Well, win=xxxx is easy to explain. That's simply the TCP windowing used for 
flow control. In a TCP session, each side advertises in every packet the 
current size of its receive window. So that's all normal.

I can't explain the encapsulation failure though. Could it be due to an 
access list? You may have an access list that is restricting incoming TCP 
requests to port 21 (FTP). That would be a good thing, especially if you 
are concerned about this really being a hacker.

I noticed that you don't have any timestamps on your debug messages, just 
day stamps, i.e. 5 weeks 1 day since reboot. That makes it hard to tell if 
this really is a port scan and a problem. Are the packets coming in every 
millisecond or every hour? To add better timestamps, you can use the 
command "service timestamps debug datetime msec".

One more comment, get a Sniffer or protocol analyzer! &;-) It would tell 
you a lot more info, such as what win=xxxx means. It's not really a good 
idea to turn your router into a Sniffer, as I'm sure you know.

Please keep us posted on what else you learn about this. It's an 
interesting question.

Priscilla

At 09:30 PM 10/5/00, Marc Quibell wrote:
>I was debugging with a friend at a client site to check out some unrelated
>traffic, and I noticed these strange traffic patterns coming up:
>
>5w1d: IP: s=207.x.x.x (local), d=255.255.255.255 (Serial0/1), len 512, sending broad/multicast
>5w1d:     UDP src=520, dst=520
>5w1d: IP: s=62.155.241.76 (Serial0/0), d=205.x.x.1 (FastEthernet0/0), g=205.221.15.7, len 48, forward
>5w1d:     TCP src=1247, dst=21, seq=2401504737, ack=0, win=8760 SYN
>5w1d: IP: s=62.155.241.76 (Serial0/0), d=205.x.x.2 (FastEthernet0/0), len 48, encapsulation failed
>5w1d:     TCP src=1247, dst=21, seq=2401504737, ack=0, win=8760 SYN
>5w1d: IP: s=62.155.241.76 (Serial0/0), d=205.x.x.3 (FastEthernet0/0), g=205.221.15.8, len 48, forward
>5w1d:     TCP src=1248, dst=21, seq=2401547696, ack=0, win=8760 SYN
>5w1d: IP: s=62.155.241.76 (Serial0/0), d=205.x.x.4 (FastEthernet0/0), len 48, encapsulation failed
>5w1d:     TCP src=1248, dst=21, seq=2401547696, ack=0, win=8760 SYN
>5w1d: IP: s=62.155.241.76 (Serial0/0), d=205.x.x.5 (FastEthernet0/0), g=205.221.15.9, len 48, forward
>5w1d:     TCP src=1249, dst=21, seq=2401594277, ack=0, win=8760 SYN
>5w1d: IP: s=62.155.241.76 (Serial0/0), d=205.x.x.6 (FastEthernet0/0), len 48, encapsulation failed
>5w1d:     TCP src=1249, dst=21, seq=2401594277, ack=0, win=8760 SYN
>5w1d: IP: s=62.155.241.76 (Serial0/0), d=205.x.x.7 (FastEthernet0/0), g=205.221.15.13, len 48, forward
>5w1d:     TCP src=1253, dst=21, seq=2401782294, ack=0, win=8760 SYN
>5w1d: IP: s=62.155.241.76 (Serial0/0), d=205.x.x.8 (FastEthernet0/0), len 48, encapsulation failed
>5w1d:     TCP src=1253, dst=21, seq=2401782294, ack=0, win=8760 SYN
>
>Now, what I think I'm seeing here is a TCP syn session request destined for
>port 21 (ftp), from a workstation on the internet (incoming on s0/0). It
>appears that this is a sort of port scan and someone's trying to crack their
>way in? The first entry is a local (normal) entry, then comes in the
>intruder at 62.155.241.76, from the internet, trying to establish an FTP
>session. The destination IPs it's trying to attach to are actually router
>ASYNC peer subinterfaces.
>
>What exactly is the win=8760? I looked where I could on this port and it's
>listed as a proxy port number. And what's with the 'encapsulation failed'
>errors? Can anyone shed any more light on this? Thanks..
>
>Marc
>
>
>**NOTE: New CCNA/CCDA List has been formed. For more information go to
>http://www.groupstudy.com/list/Associates.html
>_________________________________
>UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
>FAQ, list archives, and subscription info: http://www.groupstudy.com
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


________________________

Priscilla Oppenheimer
http://www.priscilla.com
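As an added defender-side example (not code from this thread or from either poster), here is a small Python parser for the `debug ip packet` output Marc quoted: it pairs each IP line with the TCP/UDP line that follows it, then reports any source that sent bare SYNs to several hosts on one port, together with how the router disposed of each packet (forward or encapsulation failed). The sample input is the thread's own log with the mail wrapping undone; because the router lacks `service timestamps debug datetime msec`, as Priscilla notes, the prefix carries no time of day, so the script counts distinct targets rather than rate.

```python
import re
from collections import defaultdict
# Constructed sample: the `debug ip packet` lines quoted in the thread (addresses
# masked as in the post), with the mailer's line wrapping undone.
SAMPLE_DEBUG = """\
5w1d: IP: s=207.x.x.x (local), d=255.255.255.255 (Serial0/1), len 512, sending broad/multicast
5w1d:     UDP src=520, dst=520
5w1d: IP: s=62.155.241.76 (Serial0/0), d=205.x.x.1 (FastEthernet0/0), g=205.221.15.7, len 48, forward
5w1d:     TCP src=1247, dst=21, seq=2401504737, ack=0, win=8760 SYN
5w1d: IP: s=62.155.241.76 (Serial0/0), d=205.x.x.2 (FastEthernet0/0), len 48, encapsulation failed
5w1d:     TCP src=1247, dst=21, seq=2401504737, ack=0, win=8760 SYN
5w1d: IP: s=62.155.241.76 (Serial0/0), d=205.x.x.3 (FastEthernet0/0), g=205.221.15.8, len 48, forward
5w1d:     TCP src=1248, dst=21, seq=2401547696, ack=0, win=8760 SYN
5w1d: IP: s=62.155.241.76 (Serial0/0), d=205.x.x.4 (FastEthernet0/0), len 48, encapsulation failed
5w1d:     TCP src=1248, dst=21, seq=2401547696, ack=0, win=8760 SYN
"""
# Line 1 of each pair: IP header summary plus the router's disposition of the packet.
IP_RE = re.compile(r"IP: s=(?P<src>[\w.]+) \((?P<src_if>[^)]+)\), d=(?P<dst>[\w.]+) ?\((?P<dst_if>[^)]+)\).*?, (?P<action>forward|encapsulation failed|sending broad/multicast)$")
# Line 2 of each pair: transport header; for TCP the flags follow win=.
L4_RE = re.compile(r"(?P<proto>TCP|UDP) src=(?P<sport>\d+), dst=(?P<dport>\d+)(?P<rest>.*)$")

def parse_debug(text):
    """Pair each IP line with the transport line that follows it."""
    records, pending = [], None
    for line in text.splitlines():
        m = IP_RE.search(line.rstrip())
        if m:
            pending = m.groupdict()
            continue
        m = L4_RE.search(line)
        if m and pending:
            rec = dict(pending, **m.groupdict())
            rest = rec.pop("rest")
            # A connection probe is a bare SYN: TCP, ack=0, and SYN the only flag printed.
            rec["syn_only"] = rec["proto"] == "TCP" and "ack=0" in rest and rest.split()[-1] == "SYN"
            records.append(rec)
            pending = None
    return records

def find_syn_sweeps(records, min_targets=3):
    """Sources that sent bare SYNs to >= min_targets hosts on one port, with disposition counts."""
    hits = defaultdict(lambda: {"targets": set()})
    for r in records:
        if r["syn_only"]:
            h = hits[(r["src"], int(r["dport"]))]
            h["targets"].add(r["dst"])
            h[r["action"]] = h.get(r["action"], 0) + 1
    return {k: dict(v, targets=sorted(v["targets"]))
            for k, v in hits.items() if len(v["targets"]) >= min_targets}
```

On the sample, the only hit is 62.155.241.76 probing port 21 on four hosts, two forwarded and two with encapsulation failed; the UDP 520 broadcast is parsed but never counted.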
