I've got an Exchange box sending UDP packets on random high ports whose origin (at an application level) I cannot identify. I ran snort overnight and found that these packets are being sent to almost every machine in the domain. The only thing that alerted me was the syslog entries from the firewall, as one address that is being attempted is an unknown private address.

What I'd like to know is if there are any tricks to identifying what process is sending these packets on a box, other than via known ports?

Also, if anyone recognises this type of packet....

09/25-17:41:29.980145 s.s.s.s:3929 -> d.d.d.d:1070
UDP TTL:128 TOS:0x0 ID:12153 IpLen:20 DgmLen:36
Len: 16
D8 26 6C 01 00 00 00 00 .&l.....

I'd love to know.

Cheers
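Added example, not part of the original post: a small Python parser for the snort text-mode UDP record quoted above. It extracts the endpoints and payload bytes, cross-checks the IpLen/DgmLen/Len fields against each other and against the dumped bytes, and derives a payload-prefix key so records like this can be grouped across a capture before matching them against per-host socket listings. The sample record is re-typed from the post with its own s.s.s.s / d.d.d.d address placeholders.

```python
import re

# Constructed copy of the snort record from the post; s.s.s.s / d.d.d.d are
# the post's own address placeholders, not real hosts.
SAMPLE_RECORD = """\
09/25-17:41:29.980145 s.s.s.s:3929 -> d.d.d.d:1070
UDP TTL:128 TOS:0x0 ID:12153 IpLen:20 DgmLen:36
Len: 16
D8 26 6C 01 00 00 00 00 .&l.....
"""

HEADER_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
IP_RE = re.compile(r"^UDP TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)$")
LEN_RE = re.compile(r"^Len: (\d+)$")
HEX_OCTET = re.compile(r"^[0-9A-Fa-f]{2}$")
UDP_HEADER_LEN = 8


def parse_snort_udp(record: str) -> dict:
    """Parse one snort text-mode UDP record (header, IP line, Len line, hex dump)."""
    lines = [ln.strip() for ln in record.strip().splitlines()]
    if len(lines) < 3:
        raise ValueError("record too short")
    hdr, ip, udp = HEADER_RE.match(lines[0]), IP_RE.match(lines[1]), LEN_RE.match(lines[2])
    if not (hdr and ip and udp):
        raise ValueError("unrecognised snort record layout")
    payload = bytearray()
    for line in lines[3:]:
        # Each dump line is up to 16 hex octets followed by an ASCII column.
        # Stop at the first token that is not a two-digit hex octet so the
        # ASCII column (which may itself look hex-like) is never consumed.
        for tok in line.split()[:16]:
            if not HEX_OCTET.match(tok):
                break
            payload.append(int(tok, 16))
    ip_len, dgm_len, udp_len = int(ip.group(4)), int(ip.group(5)), int(udp.group(1))
    # The IP datagram must be its header plus the UDP segment, and the UDP
    # length must be the 8-byte UDP header plus the bytes actually dumped.
    if ip_len + udp_len != dgm_len or udp_len != UDP_HEADER_LEN + len(payload):
        raise ValueError(f"length fields disagree: IpLen={ip_len} DgmLen={dgm_len} "
                         f"Len={udp_len} payload={len(payload)}")
    return {
        "timestamp": hdr.group(1),
        "src": hdr.group(2), "sport": int(hdr.group(3)),
        "dst": hdr.group(4), "dport": int(hdr.group(5)),
        "ttl": int(ip.group(1)), "ip_id": int(ip.group(3)),
        "udp_len": udp_len, "payload": bytes(payload),
    }


def payload_signature(rec: dict, prefix_len: int = 4) -> str:
    """Hex of the first payload bytes, usable as a grouping key across a capture."""
    return rec["payload"][:prefix_len].hex()
```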