Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Packet to 1.0.0.1:1823 ??

Posted on 2001-09-10
4
Medium Priority
?
294 Views
Last Modified: 2013-12-07
Hi, on my firewall logs I see this particular server is generating this packet every 3-4 minutes.  How can I find out what process is generating the packet and what it is?

C:\>NETSTAT

Active Connections

  Proto  Local Address  Foreign Address  State
  TCP    ntserver:3673  1.0.0.1:1823     SYN_SENT

Note that I have never used subnet 1.0.0.1 and can't find port 1823 referenced on any of the 'well known port' lists.
0
Comment
Question by:bnewton
4 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6471850
Port 1823 is registered to Unisys License Manager.  It sounds like an unconfigured application on your server is sending the packet.
0
 
LVL 8

Accepted Solution

by:
scraig84 earned 400 total points
ID: 6471863
Pretty unusual it appears.  So you know, "Well Known" ports are from 0 to 1023.  Registered ports are from 1024 up to somewhere around 49 thousand and change.  1823 is registered as "Unisys Natural Language License Manager" although it is probably unlikely that your traffic is actually Unisys based.  If I were you, I would first try to capture some traffic from that server and see if anything inside the packets destined to this port tells you anything.  I would also go through the services running on that server with a fine-tooth comb and see if anything looks unusual.  During some off-production hours, you could also try shutting off the services one-by-one and seeing if the traffic stops.

Another thing to check that I have seen before a few times is funny ports coming up as a result of file-sharing applications such as Napster, Gnutella, etc.  A user of one of these applications generally has the ability to listen on any port they choose which could cause outbound traffic to strange numbers.  This is probably an unlikely scenario since it is coming from a server, but I thought I'd throw it out there.
0
 
LVL 5

Expert Comment

by:Droby10
ID: 6472767
try running fport on the suspect host...it will tell you what programs are bound to what ports...

http://www.foundstone.com/rdlabs/tools.php?category=Forensic

if the attempted connection is at (what appears to be) the upper port range, you may have to poll at periodic intervals to trap the application.

if it's static from the source port, then it should pull up on the first run.
0
 

Author Comment

by:bnewton
ID: 6474054
It appears to have been something to do with Backup Exec 8.6.  I found this by going through the services one by one stoping them.  Thanks for the pointer to fport Droby10.

Thanks.. Bill
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Suggested Courses

783 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question