hitcnt question

I am monitoring the hitcnt on my inside_in access list from the LAN to WAN.  I only have one laptop connected on this network, so there is no other traffic from any other device going out.  I have established a connection only to the experts-exchange.com website to test the hitcnt and it shows the following:

ciscoasa# sh access-list inside_access_in
access-list inside_access_in; 4 elements
access-list inside_access_in line 1 extended permit udp any any eq domain (hitcnt=10) 0xcf394c76
access-list inside_access_in line 2 extended permit tcp any any eq www (hitcnt=334) 0x386bad81
access-list inside_access_in line 3 extended permit tcp any any eq https (hitcnt=0) 0x6908ba56
access-list inside_access_in line 4 extended deny ip any any (hitcnt=0) 0xbe9efe96

A few moments later, it shows:

ciscoasa# sh access-list inside_access_in
access-list inside_access_in; 4 elements
access-list inside_access_in line 1 extended permit udp any any eq domain (hitcnt=10) 0xcf394c76
access-list inside_access_in line 2 extended permit tcp any any eq www (hitcnt=340) 0x386bad81
access-list inside_access_in line 3 extended permit tcp any any eq https (hitcnt=0) 0x6908ba56
access-list inside_access_in line 4 extended deny ip any any (hitcnt=0) 0xbe9efe96


However, running netstat -an on my laptop that has the web session open, it shows no connection to port 80 or 443 on the web after a while, yet my hitcnt keeps increasing for the www acl (it initially shows in netstat but times out after a while and disappears).  Why is the counter still increasing after the timeout?  Is it communicating to the experts-exchange site without creating an established session?

C:\Documents and Settings\me>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8099           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5152         127.0.0.1:8404         CLOSE_WAIT
  TCP    127.0.0.1:7939         127.0.0.1:8099         ESTABLISHED
  TCP    127.0.0.1:8099         127.0.0.1:7939         ESTABLISHED
  TCP    172.16.100.100:139     0.0.0.0:0              LISTENING
  TCP    192.168.2.233:139      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:69             *:*
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:4500           *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1900         *:*
  UDP    127.0.0.1:8402         *:*
  UDP    172.16.100.100:123     *:*
  UDP    172.16.100.100:137     *:*
  UDP    172.16.100.100:138     *:*
  UDP    172.16.100.100:1900    *:*
  UDP    192.168.2.233:123      *:*
  UDP    192.168.2.233:137      *:*
  UDP    192.168.2.233:138      *:*
  UDP    192.168.2.233:1900     *:*
B1izzard Asked:
bgoering Commented:
Absolutely, netstat is a snapshot of a point of time when the command is run and will refresh (by default) every second. A connection could easily be initiated during that time period that you would never see in netstat. To be sure doing a wireshark capture of the traffic would be (in my opinion) easiest to see all the details about what the traffic is, where it is going etc.

Alternatively you could look into some ASA logging to syslog, but would need a syslog server to collect the information, and I am not sure what the level of detail would be as compared to wireshark. See http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml to get started on ASA Syslog.
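The asker is comparing two `show access-list` snapshots by eye to see which ACE keeps climbing. The following is an added example (not code from the thread or from Cisco) that makes that comparison repeatable: it parses the ASA output format shown above, keys each ACE by its hash (the trailing `0x...` value, which stays fixed when lines are renumbered), and reports the hit-count delta per ACE. The two snapshots embedded as sample input are the ones pasted in the question; the function and variable names are my own.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# One ACE line of ASA `show access-list` output, e.g.
# access-list inside_access_in line 2 extended permit tcp any any eq www (hitcnt=340) 0x386bad81
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?P<rule>.+?)\s+\(hitcnt=(?P<hits>\d+)\)\s+(?P<hash>0x[0-9a-fA-F]+)\s*$"
)


class Ace(NamedTuple):
    line: int   # position in the ACL
    rule: str   # the ACE text between the line number and (hitcnt=...)
    hits: int   # hitcnt value in this snapshot
    hash: str   # per-ACE hash printed by the ASA; used as the stable key


def parse_access_list(output: str) -> Dict[str, Ace]:
    """Parse ACE lines into {hash: Ace}.

    The CLI prompt, the '; N elements' summary and blank lines do not match
    ACE_RE and are skipped, so the raw terminal paste can be fed in as-is.
    """
    aces: Dict[str, Ace] = {}
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        aces[m.group("hash")] = Ace(
            int(m.group("line")), m.group("rule"), int(m.group("hits")), m.group("hash")
        )
    return aces


def diff_hitcounts(before: Dict[str, Ace], after: Dict[str, Ace]) -> Dict[str, Tuple[int, str, int]]:
    """Return {hash: (line, rule, delta)} for every ACE whose hitcnt changed.

    An ACE that appears only in the later snapshot is treated as starting from 0.
    """
    changes: Dict[str, Tuple[int, str, int]] = {}
    for h, new in after.items():
        old = before.get(h)
        old_hits = old.hits if old else 0
        if new.hits != old_hits:
            changes[h] = (new.line, new.rule, new.hits - old_hits)
    return changes


def report(before_text: str, after_text: str) -> List[str]:
    """Human-readable lines, ordered by ACL line number, for the ACEs that moved."""
    changes = diff_hitcounts(parse_access_list(before_text), parse_access_list(after_text))
    out = []
    for h, (line, rule, delta) in sorted(changes.items(), key=lambda kv: kv[1][0]):
        out.append(f"line {line} ({h}): {delta:+d} hits  <- {rule}")
    return out


# Sample input: the two snapshots pasted in the question, prompt lines included.
SNAPSHOT_1 = """
ciscoasa# sh access-list inside_access_in
access-list inside_access_in; 4 elements
access-list inside_access_in line 1 extended permit udp any any eq domain (hitcnt=10) 0xcf394c76
access-list inside_access_in line 2 extended permit tcp any any eq www (hitcnt=334) 0x386bad81
access-list inside_access_in line 3 extended permit tcp any any eq https (hitcnt=0) 0x6908ba56
access-list inside_access_in line 4 extended deny ip any any (hitcnt=0) 0xbe9efe96
"""

SNAPSHOT_2 = """
ciscoasa# sh access-list inside_access_in
access-list inside_access_in; 4 elements
access-list inside_access_in line 1 extended permit udp any any eq domain (hitcnt=10) 0xcf394c76
access-list inside_access_in line 2 extended permit tcp any any eq www (hitcnt=340) 0x386bad81
access-list inside_access_in line 3 extended permit tcp any any eq https (hitcnt=0) 0x6908ba56
access-list inside_access_in line 4 extended deny ip any any (hitcnt=0) 0xbe9efe96
"""

if __name__ == "__main__":
    for entry in report(SNAPSHOT_1, SNAPSHOT_2):
        print(entry)
```

Run against the two snapshots it prints a single line, `line 2 (0x386bad81): +6 hits`, which is exactly the movement the asker noticed. Each increment is another match on that ACE, so a counter that keeps moving while the laptop's netstat shows nothing on port 80 is the signal to go to a packet capture on the host, as the answer above recommends, to see which process is generating those matches.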
 
bgoering Commented:
I would try running wireshark (or a network monitor of your choice) on the laptop and see if some other (unknown) process might be opening up connections on port 80.
 
B1izzard (Author) Commented:
So it is possible the connection can be so brief that it doesn't even show in netstat?
 
B1izzard (Author) Commented:
Thanks.
Question has a verified solution.