strange network traffic. Protocol UMD. MS-SQL-M[malformed packet] (using wireshark)

I am using Wireshark looking for odd traffic on our network.  I came across this message.

Destination Address: 255.255.255.255  Protocol: UMD    Source Port: 1851  Destination Port: ms-sql-m[malformed packet]

Is this some type of virus?  Thanks.
esphelpdeskAsked:
Adrien de CroyCommented:
255.255.255.255 is the global broadcast address for IP, so this is a broadcast packet.  You'll find the destination MAC address is most probably also FF-FF-FF-FF-FF-FF.

Also the source port (1851) is normally not significant, since when a computer makes a connection, normally the OS allocates a port number at that time from a pool (called ephemeral).

The destination port is usually the most significant one (unless of course it is a return packet).  But in this case port ms-sql-m indicates it's talking to your MS SQL server.  What are the flags on the packet?  More of the packet data can indicate if it's likely to be a problem, also if there are many instances.

Malformed packets can happen for many reasons.  Sending signals over cables or wireless isn't 100% reliable.  Issues such as packet collisions, EMR, and interference can cause packet corruption.  The higher protocols such as TCP are normally designed to deal with packet corruption in transit.  It's not normally a significant event.

0
 
danlock2Commented:
255.255.255.255 is probably your subnet mask.  Port 1851 is not on many of the large lists of common ports, nor commonly exploited ports.  You are probably fine.
0
 
justchat_1Commented:
Ignore danlock2's comment; AdriendeC had a pretty good explanation... just to elaborate on the "is it a virus" question:

A malformed packet can be from one of many sources, but from many years working with Wireshark I can say that unless you are having serious network problems or large numbers of malformed packets you are probably OK; it's most likely just a glitch with the capture driver.

As far as the destination port though... that would be an attempt to connect to an SQL server, which could be perfectly normal or it could be an intrusion attempt depending on the source.  The fact that it is a broadcast packet shows it is local... is your local network secure, or is there a possibility of an intrusion from within?
0
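The checks Adrien de Croy and justchat_1 describe (is the destination a broadcast address, is the destination port ms-sql-m, is the source local, and how many packets in the capture are malformed) can be scripted against a packet summary rather than read off one frame at a time. The example below is added here and is not code from either commenter. It reads a constructed, tshark-style comma-separated summary (the sample lines are made up; frame 1 mirrors the packet in the question), assumes the local segment is 192.168.1.0/24 and assumes a 10% malformed-packet threshold; port 1434 is the registered port for the ms-sql-m service (SQL Server Browser), which the dshield link later in the thread also refers to.

```python
"""Triage a packet summary for broadcast traffic to the ms-sql-m port (1434/udp).

Added example for this thread, not code from the original posters. The input is
a constructed, tshark-style comma-separated summary, one line per packet:
    frame,src_ip,dst_ip,proto,src_port,dst_port,expert_info
The local subnet (192.168.1.0/24) and the malformed-packet threshold are assumptions.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

MS_SQL_M_PORT = 1434                       # "ms-sql-m": SQL Server Browser / resolution service
LIMITED_BROADCAST = ip_address("255.255.255.255")
LOCAL_NET = ip_network("192.168.1.0/24")   # assumed local segment
MALFORMED_WARN_RATIO = 0.10                # assumed: above this, suspect the link or capture driver

# Constructed sample (not real traffic). Frame 1 mirrors the packet in the question.
SAMPLE_CAPTURE = """\
1,192.168.1.57,255.255.255.255,UDP,1851,1434,Malformed Packet
2,192.168.1.57,255.255.255.255,UDP,1851,1434,
3,192.168.1.20,192.168.1.10,TCP,49152,1433,
4,192.168.1.88,255.255.255.255,UDP,1434,1434,
5,192.168.1.20,192.168.1.10,TCP,49152,1433,
6,10.0.0.5,255.255.255.255,UDP,2002,1434,
7,192.168.1.10,192.168.1.20,TCP,1433,49152,
8,192.168.1.57,255.255.255.255,UDP,1851,1434,
9,192.168.1.30,192.168.1.255,UDP,137,137,
10,192.168.1.20,192.168.1.10,TCP,49152,1433,
"""


def parse_summary(text):
    """Turn the summary text into a list of dicts with typed fields."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, src, dst, proto, sport, dport, expert = line.split(",", 6)
        packets.append({
            "frame": int(frame),
            "src": ip_address(src),
            "dst": ip_address(dst),
            "proto": proto,
            "sport": int(sport),
            "dport": int(dport),
            "malformed": "malformed" in expert.lower(),
        })
    return packets


def is_broadcast(addr):
    """Limited broadcast, or the directed broadcast of the assumed local subnet."""
    return addr == LIMITED_BROADCAST or addr == LOCAL_NET.broadcast_address


def triage(packets):
    """Apply the checks the thread's answers describe and return a summary dict."""
    probes = [p for p in packets if p["proto"] == "UDP" and p["dport"] == MS_SQL_M_PORT]
    bcast_probes = [p for p in probes if is_broadcast(p["dst"])]
    sources = Counter(str(p["src"]) for p in bcast_probes)
    # A broadcast cannot have crossed a router, so a source outside the local
    # subnet means a misconfigured host or a spoofed address on this segment.
    off_subnet = sorted({str(p["src"]) for p in bcast_probes if p["src"] not in LOCAL_NET})
    # The source port (1851 in the question) is ephemeral and tells you little;
    # which host keeps sending the broadcasts is what decides where to look next.
    top_source = sources.most_common(1)[0] if sources else None
    malformed = sum(p["malformed"] for p in packets)
    ratio = malformed / len(packets) if packets else 0.0
    return {
        "ms_sql_m_packets": len(probes),
        "broadcast_ms_sql_m_packets": len(bcast_probes),
        "broadcast_sources": dict(sources),
        "off_subnet_sources": off_subnet,
        "top_source": top_source,
        "malformed_ratio": round(ratio, 3),
        "malformed_concern": ratio > MALFORMED_WARN_RATIO,
    }


if __name__ == "__main__":
    for key, value in triage(parse_summary(SAMPLE_CAPTURE)).items():
        print(f"{key}: {value}")
```

On the sample, one malformed frame in ten stays under the assumed threshold, which matches the thread's view that a single malformed packet is most likely a capture glitch, while the per-source counts point at the host that keeps broadcasting (the "check the laptop" step) and the off-subnet entry flags a source address that should not be sending broadcasts on this segment at all.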
 
justchat_1Commented:
As a side note:
As of today, intrusions on that port make up about 4% of total internet intrusions (http://dshield.cirt.vt.edu/port_report.php?port=1434)
0
 
esphelpdeskAuthor Commented:
Thanks for some great follow-ups.  I am going to check the person's laptop shortly.

0