
Making Unknown Ports Known


nilremdrol (IS-IT--Management), Jun 27, 2001, US
I know that you can make unknown ports have names, but it's a little tedious. I have a registry file from NAI that defines more, but it's not enough for my needs.
My superiors really dislike seeing "Unknown" next to a good portion of the traffic graphs. The "Someone is hacking my network!!!" look comes across their face hehe.
I was going to build a new registry import from the well-known TCP/UDP lists, but that too is time consuming. Does anyone have links to other registry files, or can I get an export of someone else's? Or does anyone have any other ideas? Thanks!
 
The best way to do this is to use the GUI tools in Sniffer. As stated in the last reply from portable, you go to Tools | Options | Protocols. In there you can define port numbers and name them as different protocols. But you will never get rid of "OTHERS" completely. A large number of programs use random port numbers for different functions. Since they are random, there is no way for NAI or anyone else to define them.

Best thing to do is capture some data for a few minutes. Stop and display the trace, then go to the matrix view. Go to IP view and unselect all the protocols except others. On the button bar you will see a display filter button. This will filter out all traffic except for the others. Look through them and watch for common ports. Go to one of the many web sites for well-known port numbers on the internet and look it up. If it is there, then you can define it. If it is not, then it is a random port number and therefore cannot be defined.

As far as registry entries etc., I do not believe that NAI supports or supplies those. You should always try not to make changes to the registry; it should be a last resort.
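The capture-then-look-up routine described in the reply above, as an added Python example (not code from the thread or from NAI's tooling). It takes a constructed set of flow summaries, skips ports the analyser already names, and sorts the rest of the "OTHERS" traffic into ports worth defining (found in a well-known-port table), ports in the dynamic range (random, as the reply says, so not definable), and ports that need a manual lookup. The `WELL_KNOWN` table is a small hand-picked subset of IANA assignments, and `ALREADY_DEFINED` and `SAMPLE_FLOWS` are constructed for the example. A well-known service that turns up where it is not expected (database ports on a user segment, for instance) is the kind of thing this triage surfaces, which is the real value of naming the "Unknown" traffic rather than just tidying the graphs.

```python
"""Triage the 'OTHERS' bucket of a capture: tally packets per candidate
service port and check each port against a well-known-port table."""
from collections import Counter

# Constructed subset of IANA well-known/registered port assignments (example only).
WELL_KNOWN = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "domain", 80: "http",
    110: "pop3", 123: "ntp", 137: "netbios-ns", 139: "netbios-ssn", 143: "imap",
    161: "snmp", 389: "ldap", 443: "https", 445: "microsoft-ds", 1433: "ms-sql-s",
    1521: "oracle-tns", 3306: "mysql", 3389: "ms-wbt-server", 5900: "vnc",
}

# Ports the analyser already names (constructed); these never land in OTHERS.
ALREADY_DEFINED = {25, 53, 80, 443}

# Start of the IANA dynamic/private range: clients pick these at random.
DYNAMIC_START = 49152

# Constructed flow summaries: (protocol, src_port, dst_port, packets).
SAMPLE_FLOWS = [
    ("TCP", 1034, 80, 40),
    ("TCP", 1035, 1433, 120),
    ("TCP", 1036, 1433, 95),
    ("UDP", 1037, 161, 12),
    ("TCP", 3389, 1040, 300),     # server-to-client direction
    ("TCP", 1041, 62210, 7),
    ("UDP", 49200, 49201, 3),
]


def service_port(src_port, dst_port):
    """Guess which end of a flow is the service port.

    A port listed in the well-known table wins regardless of direction;
    otherwise take the lower number, since clients usually use high ports.
    """
    for port in (src_port, dst_port):
        if port in WELL_KNOWN:
            return port
    return min(src_port, dst_port)


def triage(flows, defined=ALREADY_DEFINED):
    """Sort the OTHERS traffic into three buckets, each ordered by packet count.

    define     -> port is in the well-known table: worth naming in the analyser
    random     -> port is in the dynamic range: cannot sensibly be named
    unresolved -> not in the table: look it up, or treat as application-specific
    Ports the analyser already names are skipped (they are not OTHERS).
    """
    packets = Counter()
    for _proto, src_port, dst_port, count in flows:
        port = service_port(src_port, dst_port)
        if port in defined:
            continue
        packets[port] += count

    buckets = {"define": {}, "random": {}, "unresolved": {}}
    for port, count in packets.most_common():
        if port in WELL_KNOWN:
            buckets["define"][port] = (WELL_KNOWN[port], count)
        elif port >= DYNAMIC_START:
            buckets["random"][port] = count
        else:
            buckets["unresolved"][port] = count
    return buckets


def report(buckets):
    """Render the triage as one line per port, most traffic first in each bucket."""
    lines = []
    for port, (name, count) in buckets["define"].items():
        lines.append(f"define {port:>5} as {name:<14} ({count} packets)")
    for port, count in buckets["unresolved"].items():
        lines.append(f"lookup {port:>5} not in table     ({count} packets)")
    for port, count in buckets["random"].items():
        lines.append(f"skip   {port:>5} dynamic range     ({count} packets)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_FLOWS))))
```

Feeding it a real capture means exporting the conversation matrix (or any per-flow summary) into the `(protocol, src_port, dst_port, packets)` shape; the heuristic in `service_port` is deliberately simple and should be treated as a hint, not a verdict, for flows where neither side is in the table.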

 

 
Hi. As barniclebill mentioned, making reg changes isn't supported. When you do add protocols into Sniffer, they are stored in the following area:
1. For Sniffer Portables: [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates, Inc.\Sniffer\4.7\1CommonSettings\Protocols\IP Protocols]
2. For Sniffer Distributed, in the agent's registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates, Inc.\Snifferprob\4.1\1CommonSettings\Protocols\IP Protocols]
If you're using Distributed, I recommend adding all the protocols to one unit, then exporting the keys and importing to the other units.
sniffer@axial.co.uk
Alf
 