
Packet to 1.0.0.1:1823 ??

Hi, on my firewall logs I see this particular server is generating this packet every 3-4 minutes.  How can I find out what process is generating the packet and what it is?

C:\>NETSTAT

Active Connections

  Proto  Local Address  Foreign Address  State
  TCP    ntserver:3673  1.0.0.1:1823     SYN_SENT

Note that I have never used subnet 1.0.0.1 and can't find port 1823 referenced on any of the 'well known port' lists.
 
geoffryn commented:
Port 1823 is registered to Unisys License Manager.  It sounds like an unconfigured application on your server is sending the packet.
 
scraig84 commented:
Pretty unusual it appears.  So you know, "Well Known" ports are from 0 to 1023.  Registered ports are from 1024 up to somewhere around 49 thousand and change.  1823 is registered as "Unisys Natural Language License Manager" although it is probably unlikely that your traffic is actually Unisys based.  If I were you, I would first try to capture some traffic from that server and see if anything inside the packets destined to this port tells you anything.  I would also go through the services running on that server with a fine-tooth comb and see if anything looks unusual.  During some off-production hours, you could also try shutting off the services one-by-one and seeing if the traffic stops.

Another thing to check that I have seen before a few times is funny ports coming up as a result of file-sharing applications such as Napster, Gnutella, etc.  A user of one of these applications generally has the ability to listen on any port they choose which could cause outbound traffic to strange numbers.  This is probably an unlikely scenario since it is coming from a server, but I thought I'd throw it out there.
 
Droby10 commented:
try running fport on the suspect host...it will tell you what programs are bound to what ports...

http://www.foundstone.com/rdlabs/tools.php?category=Forensic

if the attempted connection is at (what appears to be) the upper port range, you may have to poll at periodic intervals to trap the application.

if it's static from the source port, then it should pull up on the first run.
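As an added example (not code from the thread or from fport), here is the periodic polling Droby10 describes, done with the cmdlets built into current Windows so no third-party tool is needed. The remote endpoint 1.0.0.1:1823 comes from the question; the script assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection) and an elevated prompt so that owning-process paths are readable.

```powershell
# Poll the TCP table for connection attempts to the suspect endpoint and
# record which process (and which Windows services inside it) owns each one.
# Added example: the parameter defaults are taken from the question above.
param(
    [string]$RemoteAddress  = '1.0.0.1',
    [int]   $RemotePort     = 1823,
    [int]   $IntervalSeconds = 2,     # short enough to catch a brief SYN_SENT
    [int]   $DurationMinutes = 10     # the question reports a 3-4 minute cadence
)

$deadline = (Get-Date).AddMinutes($DurationMinutes)
$seen     = @{}   # PID/local-port pairs already reported, to avoid repeats

while ((Get-Date) -lt $deadline) {
    # SYN_SENT in netstat appears as State 'SynSent' here. The cmdlet raises an
    # error when nothing matches, hence SilentlyContinue.
    $conns = Get-NetTCPConnection -RemoteAddress $RemoteAddress `
                                  -RemotePort $RemotePort `
                                  -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $owner = $c.OwningProcess          # $PID is reserved in PowerShell
        $key   = "$owner/$($c.LocalPort)"
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
        # Several services can share one host process (e.g. svchost.exe), so
        # list every service running under this PID, not just the image name.
        $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $owner" |
                Select-Object -ExpandProperty Name

        [pscustomobject]@{
            Time      = Get-Date -Format 's'
            State     = $c.State
            LocalPort = $c.LocalPort
            PID       = $owner
            Process   = $proc.ProcessName
            Path      = $proc.Path        # empty for protected system processes
            Services  = ($svcs -join ',')
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Run it for at least one full cycle of the traffic; each new PID/port pair is printed once, so a stable PID with changing local ports points at one long-lived service, while a fresh PID each time points at a scheduled or restarted program.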
 
bnewton (Author) commented:
It appears to have been something to do with Backup Exec 8.6.  I found this by going through the services one by one stopping them.  Thanks for the pointer to fport Droby10.

Thanks.. Bill