I have some strange UDP traffic on one Win 7 machine on local port 60129, with a huge number of connections to random computers. What I can't figure out is what process generates it. I have used netstat -a -o -p UDP 1 >log.out for a long time but have never seen port 60129 in the log file. I have also used ProcessMonitor and TCPView but have never seen any hits, while at the same time capturing the traffic with Wireshark. I also used Port Explorer, but it didn't see this traffic either. So Wireshark is the only tool that has shown the traffic.

I always get port 60129 even after reboot.

I have tried killing one process at a time to see if I could stop the traffic, but I haven't been able to find the process that way either before the computer rebooted. I would like to avoid using this solution if any other can be used.

Erland

asked 01 Jan '14, 18:40

Erland

edited 02 Jan '14, 01:03

Jim Aragon

Apply a display filter of "frame.len > 300" and examine the displayed packets. You will see a lot more ASCII-readable information. It appears to be a list of downloadable video files, with heavy emphasis on Asian names. Some of the listings seem to correspond almost exactly in format to listings found at http://g.e-hentai.org/ [NSFW], including channel numbers. For example, the listing at http://g.e-hentai.org/g/659825/a5b0490b1f/ [NSFW] corresponds to the data in packet 4274.

It appears that the titles get blasted to multiple addresses almost simultaneously. For example, with that display filter applied, packets 4274, 4275, 4276, 4278, 4279, 4281, 4282, 4284, 4288, 4289, 4291, 4293, 4299, 4300, 4303, 4305, 4307, 4308, and 4310 all seem to be sending the same information to 20 different destinations, all within less than half a second.

The destination IP addresses appear to resolve to dynamic addresses that are probably assigned to home users. For example, "179.ppp-dhcp.logic.bm (199.172.197.179)" in packet 4281, and "24-217-69-157.dhcp.stls.mo.charter.com (24.217.69.157)" in packet 4275.

Most of the listings seem to end with ".zip".

I don't know what's going on, but my first guess would be some sort of file sharing. You might try capturing with Microsoft Network Monitor and see if it will identify the process responsible for these packets. I'd also do a complete system scan with an up-to-date anti-malware scanner.

answered 01 Jan '14, 20:58

Jim Aragon

edited 02 Jan '14, 05:41

Bill Meier ♦♦

Thanks for that excellent answer. Hopefully I should be able to find and delete the process now as I have more of an idea what I'm searching for.

(02 Jan '14, 00:38) Erland

P.S.: If possible, please let us know what you find ....

(03 Jan '14, 06:53) Bill Meier ♦♦
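The fan-out pattern described in the answer (one payload sent from port 60129 to around 20 hosts in under half a second, visible only in packets longer than 300 bytes) can be checked mechanically rather than by eyeballing packet numbers. The script below is an added example, not code from this thread or from Wireshark; it runs on constructed packet records instead of a real capture, and its thresholds are taken from the discussion above.

```python
import hashlib
from collections import defaultdict

LOCAL_PORT = 60129          # the local UDP port from the question
MIN_FRAME_LEN = 300         # mirrors the "frame.len > 300" display filter
WINDOW_SECONDS = 0.5        # "within less than half a second"
MIN_DESTINATIONS = 20       # "20 different destinations"


def build_sample_packets():
    """Constructed records (time_s, src_port, dst_ip, frame_len, payload) for the demo."""
    listing = b"[Example] Constructed Title (Channel 12).zip"  # constructed, not a real listing
    pkts = []
    # One listing blasted to 20 distinct hosts within 0.4 s: the pattern in the answer.
    for i in range(20):
        pkts.append((100.0 + i * 0.02, LOCAL_PORT, f"198.51.100.{i + 1}", 420, listing))
    # The same listing to only 3 hosts spread over 10 s: not a burst.
    for i in range(3):
        pkts.append((200.0 + i * 5.0, LOCAL_PORT, f"203.0.113.{i + 1}", 420, listing))
    # Short packets that the length filter discards, whatever their fan-out.
    for i in range(25):
        pkts.append((300.0 + i * 0.01, LOCAL_PORT, f"192.0.2.{i + 1}", 60, b"\x00\x01"))
    return pkts


def find_fanout_bursts(packets, src_port=LOCAL_PORT, min_len=MIN_FRAME_LEN,
                       window=WINDOW_SECONDS, min_dests=MIN_DESTINATIONS):
    """Return [(payload_sha256, first_time, dest_count)] for each payload that went
    from src_port to at least min_dests distinct hosts inside some window of `window` s."""
    by_payload = defaultdict(list)
    for ts, sport, dst, length, payload in packets:
        if sport != src_port or length <= min_len:
            continue
        by_payload[hashlib.sha256(payload).hexdigest()].append((ts, dst))
    bursts = []
    for digest, sends in by_payload.items():
        sends.sort()
        start = 0
        for end in range(len(sends)):  # slide a time window over the sorted sends
            while sends[end][0] - sends[start][0] > window:
                start += 1
            dests = {d for _, d in sends[start:end + 1]}
            if len(dests) >= min_dests:
                bursts.append((digest, sends[start][0], len(dests)))
                break  # report each payload once
    return bursts


if __name__ == "__main__":
    for digest, t0, n in find_fanout_bursts(build_sample_packets()):
        print(f"payload {digest[:12]} sent to {n} hosts starting at t={t0:.2f}s")
```

To run it against a real capture, export the same five fields with `tshark -r capture.pcapng -T fields -e frame.time_epoch -e udp.srcport -e ip.dst -e frame.len -e udp.payload` and feed each row in as one tuple (the payload column is hex and needs `bytes.fromhex`).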
question asked: 01 Jan '14, 18:40

question was seen: 5,165 times

last updated: 03 Jan '14, 06:53

p​o​w​e​r​e​d by O​S​Q​A