Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Has anyone specified all well-known ports? 2

Status
Not open for further replies.
jleamon

jleamon

Technical User
Apr 16, 2003
3
0
0
CA
We all hate the "others" column in Sniffer. Getting rid of it and instead showing which ports are actually being used can be a full time job.

I realize that you can sit and enter the "other" ports through Tools -> Options -> Protocols.

My co-workers and I are actually considering sitting down and putting in all the well-known ports and then exporting the registry key. Has anyone already done this? I've searched through the forum and can't find any, but I would think it would be quite useful. There's nothing more time-consuming that sitting with a capture and adding one protocol after another trying to accuratly display the protocol distribution.

Thanks
jon
 
Sort by date Sort by votes
Hi jon,

Quite the ambitous little project there. If you decide to do this and want to share, I would be more than willing to donate my site (as I have done in the past) to hold the file for everyone to use.

Regards

'Making things work better; bit by bit.'
 
Upvote 0 Downvote
that makes two us that are willing to provide bandwidth for the key :)

MikeS


Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Upvote 0 Downvote
Well Gentlemen,

Here is the key for exporting the information.

HKey_Local_Machine/Software/Network Associates, Inc./Snifferprob/4.1/1CommonSettings/Protocols.

Under this section you will find both TCP and UDP for where you can see all of your settings configured.

Hope this helps.

 
Upvote 0 Downvote
Hi,
For your reference I've been doing this duplication for many customers for quite a little while, and by exporting the key above and then importing it to another machine works well.

The only problem occurs when using different versions of software eg v4.0, v4.1 and/or v4.2. To over come this - export the regisrty, then edited it, then do a "find and replace" and change all v4.1 to v4.2 within the key.

I have a reg file available with over 200 TCP entries, if any one want to use this a starter?

Alf
 
Upvote 0 Downvote
Alf,

Please contact me via my offline email address. I would be interested in this.

Thanks,
DTMan
 
Upvote 0 Downvote
We had a visit from one of the Systems Engineers for Sniffer and he told me that there was a limitation of roughly 200 ports. Any more than that and Sniffer will not start. He did say that in the next version they may bump that up to over a 1000. I don't know what the exact limitation is, but it kind of made the entire project less interesting.

I also ran into problems trying to translate the ports from decimal to hex, using Excel. But after hearing that limitation, I was somewhat less enthused to get it going. I could switch approaches and use Perl, but I didn't really feel that it was worth it.

And just in response to DTMan's post - yes, we're all well aware of the registry key. What we want to do is find an easier way of entering hundreds of ports without losing hours and hours entering them through regedit.

Alf - I'll contact you for that key with 200 entry. I would like to try adding more and seeing what the exact number it will take before it dies.
 
Upvote 0 Downvote
Gents,

I'll forward it over shortly, after I've cleaned it up a bit, and also combined a few together.

One of the easiest ways I've found to get all the port numbers used on a particular customer's network, is to see one of their firewall chaps. They should be able to print you off a list of open port numbers, it should also have their application related name. This saves a great deal of time!

With regard to the limitation of port no.s - I think he's talking crap!

Alf
 
Upvote 0 Downvote
I'm very curious that Sniffer can decode many standard and proprietary protocol correctly (expert and decode window) but why not it automatically displays those correct protocol names in the protocol distribution as well as other monitor applications.

bar
 
Upvote 0 Downvote
Alf- thanks for the effort! Dont forget to forward over to this side of the pond :)

The tip for the firewall export is a good one.

MikeS


Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Upvote 0 Downvote
Alf,

Give me a call in regards to this. I have something that will interest you.

reg

Andre
 
Upvote 0 Downvote
Alf,

Can you please send out/post the reg file with the well known ports ?


Thanks

Yigal

 
Upvote 0 Downvote
How about protocols outside of TCP or UDP? For instance something like protocol 50 (ESP -- Encapsulation Security Protocol). Is there any way to add these types of protocols to Sniff Pro?

Thanks.
 
Upvote 0 Downvote
Hi,

Unfortunately there is no way of adding these in automatically. "Protocol 50" is as you say a ESP, generally used in VPNs. As this therefore acts like a some application (in that it can use a wide range of port nos), the only way of adding it in (to sniffer) is manually, when you have identified the no.s.

With cetain VPN software you can limit the range of ports that it operates over - I believe.

With regard to some of the above posts - with the new version of Sniffer Distributed software (v4.3), you can add in ranges of ports, as opposed to having to define every one.

Alf
 
Upvote 0 Downvote
Let me ask a clarifying question. When I go into Sniff Pro "Tools->Options" and select the protocol tab, I only see the possibility of adding TCP, UDP or IPX protocol ports. ESP is neither of the 3 as it rides on top of the IP stack (as does TCP and UDP).

TCP is protocol 6 within IP. UDP is protocol 17. Is there a way of defining protocol 50 for ESP? If so, how do you do it?

Thanks again.
 
Upvote 0 Downvote
I have added all well know TCP and UDP ports from 1-1023 and several registered gaming and P2P ports I wished to monitor/report on with no trouble. It is far simpler working with a flat file to merge into the registry then manually adding each port.
See and the below UDP sample

[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates, Inc.\Sniffer\4.7\1CommonSettings\Protocols\IP Protocols\UDP]
"1"=dword:00000001
"2"=dword:00000002
"3"=dword:00000003 etc. etc..

Blundergod, Until Sniffer update there software your better off using Ethereal for monitoring ESP.

Hope this helps.
 
Upvote 0 Downvote
Thanks for the response Damianj. Agree with Ethereal. Excellent tip on using the Registry to merge flat files. I'll give that a shot as well.
 
Upvote 0 Downvote
Hi,

Totally agree that "others" breakout is time-consuming. We did this breakout for one site and tried to export it out of registry and load it on another machine to save repetitive input & time. Unfortunately the exporting did not work. Used the instructions in Sniffer Pro Help...wish I could offer more details, but we are not sure why registry export failed.
 
Upvote 0 Downvote
Hi Alf:

A little bit late, but could you send me the reg file and instructions on how to import in a DSS environment ?

Thanks in advance !

Alex.
 
Upvote 0 Downvote
Hi Alex,
Been a bit busy recently - will send the various file I've created for a few people to you shorlty. I'll post instructions for everyone shortly, but it basically involves editing the reg file;

For distributed users;
HKey_Local_Machine/Software/Network Associates, Inc./Snifferprob/4.1<version>/1CommonSettings/Protocols
For portable users;
HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates, Inc.\Sniffer\4.5<version>\1CommonSettings\Protocols

and changing the &quot;4.1&quot; to &quot;4.2&quot;, or now &quot;4.3&quot;, or for sniffer pro users the &quot;4.5&quot; to &quot;4.7&quot;.
P.S. NAI do not support reg changes!!! That's why we have this forum ;-)
Alf
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

jromlop
  • Locked
  • Question
ports SniffView
Replies
0
Views
30
jromlop
jromlop
arvindai
  • Locked
  • Question
ports question
Replies
2
Views
47
NFI
NFI
4412
  • Locked
  • Question
how to filter all retransmission
Replies
1
Views
45
GuRuGuRu
GuRuGuRu
dane775
  • Locked
  • Question
Anyone decoding SSL with Sniffer or Wireshark??
Replies
0
Views
30
dane775
dane775
ir1shm1ike
  • Locked
  • Question
Mirror 2 Ports for Traffic??
Replies
1
Views
33
jdeisenm
jdeisenm

Part and Inventory Search

Sponsor

Back
Top