-
September 26th, 2002, 12:25 AM
#1
Junior Member
Identifying the origin of communications
I've got an Exchange box sending UDP packets on random high ports that I cannot identify the origin (at an application level) of. I ran snort overnight and found that these packets are being sent to almost every machine in the domain. The only thing that alerted me was the syslog entries from the firewall, as one address that is being attempted is an unknown private address.
What I'd like to know is if there are any tricks to identifying what process is sending these packets on a box, other than via known ports?
Also, if anyone recognises this type of packet....
09/25-17:41:29.980145 s.s.s.s:3929 -> d.d.d.d:1070
UDP TTL:128 TOS:0x0 ID:12153 IpLen:20 DgmLen:36
Len: 16
D8 26 6C 01 00 00 00 00 .&l.....
I'd love to know.
Cheers
viapek
....attempting constantly to find a place where learning is no longer necessary
-
September 26th, 2002, 06:15 AM
#2
It looks like this is somewhat normal behavior; the UDP transmissions are sent in order to notify Outlook clients of a change in the mailbox. As to why it might try to send a packet to what you call an unknown private address, without knowing how your addressing is set up, or what the unknown private address is, I can't help.
Here is some info from Microsoft about the UDP stuff...
http://support.microsoft.com/default...;en-us;Q159302
-
September 26th, 2002, 06:50 AM
#3
Junior Member
That could be something to do with it... it does seem strange though, as this has been happening for over a week, across reboots.
If it was the "gone" Outlook client, I think they would have timed out by then. Also, the address is part of our private addressing structure but is not, and has never been, in use.
The ports that it uses are semi-random, e.g. a variety of src and dest ports, with no visible pattern.
Back to the first question though, any tricks on identifying the processes that are initiating connections, or otherwise in UDP's case?
viapek
....attempting constantly to find a place where learning is no longer necessary
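The "no visible pattern" question above can be settled from the snort capture itself rather than by eye. The script below is an added example, not something posted in this thread: it parses records in the snort -v -d format quoted in the first post, then reports per source host which source ports, destination hosts, destination ports and payloads occur, and which destinations are not in an inventory of addresses known to be in use (the check the firewall syslog did for the poster). The log sample is constructed: the 8-byte payload is the one quoted above, but the 10.1.x.x addresses, timestamps and the known-host set are placeholders. A fixed source port across many packets usually means a long-lived bound socket, which netstat can show; all-ephemeral source ports suggest send-and-close sockets that are harder to catch.

```python
import re
from collections import Counter, defaultdict

# Header of a snort -v -d record, e.g. 09/25-17:41:29.980145 10.1.0.5:3929 -> 10.1.0.21:1070
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Leading run of upper-case hex byte pairs on a payload dump line. The ASCII column
# that follows is ignored; it is assumed not to start with something that looks like hex.
HEX_RE = re.compile(r"^((?:[0-9A-F]{2} ?)+)")

# Constructed sample (not the poster's capture): same 8-byte payload as quoted in the
# thread, three destinations, two source ports. Addresses are RFC1918 placeholders.
SAMPLE_LOG = """\
09/25-17:41:29.980145 10.1.0.5:3929 -> 10.1.0.21:1070
UDP TTL:128 TOS:0x0 ID:12153 IpLen:20 DgmLen:36
Len: 16
D8 26 6C 01 00 00 00 00  .&l.....

09/25-17:41:30.112034 10.1.0.5:3929 -> 10.1.0.22:1080
UDP TTL:128 TOS:0x0 ID:12154 IpLen:20 DgmLen:36
Len: 16
D8 26 6C 01 00 00 00 00  .&l.....

09/25-17:41:30.455901 10.1.0.5:4011 -> 10.1.9.250:1033
UDP TTL:128 TOS:0x0 ID:12155 IpLen:20 DgmLen:36
Len: 16
D8 26 6C 01 00 00 00 00  .&l.....
"""


def parse_snort_log(text):
    """Parse snort -v -d records into dicts.

    'Len: 16' is the UDP length: 8 bytes of UDP header plus the 8 payload bytes dumped
    on the hex line (DgmLen 36 - IpLen 20 = 16)."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            cur = {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
                   "dst": m["dst"], "dport": int(m["dport"]),
                   "proto": None, "payload": b""}
            records.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith(("UDP ", "TCP ", "ICMP ")):
            cur["proto"] = line.split()[0]
        elif not line.startswith("Len:"):
            hm = HEX_RE.match(line)
            if hm:
                cur["payload"] += bytes.fromhex(hm.group(1).replace(" ", ""))
    return records


def summarize_by_source(records):
    """Per source host: packet count, distinct source ports, destinations,
    destination ports and a histogram of distinct payloads."""
    out = defaultdict(lambda: {"packets": 0, "sports": set(), "dsts": set(),
                               "dports": set(), "payloads": Counter()})
    for r in records:
        s = out[r["src"]]
        s["packets"] += 1
        s["sports"].add(r["sport"])
        s["dsts"].add(r["dst"])
        s["dports"].add(r["dport"])
        s["payloads"][r["payload"]] += 1
    return dict(out)


def unexpected_destinations(records, known_hosts):
    """Destinations not in the inventory of addresses known to be in use."""
    return {r["dst"] for r in records if r["dst"] not in known_hosts}


if __name__ == "__main__":
    recs = parse_snort_log(SAMPLE_LOG)
    for src, s in summarize_by_source(recs).items():
        print(src, s["packets"], "pkts; src ports", sorted(s["sports"]),
              "; dst ports", sorted(s["dports"]),
              ";", len(s["payloads"]), "distinct payload(s)")
    # Known-host set is a placeholder; feed it your own address inventory.
    print("unknown destinations:",
          unexpected_destinations(recs, {"10.1.0.21", "10.1.0.22"}))
```

Run it against a real file with `parse_snort_log(open("snort.log").read())`. The payload histogram is the useful part: one identical payload to many hosts points at a single notifying process, whereas many distinct payloads on random ports looks more like a scanner.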
-
September 26th, 2002, 03:38 PM
#4
Senior Member
If you really have no idea what service it is, then eliminate services piece by piece until you find the one sending out the packets. It's a vague, might/might not work solution, but it's the only one I could come up with, sorry.
MS products (especially ones that use WINS) that are on a domain can be extremely noisy. They love to broadcast, and most of those broadcasts are UDP. I'd look into Exchange being the source.
-
September 26th, 2002, 03:46 PM
#5
FPORT: found here
Tie an application to the port it is listening on.
This will at least tell you what the origin is.
You can also netstat -an at the command prompt and see listening connections (no apps though).
Maybe even a 'net view' from your command prompt...
let us know the results (and sanitize them).
nebulus
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
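Worked example of the netstat/FPORT idea above, added here and not part of the thread. On Windows XP / Server 2003 and later, `netstat -ano` prints the owning PID for each bound endpoint (the `netstat -an` of the era did not, which is why FPORT existed), and `tasklist /fo csv` maps PIDs to image names. The script parses constructed copies of both outputs and answers, for each source port seen in the sniffer, which process held that UDP socket. Addresses, PIDs and the image name exchange-svc.exe are placeholders, not anything from the poster's box.

```python
import csv
import io
import re

# One line of `netstat -ano` output: Proto, Local Address, Foreign Address, [State], PID.
# UDP rows carry no State column; IPv6 literals such as [::]:500 work because the
# greedy \S+ backtracks to the last ':' before the port.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

# Constructed `netstat -ano -p udp` output; PIDs are placeholders.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:445            *:*                                    4
  UDP    10.1.0.5:3929          *:*                                    1788
  UDP    10.1.0.5:4011          *:*                                    1788
  UDP    [::]:500               *:*                                    912
"""

# Constructed `tasklist /fo csv` output; exchange-svc.exe is a placeholder image name.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"lsass.exe","912","Console","0","5,120 K"
"exchange-svc.exe","1788","Console","0","120,452 K"
"""


def parse_netstat_ano(text):
    """Return {(proto, local_port): pid} for every bound endpoint in `netstat -ano` output.

    Keyed on port only, so a port bound on both 0.0.0.0 and [::] keeps the last row seen."""
    owners = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            owners[(m["proto"], int(m["lport"]))] = int(m["pid"])
    return owners


def parse_tasklist_csv(text):
    """Return {pid: image name} from `tasklist /fo csv` output."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(text))}


def udp_port_owners(netstat_text, tasklist_text, ports):
    """For each sniffed source port, the (pid, image) holding that UDP socket, or None.

    None means nothing was bound to that port when netstat ran. A sender that opens an
    ephemeral socket, sends and closes will never appear in a single snapshot, so take
    several snapshots while the sniffer is running, or fall back to disabling services
    one at a time as suggested earlier in the thread."""
    bound = parse_netstat_ano(netstat_text)
    images = parse_tasklist_csv(tasklist_text)
    result = {}
    for port in ports:
        pid = bound.get(("UDP", port))
        result[port] = None if pid is None else (pid, images.get(pid, "<unknown>"))
    return result


if __name__ == "__main__":
    # Ports 3929 and 4011 stand in for source ports taken from the snort output;
    # 5000 shows the unbound case.
    for port, owner in udp_port_owners(SAMPLE_NETSTAT, SAMPLE_TASKLIST,
                                       [3929, 4011, 5000]).items():
        print(port, owner)
```

On a live box, capture both inputs at the same moment (`netstat -ano -p udp > ns.txt` and `tasklist /fo csv > tl.txt`) and pass the file contents in; the PID join is only meaningful for a snapshot taken while the socket is open.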