I have been noticing a behavior on my firewall logs which I have been unable to deduce the source of. For a while now I have been getting requests on port 80 which I was unable to figure out the source of. I allowed forwarding of port 80 and used netcat to grab samples of the data and descovered that it is in fact gnutella clients connecting. I have seen Limewire, Limewire (Aquisition) and Gtk-gnutella attempt to connect to that port, however, I was unable to find out the reason why.

It appears to be a standard file request. I was unable to find any reference in any of the developer files as to why this occures on port 80 as opposed to the regular gnutella port my servlet is running on (gtk-gnutella on the default port). Here is a sample header (in case I missed something):

theirhost.theirisp.net [xxx.xxx.xxx.xxx] 64834
GET /uri-res/N2R?urn:sha1:ARGZ6CDDJZBMMOIY4O7UJXGFRDOCB3NA HTTP/1.1
HOST: <my_ip>:80
User-Agent: LimeWire(Acquisition)/103.4
X-Queue: 0.1
X-Gnutella-Content-URN: urn:sha1:ARGZ6CDDJZBMMOIY4O7UJXGFRDOCB3NA
X-Alt: xxx.xxx.xxx.xxx:39731, xxx.xxx.xxx.xxx:26618, xxx.xxx.xxx.xxx
Range: bytes=260116666-260216675

(oh, and just to clarify, my firewall already forwards the port my gnutella server is running on)

Anyway, does anyone have any insight into why these requests are coming in on port 80? It is a very small percentage of requests, but it does make my log pattern matching go insane

Thanks for any help you can give

Kris