[mythtv-users] Packet sniffing consumer electronic devices
Gary Buhrmaster
gary.buhrmaster at gmail.com
Mon Nov 25 16:11:56 UTC 2013
On Mon, Nov 25, 2013 at 3:53 PM, Jay Ashworth <jra at baylink.com> wrote:
.....
> The approach to this is generally to look at "flows"; sessions between the
> internal device and whatever it sees fit to talk to. If it starts talking
> to things you might not have expected, on ports you didn't expect (tcp/123
> for example is NTP, a relatively benign thing for a consumer electronic
> device to talk on), then it's time to investigate further.
Really? NTP implementations use UDP(*). If I ever saw a port 123
TCP connection I would think something interesting is happening
here (can you say a channel that is intended to be ignored by a
casual observer? Those are the most interesting flows!)

Why yes, I *did* spend a *lot* of time examining abnormal flows.

Gary

(*) Yes, port tcp/123 is reserved for NTP. Given the need for
lack of "help" by the OS networking stack in order to achieve
accurate time, TCP was never a good option.
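The flow review discussed in this thread, as an added example that is not part of the original messages: it checks each flow from one device against a baseline of expected ports and transports, and ranks a known port on the wrong transport (such as tcp/123) ahead of merely unknown ports. The baseline table, the record format and the sample flows are assumptions constructed for illustration.

```python
import csv
import io

# Baseline of destination ports this device is expected to use, with the
# transport each service normally runs over (assumed; tune per device).
BASELINE = {
    53: {"udp", "tcp"},  # DNS
    80: {"tcp"},         # HTTP
    123: {"udp"},        # NTP implementations use UDP
    443: {"tcp"},        # HTTPS
}

# Constructed flow records for one consumer device (not real traffic).
SAMPLE_FLOWS = """src,dst,proto,dport,bytes
192.168.1.50,198.51.100.7,udp,123,96
192.168.1.50,198.51.100.20,tcp,443,18234
192.168.1.50,203.0.113.9,tcp,123,40960
192.168.1.50,203.0.113.44,tcp,8081,512
192.168.1.50,192.168.1.1,udp,53,140
"""

def classify(proto, dport):
    """Return 'expected', 'transport-mismatch' or 'unexpected-port'."""
    allowed = BASELINE.get(dport)
    if allowed is None:
        return "unexpected-port"
    if proto.lower() not in allowed:
        # Known port number, wrong transport: e.g. tcp/123 posing as NTP.
        return "transport-mismatch"
    return "expected"

def review_flows(text, device):
    """Return (verdict, proto/port, dst, bytes) for flows needing a look."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["src"] != device:
            continue
        verdict = classify(row["proto"], int(row["dport"]))
        if verdict != "expected":
            findings.append((verdict, f'{row["proto"]}/{row["dport"]}',
                             row["dst"], int(row["bytes"])))
    # Transport mismatches first: they are the ones built to look benign.
    findings.sort(key=lambda f: (f[0] != "transport-mismatch", -f[3]))
    return findings

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS, "192.168.1.50"):
        print(*finding)
```
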