Solved

Packet to 1.0.0.1:1823 ??

Posted on 2001-09-10
4
261 Views
Last Modified: 2013-12-07
Hi, on my firewall logs I see this particular server is generating this packet every 3-4 minutes.  How can I find out what process is generating the packet and what it is?

C:\>NETSTAT

Active Connections

  Proto  Local Address  Foreign Address  State
  TCP    ntserver:3673  1.0.0.1:1823     SYN_SENT

Note that I have never used subnet 1.0.0.1 and can't find port 1823 referenced on any of the 'well known port' lists.
0
Comment
Question by:bnewton
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6471850
Port 1823 is registered to Unisys License Manager.  It sounds like an unconfigured application on your server is sending the packet.
0
 
LVL 8

Accepted Solution

by:
scraig84 earned 100 total points
ID: 6471863
Pretty unusual it appears.  So you know, "Well Known" ports are from 0 to 1023.  Registered ports are from 1024 up to somewhere around 49 thousand and change.  1823 is registered as "Unisys Natural Language License Manager" although it is probably unlikely that your traffic is actually Unisys based.  If I were you, I would first try to capture some traffic from that server and see if anything inside the packets destined to this port tells you anything.  I would also go through the services running on that server with a fine-tooth comb and see if anything looks unusual.  During some off-production hours, you could also try shutting off the services one-by-one and seeing if the traffic stops.

Another thing to check that I have seen before a few times is funny ports coming up as a result of file-sharing applications such as Napster, Gnutella, etc.  A user of one of these applications generally has the ability to listen on any port they choose which could cause outbound traffic to strange numbers.  This is probably an unlikely scenario since it is coming from a server, but I thought I'd throw it out there.
0
 
LVL 5

Expert Comment

by:Droby10
ID: 6472767
try running fport on the suspect host...it will tell you what programs are bound to what ports...

http://www.foundstone.com/rdlabs/tools.php?category=Forensic

if the attempted connection is at (what appears to be) the upper port range, you may have to poll at periodic intervals to trap the application.

if it's static from the source port, then it should pull up on the first run.
0
 

Author Comment

by:bnewton
ID: 6474054
It appears to have been something to do with Backup Exec 8.6.  I found this by going through the services one by one stoping them.  Thanks for the pointer to fport Droby10.

Thanks.. Bill
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question