aMule Forum


Author Topic: funny ip traffic on port 65535 and higher  (Read 5324 times)

Guest

  • Guest
funny ip traffic on port 65535 and higher
« on: December 04, 2004, 06:32:27 AM »

hi,
i run amule /debian-sarge-testing and noticed this:
my machine had lost connection to whatever the server was and no downloading was going on as per the transfer page. no other internet related programs were up at the time.
yet my traffic monitor reported 0.5 to 3.5 KBit/s network load.
an ethereal scan showed that my box was receiving SYN packets and sending RST/ACK packets on the 4662 port which is my amule port. remote partner ports were extremely high numbers such as 63588.
whois gave a most unlikely list of sources (they start!!), amongst them swiss banks and the german internet police.

i got scared and pulled the plug....

a while later i received hints that i might have been wormed (adore...), however a virus scan revealed no such infection, and the reported symptoms are not there.

this same behavior also occurs when amule was active but is currently down. it is however apparently sporadic (i don't sit and watch my ip traffic all night...). it definitely does not occur when amule has never been started since reboot.

i believe these symptoms indicate some misdemeanor on amule's part.

i do not know what this is, but the behavior profiles too close to rootkit infection for me to be comfortable.
Logged

GonoszTopi

  • The current man in charge of most things.
  • Administrator
  • Hero Member
  • *****
  • Karma: 169
  • Offline Offline
  • Posts: 2685
Re: funny ip traffic on port 65535 and higher
« Reply #1 on: December 04, 2004, 12:08:21 PM »

Traffic when not online:

This is a special drawback of almost all P2P networks. As you start aMule, it connects to a server, and then aMule sends its IP and file list to the server. Then the server can give your IP to clients as a reply for searches. Clients connect to you, and they might even save your IP+port as a source for a file. When you close aMule, they will not know about it (as the queue is connectionless), and keep sending file requests until they mark your IP as a dead source and remove it from their list. These tries cause falling traffic from ed2k clients just after you closed your aMule.

This traffic lowers over time, say it's reduced to half after an hour, to 1/4 after two hours, and so on, until it gets to almost nothing.

You will find it the same with every P2P network, that doesn't need constant connections to everyone who knows about you - ed2k, gnutella, G2, FreeNet, just to mention some.
Logged
concordia cum veritate

Guest

  • Guest
thanks but...
« Reply #2 on: December 06, 2004, 06:48:42 AM »

ok i understand that bit about my ip being passed around and tried by those other guys. fair enough.
however i don't quite follow this port number thing yet: AFAIK 65588 is not even a legal port number at all. how does that get into the traffic? isn't everybody using the 4662 or whatever it is?

still feeling shaky around the knees
mats
Logged

Jacobo221

  • Hero Member
  • *****
  • Karma: 3
  • Offline Offline
  • Posts: 2712
Re: funny ip traffic on port 65535 and higher
« Reply #3 on: December 06, 2004, 07:56:12 AM »

no one should use that port. not even the kernel should allow it. if some app is reporting to you that that port is being used, I guess it is broken.
anyway, it's not aMule using it, for sure ;P
Logged

lfroen

  • Guest
Re: funny ip traffic on port 65535 and higher
« Reply #4 on: December 06, 2004, 10:22:08 AM »

Quote

 funny ip traffic on port 65535 and higher
...
high numbers such as 63588.


AFAIK 63588 < 65535. Max 16 bit is 0xffff == 65535. So what is so special about 63588 ?! And of course it can't be higher - those in doubt go to learn about "binary numbers - what is it and how to convert it to decimal"


Quote
amongst them swiss banks and the german internet police

Are you sure you're not dreaming ?!

Quote
noone should use that port. not even the kernel should allow it. if so

What is so special about 63588 ?!
Logged

Jacobo221

  • Hero Member
  • *****
  • Karma: 3
  • Offline Offline
  • Posts: 2712
Re: funny ip traffic on port 65535 and higher
« Reply #5 on: December 06, 2004, 10:44:55 AM »

lfroen: "AFAIK 65588" <- he meant 65588
Logged

lfroen

  • Guest
Re: funny ip traffic on port 65535 and higher
« Reply #6 on: December 06, 2004, 11:50:01 AM »

Quote
lfroen: "AFAIK 65588" <- he meant 65588

Should I repeat an explanation about "16 bit numbers physically can't be greater than 65535" ?

If someone sees different possibilities include, but not limited to:
1. Optical illusion
2. Alcohol / drugs in effect
3. Using videogame instead of network analyzer

 ;) sorry for sarcasm, but this is really a strange topic
Logged

Jacobo221

  • Hero Member
  • *****
  • Karma: 3
  • Offline Offline
  • Posts: 2712
Re: funny ip traffic on port 65535 and higher
« Reply #7 on: December 06, 2004, 07:19:37 PM »

ye, so that's exactly what I told him ;)
Logged

skolnick

  • Global Moderator
  • Hero Member
  • *****
  • Karma: 24
  • Offline Offline
  • Posts: 1188
  • CentOS 6 User
Re: funny ip traffic on port 65535 and higher
« Reply #8 on: December 06, 2004, 10:54:05 PM »

There is no way a port can be bigger than a 16-bit number (65535 is the biggest) so the application reporting such a port number should have a serious bug in it. Even worse if the app is a network analyzer.

The other possibility is...I'm not sure about how IPv6 works...maybe that's where our 17-bit port came from?

Regards.
Logged

ken

  • Hero Member
  • *****
  • Karma: 4
  • Offline Offline
  • Posts: 825
RE: funny ip traffic on port 65535 and higher
« Reply #9 on: December 06, 2004, 10:57:59 PM »

Quote
Originally posted by mats
an ethereal scan showed that my box was receiving SYN packets and sending RST/ACK packets on the 4662 port which is my amule port. remote partner ports where extremely high numbers such as 63588.
SYN is a remote machine trying to open a connection to yours.  RST/ACK is your machine refusing the connection because aMule is not running.

You shouldn't care about what port the remote machine is using.  When a program tries to open a connection, it specifies the IP address of the other machine and the port to connect to (in this case, aMule's TCP port), but typically lets the OS pick "at random" which port on the local machine to connect from.  So, 63588 is a perfectly normal port for the remote machine to use for its outgoing connection attempt.
Logged
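The two explanations above (GonoszTopi's, that ed2k clients keep a stale IP+port as a source after aMule is closed, and ken's, that an inbound SYN answered by RST/ACK is just the kernel refusing a connection to a port nobody is listening on, with the remote side on an ephemeral source port) can be checked directly against a capture. The following is an added example, not code from the thread or from the aMule project: it parses a constructed tcpdump/Ethereal-style summary of the traffic the original poster described, rejects any "port" outside the 16-bit range (the 65588 confusion), and separates refused inbound attempts to the aMule port from anything the local host itself initiated, which is the part a defender actually wants to see. The local address 192.168.1.10, the remote addresses (RFC 5737 documentation ranges) and the timestamps are all made up for the sample.

```python
import re
from collections import Counter

# Constructed sample capture in a tcpdump/Ethereal-like one-line-per-packet summary.
# Lines 1-6: remote ed2k clients still holding our IP:4662 as a source send SYNs
# while aMule is closed; the kernel answers each with RST/ACK (connection refused).
# Lines 7-8: an unrelated outbound connection from the local host, for contrast.
SAMPLE_CAPTURE = """\
06:31:02.100 203.0.113.7:63588 > 192.168.1.10:4662 [SYN]
06:31:02.101 192.168.1.10:4662 > 203.0.113.7:63588 [RST,ACK]
06:31:09.415 198.51.100.23:52201 > 192.168.1.10:4662 [SYN]
06:31:09.416 192.168.1.10:4662 > 198.51.100.23:52201 [RST,ACK]
06:31:40.007 203.0.113.7:63590 > 192.168.1.10:4662 [SYN]
06:31:40.008 192.168.1.10:4662 > 203.0.113.7:63590 [RST,ACK]
06:32:15.300 192.168.1.10:33044 > 198.51.100.99:80 [SYN]
06:32:15.330 198.51.100.99:80 > 192.168.1.10:33044 [SYN,ACK]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+\[(?P<flags>[A-Z,]+)\]$"
)


def check_port(value):
    """TCP and UDP ports are 16-bit fields: anything outside 0..65535 is not a port."""
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"{port} is not a valid 16-bit port number")
    return port


def parse_line(line):
    """Parse one summary line into a dict; raises ValueError on junk or impossible ports."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return {
        "ts": m["ts"],
        "src": m["src"], "sport": check_port(m["sport"]),
        "dst": m["dst"], "dport": check_port(m["dport"]),
        "flags": set(m["flags"].split(",")),
    }


def classify(capture, local_ip, service_port):
    """Separate refused inbound attempts to service_port from outbound SYNs.

    refused:    remote host -> number of SYNs to service_port that we answered RST/ACK
                (stale P2P sources trying a closed port: expected, harmless)
    outbound:   (dst, dport) connections the local host itself tried to open
                (worth explaining when the P2P client is supposedly down)
    unanswered: inbound SYNs to service_port with no RST/ACK seen in the capture
    """
    records = [parse_line(l) for l in capture.splitlines() if l.strip()]
    refused = Counter()
    outbound = []
    pending = {}  # (remote_ip, remote_port) -> timestamp of the inbound SYN
    for r in records:
        inbound_syn = (r["dst"] == local_ip and r["dport"] == service_port
                       and r["flags"] == {"SYN"})
        our_refusal = (r["src"] == local_ip and r["sport"] == service_port
                       and r["flags"] == {"RST", "ACK"})
        if inbound_syn:
            pending[(r["src"], r["sport"])] = r["ts"]
        elif our_refusal and pending.pop((r["dst"], r["dport"]), None) is not None:
            refused[r["dst"]] += 1
        elif r["src"] == local_ip and r["flags"] == {"SYN"}:
            outbound.append((r["dst"], r["dport"]))
    return {"refused": dict(refused), "outbound": outbound, "unanswered": list(pending)}


def remote_source_ports(capture, local_ip, service_port):
    """Source ports the remote clients used; these are OS-chosen ephemeral ports,
    so high values like 63588 are the norm, not a sign of anything odd."""
    return sorted({r["sport"] for r in (parse_line(l) for l in capture.splitlines() if l.strip())
                   if r["dst"] == local_ip and r["dport"] == service_port})


if __name__ == "__main__":
    summary = classify(SAMPLE_CAPTURE, "192.168.1.10", 4662)
    print("refused SYNs per remote host:", summary["refused"])
    print("outbound SYNs from local host:", summary["outbound"])
    print("remote ephemeral source ports:", remote_source_ports(SAMPLE_CAPTURE, "192.168.1.10", 4662))
```

Run against a real summary (the line format is an assumption; adapt LINE_RE to whatever your analyzer prints), the `refused` counter is the decaying background traffic GonoszTopi describes, and it should shrink hour by hour as remote clients drop the dead source. The `outbound` list is the one to scrutinize: a host that is supposedly idle should not be opening connections on its own, and that, not inbound SYNs from strangers, is what would point at something unwanted running locally.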

Jacobo221

  • Hero Member
  • *****
  • Karma: 3
  • Offline Offline
  • Posts: 2712
Re: funny ip traffic on port 65535 and higher
« Reply #10 on: December 06, 2004, 11:22:00 PM »

ken "So, 63588 is a perfectly normal port" <- he meant port 65588 ;)
Logged

lfroen

  • Guest
Re: funny ip traffic on port 65535 and higher
« Reply #11 on: December 07, 2004, 05:45:40 AM »

skolnik: the term "port" has nothing to do with underlying network layer. It doesn't matter if this is ipv4, ipv6, ipx or whatever. Read about OSI network model if unsure
Logged

Guest

  • Guest
confession
« Reply #12 on: December 10, 2004, 07:31:57 AM »

my apologies for the upset i caused you good people.

no i was not dreaming: i whois'd the partner ip addrs and received the info quoted in the original post
yes i do occasionally drink alcohol
no i do not play video games
yes i know about binary numbers
yes i did use ethereal
yes sarcasm is perfectly ok with me, i frequently deserve it and, as replies go, i like it better than, say,  a fist in my teeth
yes i do frequently create typos in places where they matter
no i cannot go back and check what the port number was because i deleted that scan file

to conclude: i probably mistyped the port number and there is no further problem.
thanks for your help.
Logged

Jacobo221

  • Hero Member
  • *****
  • Karma: 3
  • Offline Offline
  • Posts: 2712
Re: funny ip traffic on port 65535 and higher
« Reply #13 on: December 10, 2004, 07:41:06 AM »

heh, short, efficient, summed-up, direct-to-the-point, funny, serious post.
you can go for journalism :=)

ok, problem solved (or not). lfroen can have a break then :P
Logged

skolnick

  • Global Moderator
  • Hero Member
  • *****
  • Karma: 24
  • Offline Offline
  • Posts: 1188
  • CentOS 6 User
Re: funny ip traffic on port 65535 and higher
« Reply #14 on: December 10, 2004, 07:36:52 PM »

Quote
Originally posted by lfroen
skolnik: the term "port" has nothing to do with underlying network layer. It doesn't matter if this is ipv4, ipv6, ipx or whatever. Read about OSI network model if unsure

You are totally right, I was just soooo sleepy when I wrote that. As my networking teacher said in the classroom: "There are _no_ IP ports!"

hahaha, sorry for the stupid post.

Regards.
Logged