Port 4662



Chris
25-Jul-2012, 15:17
Hi all: I have been seeing a lot of traffic on port 4662 across our WANs using Cisco's NBAR discovery. Cisco labels it eDonkey, which is a file sharing system, but I have my doubts that is the culprit. Do you know of any other applications typically found in a mixed OES/Windows (eDir/AD) environment that might be making use of this port?

Also, I am not sure how to go about sniffing for this port's traffic using Wireshark. Can someone help me out with this?

Thanks, Chris.

unsigned
25-Jul-2012, 16:03
We run a mixed environment and near as I can tell have no traffic
running around on port 4662.

"tcp.port==4662 || udp.port==4662" is an option for a wireshark display
filter, but also wireshark has built in filters for edonkey traffic.

If you are in a switched environment, make sure to configure your switch
to span or mirror to your capture port.

Interesting reading:
http://www.speedguide.net/port.php?port=4662
http://isc.sans.edu/port.html?port=4662

With only this info, I wouldn't rule out that you may indeed have some
eMule/eDonkey traffic running around.



On 7/25/2012 9:17 AM, Chris wrote:
> Hi all: I have been seeing a lot of traffic on port 4662 across our
> WANs using Cisco's NBAR discovery. Cisco labels it eDonkey, which
> is a file sharing system, but I have my doubts that is the culprit. Do
> you know of any other applications typically found in a mixed
> OES/Windows (eDir/AD) environment that might be making use of this port?
> Also, I am not sure how to go about sniffing for this port traffic using
> Wireshark. Can someone help me out with this?
> Thanks, Chris.

Bob Crandell
25-Jul-2012, 16:23
On Wed, 25 Jul 2012 15:03:37 +0000, unsigned wrote:

> We run a mixed environment and near as I can tell have no traffic
> running around on port 4662.
>
Close the port and see who complains.

Lance Haig
25-Jul-2012, 16:50
On 25/07/2012 16:23, Bob Crandell wrote:
> On Wed, 25 Jul 2012 15:03:37 +0000, unsigned wrote:
>
>> We run a mixed environment and near as I can tell have no traffic
>> running around on port 4662.
>>
> Close the port and see who complains.
>

That was going to be my response

:-)

Lance

Dave Taylor
01-Aug-2012, 09:24
Lance Haig <lhaig@haigmail.com> wrote in news:QAUPr.1902$If2.644@kovat.provo.novell.com:

> On 25/07/2012 16:23, Bob Crandell wrote:
>> On Wed, 25 Jul 2012 15:03:37 +0000, unsigned wrote:
>>
>>> We run a mixed environment and near as I can tell have no traffic
>>> running around on port 4662.
>>>
>> Close the port and see who complains.
>>
>
> That was going to be my response
>
>:-)
>
> Lance

Doing that possibly drives something into a harder to detect mode.
Probably not a good thing for the situation when you are playing detective.

Besides, I thought IT was the enabler; the customer wants the thing now
and they want that bandwidth now and just make it happen with no notice :)

--
Ciao, Dave

Bob Crandell
01-Aug-2012, 16:10
On Wed, 01 Aug 2012 08:24:07 +0000, Dave Taylor wrote:

> Lance Haig <lhaig@haigmail.com> wrote in news:QAUPr.1902$If2.644@kovat.provo.novell.com:
>
>> On 25/07/2012 16:23, Bob Crandell wrote:
>>> On Wed, 25 Jul 2012 15:03:37 +0000, unsigned wrote:
>>>
>>>> We run a mixed environment and near as I can tell have no traffic
>>>> running around on port 4662.
>>>>
>
> Besides, I thought IT was the enabler; the customer wants the thing now
> and they want that bandwidth now and just make it happen with no notice
> :)

Being the enabler is so yesterday.

unsigned
01-Aug-2012, 17:48
w00t, being the disabler is 'in'



On 8/1/2012 10:10 AM, Bob Crandell wrote:
> Being the enabler is so yesterday.
>