Jewels1
asked on
Strange activity reported by sniffer
Hi experts. I have a question for you. I am using EtherDetect Packet Sniffer to monitor my LAN activities. According to the Traffic Report Window, there is the following activity going on:
Start Time 14:10:19.992
Client IP Port: 64.236.34.67:80
Server IP Port: 192.168.2.106:3671 (This is one of my LAN machines.)
Protocol: TCP:http
Packets: 10459
This seems bizarre since the rest of the lines show very little activity (all of them are under 100).
And I wonder why one of my machines is acting as a server. Any idea of what this could be? Any solution to the apparent problem?
Thanks
Oh yeah, didn't notice the client port is 80... your software may be just reading the conversation backwards.
ASKER
Well, the client address is definitely outside (My machines go from 192.168.100 to 106). Do you suggest I block port 80 from my router? I am pretty sure my machine is malware-free but I'll double-check.
Is 64.236.34.67 the IP address given by your ISP?
Go to http://www.whatismyip.com/
See if the traffic is internal or external.
Try installing ZoneAlarm on the 192.168.2.106 computer and see what's going in or out.
Try forwarding all port 80 requests to 192.168.0.200 (not a computer).
That way all port 80 requests will not be answered by that computer.
If the outside machine is on port 80, which I didn't notice at first, then this is likely part of a session initiated by your inside machine. An outside machine can't just connect to some high-numbered port on your PC unless it has a service running there. If you block inbound traffic from port 80 you'll block all web access from your LAN: no traffic will be able to come back.
ASKER
You are right Bfarmer. I just found out the user is receiving streaming audio from an online radio website. This matches the description of the problem. Thanks to all.
Jewels1 -
This looks like legitimate traffic, just perhaps not desirable due to bandwidth usage. If you have a policy against streaming audio, slap the user on the wrist. If not, then don't worry about it.
Well, have you checked if that machine is running web services? Kazaa and some related file-sharing apps can use port 80. So do many worms. You should really check out the LAN machine in question.