donamaro
asked on
Explanation on NAT diagnostics
We are using a Draytek Vigor2820 router.
The diagnostics of the NAT Active Sessions Table show some information that we cannot understand (see code).
Can anyone explain to us what it is that we see here?
We can identify the normal port 80 and 53 sessions, but these other lines are all related to one private IP address (we renamed it to 99.9.9.99 in this list for security reasons). It also seems this behaviour moves to another private IP address within the system.
We are not network experts, so our knowledge of ports is very basic.
We would appreciate any simple explanation and an indication of whether we are dealing with some kind of threat or not.
Thanks in advance.
See code below
-------------------------------------------------------------------------------
Private IP :Port #Pseudo Port Peer IP :Port Interface
-------------------------------------------------------------------------------
...
99.9.9.99 12894 48232 86.210.102.11 6282 WAN2
99.9.9.99 12894 48232 60.239.240.154 58038 WAN2
99.9.9.99 12894 48232 98.247.228.235 22638 WAN2
99.9.9.99 12894 48232 80.121.120.117 13674 WAN2
99.9.9.99 12894 48232 80.98.248.72 10831 WAN2
99.9.9.99 12894 48232 87.18.71.215 19681 WAN2
99.9.9.99 12894 48232 77.21.58.30 7136 WAN2
99.9.9.99 12894 48232 142.103.251.65 13351 WAN2
99.9.9.99 12894 48232 206.188.159.204 53619 WAN2
99.9.9.99 12894 48232 95.25.30.250 2763 WAN2
99.9.9.99 12894 48232 94.253.24.209 8842 WAN2
99.9.9.99 12894 48232 128.111.93.50 39955 WAN2
99.9.9.99 12894 48232 76.23.192.8 63892 WAN2
99.9.9.99 12894 48232 80.171.84.204 60401 WAN2
99.9.9.99 12894 48232 91.156.135.243 16388 WAN2
99.9.9.99 12894 48232 74.132.0.65 22887 WAN2
99.9.9.99 12894 48232 24.68.254.67 28138 WAN2
99.9.9.99 12894 48232 72.184.81.169 46908 WAN2
99.9.9.99 12894 48232 98.145.93.53 47542 WAN2
99.9.9.99 12894 48232 72.223.61.127 33086 WAN2
99.9.9.99 12894 48232 87.97.40.14 46648 WAN2
99.9.9.99 12894 48232 93.108.102.195 48338 WAN2
99.9.9.99 12894 48232 67.82.173.167 33213 WAN2
99.9.9.99 12894 48232 84.20.228.152 61193 WAN2
99.9.9.99 12894 48232 93.80.117.239 34597 WAN2
99.9.9.99 12894 48232 79.110.121.213 40419 WAN2
99.9.9.99 12894 48232 84.2.210.122 43723 WAN2
99.9.9.99 12894 48232 133.19.61.113 49107 WAN2
99.9.9.99 12894 48232 201.82.208.247 5408 WAN2
99.9.9.99 12894 48232 82.58.119.166 16575 WAN2
99.9.9.99 12894 48232 125.101.32.118 52838 WAN2
99.9.9.99 12894 48232 220.134.160.81 10399 WAN2
99.9.9.99 12894 48232 140.247.62.172 27118 WAN2
99.9.9.99 12894 48232 125.230.69.39 18084 WAN2
99.9.9.99 12894 48232 89.134.51.175 20849 WAN2
99.9.9.99 12894 48232 78.8.56.45 8563 WAN2
99.9.9.99 12894 48232 216.119.15.11 33277 WAN2
99.9.9.99 12894 48232 65.175.187.90 16835 WAN2
99.9.9.99 12894 48232 84.193.245.207 58630 WAN2
99.9.9.99 12894 48232 87.120.26.222 49102 WAN2
99.9.9.99 12894 48232 84.228.212.72 29617 WAN2
99.9.9.99 12894 48232 69.144.210.222 30043 WAN2
99.9.9.99 12894 48232 81.220.203.234 10626 WAN2
99.9.9.99 12894 48232 81.84.225.55 32909 WAN2
99.9.9.99 12894 48232 81.202.109.245 2097 WAN2
99.9.9.99 12894 48232 85.243.37.168 40036 WAN2
99.9.9.99 12894 48232 98.217.188.6 8065 WAN2
99.9.9.99 12894 48232 217.24.76.102 57008 WAN2
99.9.9.99 12894 48232 80.121.120.196 13674 WAN2
99.9.9.99 12894 48232 200.35.105.243 51825 WAN2
99.9.9.99 12894 48232 67.176.166.245 52888 WAN2
99.9.9.99 12894 48232 76.88.46.29 43874 WAN2
99.9.9.99 12894 48232 95.158.133.152 22719 WAN2
99.9.9.99 12894 48232 93.108.125.107 48338 WAN2
...
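To make the shape of this listing concrete, here is an added example (not part of the original post, and not DrayTek software) that reads a pasted NAT Active Sessions Table and groups the rows by private socket. The sample input is constructed from the router's header and twelve of the rows above, plus two ordinary client sessions on documentation addresses (203.0.113.x) added for contrast; the threshold of ten distinct peers is an arbitrary choice for the example. What it shows is the distinction the asker is after: ordinary client traffic is many local ports converging on a few well-known server ports, while this listing is one local port fanning out to dozens of peers on random high ports. That shape is characteristic of P2P overlay traffic, but the router table alone cannot say which program on the host owns the port.

```python
from collections import defaultdict

# Constructed sample: the router's header plus twelve rows copied from the
# listing above (99.9.9.99 is the renamed private address), followed by two
# ordinary client sessions (port 80 and 53) added for contrast, using
# documentation addresses.
SAMPLE_TABLE = """\
-------------------------------------------------------------------------------
Private IP :Port #Pseudo Port Peer IP :Port Interface
-------------------------------------------------------------------------------
99.9.9.99 12894 48232 86.210.102.11 6282 WAN2
99.9.9.99 12894 48232 60.239.240.154 58038 WAN2
99.9.9.99 12894 48232 98.247.228.235 22638 WAN2
99.9.9.99 12894 48232 80.121.120.117 13674 WAN2
99.9.9.99 12894 48232 80.98.248.72 10831 WAN2
99.9.9.99 12894 48232 87.18.71.215 19681 WAN2
99.9.9.99 12894 48232 77.21.58.30 7136 WAN2
99.9.9.99 12894 48232 142.103.251.65 13351 WAN2
99.9.9.99 12894 48232 206.188.159.204 53619 WAN2
99.9.9.99 12894 48232 95.25.30.250 2763 WAN2
99.9.9.99 12894 48232 94.253.24.209 8842 WAN2
99.9.9.99 12894 48232 128.111.93.50 39955 WAN2
10.0.0.20 1054 50001 203.0.113.10 80 WAN2
10.0.0.20 1055 50002 203.0.113.53 53 WAN2
"""


def parse_sessions(text):
    """Return one tuple per data row:
    (private_ip, private_port, pseudo_port, peer_ip, peer_port, interface).
    Separator lines, the header and a '...' truncation marker are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[1].isdigit():
            continue
        priv_ip, priv_port, pseudo, peer_ip, peer_port, iface = parts
        rows.append((priv_ip, int(priv_port), int(pseudo),
                     peer_ip, int(peer_port), iface))
    return rows


def peers_by_private_socket(rows):
    """Group sessions by LAN socket: {(private_ip, private_port): {peer_ip, ...}}."""
    peers = defaultdict(set)
    for priv_ip, priv_port, _, peer_ip, _, _ in rows:
        peers[(priv_ip, priv_port)].add(peer_ip)
    return peers


def suspicious_sockets(rows, min_peers=10, min_high_port_fraction=0.9):
    """Flag LAN sockets that fan out to many distinct peers, nearly all on
    high (>=1024) ports. Client traffic to web and DNS servers converges on
    a few well-known ports (80, 443, 53); a single source port talking to
    dozens of hosts on random high ports is the P2P-overlay shape seen in
    the listing. Both thresholds are arbitrary choices for this example."""
    peers = peers_by_private_socket(rows)
    high, total = defaultdict(int), defaultdict(int)
    for priv_ip, priv_port, _, _, peer_port, _ in rows:
        key = (priv_ip, priv_port)
        total[key] += 1
        if peer_port >= 1024:
            high[key] += 1
    flagged = []
    for key, peer_set in peers.items():
        if (len(peer_set) >= min_peers
                and high[key] / total[key] >= min_high_port_fraction):
            flagged.append((key[0], key[1], len(peer_set)))
    return sorted(flagged)


if __name__ == "__main__":
    rows = parse_sessions(SAMPLE_TABLE)
    for ip, port, n in suspicious_sockets(rows):
        print(f"{ip}:{port} -> {n} distinct peers, mostly on high ports")
```

Paste the full table from the router's diagnostics page in place of the sample and the same grouping works unchanged; a socket that trips the check is worth tracing on the host, which is a separate step because the router never sees process names.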
My guess is that it's P2P traffic. But I don't know for sure.
ASKER CERTIFIED SOLUTION
Looks like some software on your machine is trying to communicate with the internet, uploading or downloading files to your PC. Scan your PC with an antivirus and a spyware scanner, and then check again. Also unplug the PC from the router and check whether the abnormal behaviour still continues or not. If it continues, then try different machines and check again.
ASKER
On the active host I have run TCPView from Sysinternals (see code below) and it does not give me any explanation of the mysterious sessions and strange ports that are being used from that IP address (see also code below).
Maybe someone else can see something .... I don't see it. Also I have checked any unknown P2P software but could not find any.
I have run Malwarebytes, and other anti-virus scans .... they found nothing.
The host is a notebook with Windows XP Professional SP3 that connects to a company network.
The I20XX you see on the list is a VOIP telephone application which is used by everyone in that company.
I still can not explain the sessions in the NAT listing with strange IP addresses and port numbers.
Does anyone have a clue?
Start listing TCPView:
ALG.EXE:3988 TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING
I20XX.EXE:4052 TCP 10.0.0.13:1188 10.0.0.254:3199 ESTABLISHED
LSASS.EXE:1036 UDP 0.0.0.0:500 *:*
LSASS.EXE:1036 UDP 0.0.0.0:4500 *:*
SPOOLSV.EXE:2032 UDP 0.0.0.0:1031 *:*
SVCHOST.EXE:1204 TCP 127.0.0.1:49100 0.0.0.0:0 LISTENING
SVCHOST.EXE:1308 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
SVCHOST.EXE:1452 UDP 127.0.0.1:123 *:*
SVCHOST.EXE:1452 UDP 10.0.0.13:123 *:*
SVCHOST.EXE:1784 UDP 10.0.0.13:1900 *:*
SVCHOST.EXE:1784 UDP 127.0.0.1:1900 *:*
System:4 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
System:4 TCP 10.0.0.13:139 0.0.0.0:0 LISTENING
System:4 UDP 10.0.0.13:137 *:*
System:4 UDP 10.0.0.13:138 *:*
System:4 UDP 0.0.0.0:445 *:*
WINLOGON.EXE:980 UDP 127.0.0.1:1460 *:*
End listing TCPView
Start NAT Sessions listing:
-------------------------------------------------------------------------------
Private IP :Port #Pseudo Port Peer IP :Port Interface
-------------------------------------------------------------------------------
10.0.0.13 19215 54556 219.105.206.105 17421 WAN1
10.0.0.13 19215 54556 59.146.36.226 18089 WAN1
10.0.0.13 19215 54556 83.86.2.158 7550 WAN1
10.0.0.13 19215 54556 81.84.214.52 17957 WAN1
10.0.0.13 19215 54556 85.138.46.66 1271 WAN1
10.0.0.13 19215 54556 84.91.123.37 21647 WAN1
10.0.0.13 19215 54556 213.91.227.16 61900 WAN1
10.0.0.13 19215 54556 84.75.120.24 5396 WAN1
10.0.0.13 19215 54556 58.8.35.5 43507 WAN1
10.0.0.13 19215 54556 93.156.51.198 9479 WAN1
10.0.0.13 19215 54556 75.97.57.154 55881 WAN1
10.0.0.13 19215 54556 190.140.159.237 31296 WAN1
10.0.0.13 19215 54556 122.107.86.52 35023 WAN1
10.0.0.13 19215 54556 132.199.124.85 54083 WAN1
10.0.0.13 19215 54556 68.229.251.31 16865 WAN1
10.0.0.13 19215 54556 158.110.144.197 43635 WAN1
10.0.0.13 19215 54556 82.81.14.205 33404 WAN1
10.0.0.13 19215 54556 67.163.86.70 63404 WAN1
10.0.0.13 19215 54556 83.99.253.97 2432 WAN1
10.0.0.13 19215 54556 99.248.27.228 61449 WAN1
10.0.0.13 19215 54556 85.181.37.81 29885 WAN1
10.0.0.13 19215 54556 124.144.3.239 47551 WAN1
10.0.0.13 19215 54556 24.71.235.42 12919 WAN1
10.0.0.13 19215 54556 129.89.154.72 19370 WAN1
10.0.0.13 19215 54556 61.227.168.76 43959 WAN1
10.0.0.13 19215 54556 146.155.201.31 14676 WAN1
10.0.0.13 19215 54556 87.198.32.92 47636 WAN1
10.0.0.13 19215 54556 60.56.154.215 20660 WAN1
10.0.0.13 19215 54556 87.7.62.122 42099 WAN1
10.0.0.13 19215 54556 58.181.51.23 29373 WAN1
10.0.0.13 19215 54556 82.154.156.90 49790 WAN1
10.0.0.13 19215 54556 88.65.211.90 43767 WAN1
10.0.0.13 19215 54556 82.154.157.230 2787 WAN1
End NAT Sessions listing
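The NAT table identifies only the LAN socket (here 10.0.0.13 port 19215); naming the program behind it needs a listing taken on the host itself. As an added example (not from the original post), the script below joins the NAT rows with saved output of 'netstat -ano' and 'tasklist /fo csv', both of which exist on Windows XP and together give socket to PID to image name, which is what fport and TCPView do interactively. The netstat and tasklist text is constructed, and the PID 2344 / Skype.exe entry is hypothetical, included so that the join has a match; the third NAT row is constructed too. One caveat the thread illustrates: a snapshot only shows sockets open at the moment it is taken, so a listing taken while the program is idle or not running will look clean.

```python
import csv
import io

# Constructed 'netstat -ano' output in the Windows XP layout
# (Proto, Local Address, Foreign Address, State, PID; UDP rows have no State).
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1308
  TCP    10.0.0.13:1188         10.0.0.254:3199        ESTABLISHED     4052
  UDP    0.0.0.0:500            *:*                                    1036
  UDP    10.0.0.13:19215        *:*                                    2344
"""

# Constructed 'tasklist /fo csv' output; PID 2344 / Skype.exe is hypothetical.
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","1308","Console","0","4,812 K"
"I20XX.EXE","4052","Console","0","12,004 K"
"lsass.exe","1036","Console","0","1,520 K"
"Skype.exe","2344","Console","0","38,112 K"
"""

# Two rows from the NAT listing above plus one constructed short-lived HTTP
# session (203.0.113.5 is a documentation address) that has no netstat match.
NAT_ROWS = """\
10.0.0.13 19215 54556 219.105.206.105 17421 WAN1
10.0.0.13 19215 54556 59.146.36.226 18089 WAN1
10.0.0.13 1054 54560 203.0.113.5 80 WAN1
"""


def parse_netstat_ano(text):
    """Return {(proto, local_ip, local_port): pid}. The PID is the last
    column for both TCP and UDP rows, so the missing State on UDP rows
    does not matter."""
    sockets = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        ip, port = parts[1].rsplit(":", 1)   # rsplit keeps [::]-style IPv6 intact
        sockets[(parts[0], ip, int(port))] = int(parts[-1])
    return sockets


def parse_tasklist_csv(text):
    """Return {pid: image_name} from 'tasklist /fo csv'."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def find_owner(private_ip, private_port, sockets, names):
    """The NAT table does not record the protocol, so try UDP then TCP, and
    accept a wildcard (0.0.0.0) listener as well as one bound to the LAN IP."""
    for proto in ("UDP", "TCP"):
        for ip in (private_ip, "0.0.0.0"):
            pid = sockets.get((proto, ip, private_port))
            if pid is not None:
                return (proto, pid, names.get(pid, "<unknown>"))
    return None


def attribute_sessions(nat_text, netstat_text, tasklist_text):
    """{(private_ip, private_port): (proto, pid, image) or None} for every
    distinct LAN socket in the NAT table. None means no socket with that
    port was open on the host when netstat ran."""
    sockets = parse_netstat_ano(netstat_text)
    names = parse_tasklist_csv(tasklist_text)
    owners = {}
    for line in nat_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[1].isdigit():
            continue
        key = (parts[0], int(parts[1]))
        if key not in owners:
            owners[key] = find_owner(key[0], key[1], sockets, names)
    return owners


if __name__ == "__main__":
    for (ip, port), owner in attribute_sessions(NAT_ROWS, NETSTAT_ANO, TASKLIST_CSV).items():
        print(f"{ip}:{port} -> {owner or 'no open socket in snapshot'}")
```

Run netstat -ano and tasklist /fo csv on the host while the sessions are visible in the router's table, paste the three outputs into the constants, and run the script; a NAT socket that comes back as None was simply not open when the host snapshot was taken, so repeat the snapshot while the sessions are active rather than concluding the host is clean.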
I am not aware of any software that uses port 12894 for communication.
Have you actually debugged any of the packets through Net Monitor or Wireshark?
Have you taken any captures?
ASKER
"... Have you actually debugged any of the packets through Net Monitor or Wireshark?
Have you taken any captures?"
I am not familiar with these. I administer the router of the business, but my network knowledge is basic.
Could it be a bug of the Draytek Vigor2820 router? Although it is strange that it only happens with one PC.
I doubt it. two immediate options.
1. remove the broadcasting device, rebuild it and then redeploy it.
2. Block the traffic on the router - see if the user shouts as an application has stopped working.
You have done the donkey work by identifying which box is broadcasting - the last part is working out what causes it. If your debug skills are limited then letting someone else identify what stops may be far easier and quicker.
Keith
ASKER
After investigating further I think I have identified the "culprit" that is producing all these 'unknown' sessions (> 50 even >100). It is the Skype software.
I also found the following discussion thread that indicates the same situation:
http://forum.skype.com/lofiversion/index.php/t94675.html
Unfortunately this topic was discussed about two years ago ... and my impression is that Skype is still producing a great number of NAT sessions.
I will try now to uninstall and reinstall Skype (latest version) and see if it still continues to do the same.
OK :)
ASKER
Unfortunately, even after uninstalling and reinstalling the latest version of Skype, the problem still persists. Even after changing the port that Skype uses from 19215 to another port number, it still produces lots of sessions at the same time.
Is there a reason why Skype does this? (is there a Skype zone here?)
Is it 'healthy' that an application opens all these sessions at the same time?
My organisation will not touch Skype.
Hold on - I'll have a look for you
There you go - found it.
I don't think we are going to get much further Don. It may be that you want to open another question directly in the Skype area. Skype is, by definition, a very chatty protocol.
Skype is a P2P-type app, so this sort of IP activity is to be expected. Is this causing problems for your network?
If it's a bandwidth issue, then you could use a free program called traffic shaper xp to limit the bandwidth skype is allowed to use.
www.bandwidthcontroller.com
ASKER
It offered the best answer in response to my question
Let that perform a scan and see if it finds and removes anything. If it does, check your logs again afterwards. If it finds nothing, go to that PC and run fport, which will isolate port traffic and map it to its parent process(es). Fport can be found here: http://www.foundstone.com/us/resources/termsofuse.asp?file=fport.zip