Solved

Packet to 1.0.0.1:1823 ??

Posted on 2001-09-10
Last Modified: 2013-12-07
Hi, on my firewall logs I see this particular server is generating this packet every 3-4 minutes.  How can I find out what process is generating the packet and what it is?

C:\>NETSTAT

Active Connections

  Proto  Local Address  Foreign Address  State
  TCP    ntserver:3673  1.0.0.1:1823     SYN_SENT

Note that I have never used subnet 1.0.0.1 and can't find port 1823 referenced on any of the 'well known port' lists.
Question by:bnewton
4 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6471850
Port 1823 is registered to Unisys License Manager.  It sounds like an unconfigured application on your server is sending the packet.
0
 
LVL 8

Accepted Solution

by:
scraig84 earned 100 total points
ID: 6471863
Pretty unusual it appears.  So you know, "Well Known" ports are from 0 to 1023.  Registered ports are from 1024 up to somewhere around 49 thousand and change.  1823 is registered as "Unisys Natural Language License Manager" although it is probably unlikely that your traffic is actually Unisys based.  If I were you, I would first try to capture some traffic from that server and see if anything inside the packets destined to this port tells you anything.  I would also go through the services running on that server with a fine-tooth comb and see if anything looks unusual.  During some off-production hours, you could also try shutting off the services one-by-one and seeing if the traffic stops.

Another thing to check that I have seen before a few times is funny ports coming up as a result of file-sharing applications such as Napster, Gnutella, etc.  A user of one of these applications generally has the ability to listen on any port they choose which could cause outbound traffic to strange numbers.  This is probably an unlikely scenario since it is coming from a server, but I thought I'd throw it out there.
0
 
LVL 5

Expert Comment

by:Droby10
ID: 6472767
try running fport on the suspect host...it will tell you what programs are bound to what ports...

http://www.foundstone.com/rdlabs/tools.php?category=Forensic

if the attempted connection is at (what appears to be) the upper port range, you may have to poll at periodic intervals to trap the application.

if it's static from the source port, then it should pull up on the first run.
0
 

Author Comment

by:bnewton
ID: 6474054
It appears to have been something to do with Backup Exec 8.6.  I found this by going through the services one by one, stopping them.  Thanks for the pointer to fport, Droby10.

Thanks.. Bill
0
