Identifying the origin of communications
Results 1 to 5 of 5

Thread: Identifying the origin of communications

  1. #1
    Junior Member
    Join Date
    Jul 2002
    Posts
    5

    Identifying the origin of communications

    I've gto an Exchange box sending UDP packets on random high ports that I cannot identify the origin (at an application level) of. I ran snort over night and found that these packets are being sent to almost every machine in the domain. The only thing that alerted me was the syslog entries from the firewall as one address that is being attempted is an unknown private address.

    What I'd like to know is if there are any tricks to identifying what process is sending these packets on a box, other than via known ports?

    Also, if anyone recognises this type of packet....

    09/25-17:41:29.980145 s.s.s.s:3929 -> d.d.d.d:1070
    UDP TTL:128 TOS:0x0 ID:12153 IpLen:20 DgmLen:36
    Len: 16
    D8 26 6C 01 00 00 00 00 .&l.....

    I'd love to know.

    Cheers
    viapek
    ....attempting constantly to find a place where learning is no longer necessary

  2. #2
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    It looks like this is somewhat normal behavior, the UDP transmissions are sent in order to notify Outlook clients of a change in the mailbox. As to why it might try to send a packet to what you call an unknown private address, without knowing how your addressing is set up, or what the unknown private address is, I cant help.

    Here is some info from microsoft about the udp stuff...

    http://support.microsoft.com/default...;en-us;Q159302

  3. #3
    Junior Member
    Join Date
    Jul 2002
    Posts
    5
    That could be something to do with it... it does seem strange though as this has been happening for over a week, after reboots.

    If it was the "gone" outlook client I think they would have timed out by then. Also the fact that the address is part of our private addressing structure but not, and has never been, in use.

    the ports that it uses are semi-random, e.g. a variety of src and dest ports, and no visible pattern.

    Back to the first question though, any tricks on identifying the processes that are initiating connections, or otherwise in UDP's case?
    viapek
    ....attempting constantly to find a place where learning is no longer necessary

  4. #4
    Senior Member
    Join Date
    Feb 2002
    Posts
    177
    If you really have no idea what service it is, then eliminate services piece by piece until you find the one sending out the packets. Its a vague, might/might not work solution, but its he only one I could come up with, sorry.

    MS products (especially ones that use WINS) that are on a domain, can be extremely noisy. They love to broadcast, and most of those broadcasts are udp. I'd look into Exchange being the source.

  5. #5
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    FPORT: found here
    Tie an application to the port it is listening on.

    This will at least tell you what the origin is.

    You can also netstat -an at the command prompt and see listening connections (no apps though).

    Maybe even a 'net view' from your command prompt...


    let us know the results (and sanitize them).

    nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •