hitcnt question

Posted on 2011-04-24
Last Modified: 2012-05-11
I am monitoring the hitcnt on my inside_in access list from the LAN to WAN.  I only have one laptop connected on this network, so there is no other traffic from any other device going out.  I have established a connection only to the experts-exchange.com website to test the hitcnt and it shows the following:

ciscoasa# sh access-list inside_access_in
access-list inside_access_in; 4 elements
access-list inside_access_in line 1 extended permit udp any any eq domain (hitcnt=10) 0xcf394c76
access-list inside_access_in line 2 extended permit tcp any any eq www (hitcnt=334) 0x386bad81
access-list inside_access_in line 3 extended permit tcp any any eq https (hitcnt=0) 0x6908ba56
access-list inside_access_in line 4 extended deny ip any any (hitcnt=0) 0xbe9efe96

A few moments later, it shows:
ciscoasa# sh access-list inside_access_in
access-list inside_access_in; 4 elements
access-list inside_access_in line 1 extended permit udp any any eq domain (hitcnt=10) 0xcf394c76
access-list inside_access_in line 2 extended permit tcp any any eq www (hitcnt=340) 0x386bad81
access-list inside_access_in line 3 extended permit tcp any any eq https (hitcnt=0) 0x6908ba56
access-list inside_access_in line 4 extended deny ip any any (hitcnt=0) 0xbe9efe96


However, running netstat -an on my laptop that has the web session open, it shows no connection to port 80 or 443 on the web after a while, yet my hitcnt keeps increasing for the www acl (it initially shows in netstat but times out after a while and disappears).  Why is the counter still increasing after the timeout?  Is it communicating to the experts-exchange site without creating an established session?

C:\Documents and Settings\me>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8099           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5152         127.0.0.1:8404         CLOSE_WAIT
  TCP    127.0.0.1:7939         127.0.0.1:8099         ESTABLISHED
  TCP    127.0.0.1:8099         127.0.0.1:7939         ESTABLISHED
  TCP    172.16.100.100:139     0.0.0.0:0              LISTENING
  TCP    192.168.2.233:139      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:69             *:*
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:4500           *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1900         *:*
  UDP    127.0.0.1:8402         *:*
  UDP    172.16.100.100:123     *:*
  UDP    172.16.100.100:137     *:*
  UDP    172.16.100.100:138     *:*
  UDP    172.16.100.100:1900    *:*
  UDP    192.168.2.233:123      *:*
  UDP    192.168.2.233:137      *:*
  UDP    192.168.2.233:138      *:*
  UDP    192.168.2.233:1900     *:*
Question by:B1izzard
Expert Comment

by:bgoering
ID: 35459365
I would try running Wireshark (or a network monitor of your choice) on the laptop and see if some other (unknown) process might be opening up connections on port 80.
Author Comment

by:B1izzard
ID: 35460090
So it is possible the connection can be so brief that it doesn't even show in netstat?
Accepted Solution

by:bgoering (earned 2000 total points)
ID: 35460239
Absolutely; netstat is a snapshot of a point in time when the command is run and will refresh (by default) every second. A connection could easily be initiated during that time period that you would never see in netstat. To be sure, doing a Wireshark capture of the traffic would be (in my opinion) the easiest way to see all the details about what the traffic is, where it is going, etc.

Alternatively, you could look into some ASA logging to syslog, but you would need a syslog server to collect the information, and I am not sure what the level of detail would be as compared to Wireshark. See http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml to get started on ASA syslog.
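The two "sh access-list" snapshots in the question were compared by eye; the following added example (not from the thread or from Cisco) parses that output format and reports which ACEs grew between two snapshots, keying on the per-ACE hash so the comparison survives line renumbering. The sample text is constructed from the question's own output.

```python
import re
from collections import OrderedDict

# Constructed sample: the two "sh access-list inside_access_in" snapshots
# quoted in the question (the www line rose from hitcnt=334 to 340).
SNAPSHOT_1 = """\
access-list inside_access_in; 4 elements
access-list inside_access_in line 1 extended permit udp any any eq domain (hitcnt=10) 0xcf394c76
access-list inside_access_in line 2 extended permit tcp any any eq www (hitcnt=334) 0x386bad81
access-list inside_access_in line 3 extended permit tcp any any eq https (hitcnt=0) 0x6908ba56
access-list inside_access_in line 4 extended deny ip any any (hitcnt=0) 0xbe9efe96
"""
SNAPSHOT_2 = SNAPSHOT_1.replace("hitcnt=334", "hitcnt=340")

# One ACE line of "show access-list" output; the trailing hex value is the
# ACE hash the ASA prints, which is stable even if line numbers shift.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<rest>.+?) \(hitcnt=(?P<hits>\d+)\) "
    r"(?P<hash>0x[0-9a-f]+)\s*$"
)


def parse_access_list(text):
    """Map each ACE hash to (line number, rule text, hitcnt)."""
    aces = OrderedDict()
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # skips the "access-list X; N elements" header
        aces[m["hash"]] = (int(m["line"]), f"{m['action']} {m['rest']}", int(m["hits"]))
    return aces


def hitcnt_delta(before, after):
    """Return [(line, rule, delta)] for ACEs whose counter grew between snapshots."""
    old, new = parse_access_list(before), parse_access_list(after)
    grew = []
    for h, (line, rule, hits_after) in new.items():
        hits_before = old.get(h, (None, None, 0))[2]  # unseen ACE counts from 0
        if hits_after > hits_before:
            grew.append((line, rule, hits_after - hits_before))
    return grew


if __name__ == "__main__":
    for line, rule, d in hitcnt_delta(SNAPSHOT_1, SNAPSHOT_2):
        print(f"line {line}: +{d} hits  ({rule})")
```

Run it against snapshots taken a few seconds apart; an ACE that keeps growing while netstat shows nothing is the cue to capture with Wireshark, as the accepted answer suggests.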
Author Closing Comment

by:B1izzard
ID: 35722846
Thanks.