strange network traffic.  Protocol UMD.  MS-SQL-M[malformed packet] (using wireshark)

Posted on 2007-07-24
Last Modified: 2008-01-09
I am using Wireshark looking for odd traffic on our network.  I came across this message.

Destination Address:  Protocol: UMD    Source Port: 1851  Destination Port: ms-sql-m[malformed packet]

Is this some type of virus?  Thanks.
Question by:esphelpdesk

    Expert Comment

    by:danlock2 is probably your subnet mask.   Port 1851 is not on many of the large lists of common ports, nor commonly exploited ports.  You are probably fine.
    LVL 3

    Accepted Solution

    by: is the global broadcast address for IP, so this is a broadcast packet.  You'll find the destination MAC address is most probably also FF-FF-FF-FF-FF-FF.

    Also the source port (1851) is normally not significant, since when a computer makes a connection, normally the OS allocates a port number at that time from a pool (called ephemeral).

    The destination port is usually the most significant one (unless of course it is a return packet).  But in this case port ms-sql-m indicates it's talking to your MS SQL server.  What are the flags on the packet?  More of the packet data can indicate if it's likely to be a problem, also if there are many instances.

    Malformed packets can happen for many reasons.  Sending signals over cables or wireless isn't 100% reliable.  Issues such as packet collisions, EMR, interference can cause packet corruption.  The higher protocols such as TCP are normally designed to deal with packet corruption in transit.  It's not normally a significant event.

    LVL 9

    Assisted Solution

    Ignore danlock2's comment; AdriendeC had a pretty good explanation. Just to elaborate on the "is it a virus" question:

    A malformed packet can be from one of many sources, but from many years working with Wireshark I can say unless you are having serious network problems or large numbers of malformed packets you are probably OK. It's most likely just a glitch with the capture driver.

    As far as the destination port though...that would be an attempt to connect to an SQL server which could be perfectly normal or it could be an intrusion attempt depending on the source.  The fact that it is a broadcast packet shows it is your local network secure or is there a possibility of an intrusion from within?
    LVL 9

    Expert Comment

    As a side note:
    As of today, intrusions on that port make up about 4% of total internet intrusions (

    Author Comment

    Thanks for some great follow ups.  I am going to check the person's laptop shortly.
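
The accepted answer's point that more of the packet data, and the number of instances, decide whether this traffic matters can be checked mechanically. The following is an added example, not part of the original thread: it labels UDP payloads sent to ms-sql-m (UDP 1434) by their MS-SQLR message type and counts them per source. The sample datagrams, the addresses and the `burst` threshold are constructed for illustration, and it assumes the source, destination port and payload bytes have already been exported from the capture.

```python
from collections import Counter

MS_SQL_M_PORT = 1434   # UDP port registered under the service name "ms-sql-m"
MAX_INSTANCE_LEN = 32  # MS-SQLR limit on instance-name bytes, excluding the NUL

def classify(payload: bytes) -> str:
    """Label a UDP payload sent to ms-sql-m by its MS-SQLR message type."""
    if not payload:
        return "anomalous: empty payload"
    kind, rest = payload[0], payload[1:]
    if kind in (0x02, 0x03):  # discovery requests are exactly one byte long
        name = "CLNT_BCAST_EX" if kind == 0x02 else "CLNT_UCAST_EX"
        return name if not rest else f"anomalous: {name} with trailing bytes"
    if kind in (0x04, 0x0F):  # requests carrying a NUL-terminated instance name
        name = "CLNT_UCAST_INST" if kind == 0x04 else "CLNT_UCAST_DAC"
        if kind == 0x0F:      # DAC request has a version byte (0x01) first
            if rest[:1] != b"\x01":
                return f"anomalous: {name} with bad protocol version"
            rest = rest[1:]
        ok = rest.endswith(b"\x00") and 1 <= len(rest) - 1 <= MAX_INSTANCE_LEN
        return name if ok else f"anomalous: {name} with bad instance name"
    return f"anomalous: unexpected type 0x{kind:02x}"

def triage(datagrams, burst=20):
    """Count labels per source; report anomalies and sources at or above burst."""
    counts, findings = Counter(), []
    for src, dst_port, payload in datagrams:
        if dst_port != MS_SQL_M_PORT:
            continue
        label = classify(payload)
        counts[(src, label)] += 1
        if label.startswith("anomalous"):
            findings.append((src, label))
    for (src, label), n in counts.items():
        if n >= burst and not label.startswith("anomalous"):
            findings.append((src, f"{n} x {label}"))
    return counts, findings

# Constructed sample: (source IP, destination UDP port, payload bytes)
SAMPLE = [
    ("192.0.2.10", 1434, b"\x02"),
    ("192.0.2.10", 1434, b"\x02"),
    ("192.0.2.7", 1434, b"\x04SQLEXPRESS\x00"),
    ("192.0.2.44", 1434, b"\x04" + b"A" * 100 + b"\x00"),
    ("192.0.2.10", 53, b"\x02"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE)[1]:
        print(finding)
```

A lone one-byte `CLNT_BCAST_EX` from a workstation is the normal instance-discovery request; the findings list is where to start when checking a specific machine.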

