[mythtv-users] Packet sniffing consumer electronic devices

Jay Ashworth jra at baylink.com
Mon Nov 25 16:15:24 UTC 2013


----- Original Message -----
> From: "Gary Buhrmaster" <gary.buhrmaster at gmail.com>

> On Mon, Nov 25, 2013 at 3:53 PM, Jay Ashworth <jra at baylink.com> wrote:
> .....
> > The approach to this is generally to look at "flows"; sessions between the
> > internal device and whatever it sees fit to talk to. If it starts talking
> > to things you might not have expected, on ports you didn't expect (tcp/123
> > for example is NTP, a relatively benign thing for a consumer electronic
> > device to talk on), then it's time to investigate further.
> 
> Really? NTP implementations use UDP(*). If I ever saw a port 123
> TCP connection I would think something interesting is happening
> here (can you say a channel that is intended to be ignored by a
> casual observer? Those are the most interesting flows!)
> 
> Why yes, I *did* spend a *lot* of time examining abnormal flows.
> 
> Gary
> 
> (*) Yes, port tcp/123 is reserved for NTP. Given the need for
> lack of "help" by the OS networking stack in order to achieve
> accurate time, TCP was never a good option.

D'oh.

Sorry; the coffee hasn't kicked in.  Yes, udp/123, generally.

Cheers,
-- jra

-- 
Make Election Day a federal holiday: http://wh.gov/lBm94  100k sigs by 12/14

Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274
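
Added example, not part of the original thread: a small flow review along the lines discussed above, flagging flows whose transport does not match the port's usual service (the tcp/123 case) and flows outside a per-device baseline. The flow records, addresses, baseline and the non-NTP table entries are constructed assumptions.

```python
# Constructed sample flow records (not real traffic): src dst proto dport bytes
SAMPLE_FLOWS = """\
192.0.2.50 198.51.100.10 udp 123 96
192.0.2.50 198.51.100.20 tcp 443 18234
192.0.2.50 203.0.113.7 tcp 123 48211
192.0.2.50 203.0.113.9 tcp 8081 1204
192.0.2.51 198.51.100.53 udp 53 310
"""

# Transports normally seen on a service port. UDP-only NTP is from the thread;
# the other entries are assumptions for this illustration.
USUAL_TRANSPORT = {123: {"udp"}, 53: {"udp", "tcp"}, 443: {"tcp"}}

# Hypothetical per-device baseline of (proto, dport) pairs judged normal.
BASELINE = {
    "192.0.2.50": {("udp", 123), ("tcp", 443), ("udp", 53)},
    "192.0.2.51": {("udp", 53), ("tcp", 443)},
}

def parse_flows(text):
    """Yield (src, dst, proto, dport, nbytes) from whitespace-separated lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed records
        src, dst, proto, dport, nbytes = fields
        yield src, dst, proto.lower(), int(dport), int(nbytes)

def review_flows(text, baseline=BASELINE):
    """Return (reason, src, dst, proto/port, bytes) tuples worth a closer look."""
    findings = []
    for src, dst, proto, dport, nbytes in parse_flows(text):
        label = f"{proto}/{dport}"
        usual = USUAL_TRANSPORT.get(dport)
        if usual is not None and proto not in usual:
            # e.g. tcp/123: the port number says NTP, the transport says otherwise
            findings.append(("transport-mismatch", src, dst, label, nbytes))
        elif (proto, dport) not in baseline.get(src, set()):
            # a device with no baseline entry has every flow reported
            findings.append(("not-in-baseline", src, dst, label, nbytes))
    return findings

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(*finding)
```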

