Yes, I will continue using my current protocol list that I built from /etc/services; it seems to catch most of the tcp/udp ports. I just get sick of updating it with the new filesharing protocol of the day. I just installed 3.1 recently. I'm also trying to get the host fingerprinting working. I have installed ettercap; is there something I need to do to turn it on? I can't find any flags for it.
Regards
Michael Baird

> Define protocols -- do you mean layer 2 or layer 3 or layer 4?  <laugh type=nasty />
>
> The canonical list for tcp/ip (tcp and udp) - which is probably what you
> mean - below port 1024 is maintained by IANA.
>
> Theoretically, ports from 1024-49151 are also registered through IANA. It
> is a custom more honour'd in the breach than the observance.
>
> And 49152-65535 are free for all.
>
> The list is here: http://www.iana.org/assignments/port-numbers. But all of
> that only covers protocols for which there are RFCs. Not the ad hoc
> protocols we've all come to know and "love".
>
> So, just about every security organization / mailing list / wannabe
> maintains their own list. Some of which are truly useless in a dangerous
> way - they list EVERY port as "Common service(s): client". Well, Duh!
>
> Oh, and at the end of the day, monitoring EVERY port is useless. You are as
> likely to be mis-tagging as correctly tagging. Remember, when setting up a
> connection between two hosts, say http, the requestor picks a random
> port > 1023 for the reply. If you have a list of every possible port that a
> protocol ever might have used, you're likely to have hits and so
> mis-classify traffic.
>
> Best bet is to build a list of the ports YOU need to monitor on YOUR
> network.
>
> -----Burton
>
> [REF: Hamlet, Act 1, Scene 4 -
> http://www-tech.mit.edu/Shakespeare/Tragedy/hamlet/hamlet.1.4.html]
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Michael Baird
> Sent: Wednesday, March 02, 2005 9:38 AM
> To: [email protected]
> Subject: [Ntop] Protocol List
>
> Does anyone have a really extensive protocol list file, or know of a place
> where I can go to keep my own list updated?
>
> Regards
> Michael Baird
>
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop
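
The mis-tagging described in the quoted reply (a client's random source port above 1023 colliding with an entry in an exhaustive port list), as an added example that is not part of the original thread. The services text, the flows and the site port set `{25, 53, 80, 443}` are constructed for illustration.

```python
import re

# Constructed sample in /etc/services format; a real list is far longer.
SERVICES = """\
smtp            25/tcp      mail
domain          53/udp
http            80/tcp      www
https           443/tcp
kazaa           1214/tcp    # registered-range entry
ingreslock      1524/tcp
gnutella-svc    6346/tcp
"""

def parse_services(text):
    """Map (port, proto) -> service name from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\d+)/(tcp|udp)\b", line.split("#", 1)[0])
        if m:
            table.setdefault((int(m.group(2)), m.group(3)), m.group(1))
    return table

def restrict(table, wanted_ports):
    """Keep only the ports this site has decided to monitor."""
    return {k: v for k, v in table.items() if k[0] in wanted_ports}

def tag(flow, table):
    """Return every label whose port matches either end of the flow."""
    sport, dport, proto = flow
    return sorted({table[(p, proto)] for p in (sport, dport) if (p, proto) in table})

# Constructed flows: (client source port, server port, protocol).
FLOWS = [
    (1214, 80, "tcp"),    # web request whose random source port is 1214
    (6346, 25, "tcp"),    # mail delivery whose random source port is 6346
    (51514, 443, "tcp"),  # HTTPS, source port not on any list
]

def report(table):
    """Tag every sample flow against the given port table."""
    return {flow: tag(flow, table) for flow in FLOWS}

FULL = parse_services(SERVICES)
SITE = restrict(FULL, {25, 53, 80, 443})  # hypothetical site list

if __name__ == "__main__":
    for name, table in (("full list", FULL), ("site list", SITE)):
        for flow, labels in report(table).items():
            print(f"{name:9} {flow} -> {labels}")
```

With the full list, the first two flows each come back with two labels, so the tagger has to guess; with the site list each flow has exactly one.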
