Re: [FW1] Scary traffic - long

[dreamwvr <dreamwvr () dreamwvr com>]

hi all,
last time i 'snoop'ed this was the exchange being made for javastations.
But that was a while ago it looks to be a simular scenario.
                                                        Regards,
                                                                dreamwvr () dreamwvr com
At 06:56 PM 12/21/98 +0200, Hendrik Visage wrote:
> roger nebel wrote:
>
> > RFC 1350 (ftp://ftp.isi.edu/in-notes/rfc1350.txt) mentions nothing about
> > broadcast, perhaps that's a local implementation deviation by
> > someone...i'd be interested in how / where you've seen that use.
>
> AFAIK: Sun machines make use of a broadcast to get the boot image:
> Procedure:
> 1) get IP address with RARP
> 2) send out broadcast tftp get image
> 3) bootparamd for root, install server and other info
> 4) mount root and continue
>
> I'm speaking under correction, but I think I've seen the Xyplex terminal
servers also
> having asked for the image and parameters via broadcast (At that stage not
much info
> except IP address, old BOOTP)
>
> Now the test (Solaris 2.6):
>
> # tftp
> tftp> get 255.255.255.255:abcdef.prm
> Received 4703 bytes in 0.1 seconds
>
> Now the interesting part:
> ===================
> # snoop myne|egrep -v "RLOGIN|RSTAT|TCP|RPC|NIS|NFS|NTP"
> Using device /dev/hme (promiscuous mode)
>        myne -> BROADCAST    TFTP Read "abcdef.prm" (netascii)
>     mainman -> myne         TFTP Data block 1 (512 bytes)
>        myne -> BROADCAST    TFTP Ack  block 1
>     mainman -> myne         TFTP Data block 2 (512 bytes)
>        myne -> BROADCAST    TFTP Ack  block 2
>     mainman -> myne         TFTP Data block 3 (512 bytes)
>        myne -> BROADCAST    TFTP Ack  block 3
>     mainman -> myne         TFTP Data block 4 (512 bytes)
>        myne -> BROADCAST    TFTP Ack  block 4
>     mainman -> myne         TFTP Data block 5 (512 bytes)
>        myne -> BROADCAST    TFTP Ack  block 5
>     mainman -> myne         TFTP Data block 6 (512 bytes)
>        myne -> BROADCAST    TFTP Ack  block 6
>     mainman -> myne         TFTP Data block 7 (512 bytes)
>        myne -> BROADCAST    TFTP Ack  block 7
>     mainman -> myne         TFTP Data block 8 (512 bytes)
>        myne -> BROADCAST    TFTP Ack  block 8
>     mainman -> myne         TFTP Data block 9 (512 bytes)
>        myne -> BROADCAST    TFTP Ack  block 9
>     mainman -> myne         TFTP Data block 10 (95 bytes) (last block)
>        myne -> BROADCAST    TFTP Ack  block 10
>
>
> > Hendrik Visage wrote:
> > > AFAIK: Unfortunately, tftp DO have a broadcast "option", but it should
be only in LAN
> > > context, it sends out the broadcast, and then all the tftpservers will
check if they
> > > have the requested file, and then reply if they DO have the file.
> > >
> > > tftp is also "dangerous" in the sense that it's UDP, send out to a
port, and the
> > > server sends out via another port. Not all that easy to have a
stateful inspection
> > > code for tftp, and FW-1 doesn't handle it as "nicely" as "standard"
ftp:((
> > >
Reuters, London, February 29, 1998: 
Scientists have announced discovering a meteorite which will strike the 
earth in March, 2028.  Millions of UNIX coders expressed relief for being 
spared the UNIX epoch "crisis" of 2038.
_______________________________________________________________________

DREAMWVR.COM - TOTAL WEB INTEGRATION, DEVELOPMENT, DESIGN SERVICES. 
Featuring Website Development and Web Strategies of a TOP Developer 
<http://www.dreamwvr.com/dynamicduo.html> <mailto:dreamwvr () dreamwvr com>
"As Unique as the Company You Keep."        "===0 PGP Key Available  
________________________________________________________________________