hi, i sniff on my external router and found alot duplicate ack and Ignored Unknown Record in the secure socket layer. The Destination port is to : psprserver (2354). ? i have try google to find out that protocol but no info is found. asked 15 Apr '13, 04:26 splibytes |
One Answer:
It is probably just the ephemeral port your client uses, and which is only used temporarily. Don't get distracted by the protocol name "psprserver" since it is simply not relevant for ephemeral ports. answered 15 Apr '13, 06:10 Jasper ♦♦ |
you could try to identify the process on your PC that is doing the transmission and then google for that executable.
I usually do it like this: use a command line to call netstat -ano, which will list all TCP/UDP conversations your computer has at the moment. Find the one with the port you're investigating and write down the process ID (PID). Run taskmanager, select the "Processes" tab and add the PID column if it isn't already in there (Menu -> Options -> Select Columns -> checkmark at "PID"). Then find the process with the PID you wrote down.
Note: this only works while the connection is still active; you can't do that when it is already finished. And, if you know how to start an elevated command prompt you can use netstat -anb instead, which will list the process name right away.
Hi, after check the sniff data i found connect to akamai technologies(Destination: 23.59.165.186) and after Google around some report is a spyware and some say is normal. how can do i classify it as spyware or no base on the capturing? Also this capturing are found from the load balancer to the external router so it will need times to trace client which setting out the packet
on base of the capture you could try to identify what data was exchanged, but other than that it's pretty hard to do. In most cases I had, the communication to Akamai was harmless; mostly some update process, certificate revocation checks or other software update stuff.
you can't, as the communication is encrypted and you don't know what kind of information is sent/received. The only chance is to identify the client (use the connection table of your loadbalancer) and then investigate the issue on the client machine itself.