strange UDP packet bursts

Satcom Member Posts: 110
Arrghh.. so I installed Wireshark just so I could look at the network traffic on my computer... I closed all my layer 7 programs and I keep seeing strange UDP packets from time to time in a burst... I did a tracert to find out where these packets are coming from. Maybe you guys have a better eye or can tell me wtf this is..
[screenshot: strangeudppackets.jpg]

Comments

  • tiersten Member Posts: 4,505
    Some sort of P2P like BitTorrent?
  • Satcom Member Posts: 110
    tiersten wrote: »
    Some sort of P2P like BitTorrent?
    I closed P2P BitTorrent... I don't have any active downloads or uploads. I started up my torrent program, and that traffic shows up as TCP rather than UDP.

    I'm starting to think it's BitTorrent DNA. I don't even know what this is.. or my machine is a zombie.
  • tiersten Member Posts: 4,505
    You rebooted?
  • Satcom Member Posts: 110
    tiersten wrote: »
    You rebooted?
    Yes....
    I'm thinking it's some kind of stupid update software from Adobe or something...

    One of the destination ports showed up as "houston".
  • tiersten Member Posts: 4,505
    Looks like random ports to me.
  • Forsaken_GA Member Posts: 4,024
    That looks like some form of P2P app. Doing reverse lookups on some of those IPs returns a hostname that indicates it comes from a dynamic pool, which means it's probably an ISP, so you're directly connecting to another user. The random nature of the ports looks like BitTorrent.

    It's possible it may be something updating in the background. Blizzard has been using Bittorrent to distribute patches for World of Warcraft for years.

    It's also possible that your machine is part of a botnet.

    Up to you to find out!
  • mikej412 Member Posts: 10,086
    If you have DSL, did you reboot that too and get a different IP address and get rid of any old connections based on outdated information about your p2p status?

    If you have a cable modem, you may be stuck with your old IP and a bunch of old connections for a while until the rest of the world learns you aren't running any p2p software anymore.
  • Satcom Member Posts: 110
    tiersten wrote: »
    Looks like random ports to me.
    63800 seems like a popular port for whatever is sending these packets.
  • tiersten Member Posts: 4,505
    Satcom wrote: »
    63800 seems like a popular port for whatever is sending these packets.
    Yes but it isn't a well known port. It could be anything on there.
  • dynamik Banned Posts: 12,312
    Is your machine behind a router/firewall or directly connected to the internet?

    Did you just [x] your normal programs or did you go into Task Manager and start closing processes as well?

    Can you see what's in the payload of packets?
  • tiersten Member Posts: 4,505
    Still looks like some sort of P2P app. You've got connections to home nodes in Lithuania, Canada, Moldova, Brazil, France, Norway and Italy
  • tiersten Member Posts: 4,505
    Satcom wrote: »
    I closed P2P BitTorrent... I don't have any active downloads or uploads. I started up my torrent program, and that traffic shows up as TCP rather than UDP.
    BitTorrent can be UDP as well as TCP.
  • Satcom Member Posts: 110
    dynamik wrote: »
    Is your machine behind a router/firewall or directly connected to the internet?

    Did you just [x] your normal programs or did you go into Task Manager and start closing processes as well?

    Can you see what's in the payload of packets?

    I am behind two routers until the big cloud: a D-Link gaming router, then a FiOS router/modem.

    My Ubuntu machine doesn't shoot random UDP bursts, and it's on the same subnetwork as the XP machine with the questionable packets.

    My Ubuntu under scrutiny gives me the normal RIPv1 and occasional ARP protocols.. the gaming router doesn't give off STP packets, I guess to minimize congestion.. that's besides the point.

    I did the Ctrl-Alt-Delete and took out processes in XP.. plus I took out the programs.. these UDP packets have to be coming from some kind of TSR program. I just don't know if it's rogue or not.. maybe I'm just being paranoid.

    Argh.. I'm really not worried about it.. I am going to format my XP machine.. it just kinda irks me that I don't know wtf it is...

    Ahhh... back to the ICND1 book.
  • tiersten Member Posts: 4,505
    Run "netstat -ab" and see if anything has a socket open that looks suspicious.
  • Satcom Member Posts: 110
    tiersten wrote: »
    Still looks like some sort of P2P app. You've got connections to home nodes in Lithuania, Canada, Moldova, Brazil, France, Norway and Italy
    If that's the case then it has to be a TSR from BitTorrent... my torrent program is closed and is not active.

    The traffic just bursts.. maybe it's updating trackers.. not like a constant UL/DL stream.

    I have the torrent program closed, but maybe it's this BitTorrent DNA.

    It doesn't constantly xmit... just once in a while a burst.. like it's updating a tracker.

    I think you may have pinpointed what it is... and based on the countries listed that's what it sounds like... BTW thanks for finding out what countries those IPs went to.. for some reason my tracert won't work.. I think my router may be blocking that. I'm too lazy to hook up to the next router and tracert....
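Two things came up above that a capture can settle without guesswork: whether the local side of these packets really sticks to one port (63800) while only the remote ports look random, and how the traffic clusters into bursts with quiet gaps. The following Python is an added example, not code from this thread or from any of the tools mentioned in it. It reads a packet summary in the tab-separated shape that `tshark -r capture.pcap -Y udp -T fields -e frame.time_relative -e ip.src -e ip.dst -e udp.srcport -e udp.dstport` prints, splits the packets into bursts, ranks the local ports, and applies the reverse-DNS heuristic Forsaken_GA used (a PTR name containing dynamic-pool tokens). The capture lines, the local address and the PTR names are constructed for the example (documentation address ranges), not the hosts from the screenshot.

```python
"""Added example, not from the original thread: sort UDP packets from a
tshark field summary into bursts, rank the local-side ports, and flag
peers whose PTR name looks like an ISP dynamic pool. All sample data
below is constructed; addresses are RFC 5737 documentation ranges.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

LOCAL_IP = "192.168.0.10"  # assumed address of the XP machine

# Constructed tshark output: time, ip.src, ip.dst, udp.srcport, udp.dstport
SAMPLE_CAPTURE = """\
0.000000\t192.168.0.10\t203.0.113.7\t63800\t41237
0.004100\t192.168.0.10\t198.51.100.22\t63800\t6881
0.007900\t192.168.0.10\t203.0.113.99\t63800\t52010
0.011300\t198.51.100.22\t192.168.0.10\t6881\t63800
0.015000\t192.168.0.10\t203.0.113.41\t63800\t27555
31.002000\t192.168.0.10\t203.0.113.7\t63800\t41237
31.006500\t192.168.0.10\t198.51.100.22\t63800\t6881
31.009000\t203.0.113.7\t192.168.0.10\t41237\t63800
65.400000\t192.168.0.10\t203.0.113.5\t63800\t19000
"""

# Constructed stand-in for `host <ip>` answers so the example runs offline.
SAMPLE_RDNS: Dict[str, str] = {
    "203.0.113.7": "host-203-0-113-7.dynamic.example-isp.net",
    "198.51.100.22": "pool-198-51-100-22.dsl.example-telecom.org",
    "203.0.113.99": "cable-203-0-113-99.example-cable.net",
    "203.0.113.41": "tracker.example-files.net",
    "203.0.113.5": "",  # no PTR record
}

# Tokens ISPs commonly put in PTR names for residential ranges.
# Heuristic only: a hit is a hint, a miss proves nothing.
DYNAMIC_POOL_RE = re.compile(r"(dyn|dhcp|pool|ppp|cable|dsl|fios)", re.IGNORECASE)


@dataclass
class UdpPacket:
    t: float
    src: str
    dst: str
    sport: int
    dport: int


def parse_capture(text: str) -> List[UdpPacket]:
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, sport, dport = line.split("\t")
        packets.append(UdpPacket(float(t), src, dst, int(sport), int(dport)))
    return packets


def find_bursts(packets: List[UdpPacket], gap: float = 1.0) -> List[List[UdpPacket]]:
    """Consecutive packets less than `gap` seconds apart form one burst."""
    bursts: List[List[UdpPacket]] = []
    current: List[UdpPacket] = []
    for p in sorted(packets, key=lambda pkt: pkt.t):
        if current and p.t - current[-1].t > gap:
            bursts.append(current)
            current = []
        current.append(p)
    if current:
        bursts.append(current)
    return bursts


def local_port_counts(packets: List[UdpPacket], local_ip: str) -> Counter:
    """Count the local-side port of each packet regardless of direction.
    One dominant port means one process bound to a fixed socket, even when
    the remote ports look random."""
    counts: Counter = Counter()
    for p in packets:
        if p.src == local_ip:
            counts[p.sport] += 1
        elif p.dst == local_ip:
            counts[p.dport] += 1
    return counts


def looks_like_dynamic_pool(ptr_name: str) -> bool:
    return bool(ptr_name) and DYNAMIC_POOL_RE.search(ptr_name) is not None


def summarize(text: str, local_ip: str, rdns: Dict[str, str], gap: float = 1.0) -> dict:
    packets = parse_capture(text)
    bursts = find_bursts(packets, gap)
    port, n = local_port_counts(packets, local_ip).most_common(1)[0]
    peers = sorted({p.dst if p.src == local_ip else p.src for p in packets})
    return {
        "packets": len(packets),
        "bursts": [round(b[0].t, 3) for b in bursts],  # start time of each burst
        "dominant_local_port": port,
        "dominant_share": n / len(packets),
        "peers": peers,
        "dynamic_pool_peers": [ip for ip in peers if looks_like_dynamic_pool(rdns.get(ip, ""))],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CAPTURE, LOCAL_IP, SAMPLE_RDNS).items():
        print(f"{key}: {value}")
```

On the constructed sample the local side uses 63800 in every packet while the remote ports vary, which is the pattern a single peer-to-peer process bound to one socket produces; the three burst start times roughly 30 seconds apart fit a periodic announce rather than a transfer. A `gap` of a second is tuned for this sample; on a real capture pick it from the inter-packet spacing you actually see.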
  • Satcom Member Posts: 110
    Sorry to waste your guys' brainpower; you guys have more knowledge on this stuff than me.. I am learning a lot btw tho!
    Looked at the iTunes helper.. mDNSResponder.. and AppleMobileDevices.
    You guys have more of a trained eye than me; I have no idea what I'm looking at.. but I am learning.. THX!
    I'm going to google mDNSResponder. I have never heard of that.
    Ha, I gotta turn my firewall back on.. you guys are going to hax my machine :)
    This is the output for the netstat -ab command:

    Active Connections

    Proto Local Address Foreign Address State PID
    TCP w:epmap w:0 LISTENING 1172
    c:\windows\system32\WS2_32.dll
    C:\WINDOWS\system32\RPCRT4.dll
    c:\windows\system32\rpcss.dll
    C:\WINDOWS\system32\svchost.exe
    -- unknown component(s) --
    [svchost.exe]

    TCP w:microsoft-ds w:0 LISTENING 4
    [System]

    TCP w:1034 w:0 LISTENING 996
    [alg.exe]

    TCP w:5152 w:0 LISTENING 1228
    [jqs.exe]

    TCP w:5354 w:0 LISTENING 796
    [mDNSResponder.exe]

    TCP w:27015 w:0 LISTENING 784
    [AppleMobileDeviceService.exe]

    TCP w:netbios-ssn w:0 LISTENING 4
    [System]

    TCP w:1032 localhost:27015 ESTABLISHED 2856
    [iTunesHelper.exe]

    TCP w:27015 localhost:1032 ESTABLISHED 784
    [AppleMobileDeviceService.exe]

    TCP w:5152 localhost:1100 CLOSE_WAIT 1228
    [jqs.exe]

    TCP w:1592 208.48.254.89:http CLOSE_WAIT 1364
    [FrameworkService.exe]

    UDP w:isakmp *:* 948
    [lsass.exe]

    UDP w:microsoft-ds *:* 4
    [System]

    UDP w:4500 *:* 948
    [lsass.exe]

    UDP w:56792 *:* 796
    [mDNSResponder.exe]

    UDP w:1025 *:* 796
    [mDNSResponder.exe]

    UDP w:ntp *:* 1264
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\w32time.dll
    ntdll.dll
    C:\WINDOWS\system32\kernel32.dll
    [svchost.exe]

    UDP w:1900 *:* 1456
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\ssdpsrv.dll
    ntdll.dll
    C:\WINDOWS\system32\kernel32.dll
    [svchost.exe]

    UDP w:2032 *:* 1264
    c:\windows\system32\WS2_32.dll
    C:\WINDOWS\system32\WLDAP32.dll
    C:\WINDOWS\System32\winrnr.dll
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\w32time.dll
    -- unknown component(s) --
    [svchost.exe]

    UDP w:netbios-dgm *:* 4
    [System]

    UDP w:1900 *:* 1456
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\ssdpsrv.dll
    ntdll.dll
    C:\WINDOWS\system32\kernel32.dll
    [svchost.exe]

    UDP w:netbios-ns *:* 4
    [System]

    UDP w:5353 *:* 796
    [mDNSResponder.exe]

    UDP w:ntp *:* 1264
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\w32time.dll
    ntdll.dll
    C:\WINDOWS\system32\kernel32.dll
    [svchost.exe]
  • Forsaken_GA Member Posts: 4,024
    If I remember right, mDNSResponder is part of Zeroconf, so no surprise to see that running.
  • dynamik Banned Posts: 12,312
    You might want to run Hijack This and see if you notice anything out of the ordinary. You can paste the results into this form if you need help analyzing the results: HiJackThis! Log auto analyzer V2
  • Satcom Member Posts: 110
    dynamik wrote: »
    You might want to run Hijack This and see if you notice anything out of the ordinary. You can paste the results into this form if you need help analyzing the results: HiJackThis! Log auto analyzer V2
    Funny thing is I posted the results.. and whatever comes in red needs to be deleted immediately.. like the AIM and AOL software was the only thing that came up in red.

    I deleted the BitTorrent DNA and I haven't seen a UDP packet since.. I think that was the problem. I deleted a crapload of programs I wasn't using anymore...

    I guess case closed.
  • RobertKaucher Member Posts: 4,299
    netstat -aon will tell you the process number that is listening on any ports. Then use tasklist | find "1234", where 1234 is the process in question, to display its friendly name. Just for your personal KB.
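The netstat -ab listing earlier in the thread and the netstat -aon / tasklist pairing just described are the same correlation: a local port, the PID that owns it, and the image name behind that PID. Here it is scripted in Python as an added example (not code from this thread, and not output from the poster's machine): it parses `netstat -aon` and `tasklist` text in the Windows XP column layout and answers "which program owns UDP port 63800?" directly. Both command outputs are constructed for the example; the PIDs, the process name `unknownp2p.exe` and its ownership of 63800 are assumptions, not something the thread established. On the box itself the one-liner equivalent is `netstat -aon | findstr 63800` followed by `tasklist | find "3120"` with the PID you got back.

```python
"""Added example, not from the original thread: join the PID column of
`netstat -aon` with image names from `tasklist` so a socket can be tied
to the program that owns it. SAMPLE_NETSTAT and SAMPLE_TASKLIST are
constructed in the Windows XP output format; the PIDs and the process
shown owning UDP 63800 are invented for the example.
"""
import re
from typing import Dict, List, NamedTuple, Optional

SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1172
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1032         127.0.0.1:27015        ESTABLISHED     2856
  UDP    0.0.0.0:500            *:*                                    948
  UDP    0.0.0.0:5353           *:*                                    796
  UDP    0.0.0.0:63800          *:*                                    3120
  UDP    127.0.0.1:1900         *:*                                    1456
"""

SAMPLE_TASKLIST = """\

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
lsass.exe                      948 Console                    0      1,512 K
mDNSResponder.exe              796 Console                    0      3,104 K
svchost.exe                   1172 Console                    0      4,880 K
svchost.exe                   1456 Console                    0      4,212 K
iTunesHelper.exe              2856 Console                    0      5,232 K
unknownp2p.exe                3120 Console                    0      2,640 K
"""


class Socket(NamedTuple):
    proto: str
    local_addr: str
    local_port: int
    foreign: str
    state: str  # empty for UDP, which netstat prints without a state column
    pid: int


def parse_netstat_aon(text: str) -> List[Socket]:
    """TCP rows have five columns (state present); UDP rows have four."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:
            proto, local, foreign, pid = parts
            state = ""
        addr, port = local.rsplit(":", 1)  # rsplit keeps IPv6 "[::]:port" intact
        sockets.append(Socket(proto, addr, int(port), foreign, state, int(pid)))
    return sockets


# Image names may contain spaces ("System Idle Process"), so anchor on the
# numeric PID, session name, session number and the "N K" memory column.
TASKLIST_RE = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_tasklist(text: str) -> Dict[int, str]:
    pids: Dict[int, str] = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            pids[int(m.group("pid"))] = m.group("name").strip()
    return pids


def owner_of_port(sockets: List[Socket], pids: Dict[int, str],
                  proto: str, port: int) -> Optional[str]:
    """Image name owning the first matching local socket, or None if unbound."""
    for s in sockets:
        if s.proto == proto and s.local_port == port:
            return pids.get(s.pid, f"<pid {s.pid} not in tasklist>")
    return None


def udp_sockets_by_image(sockets: List[Socket], pids: Dict[int, str]) -> Dict[str, List[int]]:
    """UDP local ports grouped by image: compare against the source ports
    Wireshark shows for the bursts."""
    by_image: Dict[str, List[int]] = {}
    for s in sockets:
        if s.proto == "UDP":
            by_image.setdefault(pids.get(s.pid, str(s.pid)), []).append(s.local_port)
    return by_image


if __name__ == "__main__":
    socks = parse_netstat_aon(SAMPLE_NETSTAT)
    names = parse_tasklist(SAMPLE_TASKLIST)
    print("UDP 63800 is owned by", owner_of_port(socks, names, "UDP", 63800))
    for image, ports in sorted(udp_sockets_by_image(socks, names).items()):
        print(f"{image}: {sorted(ports)}")
```

One caveat the thread itself illustrates: a socket can be owned by a shared host like svchost.exe, in which case the image name alone does not tell you which service is responsible; that is why `netstat -ab` prints the DLL chain under the PID, and why a listening port that appears and disappears with bursts is worth capturing at the moment the burst happens rather than afterwards.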
  • wd40 Member Posts: 1,017
    Personally I use Comodo Internet Security (firewall only; it is free) + a Vista gadget called Wired Network Meter.

    These two things will tell you exactly what is going on on your network.
    If the graph on the network meter moves when it shouldn't be moving, just double click Comodo and you will have the details.