bnewton
asked on
Packet to 1.0.0.1:1823 ??
Hi, on my firewall logs I see this particular server is generating this packet every 3-4 minutes. How can I find out what process is generating the packet and what it is?
C:\>NETSTAT
Active Connections
  Proto  Local Address    Foreign Address   State
  TCP    ntserver:3673    1.0.0.1:1823      SYN_SENT
Note that I have never used subnet 1.0.0.1 and can't find port 1823 referenced on any of the 'well known port' lists.
Port 1823 is registered to Unisys License Manager. It sounds like an unconfigured application on your server is sending the packet.
try running fport on the suspect host...it will tell you what programs are bound to what ports...
http://www.foundstone.com/rdlabs/tools.php?category=Forensic
if the attempted connection is at (what appears to be) the upper port range, you may have to poll at periodic intervals to trap the application.
if it's static from the source port, then it should pull up on the first run.
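The periodic polling suggested in the answer above, as an added example that is not part of the original thread: it parses `netstat -ano` output for a SYN_SENT row to the logged destination and resolves the owning PID with `tasklist`. It assumes a Windows version whose netstat supports the `-o` (owning PID) switch; the function names and the sample rows are constructed for illustration.

```python
import re
import subprocess
import time

# One row of `netstat -ano`: proto, local addr, remote addr, state, owning PID.
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def find_owners(netstat_text, remote, state="SYN_SENT"):
    """Return sorted (pid, local_endpoint) pairs for TCP rows to `remote` in `state`."""
    hits = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and m.group(2) == remote and m.group(3) == state:
            hits.add((int(m.group(4)), m.group(1)))
    return sorted(hits)

def image_name(pid):
    """Resolve a PID to its image name with tasklist (Windows only)."""
    out = subprocess.run(["tasklist", "/FI", f"PID eq {pid}", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True).stdout
    first = out.strip().splitlines()[0] if out.strip() else ""
    # tasklist prints an INFO line instead of a CSV row when the PID has exited.
    return first.split(",")[0].strip('"') if first.startswith('"') else "unknown"

def watch(remote, interval=1.0, rounds=600):
    """Poll netstat until a connection attempt to `remote` appears; report its owner."""
    for _ in range(rounds):
        text = subprocess.run(["netstat", "-ano", "-p", "TCP"],
                              capture_output=True, text=True).stdout
        for pid, local in find_owners(text, remote):
            return pid, local, image_name(pid)
        time.sleep(interval)
    return None

# Constructed sample in `netstat -ano` layout (addresses and PIDs are made up).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    10.0.0.5:3673          1.0.0.1:1823           SYN_SENT        2212
  TCP    10.0.0.5:3389          10.0.0.9:50122         ESTABLISHED     1180
"""

if __name__ == "__main__":
    print(watch("1.0.0.1:1823"))
```

With the defaults the loop samples once a second for ten minutes, which covers the 3-4 minute interval between attempts described in the question.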
ASKER
It appears to have been something to do with Backup Exec 8.6. I found this by going through the services one by one, stopping them. Thanks for the pointer to fport, Droby10.
Thanks.. Bill