PaulDotCom mailing list archives

Re: Strange Traffic


From: "Josh Little" <josh () zombietango com>
Date: Wed, 25 Aug 2010 15:50:35 -0400

mDNS is a broadcast/multicast protocol that is not routable normally. You
can check those hosts to see if they have anything attached to UDP 5353, as
that is the typical mDNS client port. I would be surprised, though, if what
you are seeing is mDNS.

ZT

From: pauldotcom-bounces () mail pauldotcom com
[mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Craig Freyman
Sent: Wednesday, August 25, 2010 3:33 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Strange Traffic

I think it might be Bonjour?

 [mDNSResponder.exe]  UDP    [::]:500               *:*    1044

On Wed, Aug 25, 2010 at 1:27 PM, Craig Freyman <craigfreyman () gmail com>
wrote:

A lot. Is there a utility like process explorer that can tell me the
subprocesses of svchost and the port they're using?

 

On Wed, Aug 25, 2010 at 12:09 PM, Bugbear <gbugbear () gmail com> wrote:

Also what is running under SVCHOST?


On Wed, Aug 25, 2010 at 2:05 PM, Vincent Lape <vlape () me com> wrote:
Can you give a tcpdump of the traffic?



On Aug 25, 2010, at 10:54 AM, Craig Freyman <craigfreyman () gmail com>
wrote:

I'm trying to understand why a number of client computers are sending UDP
500 traffic to strange places. For example, from one machine it is sending
traffic to 209.85.225.166 which is owned by Google. Netstat tells me that
the traffic is originating from SVCHOST.
I thought UDP 500 was used for IKE but is it also used for some sort of keep
alive? I'm confused!
Thanks,
C


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
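
One way to answer the question raised in the thread (which service hosted inside svchost owns a given UDP port), as an added example that is not part of the original messages: correlate `netstat -ano` with `tasklist /svc` by PID. The sample output is constructed for illustration and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample output (not from the thread): `netstat -ano` and `tasklist /svc`.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  UDP    0.0.0.0:500            *:*                                    912
  UDP    [::]:500               *:*                                    912
  UDP    0.0.0.0:5353           *:*                                    1580
"""
TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    888 RpcEptMapper, RpcSs
svchost.exe                    912 IKEEXT, PolicyAgent
mDNSResponder.exe             1580 Bonjour Service
"""

def udp_listeners(netstat_text):
    """Map local UDP port -> set of owning PIDs from `netstat -ano` text."""
    ports = defaultdict(set)
    for line in netstat_text.splitlines():
        f = line.split()
        # UDP rows have no State column: Proto, Local, Foreign, PID
        if len(f) == 4 and f[0] == "UDP" and f[3].isdigit():
            ports[int(f[1].rsplit(":", 1)[1])].add(int(f[3]))
    return ports

def services_by_pid(tasklist_text):
    """Map PID -> (image name, [services]) from `tasklist /svc` text."""
    procs = {}
    for line in tasklist_text.splitlines():
        # Header and separator rows carry no numeric PID, so they do not match.
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(\S.*)$", line)
        if m:
            image, pid, svcs = m.groups()
            procs[int(pid)] = (image, [s.strip() for s in svcs.split(",")])
    return procs

def owners(port, netstat_text=NETSTAT, tasklist_text=TASKLIST):
    """Return sorted (pid, image, services) tuples bound to a UDP port."""
    procs = services_by_pid(tasklist_text)
    pids = udp_listeners(netstat_text)[port]
    return sorted((pid, *procs.get(pid, ("?", []))) for pid in pids)
```

A PID that appears in the netstat output but not in the task list is reported with image "?", which is worth a second look on a live host.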
