[mythtv-users] Packet sniffing consumer electronic devices

Gary Buhrmaster gary.buhrmaster at gmail.com
Mon Nov 25 16:11:56 UTC 2013


On Mon, Nov 25, 2013 at 3:53 PM, Jay Ashworth <jra at baylink.com> wrote:
.....
> The approach to this is generally to look at "flows"; sessions between the
> internal device and whatever it sees fit to talk to.  If it starts talking
> to things you might not have expected, on ports you didn't expect (tcp/123
> for example is NTP, a relatively benign thing for a consumer electronic
> device to talk on), then it's time to investigate further.

Really?  NTP implementations use UDP(*).  If I ever saw a port 123
TCP connection I would think something interesting is happening
here (can you say a channel that is intended to be ignored by a
casual observer?  Those are the most interesting flows!)

Why yes, I *did* spend a *lot* of time examining abnormal flows.

Gary

(*) Yes, port tcp/123 is reserved for NTP.  Given the need for
lack of "help" by the OS networking stack in order to achieve
accurate time, TCP was never a good option.
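
The flow check discussed in this thread, as an added example that is not part of either poster's message: it reviews flow records for one device and flags a well-known port seen on a transport it does not normally use (the tcp/123 case), as well as ports outside the expected list. The flow records, addresses, the expected-port table and the name review_flows are all constructed for illustration.

```python
import csv
import io

# Transports each service port is normally seen on (assumed baseline; extend per network).
EXPECTED_TRANSPORT = {
    123: {"udp"},          # NTP: implementations use UDP
    53: {"udp", "tcp"},    # DNS uses both
    80: {"tcp"},           # HTTP
    443: {"tcp", "udp"},   # HTTPS, plus QUIC over UDP
}

# Constructed sample flow records for one device (not real captures).
SAMPLE_FLOWS = """src,dst,proto,dport,bytes
192.168.1.50,192.0.2.10,udp,123,96
192.168.1.50,198.51.100.7,tcp,443,18234
192.168.1.50,203.0.113.99,tcp,123,40960
192.168.1.50,203.0.113.99,tcp,6667,512
192.168.1.50,192.0.2.53,udp,53,240
"""


def review_flows(text, expected=EXPECTED_TRANSPORT):
    """Return (flow, reason) pairs for flows that deserve a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        proto, dport = row["proto"].lower(), int(row["dport"])
        if dport not in expected:
            reason = f"{proto}/{dport} is not in the device's expected port list"
        elif proto not in expected[dport]:
            # Right port number, wrong transport: easy to skim past in a port-only view.
            wanted = "/".join(sorted(expected[dport]))
            reason = f"port {dport} normally carries {wanted}, saw {proto}"
        else:
            continue
        findings.append((row, reason))
    return findings


if __name__ == "__main__":
    for flow, reason in review_flows(SAMPLE_FLOWS):
        print(f"{flow['src']} -> {flow['dst']} {flow['proto']}/{flow['dport']}: {reason}")
```
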

