topic Packet Capture - explaination? in Network Security

Packet Capture - explaination?

Anthony.Herman — Tue, 12 Mar 2019 03:26:08 GMT

1: 07:48:59.867249 0026.51d7.65c1 0025.4538.6b73 0x0800 95: 10.235.5.31.38001 > 64.x.x.x.1194: [udp sum ok] udp 53 (DF) (ttl 62, id 0)

I'm troubleshooting an issue with a device that once installed is per their support supposed to create a tunnel over port 1194 to their cloud. I see traffic passing to and from this device to their address space including this port but it is all udp 53? Can someone explain this?

Needless to say at this point the tunnel is not forming.

Packet Capture - explaination?

Collin Clark — Tue, 07 Jan 2014 18:43:45 GMT

UDP53 is DNS lookups. Perhaps the vendors device is trying to perform name resolution to the cloud hostname.

Packet Capture - explaination?

Jouni Forss — Tue, 07 Jan 2014 20:24:16 GMT

Hi,

Isnt the source/destination port mentioned right after the IP address?

10.235.5.31.38001 > 64.x.x.x.1194

I guess that would mean that the 53 is the packet size?

Where is this output from? I am too used to looking captures through Wireshark even though I take captures on the ASA itself most of the time.

Can't say I know what the problem might be but if we are talking about UDP then naturally there is no actual connection forming/sync. Is there traffic both ways or is the UDP traffic one way?

- Jouni

Packet Capture - explaination?

Collin Clark — Tue, 07 Jan 2014 20:32:33 GMT

I believe you are correct about the ports Jouni. I too have been spoiled by Wireshark.

Anthony- Can you do a packet tracer so we can see if/where it could be blocked on the ASA?

Re: Packet Capture - explaination?

Anthony.Herman — Tue, 07 Jan 2014 21:26:49 GMT

Thanks for the replies guys. You are correct those are packet sizes and those are the ports. It turns out the device firmware was the cause of the issue.

That capture was from a packet capture on 8.2 ASA. I didn't understand what the '53' was showing me until Jouni mentioned it.

I appreciate the feedback.