ASP-DROP Packet Capture

Mike Keenan
Level 1

I ran the following asp-drop packet capture on my ASA 5520 Firewall:

capture asp type asp-drop acl-drop headers-only circular-buffer

I then performed the following show command. I replaced the real IP addresses with different ones so as not to reveal my internal IP addressing scheme:

show capture asp | i 172.18.2

I then got the following returns. I replaced the real IP addresses with different ones so as not to reveal my internal IP addressing scheme:

4: 21:40:47.504459 172.18.5.5.52152 > 172.18.2.65.161:  udp 79 
9: 21:40:58.174459 172.18.5.5.52152 > 172.18.2.65.161:  udp 79 
14: 21:41:08.314879 172.18.5.17.52152 > 172.18.2.65.161:  udp 79 

Why does the destination IP address that ends with .161 (assuming that it is a destination port) also show :udp 79 (also assuming that it is a destination port)?

What is the port that it is communicating to? Is it 161 or udp 79?

Accepted Solutions

Hi,

The destination IP is 172.18.2.65 and the destination port is 161; the udp 79 is the UDP payload length. Please check out this link.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/s2.html#wp1391007

Regards,

Aref
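
Added example, not part of the original thread: a small Python parser for the UDP lines shown in the question. It splits the trailing port off each address and reads the number after `udp` as the length, as the answer describes. The function names are my own, and it handles only this UDP line shape.

```python
import re
from collections import Counter

# Lines copied from the question above (addresses already anonymised by the poster).
SAMPLE = """\
4: 21:40:47.504459 172.18.5.5.52152 > 172.18.2.65.161:  udp 79
9: 21:40:58.174459 172.18.5.5.52152 > 172.18.2.65.161:  udp 79
14: 21:41:08.314879 172.18.5.17.52152 > 172.18.2.65.161:  udp 79
"""

# Layout: seq: time src_ip.src_port > dst_ip.dst_port:  udp length
# The last dotted field of each address is the port, not a fifth octet.
LINE_RE = re.compile(
    r"^\s*(?P<seq>\d+):\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"udp\s+(?P<length>\d+)\s*$"
)


def parse_line(line):
    """Return a dict for one UDP capture line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("seq", "sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec


def summarize(text):
    """Count dropped packets per (source IP, destination IP, destination port)."""
    flows = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            flows[(rec["src"], rec["dst"], rec["dport"])] += 1
    return flows


if __name__ == "__main__":
    for (src, dst, dport), n in summarize(SAMPLE).items():
        print(f"{src} -> {dst} udp/{dport}: {n} dropped")
```

Grouping by destination port shows at a glance that every dropped packet here was aimed at UDP 161, from two different sources.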
