[mythtv-users] Packet sniffing consumer electronic devices

Stephen P. Villano stephen.p.villano at gmail.com
Mon Nov 25 17:30:24 UTC 2013


On 11/25/13 11:15 AM, Jay Ashworth wrote:
> ----- Original Message -----
>> From: "Gary Buhrmaster" <gary.buhrmaster at gmail.com>
>> On Mon, Nov 25, 2013 at 3:53 PM, Jay Ashworth <jra at baylink.com> wrote:
>> .....
>>> The approach to this is generally to look at "flows"; sessions between the
>>> internal device and whatever it sees fit to talk to. If it starts talking
>>> to things you might not have expected, on ports you didn't expect (tcp/123
>>> for example is NTP, a relatively benign thing for a consumer electronic
>>> device to talk on), then it's time to investigate further.
>> Really? NTP implementations use UDP(*). If I ever saw a port 123
>> TCP connection I would think something interesting is happening
>> here (can you say a channel that is intended to be ignored by a
>> casual observer? Those are the most interesting flows!)
>>
>> Why yes, I *did* spend a *lot* of time examining abnormal flows.
>>
>> Gary
>>
>> (*) Yes, port tcp/123 is reserved for NTP. Given the need for
>> lack of "help" by the OS networking stack in order to achieve
>> accurate time, TCP was never a good option.
> D'oh.
>
> Sorry; the coffee hasn't kicked in.  Yes, udp/123, generally.
>
> Cheers,
> -- jra
>
Needless to say, if you see traffic on ports 20-25 coming from a DVD
player or television, be it TCP or UDP, it most certainly should attract
attention. I can think of no valid reason for such devices to be having
FTP, SSH, telnet or SMTP sessions going on.

Of course, a *really* paranoid type might set up a snort sensor, with
customized filters.
But, I'm just not that paranoid.
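
The flow checks discussed in this thread, as an added example that is not part of the original messages: a small Python filter that flags flows from consumer devices to ports 20-25 (TCP or UDP) and any TCP flow to port 123. The device inventory, the four-field flow record format, the sample records and all function names are assumptions constructed for illustration.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Assumed inventory of consumer devices on the LAN (constructed addresses).
CE_DEVICES = {"192.168.1.50": "television", "192.168.1.51": "dvd-player"}

# Constructed flow records, one per line: "src dst proto dport".
SAMPLE_FLOWS = """\
192.168.1.50 203.0.113.10 udp 123
192.168.1.50 203.0.113.10 tcp 123
192.168.1.51 198.51.100.7 tcp 443
192.168.1.51 198.51.100.9 tcp 25
192.168.1.50 198.51.100.9 udp 22
192.168.1.20 198.51.100.9 tcp 22
"""

def parse_flows(text):
    """Parse flow records, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        src, dst, proto, dport = parts
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows

def check_flow(flow):
    """Return a reason string if the flow deserves a closer look, else None."""
    if flow.src not in CE_DEVICES:
        return None  # only the consumer devices are in scope here
    if 20 <= flow.dport <= 25:
        # The thread's rule: FTP, SSH, telnet or SMTP ports, TCP or UDP alike.
        return "port in 20-25 range from a %s" % CE_DEVICES[flow.src]
    if flow.dport == 123 and flow.proto == "tcp":
        # NTP implementations use UDP, so TCP on 123 is the unusual case.
        return "tcp/123 from a %s; NTP normally uses UDP" % CE_DEVICES[flow.src]
    return None

def suspicious_flows(text):
    """Return (flow, reason) pairs for every flagged flow in the text."""
    return [(f, r) for f in parse_flows(text) for r in [check_flow(f)] if r]

if __name__ == "__main__":
    for flow, reason in suspicious_flows(SAMPLE_FLOWS):
        print("%s -> %s %s/%d: %s" % (flow.src, flow.dst, flow.proto, flow.dport, reason))
```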