Solved

URGENT Request: how to create a Wireshark filter to display UDP packets received on non-listening ports

Posted on 2014-04-11
Last Modified: 2014-04-29
We have a Windows 2003 R2 64-bit server that is monitored by LogicMonitor (SNMP monitor).
LogicMonitor is reporting that the server is receiving many UDP packets on non-listening ports.

I have installed Wireshark on the server.
I have created a query "udp && ip.dst==192.168.49.67", which is showing me all the packets that are UDP and have my server IPs as the destination IP.

Please let me know if I am heading in the right direction and, if so, how I can progress further.
Question by:mohannitin
LVL 26

Expert Comment

by:Fred Marshall
ID: 39994700
Well, I think that Wireshark terminology is either:
"capture filter"
or
"display filter"
(and not "query").
This is important because the notation for the two is unfortunately different!!

What you have appears to be a valid display filter.

Author Comment

by:mohannitin
ID: 39994862
Yes, I have a display filter set up. Is there any way I can find out where the UDP packets are
coming from and which port they are hitting?
LVL 26

Accepted Solution

by:
Fred Marshall earned 500 total points
ID: 39995063
Sure.  Just look at the packet list.  The Source and Destination IP addresses are in the default listing I believe.  So that should take care of the IP address question.

Then, you should see in the expanded packet display at the bottom of the window, things like:

User Datagram Protocol, Src Port: snmp (161), Dst Port: 50864 (50864)

Then, after you look at a few of these, if you like you can set a display filter to show just the port or ports of interest.
&& (udp.port==xxxxxx || udp.port==yyyyyy) where xxxxxx is the port number and || is "or".
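
The comparison described in this thread, as an added example that is not part of the original posts: it matches the destination ports seen in a capture against the ports the server actually has bound, tallies the unmatched traffic by source, and builds a display filter in the form given above. The netstat and tshark samples are constructed, the source addresses are made up, and `udp.dstport` is used in place of `udp.port` so only the destination side is matched.

```python
import re
from collections import Counter

SERVER_IP = "192.168.49.67"  # server address from the question

# Constructed sample of `netstat -an -p udp` output taken on the server.
NETSTAT = """\
  UDP    0.0.0.0:161            *:*
  UDP    0.0.0.0:445            *:*
  UDP    192.168.49.67:137      *:*
"""

# Constructed sample of tab-separated output from:
#   tshark -r capture.pcap -Y "udp && ip.dst==192.168.49.67"
#          -T fields -e ip.src -e udp.srcport -e udp.dstport
TSHARK = ("192.168.49.10\t161\t50864\n"
          "192.168.49.10\t161\t50864\n"
          "192.168.49.22\t5353\t5353\n"
          "192.168.49.30\t40000\t161\n")

def listening_udp_ports(netstat_text):
    """Return the set of local UDP ports that have a bound socket."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*UDP\s+\S+:(\d+)\s", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def unmatched_traffic(tshark_text, listening):
    """Count (source IP, destination port) pairs whose port has no listener."""
    hits = Counter()
    for line in tshark_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 3 or not fields[2].isdigit():
            continue  # skip rows without a UDP destination port
        if int(fields[2]) not in listening:
            hits[(fields[0], int(fields[2]))] += 1
    return hits

def display_filter(hits, server_ip=SERVER_IP):
    """Build a Wireshark display filter covering the unmatched ports."""
    ports = sorted({port for _src, port in hits})
    if not ports:
        return ""
    clause = " || ".join(f"udp.dstport=={p}" for p in ports)
    return f"udp && ip.dst=={server_ip} && ({clause})"

if __name__ == "__main__":
    hits = unmatched_traffic(TSHARK, listening_udp_ports(NETSTAT))
    for (src, port), n in hits.most_common():
        print(f"{n:5d} packets from {src} to UDP port {port}")
    print(display_filter(hits))
```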