
Sniffed packets --- Help on network analysis

Status
Not open for further replies.

rcasta

Technical User
Aug 8, 2002
211
CA
Hello :

Recently at my school, I've found the following traffic increasing each day. Sniffer caught it, and it has the following characteristics:

-- Host (not server) using 1 tcp port and has multiple connections open towards it (port varies from source host)
-- Some packets read "Gnutella Network", though Gnutella is banned at my site.
-- The following can be read from the packets :
"...urn:sha1:6LYHGFQSU...
Sting - I'll be Watching You. u
rn:.... "

Obviously it seems to be some sort of media engine, though I can't seem to figure it out...

Any ideas?

cheers,
 
This is a sample output from my router :

Last 3 columns : src_port(hex)/ dst_port(hex) / Pkts

Eth0/0 192.168.20..78 Se1/0 209.98.153.201 27E5 7A2A 136
Eth0/0 192.168.20..78 Se1/0 68.103.113.73 27E5 07AF 497
Eth0/0 192.168.20..78 Se1/0 65.82.119.58 27E5 1268 228
Eth0/0 192.168.20..78 Se1/0 141.154.140.72 27E5 111B 35
Eth0/0 192.168.20..78 Se1/0 24.162.12.130 27E5 1189 457
Eth0/0 192.168.20..78 Se1/0 65.100.207.42 27E5 F4F1 199
Eth0/0 192.168.20..78 Se1/0 204.116.181.141 27E5 113E 61
Eth0/0 192.168.20..78 Se1/0 198.248.144.179 27E5 0EFC 572
Eth0/0 192.168.20..78 Se1/0 24.100.71.40 27E5 131A 18

.... and continues like that...

cheers,
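
An added example, not part of the original posts: one way to summarise flow output in the column layout shown above, converting the hex ports to decimal and listing any local address and port that talks to many distinct remote addresses. The sample rows are constructed (documentation address ranges), and the function names and the `min_peers` threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample in the same column layout as the router output above:
# src_if  src_ip  dst_if  dst_ip  src_port(hex)  dst_port(hex)  pkts
SAMPLE = """\
Eth0/0 192.0.2.78 Se1/0 198.51.100.201 27E5 7A2A 136
Eth0/0 192.0.2.78 Se1/0 198.51.100.73 27E5 07AF 497
Eth0/0 192.0.2.78 Se1/0 203.0.113.58 27E5 1268 228
Eth0/0 192.0.2.78 Se1/0 203.0.113.72 27E5 111B 35
Eth0/0 192.0.2.10 Se1/0 203.0.113.5 0C21 0050 12
Eth0/0 192.0.2.10 Se1/0 203.0.113.5 0C22 0050 9
not a flow line
"""

def parse_flows(text):
    """Yield (src_ip, src_port, dst_ip, dst_port, pkts) with ports in decimal."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7:
            continue  # skip headers, blanks and truncated rows
        try:
            yield f[1], int(f[4], 16), f[3], int(f[5], 16), int(f[6])
        except ValueError:
            continue  # non-hex port or non-numeric packet count

def fan_in(text, min_peers=3):
    """Map each local (ip, port) seen with >= min_peers distinct remote IPs
    to (number of distinct peers, total packets)."""
    peers = defaultdict(set)
    pkts = defaultdict(int)
    for src, sport, dst, _dport, n in parse_flows(text):
        peers[(src, sport)].add(dst)
        pkts[(src, sport)] += n
    return {k: (len(v), pkts[k]) for k, v in peers.items() if len(v) >= min_peers}

if __name__ == "__main__":
    for (ip, port), (n_peers, total) in fan_in(SAMPLE).items():
        print(f"{ip}:{port} -> {n_peers} distinct peers, {total} packets")
```

A single fixed local port with a steadily growing set of remote peers is the pattern described in the first post; an ordinary client instead shows many short-lived local ports, as the second constructed host does.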
 