Airport is as much of a network as Ethernet is. Port 139 is the normal port for SMB connections. (At the terminal, try "grep 139 /etc/services".) What you want to do is figure out where your Powerbook was connecting to a Windows file or printer server on network 192.168.0.0 or 192.168.131.0. Are either of those the network address for your Airport network? You can see this in your Network settings.
  Login Items is the first place to look for an alias that might trigger an automated mount, but another application (other than the Finder) could be looking for a file server, too (as another posted mentioned). You could try to grep for "192.168.131.65" in all the files in your Preferences folder, except if you have 10.4 they might all be binary now and you'd have to convert them to xml text first, using plutil (again in Terminal).

• LMS 4.2 Why is TCP port 514 used and how to close it?

  An internal security scan showed that TCP port 514 is open on the Cisco Prime LMS 4.2.4 server.  The security team is concerned that this port is commonly used for rsh, which is not encrypted and may use plain text logins or poorly authenticated logins.  The port being open is documented in the "Installing and Migrating ..." manual for LMS 4.2 where it says that this TCP port 514 is used for Remote Copy Protocol in the direction from the server to device.  The well-known port associated with a service is usually on the target host, not on the host that initiates the connection, so this is a little confusing.  I see that there is no rsh service in /etc/inetd.conf, but there is an rsh service in /etc/xinetd.conf.  This LMS is not configured to use RCP for anything, as far as I can tell.
  Can I close TCP port 514 on this server without disasterous results, and how do I do that?
  Or, how do I satisfy the security team that having this port open is not a security concern?
  Thanks for any help.
  Dave

  I have a love/hate relationship with security audits like that. Happy to know the profile of a server but then hating to have to justify everything their "report" "concludes" (95% of which is usually just dressed up too output from Nessus or whatever).
  Problem is with appliance servers running a packaged application like LMS, mucking with the OS settings (rc files etc.) can break things in unexpected ways. I'm more in favor of putting it on a segmented network and applying access-control lists or firewall rules inbound vs. trying to take apart the system and put it back together using only the parts you think are necessary (a bit of hyperbole there but it's to make a point).
  Call it defense in depth and declare victory and then move on with using the tool to actually manage the network instead of defending its configuration to the Stasi.

• Database link TCP ports

  We installed database link between two Oracle databases. Does anybody know on whitch TCP port it communicate ? I know only about port 1521. Problem is that we have firewall between computers and we need to enable Oracle communication between them.

  avalanche333 wrote:
  I am attempting to create a database link from a very locked down server (Database A) to Database B which is on my internal network.
  Can someone tell me what ports I need to open in the firewall for a database link to work correctly? My Database B instance is a XE instance running on the default port 1521.
  Thanks,Hans and Devotee have given you the best info so far. I'd like to expand and clarify slightly on their comments.
  There is really nothing special about a db-link. It is just another client process, being used by the 'client' database. It uses exactly the same networking pieces as does sqlplus on the same machine. All of the same considerations are there ... tnsnames.ora on the client machine matching up with the listener configuration on the target machine, listener ports, port redirection for establishing the actual server process, etc. I would start by getting a sqlplus connection working. When you have that, you know you have all of your network configuration issues resolved. At that point any issues you have with the dblink will be in the link definition itself.
  And as Hans pointed out, databases don't run on port 1521. It is a conceptual mistake to think of the database as "running" on any port. By default the listener uses port 1521 to listen for connection requests. The database knows nothing about that. It is also very easy, and not that uncommon, to configure the listener to use another port instead of or in addition to 1521, so it is also a mistake to treat port 1521 as if it were some immutable value.

• Listing and closing open TCP ports

  Hi,
  For security reasons I would like to have as few open TCP ports as possible on my iMac, leaving open only those that I feel are worthwhile having enabled. How can I go about to
  a) identify which TCP ports are currently open on the system
  b) identify the processes that have opened the ports and understand the origin and purpose of those process
  c) disable the processes that have ports open, if I feel that there is no good reason for having them open
  I'm running OS X 10.9.4.
  Thanks!
  Fredrik

  You can run "netstat" in the Terminal or maybe Network Utility to see open ports. However, all you should really do is make sure you don't have any sharing services enabled. Otherwise that is all you can do. Macs are not meant to be used as servers or in secure environments. They are strictly consumer machines. Apple has engineered them to be highly secure, but not configurable by the user. It is highly unlikely that any modifications that an end-user can make would do anything other than reduce security.

• What TCP ports are used by Push notifications

  I believe my Firewall is blocking Push Notifications on my iPod touch. So, I wanted to discover what the TCP Ports are that are used by Push so I could open those ports to pass packets (info) to my iPod.

  See:
  http://support.apple.com/kb/HT3576
  "If you are still unable to receive notifications and you are using a Wi-Fi connection, verify that the network or firewall is not blocking access to port 5223."

• What incoming public TCP ports are blocked?

  I just setup my 890L to forward incoming public TCP ports to to a couple of my LAN devices.  Unfortunately, it looks like VZB is purposefully blocking common incoming TCP ports. 
  I tried searching on google.com for what ports are blocked; but, just found a bunch of posts like this one.  Some people actually tried contacting 1st and 2nd tied VZB tech support about this; but, it's clear they don't have this information available to them.
  Has anyone verified what incoming public TCP ports are not blocked?  There's no easy way for me to test this using my 890L.

  You can find out for yourself which ports are being blocked by using a Port Query utility.  Depending on the OS of your computer there should be multiple utilties available for free floating around.
  As we have seen numerous times before, devices on VZW's new SIM card/4G LTE network are blocked from many of the public facing services and features we have previously been dependant on.  Public IP Addresses, Public Ports, Webcams, VOIP phones, etc. all suffer under the same umbrella of limitations on the new network.  The list is too long to publish everything that is blocked or not working as it previously did.  Much easier for you to post the requirements of your application and have us confirm if its working or not.
  If you have not already experimented with VPN's I'd suggest checking them out.  VPN's are one of the easiest ways around these new limitations.  With a VPN enabled your device will tunnel all of its communications out an allowed port to a VPN server where your traffic is free to act normally before returning to you.

• How do i find out what tcp ports are open? and where do i look it up?

  how do i find out what tcp ports are open? and where would i go to see them? i have a program that is asking for it and i am unable to find where those are listed.

  If you are not too tech savvy, try using the Network Utility found in the Utilities folder. Just have the Mac scan itself.
  If tech savvy, there's always Fyodor's classic NMap, found at www.insecure.org.