Jump to content
MSFN is made available via donations, subscriptions and advertising revenue. The use of ad-blocking software hurts the site. Please disable ad-blocking software or set an exception for MSFN. ×

Reading packets...


kingsc
 Share

Recommended Posts

So interesting thing..... I was wiresharking my network to try to capture some particular data when I noticed something very strange...

There's UDP broadcasts coming from only one laptop, I know this because of the 255.255.255.255 destination used, however I'm very new to the networking world and to Wireshark.

So.. the source is always the same, which is the IP address of the laptop (Which happens to be our COO's, lol), except the port changes, whatever's happening it seems to increment the port by 1 on each broadcast. In the "info" section of wireshark, the destination port is always the same, 34447. The source port however, changes to wierd things like "myblast", "minilock", "ibm-mgr", etc.

I remotely connected to his registry and checked some very basic general stuff, and checked his system32 folder for any newly modified or obviously bogus files. Came up with nada.

Is this traffic normal? His laptop is the only one doing it. How can I get to the root of this?

Link to comment
Share on other sites


Those Broadcasts will never leave your network, so your safe in that respect, however this is not normal behaviour. I would run a full virus scan, spyware scan and rootkit scan.

Starting with rootkit revealer since anything potentially malicious should have been picked up by your AV and shouldnt have made it as far as the NIC.

See what that comes up with and let us know

Cheers

Link to comment
Share on other sites

Those Broadcasts will never leave your network, so your safe in that respect, however this is not normal behaviour. I would run a full virus scan, spyware scan and rootkit scan.

Starting with rootkit revealer since anything potentially malicious should have been picked up by your AV and shouldnt have made it as far as the NIC.

See what that comes up with and let us know

Cheers

Hmmmm, I'll have to get with the Sr. Sys Admin and figure out the best way about getting that done politely lol. I'll update what we find.

Honestly, there's been several occasions where Trend Micro OfficeScan doesn't pick up something, I've gotten tired of sending them samples(aka doing their job for them).

---BUT----

It may not even be installed on this laptop; it's his personal(Don't blast me, I already know what a bad idea that is.. :) ).

Link to comment
Share on other sites

There's UDP broadcasts ... the destination port is always the same, 34447.

That's the most important info. What servers are listening on port 34447? The laptop is probably trying to find a printer or something. If the destination port was incrementing, it would likely be a scanner. 34447 is a non standard port so it's probably not malware trying to infect other pcs.

Link to comment
Share on other sites

There's UDP broadcasts ... the destination port is always the same, 34447.

That's the most important info. What servers are listening on port 34447? The laptop is probably trying to find a printer or something. If the destination port was incrementing, it would likely be a scanner. 34447 is a non standard port so it's probably not malware trying to infect other pcs.

Oh yeah I definitely know it's not trying to infect other PCs; I've seen what that looks like in action with the Mario Forever virus *sigh*.

So to recap...

The source port increments by 1... so this wouldn't be a port scanner right? Wouldn't it be a port scanner if the destination port was incrementing?

As for it trying to find a printer... maybe but.... this is what I don't get...

*UPDATE*

Just had a talk with my system admin and have a much better understanding.

So something is trying to contact anything that will speak with it on port 34447. THe wierd names are just related to the port table in wireshark, and since it's incrementing by 1, thats why the name changes; I can label the port numbers whatever I want. I didn't know this; I thought it was something that was being read in the packet.

I don't think it's looking for a printer as it's a non-standard port and maybe because it's using UDP broadcasts which is fire-and-forget, but then again I'm not sure what normal activity looks like. We have a print server and I think I would see the destination as the IP address of that print server instead of these broadcasts, but, as said earlier, I'm no networking expert. :)

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.


×
×
  • Create New...