Over the weekend an internet-facing DI-624 router of mine was e-mailing me logs like crazy for some reason. Normally it's a few a day, but it was about one every few minutes instead. Analyzing the messages, I found that only 340 had the same src and dst port number, whereas the majority of "default deny" dropped packets (28,000+) had the two ports different. What does this mean?
1 Answer
Source ports and destination ports are normally going to be different. This is normal. When you connect to a web site as a client to destination port 80, the OS will likely give the packet a high-numbered source port that is maybe random. Go read about Ephemeral Ports. This aids the OS in keeping track of which session is which.

Kyle Brandt
Thanks! So I guess it's only worth looking at the destination ports, then, if anything. – Kev Mar 15 '10 at 17:16
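
The triage discussed in this thread, as an added example that is not part of the original posts: it tallies dropped packets by destination port and counts how many had matching or high-numbered source ports. The log line format, the sample lines, and the 1024 threshold for "high" source ports are assumptions made for illustration; the DI-624's real log layout is not shown on this page.

```python
import re
from collections import Counter

# Constructed sample lines in a made-up format (documentation IP ranges);
# adjust LINE_RE to whatever the router actually e-mails.
SAMPLE_LOG = """\
DROP default-deny TCP 203.0.113.5:51514 -> 198.51.100.7:445
DROP default-deny TCP 203.0.113.5:51515 -> 198.51.100.7:445
DROP default-deny UDP 203.0.113.9:137 -> 198.51.100.7:137
DROP default-deny TCP 192.0.2.44:40222 -> 198.51.100.7:23
DROP default-deny UDP 192.0.2.80:1026 -> 198.51.100.7:1434
DROP default-deny TCP 203.0.113.5:51516 -> 198.51.100.7:445
"""

LINE_RE = re.compile(r"(TCP|UDP) \S+:(\d+) -> \S+:(\d+)$")

# Assumption: treat any source port >= 1024 as OS-assigned (ephemeral-style).
# Actual ephemeral ranges vary by operating system.
HIGH_PORT_FLOOR = 1024


def summarize(log_text):
    """Count drops per (protocol, destination port) and classify source ports."""
    dst_counts = Counter()
    same_port = high_src = parsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue  # skip lines that are not packet-drop records
        proto, sport, dport = m.group(1), int(m.group(2)), int(m.group(3))
        parsed += 1
        dst_counts[(proto, dport)] += 1
        if sport == dport:
            same_port += 1  # e.g. services that use a fixed port on both ends
        if sport >= HIGH_PORT_FLOOR:
            high_src += 1   # source port carries no information about the target
    return {"parsed": parsed, "same_port": same_port,
            "high_src": high_src, "dst_counts": dst_counts}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"{result['parsed']} drops, {result['same_port']} with src == dst port, "
          f"{result['high_src']} with high source port")
    for (proto, port), n in result["dst_counts"].most_common():
        print(f"{n:6d}  {proto}/{port}")
```
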