This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

UDP Port 52217

0

When looking at my firewall logs, I see attempts to get to my public IP address with UDP packets and destination port 52217. My firewall drops them as it should. But I ran a trace on that segment, and then noticed that a private IP address was hitting my public IP address with that same destination port of 52217 at 1205 second intervals. The MAC address associated with that IP address was a Cisco device and it was very probably the default gateway of my ISP. I say this because I saw a lot of ARP requests coming from that MAC address.

I called my ISP and asked if they had a security specialist I could speak to regarding this. Naturally, I was told that if I was not running the security package they provide, that there was nobody for me to speak with. I escalated it to a supervisor who was nice enough to take the information I could give him, and was told that he would take it up with a problem resolution team. I haven't heard anything since.

So, why do UDP packets with destination port 52217 seem to be so prevalent, and why would a Cisco router/firewall be sending them? I could see it if these were workstations that had been compromised in some way. Is it possible that this Cisco device has been compromised? BTW, I no longer see those packets from that device.

asked 19 Oct '10, 10:49

robert obrinsky


4 Answers:

0

This is really open ended. Every 20 minutes you're getting hit with a UDP packet to your external interface. The layer 2 address will likely always be the carrier's upstream MAC address - depending on how you're connected there are only going to be 2 devices on the link, you and them. Given THAT, it's not likely that the UDP traffic is truly originating from the MAC address you're seeing. What kind of device are you getting the log data from? If you can grab the whole packet you may be able to dive into it a bit more. I would lean toward it being P2P related...

answered 19 Oct '10, 11:10

GeonJay

Thanks for the response, John. So the packets in question are coming from 10.189.21.119. Yes, I suppose the IP address could be spoofed, but then I believe it should not have been forwarded by the Cisco router to a public IP address. BTW, you are absolutely correct about the MAC address: all packets are coming from that device with the exception of a very few ARP requests from other cable modems. Thanks for pointing that out; I should have realized that fact.

The firewall I am using is an Astaro Security Gateway v7.507 and I was viewing the live log when I noticed the private IP address hitting my firewall.

(19 Oct '10, 11:27) robert obrinsky

The plot has thickened. What is the source port for those packets? I'm still stuck on the 20 minute (and 5 seconds) regularity - it may be a clue or a red herring. Astaro is a good choice, I've never used the hardware devices, but the software is solid. Your carrier could be using the 10.x address space internally - perhaps this is some kind of tftp probe coming from the carrier to update old device firmware or something. My carrier, unfortunately, doesn't block private address space ranges within its own cloud.

Can you get a packet capture from the gateway device?

(19 Oct '10, 12:53) GeonJay
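The two checks this answer and its follow-up comments are circling (is the source address one the upstream should never have forwarded, and is the 20-minute-and-5-second cadence a real timer?) are mechanical enough to script. The following is an added example, not code from the thread or from Astaro: it parses constructed key=value firewall-log lines (the format and the addresses 76.0.0.10, 203.0.113.5 and 198.51.100.7 are assumptions; only 10.189.21.119 and the 1205-second spacing come from the thread), flags WAN-side packets whose source lies in private or bogon space, and reports per-source inter-arrival periods for a given destination port.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed sample lines in a generic key=value style. They are NOT real
# Astaro output; ts is a Unix timestamp in seconds, and the four lines from
# 10.189.21.119 reproduce the 1205-second spacing described in the thread.
SAMPLE_LOG = """\
ts=1287500000 iface=eth1 proto=UDP src=10.189.21.119 spt=52217 dst=76.0.0.10 dpt=52217 action=drop
ts=1287500120 iface=eth1 proto=UDP src=203.0.113.5 spt=41000 dst=76.0.0.10 dpt=52217 action=drop
ts=1287501205 iface=eth1 proto=UDP src=10.189.21.119 spt=52217 dst=76.0.0.10 dpt=52217 action=drop
ts=1287501400 iface=eth1 proto=TCP src=198.51.100.7 spt=55555 dst=76.0.0.10 dpt=443 action=accept
ts=1287502410 iface=eth1 proto=UDP src=10.189.21.119 spt=52217 dst=76.0.0.10 dpt=52217 action=drop
ts=1287503615 iface=eth1 proto=UDP src=10.189.21.119 spt=52217 dst=76.0.0.10 dpt=52217 action=drop
ts=1287503700 iface=eth0 proto=UDP src=192.168.1.20 spt=5353 dst=224.0.0.251 dpt=5353 action=accept
"""

# Address space that should never appear as a source on an Internet-facing
# link: RFC 1918 private ranges plus a few other bogon blocks (RFC 6890).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # carrier-grade NAT (RFC 6598)
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this" net
)]


def parse_log(text):
    """Turn key=value lines into dicts; ts/spt/dpt become ints."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(field.split("=", 1) for field in line.split())
        for k in ("ts", "spt", "dpt"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records


def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)


def wan_bogon_sources(records, wan_iface="eth1"):
    """Sources that reached the WAN interface from private/bogon space.
    Such packets were either spoofed or leaked from the carrier's own
    network; in both cases the upstream should have filtered them."""
    return sorted({r["src"] for r in records
                   if r["iface"] == wan_iface and is_bogon(r["src"])})


def periodic_sources(records, dport, proto="UDP", min_packets=3, tolerance=5):
    """Per source, the median inter-arrival time of packets to dport, kept
    only when every interval is within `tolerance` seconds of that median.
    A tight period such as 1205 s points at a software timer, not a person."""
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == proto and r["dpt"] == dport:
            by_src[r["src"]].append(r["ts"])
    result = {}
    for src, times in by_src.items():
        times.sort()
        if len(times) < min_packets:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = median(gaps)
        if all(abs(g - m) <= tolerance for g in gaps):
            result[src] = int(m)
    return result


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("bogon sources on WAN:", wan_bogon_sources(recs))
    print("periodic senders to udp/52217:", periodic_sources(recs, 52217))
```

Feed it a real export by adapting `parse_log` to your firewall's log format; the two checks themselves only need a timestamp, interface, protocol, addresses and ports. A source that is both in `wan_bogon_sources` and in `periodic_sources` is the strongest case for escalating to the carrier, because it combines a filtering failure on their side with behaviour that is clearly automated.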

0

Are there several public IP addresses communicating to that port to an internal address? If so, locate the internal system and check the Skype preferences. You will probably find your mysterious port number there.

(at least that's where I found the answer to similar traffic on my laptop :-))

answered 19 Oct '10, 13:56

SYN-bit ♦♦

0

If you do not have a static IP address but get a new one every now and then this can easily happen, for example if somebody else had that IP address before you and was running a Torrent program to download files. Those often use random high ports for their communication. When he goes offline (and the IP wanders over to you) the other torrent users out there will still try to reach him and fail, and might even do that on a regular basis (probably thinking "well, maybe the torrent guy is back... now?... or... now?... or... now?..." :-))

Maybe there even is someone trying to run a torrent program on your network and wonders why it doesn't work (since your firewall keeps blocking the incoming packets). As far as I know torrent programs register themselves on a tracker that tells all other participants "hey, there is this new guy on IP x.x.x.x using port 52217 and he wants to download the torrent content", and they start sending (or trying to).

And like the others said - the MAC address will most certainly be the one from the router of the ISP forwarding the frame to you, but the packet will most certainly not originate from the ISP but merely be forwarded.

answered 19 Oct '10, 15:52

Jasper ♦♦

edited 19 Oct '10, 15:56

True, I don't have a static IP address. But BitTorrent, as far as I know, is a TCP protocol, not UDP. This is a small internal network with only 5 systems, 6 if you count the VM firewall. I can understand public IP addresses attempting to connect with my firewall, and yes, the logs show that there are other public addresses trying to connect with my firewall on port 52217. But a private IP address coming from the ISP's router trying to connect with my firewall is troubling. 10.189.21.119 (network mask unknown) should not be able to contact 76.aaa.bbb.ccc/21 from outside my firewall. My internal network is 192.168.aaa.bbb/24.

I did a search for UDP and port 52217, and found that the Internet Storm Center is tracking sources and destinations, but that was all I found.

(19 Oct '10, 22:27) robert obrinsky

Some BitTorrent clients like µTorrent can use UDP as transport protocol. Still you're correct, a 10.x.x.x address should not try to contact you out of the blue, unless there was someone at the same provider communicating with whoever had your IP earlier. I guess you won't find much info about that port since it most likely is just a random port some application chose for its communication.

(20 Oct '10, 02:50) Jasper ♦♦
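Whether the UDP packets are BitTorrent-related is something the payload can answer more reliably than the port number. The following is an added example, not code from the thread or from any BitTorrent client: it recognises the three UDP encodings BitTorrent clients commonly use, DHT messages (BEP 5, bencoded dictionaries), the UDP tracker connect request (BEP 15) and µTP (BEP 29, the UDP transport µTorrent introduced). The sample payloads are constructed (the DHT one is the ping example from BEP 5); the µTP check is a header heuristic on a 20-byte prefix and can misfire on random data, so treat a "utp" verdict as a hint to look at the rest of the flow, not as proof.

```python
import struct

# --- minimal bencode decoder (BEP 3); just enough to read DHT messages ---
def _bdecode_at(data: bytes, i: int):
    """Decode one bencoded value starting at offset i; return (value, next_i)."""
    c = data[i:i + 1]
    if c == b"i":                       # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                       # list: l<values>e
        i += 1
        out = []
        while data[i:i + 1] != b"e":
            v, i = _bdecode_at(data, i)
            out.append(v)
        return out, i + 1
    if c == b"d":                       # dict: d<key><value>...e, keys are strings
        i += 1
        out = {}
        while data[i:i + 1] != b"e":
            k, i = _bdecode_at(data, i)
            v, i = _bdecode_at(data, i)
            out[k] = v
        return out, i + 1
    if c.isdigit():                     # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        n = int(data[i:colon])
        start = colon + 1
        return data[start:start + n], start + n
    raise ValueError("invalid bencode at offset %d" % i)


def bdecode(data: bytes):
    value, end = _bdecode_at(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


UTP_TYPES = {0: "ST_DATA", 1: "ST_FIN", 2: "ST_STATE", 3: "ST_RESET", 4: "ST_SYN"}
TRACKER_PROTOCOL_ID = 0x41727101980   # BEP 15 connect-request magic


def classify_udp_payload(payload: bytes) -> str:
    """Label a UDP payload as DHT, tracker connect, uTP or unknown."""
    # 1. DHT (BEP 5): a bencoded dict whose "y" key is q (query), r or e.
    if payload[:1] == b"d":
        try:
            msg = bdecode(payload)
        except (ValueError, IndexError):
            msg = None
        if isinstance(msg, dict) and msg.get(b"y") in (b"q", b"r", b"e"):
            kind = {b"q": "query", b"r": "response", b"e": "error"}[msg[b"y"]]
            q = msg.get(b"q")
            name = q.decode("ascii", "replace") if isinstance(q, bytes) else ""
            return ("bittorrent-dht %s %s" % (kind, name)).strip()
    # 2. UDP tracker connect request (BEP 15): 16 bytes, magic id, action 0.
    if len(payload) == 16:
        proto_id, action, _txid = struct.unpack("!qii", payload)
        if proto_id == TRACKER_PROTOCOL_ID and action == 0:
            return "bittorrent-udp-tracker connect"
    # 3. uTP (BEP 29): 20-byte header, version nibble 1, known type,
    #    extension byte 0 (none) or 1 (selective ack). Heuristic only.
    if len(payload) >= 20:
        ver, typ, ext = payload[0] & 0x0F, payload[0] >> 4, payload[1]
        if ver == 1 and typ in UTP_TYPES and ext in (0, 1):
            return "utp " + UTP_TYPES[typ]
    return "unknown"


# Constructed sample payloads (not captured from the network in the thread).
DHT_PING = b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe"
UTP_SYN = bytes([0x41, 0x00]) + struct.pack("!HIIIHH", 0x1234, 0, 0, 1048576, 1, 0)
TRACKER_CONNECT = struct.pack("!qii", TRACKER_PROTOCOL_ID, 0, 0x1234ABCD)

if __name__ == "__main__":
    for label, p in (("dht", DHT_PING), ("utp", UTP_SYN),
                     ("tracker", TRACKER_CONNECT), ("junk", b"\x00" * 8)):
        print(label, "->", classify_udp_payload(p))
```

To apply it to the traffic from the thread, export the UDP payloads of the dropped packets (for example with `tshark -T fields -e data` on a capture taken at the firewall) and run each through `classify_udp_payload`; a run of DHT queries or µTP SYNs aimed at port 52217 supports the "previous holder of the IP was seeding" theory, whereas all-"unknown" payloads do not.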

0

I know this is old - but I found a reference to that port on Fujitsu's site:

http://www.fujitsu.com/global/support/computing/peripheral/scanners/ssfaq/ix500_mobile4.html

52217 is apparently the default UDP port that their "ScanSnap" software looks for mobile devices on.

answered 10 Apr '15, 09:11

Crocket