topic PIX packet capture explanation in Network Security

PIX packet capture explanation

hxhsu — Mon, 11 Mar 2019 17:36:09 GMT

Hi Expert,

Could someone help to explan the following packets about udp 45 and udp 47 captured from PIX, thanks.

dtochilovsky — Thu, 22 Apr 2010 15:26:38 GMT

Those look like DNS packets since the port is UDP 53. DNS request probably. What is the server with IP 10.68.68.201?

hxhsu — Fri, 23 Apr 2010 08:28:20 GMT

The 10.68.68.201 is a terminal server, my problem is the ip 61.20.223.89 to query DNS server 10.64.176.106, what does udp 45 mean ?

If I permit port 53 rule only, the DNS query was not work. it's need permit a range udp ports as 1 - 100 for this ip 61.20.223.89.

Jennifer Halim — Fri, 23 Apr 2010 11:09:00 GMT

45 is just the length of the UDP packet. It is still a DNS packet (on UDP/53)

From your example:

5: 13:54:07.974116 61.20.223.89.3835 > 10.64.176.106.53: udp 45

Highlighted in red is the port number (53) - which is DNS.

dtochilovsky — Fri, 23 Apr 2010 14:00:23 GMT

How are you creating rules?

UDP is stateless so you may need to allow both directions (outbound DNS requests and inbound DNS replies) if you are filtering on either direction.

Would help to see the access lists you are having problems with.

Kureli Sankar — Fri, 23 Apr 2010 16:25:04 GMT

5: 13:54:07.974116 61.20.223.89.3835 > 10.64.176.106.53: udp 45

3835 is the udp source port used by the client 61.20.223.89

53 is the dns port that the DNS server 10.64.176.106 listens and responds to.

45 is the udp packet size.

-KS