Solved

strange network traffic.  Protocol UMD.  MS-SQL-M [malformed packet] (using Wireshark)

Posted on 2007-07-24
5
Medium Priority
2,853 Views
Last Modified: 2008-01-09
I am using Wireshark looking for odd traffic on our network.  I came across this message.

Destination Address: 255.255.255.255  Protocol: UMD    Source Port: 1851  Destination Port: ms-sql-m[malformed packet]

Is this some type of virus?  Thanks.
0
Question by:esphelpdesk
5 Comments
 

Expert Comment

by:danlock2
ID: 19559889
255.255.255.255 is probably your subnet mask.   Port 1851 is not on many of the large lists of common ports, nor commonly exploited ports.  You are probably fine.
0
 
LVL 3

Accepted Solution

by:Adrien de Croy
Adrien de Croy earned 1000 total points
ID: 19561657
255.255.255.255 is the global broadcast address for IP, so this is a broadcast packet.  You'll find the destination MAC address is most probably also FF-FF-FF-FF-FF-FF.

Also the source port (1851) is normally not significant, since when a computer makes a connection, normally the OS allocates a port number at that time from a pool (called ephemeral).

The destination port is usually the most significant one (unless of course it is a return packet).  But in this case port ms-sql-m indicates it's talking to your MS SQL server.  What are the flags on the packet?  More of the packet data can indicate if it's likely to be a problem, also if there are many instances.

Malformed packets can happen for many reasons.  Sending signals over cables or wireless isn't 100% reliable.  Issues such as packet collisions, EMR and interference can cause packet corruption.  The higher protocols such as TCP are normally designed to deal with packet corruption in transit.  It's not normally a significant event.

0
 
LVL 9

Assisted Solution

by:justchat_1
justchat_1 earned 1000 total points
ID: 19563621
Ignore danlock2's comment; AdriendeC had a pretty good explanation. Just to elaborate on the "is it a virus" question:

A malformed packet can be from one of many sources, but from many years working with Wireshark I can say that unless you are having serious network problems or large numbers of malformed packets, you are probably ok; it's most likely just a glitch with the capture driver.

As far as the destination port, though... that would be an attempt to connect to an SQL server, which could be perfectly normal or it could be an intrusion attempt, depending on the source.  The fact that it is a broadcast packet shows it is local... is your local network secure, or is there a possibility of an intrusion from within?
0
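A small triage script for exactly the kind of Wireshark line in the question, added here as an example (it is not code from either answer): it parses a constructed IPv4/UDP datagram, records whether it is a broadcast to UDP/1434 (Wireshark's ms-sql-m, the SQL Server Resolution Protocol used for instance discovery) and checks the first payload byte against the SSRP client request types. The "well_formed" rules are this example's own simplified reading of the MS-SSRP message layouts, which is an assumption, not a reproduction of Wireshark's dissector.

```python
import struct
import ipaddress

SSRP_PORT = 1434  # Wireshark's "ms-sql-m": SQL Server Resolution Protocol over UDP

# Request types a client may send, keyed by the first payload byte (MS-SSRP spec).
SSRP_CLIENT_TYPES = {
    0x02: "CLNT_BCAST_EX",    # broadcast: enumerate every instance on the segment
    0x03: "CLNT_UCAST_EX",    # unicast: enumerate instances on one host
    0x04: "CLNT_UCAST_INST",  # unicast: look up one named instance
    0x0F: "CLNT_UCAST_DAC",   # unicast: ask for an instance's DAC port
}

def build_frame(src, dst, sport, dport, payload):
    """Constructed test input: minimal IPv4 + UDP datagram (checksums left zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp

def parse_ipv4_udp(frame):
    """Pull addresses, ports and payload out of a raw IPv4/UDP datagram."""
    if len(frame) < 28 or frame[0] >> 4 != 4 or frame[9] != 17:
        raise ValueError("not an IPv4/UDP datagram")
    ihl = (frame[0] & 0x0F) * 4
    sport, dport, ulen, _ = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    return {"src": str(ipaddress.IPv4Address(frame[12:16])),
            "dst": str(ipaddress.IPv4Address(frame[16:20])),
            "sport": sport, "dport": dport, "payload": frame[ihl + 8:ihl + ulen]}

def triage_ssrp(pkt):
    """Classify a datagram to UDP/1434 the way the answers above read the capture."""
    if pkt["dport"] != SSRP_PORT:
        return {"ssrp": False}
    data, bcast = pkt["payload"], pkt["dst"] == "255.255.255.255"
    kind = SSRP_CLIENT_TYPES.get(data[0]) if data else None
    if kind == "CLNT_BCAST_EX":
        ok = len(data) == 1 and bcast           # a bare 0x02 only makes sense as broadcast
    elif kind == "CLNT_UCAST_EX":
        ok = len(data) == 1 and not bcast
    elif kind in ("CLNT_UCAST_INST", "CLNT_UCAST_DAC"):
        ok = not bcast and data.endswith(b"\x00")  # type byte(s) then NUL-terminated name
    else:
        ok = False                              # empty or unknown type byte: treat as malformed
    return {"ssrp": True, "broadcast": bcast, "type": kind, "well_formed": ok}

# Constructed samples: a legitimate instance-discovery broadcast and a junk one
GOOD = build_frame("10.0.0.5", "255.255.255.255", 1851, 1434, b"\x02")
JUNK = build_frame("10.0.0.5", "255.255.255.255", 1851, 1434, b"\x02\x00\x00\x00")
```

A single well-formed CLNT_BCAST_EX from an ephemeral port is what a client on the LAN sends when it enumerates SQL Server instances; a run of junk payloads to the same port from one host is what would justify looking at that machine.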
 
LVL 9

Expert Comment

by:justchat_1
ID: 19563626
As a side note:
As of today, intrusions on that port make up about 4% of total internet intrusions (http://dshield.cirt.vt.edu/port_report.php?port=1434)
0
 

Author Comment

by:esphelpdesk
ID: 19568624
Thanks for some great follow-ups.  I am going to check the person's laptop shortly.

0
