Improve company productivity with a Business Account.Sign Up

x
?
Solved

Packet to 1.0.0.1:1823 ??

Posted on 2001-09-10
4
Medium Priority
?
300 Views
Last Modified: 2013-12-07
Hi, on my firewall logs I see this particular server is generating this packet every 3-4 minutes.  How can I find out what process is generating the packet and what it is?

C:\>NETSTAT

Active Connections

  Proto  Local Address  Foreign Address  State
  TCP    ntserver:3673  1.0.0.1:1823     SYN_SENT

Note that I have never used subnet 1.0.0.1 and can't find port 1823 referenced on any of the 'well known port' lists.
0
Comment
Question by:bnewton
4 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6471850
Port 1823 is registered to Unisys License Manager.  It sounds like an unconfigured application on your server is sending the packet.
0
 
LVL 8

Accepted Solution

by:
scraig84 earned 400 total points
ID: 6471863
Pretty unusual it appears.  So you know, "Well Known" ports are from 0 to 1023.  Registered ports are from 1024 up to somewhere around 49 thousand and change.  1823 is registered as "Unisys Natural Language License Manager" although it is probably unlikely that your traffic is actually Unisys based.  If I were you, I would first try to capture some traffic from that server and see if anything inside the packets destined to this port tells you anything.  I would also go through the services running on that server with a fine-tooth comb and see if anything looks unusual.  During some off-production hours, you could also try shutting off the services one-by-one and seeing if the traffic stops.

Another thing to check that I have seen before a few times is funny ports coming up as a result of file-sharing applications such as Napster, Gnutella, etc.  A user of one of these applications generally has the ability to listen on any port they choose which could cause outbound traffic to strange numbers.  This is probably an unlikely scenario since it is coming from a server, but I thought I'd throw it out there.
0
 
LVL 5

Expert Comment

by:Droby10
ID: 6472767
try running fport on the suspect host...it will tell you what programs are bound to what ports...

http://www.foundstone.com/rdlabs/tools.php?category=Forensic

if the attempted connection is at (what appears to be) the upper port range, you may have to poll at periodic intervals to trap the application.

if it's static from the source port, then it should pull up on the first run.
0
 

Author Comment

by:bnewton
ID: 6474054
It appears to have been something to do with Backup Exec 8.6.  I found this by going through the services one by one stoping them.  Thanks for the pointer to fport Droby10.

Thanks.. Bill
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Unable to change the program that handles the scan event from a network attached Canon/Brother printer/scanner. This means you'll always have to choose which program handles this action, e.g. ControlCenter4 (in the case of a Brother).
In short, I will be giving a guide on how to install UNMS on a virtual machine in hyper-v and change the default port for security (you don’t need to have a server, since Windows 10 supports hyper-v)
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

595 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question