Has anyone specified all well-known ports?

jleamon

Technical User
Apr 16, 2003
3
CA
We all hate the "others" column in Sniffer. Getting rid of it and instead showing which ports are actually being used can be a full time job.

I realize that you can sit and enter the "other" ports through Tools -> Options -> Protocols.

My co-workers and I are actually considering sitting down and putting in all the well-known ports and then exporting the registry key. Has anyone already done this? I've searched through the forum and can't find any, but I would think it would be quite useful. There's nothing more time-consuming than sitting with a capture and adding one protocol after another trying to accurately display the protocol distribution.

Thanks
jon
 
Hi jon,

Quite the ambitious little project there. If you decide to do this and want to share, I would be more than willing to donate my site (as I have done in the past) to hold the file for everyone to use.

Regards

'Making things work better; bit by bit.'
 
That makes two of us that are willing to provide bandwidth for the key :)

MikeS


Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Well Gentlemen,

Here is the key for exporting the information.

HKey_Local_Machine/Software/Network Associates, Inc./Snifferprob/4.1/1CommonSettings/Protocols.

Under this section you will find both TCP and UDP for where you can see all of your settings configured.

Hope this helps.

 
Hi,
For your reference, I've been doing this duplication for many customers for quite a little while, and exporting the key above and then importing it to another machine works well.

The only problem occurs when using different versions of software, e.g. v4.0, v4.1 and/or v4.2. To overcome this, export the registry, then edit it, then do a "find and replace" and change all v4.1 to v4.2 within the key.

I have a reg file available with over 200 TCP entries, if anyone wants to use this as a starter?

Alf
 
Alf,

Please contact me via my offline email address. I would be interested in this.

Thanks,
DTMan
 
We had a visit from one of the Systems Engineers for Sniffer and he told me that there was a limitation of roughly 200 ports. Any more than that and Sniffer will not start. He did say that in the next version they may bump that up to over 1000. I don't know what the exact limitation is, but it kind of made the entire project less interesting.

I also ran into problems trying to translate the ports from decimal to hex, using Excel. But after hearing that limitation, I was somewhat less enthused to get it going. I could switch approaches and use Perl, but I didn't really feel that it was worth it.

And just in response to DTMan's post - yes, we're all well aware of the registry key. What we want to do is find an easier way of entering hundreds of ports without losing hours and hours entering them through regedit.

Alf - I'll contact you for that key with 200 entries. I would like to try adding more and seeing what the exact number it will take before it dies.
 
Gents,

I'll forward it over shortly, after I've cleaned it up a bit, and also combined a few together.

One of the easiest ways I've found to get all the port numbers used on a particular customer's network, is to see one of their firewall chaps. They should be able to print you off a list of open port numbers, it should also have their application related name. This saves a great deal of time!

With regard to the limitation of port no.s - I think he's talking crap!

Alf
 
I'm very curious: Sniffer can decode many standard and proprietary protocols correctly (expert and decode window), so why doesn't it automatically display those correct protocol names in the protocol distribution as well as in other monitor applications?

bar
 
Alf - thanks for the effort! Don't forget to forward over to this side of the pond :)

The tip for the firewall export is a good one.

MikeS


Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Alf,

Give me a call in regards to this. I have something that will interest you.

reg

Andre
 
Alf,

Can you please send out/post the reg file with the well known ports ?


Thanks

Yigal

 
How about protocols outside of TCP or UDP? For instance something like protocol 50 (ESP -- Encapsulation Security Protocol). Is there any way to add these types of protocols to Sniff Pro?

Thanks.
 
Hi,

Unfortunately there is no way of adding these in automatically. "Protocol 50" is, as you say, an ESP, generally used in VPNs. As this therefore acts like some application (in that it can use a wide range of port nos), the only way of adding it in (to Sniffer) is manually, when you have identified the nos.

With certain VPN software you can limit the range of ports that it operates over - I believe.

With regard to some of the above posts - with the new version of Sniffer Distributed software (v4.3), you can add in ranges of ports, as opposed to having to define every one.

Alf
 
Let me ask a clarifying question. When I go into Sniff Pro "Tools->Options" and select the protocol tab, I only see the possibility of adding TCP, UDP or IPX protocol ports. ESP is neither of the 3 as it rides on top of the IP stack (as does TCP and UDP).

TCP is protocol 6 within IP. UDP is protocol 17. Is there a way of defining protocol 50 for ESP? If so, how do you do it?

Thanks again.
 
I have added all well-known TCP and UDP ports from 1-1023 and several registered gaming and P2P ports I wished to monitor/report on with no trouble. It is far simpler working with a flat file to merge into the registry than manually adding each port.
See and the below UDP sample

[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates, Inc.\Sniffer\4.7\1CommonSettings\Protocols\IP Protocols\UDP]
"1"=dword:00000001
"2"=dword:00000002
"3"=dword:00000003 etc. etc..

Blundergod, until Sniffer update their software you're better off using Ethereal for monitoring ESP.

Hope this helps.
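
The flat-file approach described in the post above, as an added example that is not part of the original thread or Sniffer's own tooling: it turns a port list into `.reg` text, doing the decimal-to-hex conversion mentioned earlier in the thread. Assumptions: the value name is the decimal port and the data is the same port as a hex dword (inferred from the three-line UDP sample), a `TCP` key sits beside the `UDP` one, and the file uses the `REGEDIT4` header; `parse_ports`, `build_reg` and the sample list are hypothetical.

```python
import re

# Key path copied from the UDP sample in the thread; the version segment varies.
KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates, Inc.\Sniffer"
       r"\{version}\1CommonSettings\Protocols\IP Protocols\{transport}")

def parse_ports(text):
    """Read a flat list: one port or range (lo-hi) per line, '#' starts a comment."""
    ports = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"(\d+)(?:\s*-\s*(\d+))?", line)
        if not m:
            raise ValueError(f"line {lineno}: not a port or range: {raw!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"line {lineno}: out of range: {raw!r}")
        ports.update(range(lo, hi + 1))  # the set drops duplicates
    return sorted(ports)

def build_reg(ports, version="4.7", transport="UDP"):
    """Return .reg text. Assumed layout (from the sample): name = decimal port,
    data = the same port as an 8-digit hex dword."""
    if transport not in ("TCP", "UDP"):
        raise ValueError("transport must be TCP or UDP")
    key = KEY.format(version=version, transport=transport)
    lines = ["REGEDIT4", "", "[" + key + "]"]
    lines += [f'"{p}"=dword:{p:08x}' for p in ports]
    return "\r\n".join(lines) + "\r\n"

# Constructed sample input, not a list from the thread.
SAMPLE = """\
53        # dns
161-162   # snmp, snmp-trap
1701      # l2tp
53        # duplicate, dropped
"""

if __name__ == "__main__":
    print(build_reg(parse_ports(SAMPLE)), end="")
```

Review the generated file in a text editor and export the existing key as a backup before merging it.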
 
Thanks for the response Damianj. Agree with Ethereal. Excellent tip on using the Registry to merge flat files. I'll give that a shot as well.
 
Hi,

Totally agree that "others" breakout is time-consuming. We did this breakout for one site and tried to export it out of registry and load it on another machine to save repetitive input & time. Unfortunately the exporting did not work. Used the instructions in Sniffer Pro Help...wish I could offer more details, but we are not sure why registry export failed.
 
Hi Alf:

A little bit late, but could you send me the reg file and instructions on how to import in a DSS environment ?

Thanks in advance !

Alex.
 
Hi Alex,
Been a bit busy recently - will send the various files I've created for a few people to you shortly. I'll post instructions for everyone shortly, but it basically involves editing the reg file;

For distributed users;
HKey_Local_Machine/Software/Network Associates, Inc./Snifferprob/4.1<version>/1CommonSettings/Protocols
For portable users;
HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates, Inc.\Sniffer\4.5<version>\1CommonSettings\Protocols

and changing the "4.1" to "4.2", or now "4.3", or for sniffer pro users the "4.5" to "4.7".
P.S. NAI do not support reg changes!!! That's why we have this forum ;-)
Alf
 