[email protected] wrote on 10/26/2011 07:56:14 PM:

> srcIP    dstIP          prot  srcPort  dstPort  octets  packets
> I.I.P.P  192.168.2.196  6     3389     3799     55      1
> I.I.P.P  192.168.2.196  6     3389     4465     40      1
> I.I.P.P  192.168.2.196  6     3389     1940     74      1
> I.I.P.P  192.168.2.196  6     3389     2611     51      1
> I.I.P.P  192.168.2.196  6     3389     2356     141     1
> I.I.P.P  192.168.2.196  6     3389     2111     92      1
> I.I.P.P  192.168.2.196  6     3389     1151     339     1
> I.I.P.P  192.168.2.196  6     3389     2609     55      1
> I.I.P.P  192.168.2.196  6     3389     1386     1500    1
> I.I.P.P  192.168.2.196  6     3389     3133     1480    1
> I.I.P.P  192.168.2.196  6     3389     2684     3000    2
>
> "I.I.P.P" is a random public IP address. 192.168.2.196 is a Windows
> Server 2003. As you can see, almost every connection is to an ephemeral
> port on 192.168.2.196 using the source port 3389. In addition,
> download traffic for the customer is 5x higher than upload traffic.
Doesn't it appear that the 192.168.2.196 host is a WTS client in this case? That it has established remote desktop connections as a client out to public servers?
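As an added example (not part of the thread and not flow-tools code), here is the reasoning behind that reading carried through in Python over the quoted records. Unidirectional flow records like the ones above carry no TCP flags, so the only direction evidence is which end holds a well-known service port and which holds an ephemeral port: a record with srcPort 3389 and a high dstPort is server-to-client traffic, which makes the destination host the client. The sample input is the eleven flows from the message, embedded as a constructed string with the public address left as the "I.I.P.P" placeholder; the service-port table beyond 3389 and the 1024 ephemeral boundary are assumptions added so the helper generalizes past this one case.

```python
"""Infer client/server roles from unidirectional NetFlow records.

Added example: the records carry no TCP flags, so direction is inferred
from which side uses a well-known service port and which an ephemeral one.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the eleven flows quoted in the thread.
SAMPLE_FLOWS = """\
srcIP dstIP prot srcPort dstPort octets packets
I.I.P.P 192.168.2.196 6 3389 3799 55 1
I.I.P.P 192.168.2.196 6 3389 4465 40 1
I.I.P.P 192.168.2.196 6 3389 1940 74 1
I.I.P.P 192.168.2.196 6 3389 2611 51 1
I.I.P.P 192.168.2.196 6 3389 2356 141 1
I.I.P.P 192.168.2.196 6 3389 2111 92 1
I.I.P.P 192.168.2.196 6 3389 1151 339 1
I.I.P.P 192.168.2.196 6 3389 2609 55 1
I.I.P.P 192.168.2.196 6 3389 1386 1500 1
I.I.P.P 192.168.2.196 6 3389 3133 1480 1
I.I.P.P 192.168.2.196 6 3389 2684 3000 2
"""

# 3389 is RDP (Windows Terminal Services). The other entries are an
# assumption added so the heuristic generalizes beyond the thread's case.
SERVICE_PORTS = {22: "ssh", 80: "http", 443: "https", 3389: "rdp"}
EPHEMERAL_MIN = 1024  # Windows Server 2003 hands out 1025-5000 by default


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    octets: int
    packets: int


def parse_flows(text):
    """Parse whitespace-separated flow-print style output into Flow objects."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0] == "srcIP":
            continue  # header or blank line
        src, dst, proto, sport, dport, octets, pkts = fields
        flows.append(Flow(src, dst, int(proto), int(sport), int(dport),
                          int(octets), int(pkts)))
    return flows


def classify(flow):
    """Return (client_ip, server_ip, service, direction) or None.

    direction is "c2s" when the record carries client-to-server bytes and
    "s2c" when it carries server-to-client bytes. Only TCP records with
    exactly one service port and one ephemeral port are classified.
    """
    if flow.proto != 6:
        return None
    src_is_svc = flow.src_port in SERVICE_PORTS and flow.dst_port >= EPHEMERAL_MIN
    dst_is_svc = flow.dst_port in SERVICE_PORTS and flow.src_port >= EPHEMERAL_MIN
    if src_is_svc == dst_is_svc:
        return None  # both or neither side looks like a service: ambiguous
    if dst_is_svc:
        return flow.src_ip, flow.dst_ip, SERVICE_PORTS[flow.dst_port], "c2s"
    return flow.dst_ip, flow.src_ip, SERVICE_PORTS[flow.src_port], "s2c"


def role_summary(flows, host):
    """Count how often `host` is client vs. server per service, and total
    the octets seen in each direction for those flows."""
    roles, octets = Counter(), Counter()
    for f in flows:
        c = classify(f)
        if c is None:
            continue
        client, server, svc, direction = c
        if host == client:
            roles[("client", svc)] += 1
        elif host == server:
            roles[("server", svc)] += 1
        else:
            continue
        octets[direction] += f.octets
    return {"roles": dict(roles), "octets": dict(octets)}


if __name__ == "__main__":
    print(role_summary(parse_flows(SAMPLE_FLOWS), "192.168.2.196"))
```

For the quoted records this reports 192.168.2.196 as the RDP client in all eleven flows, with every byte counted in the server-to-client direction, which is the direction an RDP server's screen updates travel and fits the lopsided download figure in the message. It is still a port heuristic on one-way records: before concluding anything, look for the matching reverse flows (192.168.2.196 with a high srcPort to dstPort 3389 on the public address) and, if the exporter records TCP flags, use the SYN-only record to identify the initiator rather than relying on port numbers alone.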
_______________________________________________ Flow-tools mailing list [email protected] http://mailman.splintered.net/mailman/listinfo/flow-tools
