Strange packets

I have a system which appears to be sending packets to 223.1.128, which sounds like a Sonicwall VPN address (per stuff found on the internet) - but there is no sonicwall software installed on the box.  It fires from TCP port 139 to a random destination port in the 1000-1500 range.

It happens very regularly - but not exact - at about 20 second intervals.

Netstat shows no reference to a 223 address (netstat -abnv | find "223")

Thoughts?  Any idea on how to track such an animal down?
gnurph asked:
sfossupport commented:
To find out where it's coming from, run TCPView from Sysinternals to monitor your ports, and Process Explorer (also from Sysinternals) to see what's running.

http://technet.microsoft.com/en-us/sysinternals/default

fcarrai commented:
Does IPCONFIG report any virtual adapters, such as one for SonicWall?
fcarrai commented:
Port 139 is used for the NetBIOS session service, but also by viruses/trojans [1]. Did you scan your computer?

[1] http://www.speedguide.net/port.php?port=139
gnurph (author) commented:
There are no Sonicwall virtual adapters on this machine; there is no virus on the machine, either.

I ran TCPView yesterday, and it *doesn't* show the target IP address at all.  I began to wonder if another machine might be spoofing the data; I installed Wireshark on the machine to capture network data.

All of a sudden, I saw a packet *INBOUND* that purported to be *FROM* 223.1.1.128; there was no TCP handshake taking place, which is why (I think) TCPView didn't show anything.

My next step is to track the MAC address, which is a Cisco address - I believe that the originator of the bogus 223.1.1.128 packet is on a different subnet/VLAN, and so the MAC in the packet captured is going to match the internal MAC of one of my switches.

I did notice yesterday on TCPView that just before the packet goes out to 223.1.1.128, a packet comes in from a specific machine.  I'm wondering if that machine is generating packets purporting to be 223.1.1.128.  I'm checking it out.

Other suggestions?
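The analysis described in the post above (traffic that never shows up in TCPView because no handshake exists, an inbound frame carrying a switch/router MAC, and an inbound packet from one particular machine arriving just before each outbound one) can be automated over a Wireshark capture. The following is an added example, not code from the thread participants: it reads a constructed tab-separated export in the shape `tshark -T fields` produces for `frame.time_epoch`, `eth.src`, `eth.dst`, `ip.src`, `ip.dst`, `tcp.srcport`, `tcp.dstport` and `tcp.flags.str`, and reports which flows have no SYN, whether the spoofed frames arrived via a router/switch OUI, which source precedes each outbound packet, and the outbound period. The host address 10.0.0.5, the candidate machine 10.0.0.77, all MAC addresses and all timestamps are made up for the example; only 00:00:0c being a Cisco Systems OUI is a real fact.

```python
"""Added example (not from the original thread): correlate captured frames to
track down packets that purport to come from 223.1.1.128.  All addresses,
MACs and timestamps in SAMPLE are constructed for this demonstration."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean

SUSPECT_IP = "223.1.1.128"
HOST_IP = "10.0.0.5"            # assumed: the machine being investigated
# 00:00:0c is a Cisco Systems OUI.  A frame "from" 223.1.1.128 whose source MAC
# carries a switch/router OUI reached us through that device, so the real sender
# is on another segment (or is spoofing through it), not a peer on this VLAN.
ROUTER_OUIS = {"00:00:0c"}


@dataclass(frozen=True)
class Frame:
    ts: float
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    flags: str  # TCP flag letters as Wireshark prints them, e.g. "S", "SA", "PA"


def parse_fields(text):
    """Parse a tab-separated tshark-style field export into sorted Frames."""
    frames = []
    for line in text.strip().splitlines():
        ts, smac, dmac, sip, dip, sp, dp, fl = line.split("\t")
        frames.append(Frame(float(ts), smac.lower(), dmac.lower(),
                            sip, dip, int(sp), int(dp), fl))
    return sorted(frames, key=lambda f: f.ts)


def flow_key(f):
    """Direction-independent 4-tuple so both halves of a flow share a key."""
    a, b = (f.src_ip, f.sport), (f.dst_ip, f.dport)
    return (a, b) if a <= b else (b, a)


def handshake_less(frames, ip=SUSPECT_IP):
    """Frames (optionally only those involving `ip`) on flows where no SYN was
    captured.  The TCP stack holds no state for such traffic, which is why
    netstat/TCPView never list it."""
    syn_seen = {flow_key(f) for f in frames if "S" in f.flags}
    return [f for f in frames
            if (ip is None or ip in (f.src_ip, f.dst_ip))
            and flow_key(f) not in syn_seen]


def via_router(f):
    """True if the frame's source MAC belongs to a known router/switch OUI."""
    return f.src_mac[:8] in ROUTER_OUIS


def inbound_before_outbound(frames, window=0.5):
    """For each outbound frame to the suspect IP, record the source of the last
    inbound frame (other than the suspect) seen within `window` seconds.  One
    source dominating the tally is the machine to examine next."""
    tally, last_inbound = Counter(), None
    for f in frames:
        if f.dst_ip == HOST_IP and f.src_ip != SUSPECT_IP:
            last_inbound = f
        elif f.src_ip == HOST_IP and f.dst_ip == SUSPECT_IP:
            if last_inbound and f.ts - last_inbound.ts <= window:
                tally[last_inbound.src_ip] += 1
    return tally


def outbound_period(frames):
    """Mean gap between outbound frames to the suspect IP, in seconds."""
    ts = [f.ts for f in frames if f.src_ip == HOST_IP and f.dst_ip == SUSPECT_IP]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return mean(gaps) if gaps else None


# Constructed capture: three ~20 s cycles of (10.0.0.77 -> host, spoofed
# 223.1.1.128 -> host:139 via a Cisco MAC, host:139 -> 223.1.1.128), plus one
# legitimate connection with a full handshake that must not be flagged.
SAMPLE = """\
1000.000\t00:0c:29:aa:bb:cc\t00:11:22:33:44:55\t10.0.0.77\t10.0.0.5\t49152\t445\tPA
1000.010\t00:00:0C:12:34:56\t00:11:22:33:44:55\t223.1.1.128\t10.0.0.5\t1234\t139\tPA
1000.020\t00:11:22:33:44:55\t00:00:0c:12:34:56\t10.0.0.5\t223.1.1.128\t139\t1234\tPA
1005.000\t00:11:22:33:44:55\t00:50:56:de:ad:01\t10.0.0.5\t10.0.0.9\t50000\t445\tS
1005.002\t00:50:56:de:ad:01\t00:11:22:33:44:55\t10.0.0.9\t10.0.0.5\t445\t50000\tSA
1005.003\t00:11:22:33:44:55\t00:50:56:de:ad:01\t10.0.0.5\t10.0.0.9\t50000\t445\tA
1019.500\t00:0c:29:aa:bb:cc\t00:11:22:33:44:55\t10.0.0.77\t10.0.0.5\t49152\t445\tPA
1019.510\t00:00:0c:12:34:56\t00:11:22:33:44:55\t223.1.1.128\t10.0.0.5\t1301\t139\tPA
1019.520\t00:11:22:33:44:55\t00:00:0c:12:34:56\t10.0.0.5\t223.1.1.128\t139\t1301\tPA
1039.100\t00:0c:29:aa:bb:cc\t00:11:22:33:44:55\t10.0.0.77\t10.0.0.5\t49152\t445\tPA
1039.110\t00:00:0c:12:34:56\t00:11:22:33:44:55\t223.1.1.128\t10.0.0.5\t1450\t139\tPA
1039.120\t00:11:22:33:44:55\t00:00:0c:12:34:56\t10.0.0.5\t223.1.1.128\t139\t1450\tPA
"""


def report(text=SAMPLE):
    frames = parse_fields(text)
    spoofed = [f for f in handshake_less(frames) if f.src_ip == SUSPECT_IP]
    return {
        "handshake_less_frames": len(handshake_less(frames)),
        "inbound_via_router": all(via_router(f) for f in spoofed),
        "preceding_sources": dict(inbound_before_outbound(frames)),
        "period_s": outbound_period(frames),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the constructed data every frame involving 223.1.1.128 is on a flow with no SYN, every spoofed inbound frame carries the router OUI, 10.0.0.77 precedes all three outbound packets, and the period comes out at about 19.5 s. On a real capture, a destination MAC check as suggested in the thread is the complementary test: if the frame's `eth.dst` is not this host's MAC, the capture is seeing traffic meant for another machine.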
fcarrai commented:
I agree. Checking the destination MAC address of the inbound packet from 223.1.1.128 will allow you to understand which machine is going to receive the packet. That should be the one that is generating the outbound traffic as well, but in case of something anomalous, that's not mandatory.

Can you monitor the router's outbound traffic? Can you block the outbound traffic? That would help to verify whether the problem is generated internally to the LAN/WAN.
sfossupport commented:
Sounds like you are onto something. I would check the specific machine that is sending these packets. It may have a virus or other software installed that is causing this.