Netflow Question

the_Grinch Member Posts: 4,165
Quick netflow question. In what cases would you get a flow where the source and destination IPs are different, but the source and destination ports are the same? I have a theory, but was hoping someone could throw up a few alternatives as well.
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff

Comments

  • networker050184 Mod Posts: 11,962 Mod
    What is the port?
    An expert is a man who has made all the mistakes which can be made.
  • the_Grinch Member Posts: 4,165
    3389 is the port...not positive the traffic is definitely RDP.
  • SteveO86 Member Posts: 1,423
    Could it be a custom application?
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • the_Grinch Member Posts: 4,165
    99.9% sure it is not
  • ande0255 Banned Posts: 1,178
    Out of curiosity, what leads you to believe it's not RDP traffic? Is the source IP completely unknown or originating from the LAN? I've had a few customers that got periodically probed for RDP vulnerabilities, then some other MSP poked a bunch of holes in their ASA for port 3389, and their DC started firing off alerts every 2-3 seconds from what seemed to be brute force attacks.
  • the_Grinch Member Posts: 4,165
    Can't go into a ton of detail, but there are some things that make me believe it might not be RDP. It very well could be, but I have some doubts.
  • wastedtime Member Posts: 586
    There is a ton of stuff it could be. I've seen where people have done a SSH tunnel like that and even home brewed protocols for peer to peer communications. There aren't many protocols that I can think of that use the same source and destination ports.

    Edit:
    I would love to know what this is even if you can't go into details.
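The filter the original question describes (source and destination IPs differ, source and destination ports equal) is easy to run over a flow export, and it helps to put the hits beside what an ordinary client-to-server RDP flow looks like, since wastedtime's point above is that very few protocols legitimately produce symmetric ports. The following is an added example written for this thread, not code from any poster. The CSV record layout, the sample flows, the 3389/3389 pair, and the small allowlist of protocols that do use symmetric ports by design (NTP 123, IKE 500/4500, RIP 520) are constructed or assumed for illustration; adjust the allowlist to your own environment.

```python
"""Flag NetFlow-style records whose source and destination ports are equal.

Added example for this thread; the CSV layout is an assumed nfdump-like
export and every flow below is constructed, not captured.
"""
import csv
import io
from dataclasses import dataclass
from typing import Iterable

# Protocols that use the same port on both ends by design. A symmetric-port
# hit on these is expected; anything else is worth a look. Assumed list.
SYMMETRIC_OK = {
    ("udp", 123),   # NTP: peers and classic ntpd clients talk 123 -> 123
    ("udp", 500),   # IKE/ISAKMP: both ends bind 500
    ("udp", 4500),  # IKE NAT traversal
    ("udp", 520),   # RIPv1/v2 router-to-router
}

# Constructed sample export (unidirectional records, one per direction).
SAMPLE_FLOWS = """\
ts,proto,src,sport,dst,dport,pkts,bytes
2014-05-01T10:00:00,tcp,10.0.0.15,52344,10.0.0.7,3389,840,91230
2014-05-01T10:00:01,tcp,10.0.0.7,3389,10.0.0.15,52344,790,402112
2014-05-01T10:00:05,tcp,203.0.113.9,3389,10.0.0.7,3389,12,960
2014-05-01T10:00:06,tcp,10.0.0.7,3389,203.0.113.9,3389,10,1020
2014-05-01T10:00:07,udp,10.0.0.7,123,10.0.0.1,123,1,76
2014-05-01T10:00:09,tcp,10.0.0.7,3389,10.0.0.7,3389,3,180
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    pkts: int
    bytes: int


def parse_flows(text: str) -> list:
    """Parse the CSV export into Flow records; ports and counters become ints."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Flow(r["ts"], r["proto"].lower(), r["src"], int(r["sport"]),
             r["dst"], int(r["dport"]), int(r["pkts"]), int(r["bytes"]))
        for r in rows
    ]


def is_symmetric_port(f: Flow) -> bool:
    """Exactly the question's shape: same port both ends, different hosts."""
    return f.sport == f.dport and f.src != f.dst


def is_client_server(f: Flow, service_port: int) -> bool:
    """Ordinary shape for a service like RDP: service port on one side only."""
    return (f.dport == service_port) != (f.sport == service_port)


def classify(f: Flow, service_port: int = 3389) -> str:
    """Bucket a single flow; symmetric checks run before the service check."""
    if is_symmetric_port(f):
        if (f.proto, f.sport) in SYMMETRIC_OK:
            return "symmetric_allowlisted"
        return "symmetric_flagged"
    if is_client_server(f, service_port):
        return "client_server"
    return "other"  # e.g. src == dst, which is its own kind of oddity


def symmetric_port_flows(flows: Iterable[Flow]) -> list:
    """The flows a reviewer would actually want to see."""
    return [f for f in flows if classify(f) == "symmetric_flagged"]


def summarize(flows: Iterable[Flow], service_port: int = 3389) -> dict:
    """Count flows per bucket so the symmetric hits can be compared to baseline."""
    counts = {"client_server": 0, "symmetric_flagged": 0,
              "symmetric_allowlisted": 0, "other": 0}
    for f in flows:
        counts[classify(f, service_port)] += 1
    return counts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(summarize(flows))
    for f in symmetric_port_flows(flows):
        print(f"{f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport} "
              f"pkts={f.pkts} bytes={f.bytes}")
```

Because most exporters emit one record per direction, a 3389/3389 conversation shows up as two symmetric records with the IPs swapped; seeing both directions on the same port pair, rather than one ephemeral port talking to 3389, is the signal the question is about. A src == dst record falls into "other" on purpose, since that is a different anomaly from the one asked about.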
  • the_Grinch Member Posts: 4,165
    Haha, we're working on it and hopefully at some point a picture will be painted. Thanks guys! Confirmed my theories.