Solved

Strange activity reported by sniffer

Posted on 2004-08-19
Last Modified: 2010-04-11
Hi experts. I have a question for you. I am using EtherDetect Packet Sniffer to monitor my LAN activities. According to the Traffic Report Window, there is the following activity going on:

Start Time 14:10:19.992
Client IP Port: 64.236.34.67:80
Server IP Port: 192.168.2.106:3671 (This is one of my LAN machines.)
Protocol: TCP:http
Packets: 10459

This seems bizarre since the rest of the lines show very little activity (all of them are under 100).
And I wonder why one of my machines is acting as a server. Any idea of what this could be? Any solution to the apparent problem?
Thanks
0
Question by:Jewels1
9 Comments
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 11845297
Is that client address on the outside or the inside? If outside addresses can get to inside addresses like that you really need to check on your internet security.

Well, have you checked if that machine is running web services? Kazaa and some related file-sharing apps can use port 80. So do many worms. You should really check out the LAN machine in question.
0
 
LVL 4

Accepted Solution

by:
bfarmer earned 375 total points
ID: 11845301
The client and server should be switched.

Client IP Port - 192.168.2.106:3671

Server IP Port - 64.236.34.67:80   (80 is the default port for HTTP)

http://64.236.34.67

ICY 404 Resource Not Found
icy-notice1:SHOUTcast Distributed Network Audio Server/posix v1.8.1<BR>
icy-notice2:The resource requested was not found<BR>

Looks like they're getting streaming audio from the site...
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 11845335
Oh yeah, didn't notice the client port is 80... your software may be just reading the conversation backwards.
0
 

Author Comment

by:Jewels1
ID: 11845441
Well, the client address is definitely outside (My machines go from 192.168.100 to 106). Do you suggest I block port 80 from my router? I am pretty sure my machine is malware-free but I'll double-check.
0
 
LVL 2

Expert Comment

by:cyrusuncc
ID: 11845473
Is 64.236.34.67 the IP address given by your ISP?

Go to http://www.whatismyip.com/

See if the traffic is internal or external....

Try installing ZoneAlarm on the 192.168.2.106 computer and see what's going in or out.


0
 
LVL 2

Expert Comment

by:cyrusuncc
ID: 11845508
Try forwarding all port 80 requests to 192.168.0.200 (not a computer).

That way all port 80 requests will not be answered by that computer.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 11845511
If the outside machine is on port 80, which I didn't notice at first, then this is likely part of a session initiated by your inside machine. An outside machine can't just connect to some high-numbered port on your PC unless it has a service running there. If you block inbound traffic from port 80 you'll block all web access from your LAN- no traffic will be able to come back.
0
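
The reasoning in the answers above, as an added Python example that is not part of the original thread or of EtherDetect: it re-orients a flow whose client and server labels are swapped, then says whether the session was opened from inside or outside the LAN. The function names and the `syn_sender` parameter are assumptions made for illustration; the sample flow is the one quoted in the question.

```python
import ipaddress

# Ports 0-1023 are the IANA "system" range where services such as HTTP (80)
# listen; client sockets normally get a high-numbered ephemeral port.
SYSTEM_PORT_MAX = 1023

def parse_endpoint(text):
    """Split 'ip:port' into (ip_address, port)."""
    ip, port = text.rsplit(":", 1)
    return ipaddress.ip_address(ip), int(port)

def orient(reported_client, reported_server, syn_sender=None):
    """Return (client, server, basis), correcting a swapped report.

    syn_sender (assumed parameter): 'ip:port' of the endpoint seen sending
    the initial SYN, if the capture includes the handshake. That settles the
    direction; the port comparison is only a heuristic for mid-stream captures.
    """
    a, b = parse_endpoint(reported_client), parse_endpoint(reported_server)
    if syn_sender is not None:
        s = parse_endpoint(syn_sender)
        if s not in (a, b):
            raise ValueError("SYN sender is not part of this flow")
        return (a, b, "syn") if s == a else (b, a, "syn")
    a_sys, b_sys = a[1] <= SYSTEM_PORT_MAX, b[1] <= SYSTEM_PORT_MAX
    if a_sys != b_sys:
        # Exactly one side uses a service port: that side is the server.
        return (b, a, "port") if a_sys else (a, b, "port")
    return a, b, "unknown"  # ambiguous: keep the tool's labels

def direction(client, server):
    """Classify relative to the LAN (is_private, i.e. non-global, = inside)."""
    c_in, s_in = client[0].is_private, server[0].is_private
    if c_in and not s_in:
        return "outbound: LAN host opened a session to an outside server"
    if s_in and not c_in:
        return "inbound: outside host connected to a service on the LAN"
    return "internal" if c_in else "external"

def explain(reported_client, reported_server, syn_sender=None):
    client, server, basis = orient(reported_client, reported_server, syn_sender)
    return (f"{client[0]}:{client[1]} -> {server[0]}:{server[1]} "
            f"[{basis}] {direction(client, server)}")

if __name__ == "__main__":
    # The flow from the question, exactly as the sniffer labelled it.
    print(explain("64.236.34.67:80", "192.168.2.106:3671"))
```

A result with basis `unknown` means neither the handshake nor the ports settle the direction, so the capture has to include the start of the connection before the labels can be trusted.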
 

Author Comment

by:Jewels1
ID: 11845651
You are right Bfarmer. I just found out the user is receiving streaming audio from an online radio website. This matches the description of the problem. Thanks to all.
0
 
LVL 4

Expert Comment

by:bfarmer
ID: 11845662
Jewels1 -

This looks like legitimate traffic, just perhaps not desirable due to bandwidth usage.  If you have a policy against streaming audio, slap the user on the wrist.  If not, then don't worry about it.
0
