Mystery Internet traffic to port 445

1

1

Recently, I noticed traffic from the office network to TCP port 445 on the Internet [a]. Below are the Linux firewall log entries to Facebook's network [b] and Google's network [c]. I would like to identify the source of this traffic. My first guess is that Facebook and Google might be using multiple TCP ports for SSL load balancing. However, I could not confirm this based on the web proxy logs. What else might it be?

[a] http://support.microsoft.com/kb/204279

[b]
Sep 4 08:30:03 firewall01 kernel: IN=eth0 OUT=eth2 SRC=10.0.0.131 DST=69.171.237.34 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=14287 DF PROTO=TCP SPT=51711 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0

[c]
Aug 28 06:02:41 firewall01 kernel: IN=eth0 OUT=eth2 SRC=10.0.0.115 DST=173.194.33.47 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4558 DF PROTO=TCP SPT=49294 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0

Ben Collver

Posted 2012-09-04T17:38:36.663

Reputation: 11

Answers

2

It's a very wild guess, but maybe some program is mistakenly trying to access \\www.google.com\path instead of http://www.google.com/path?

  1. Some websites use scheme-relative URIs such as //host/path instead of http://host/path. (This is an easy way to make the same link work over both HTTP and HTTPS.)

  2. Some programs might incorrectly interpret such a relative URI (//host/path) as a UNC address (\\host\path).

  3. When a program opens a UNC path, Windows tries to access it using SMB (both direct and over NetBIOS) and HTTP/WebDAV.

user1686

Posted 2012-09-04T17:38:36.663

Reputation: 283 655

Some program or some user, though most I've seen replace the backslash (\\) with a forward slash (/), not the other way around. – afrazier – 2012-09-04T20:25:10.227

@afrazier: I have seen a few users typing http:\\www.example.com\path\path\path... – user1686 – 2012-09-04T21:16:40.393

I have seen poorly coded Flash and HTML documents that refer to UNC paths, but have never yet caught them on Facebook or Google. Every browser I tested accepts http:\\example.com\path and //example.com/path. When I try \\example.com\path in Internet Explorer, Windows attempts to connect to TCP port 445. However, it generates more log entries than the "mystery traffic" observed earlier. – Ben Collver – 2012-09-04T21:50:52.183
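
One way to narrow down which workstations produce this traffic is to pull outbound SYNs to TCP port 445 out of the firewall log and group them by internal source address. This is an added example, not part of the original question or answers; the third log line and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input: the first two lines are the firewall entries quoted in the question;
# the third is constructed (internal SMB traffic that must not be flagged).
SAMPLE_LOG = """\
Sep 4 08:30:03 firewall01 kernel: IN=eth0 OUT=eth2 SRC=10.0.0.131 DST=69.171.237.34 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=14287 DF PROTO=TCP SPT=51711 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 28 06:02:41 firewall01 kernel: IN=eth0 OUT=eth2 SRC=10.0.0.115 DST=173.194.33.47 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4558 DF PROTO=TCP SPT=49294 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 4 08:31:10 firewall01 kernel: IN=eth0 OUT=eth1 SRC=10.0.0.131 DST=10.0.1.20 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=14301 DF PROTO=TCP SPT=51712 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
"""

KV = re.compile(r"(\w+)=(\S*)")


def parse_entry(line):
    """Split one netfilter LOG line into key=value fields plus bare flags (DF, SYN, ...)."""
    _, _, body = line.partition("kernel: ")
    fields = dict(KV.findall(body))
    flags = {tok for tok in body.split() if "=" not in tok}
    return fields, flags


def external_smb_attempts(log_text, port="445"):
    """Map internal source IP -> sorted external destinations it sent a SYN to on `port`."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields, flags = parse_entry(line)
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != port:
            continue
        # Only connection attempts: SYN set, ACK not set.
        if "SYN" not in flags or "ACK" in flags:
            continue
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
        except (KeyError, ValueError):
            continue  # malformed or truncated entry
        # Internal host reaching a public address over the SMB port.
        if src.is_private and not dst.is_private:
            hits[str(src)].add(str(dst))
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in external_smb_attempts(SAMPLE_LOG).items():
        print(f"{src} -> {', '.join(dsts)} (outbound SYN to port 445)")
```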