blocked packet [Archive] - SpeedGuide.net Broadband Community

mike
02-16-08, 12:32 AM
Could someone tell me what this packet is trying to do?
Port 35268 is my uTorrent port.
Sorry for the bad format of the info. Taken from PC Tools Firewall.


"Time" "Log Type" "Rule Name" "Action"
"Direction" "Rule Type" "Adapter Zone" "Data Length" "Ethernet Source"
"Ethernet Dest" "Ethernet Type" "IP Source" "IP Dest" "Protocol"
"Port Src" "Port Dest"
"2008/02/15 15:52:29" "eLogType_Packet" "All other packets" "0" "Inbound"
"0" "FWInternetZone" "161" "00:14:2A:A5:F1:CC" "01:00:5E:40:98:8F"
"IP" "192.168.2.5" "239.192.152.143" "UDP" "6771" "6771"

data

0000:42 54 2D 53 45 41 52 43 BT-SEARC
0008:48 20 2A 20 48 54 54 50 H * HTTP
0010:2F 31 2E 31 0D 0A 48 6F /1.1..Ho
0018:73 74 3A 20 32 33 39 2E st: 239.
0020:31 39 32 2E 31 35 32 2E 192.152.
0028:31 34 33 3A 36 37 37 31 143:6771
0030:0D 0A 50 6F 72 74 3A 20 ..Port:
0038:33 35 32 36 38 0D 0A 49 35268..I
0040:6E 66 6F 68 61 73 68 3A nfohash:
0048:20 46 45 32 30 33 45 36 FE203E6
0050:37 39 32 38 44 35 45 31 7928D5E1
0058:32 36 45 41 32 45 43 41 26EA2ECA
0060:45 37 41 38 32 39 41 41 E7A829AA
0068:42 33 37 37 45 45 31 41 B377EE1A
0070:37 0D 0A 0D 0A 0D 0A 7......

Moe Trin
02-16-08, 04:56 PM
On Fri, 15 Feb 2008, in the Usenet newsgroup comp.security.firewalls, in article
<13rctbq56eiu156@corp.supernews.com>, mike wrote:

>Could someone tell me what this packet is trying to do?
>Port 35268 is my uTorrent port.
>Sorry for the bad format of the info. Taken from PC Tools Firewall.

Toy firewall produces toy results. What you show isn't all that
informative.

>"Time" "Log Type" "Rule Name" "Action"
>"Direction" "Rule Type" "Adapter Zone" "Data Length" "Ethernet Source"
>"Ethernet Dest" "Ethernet Type" "IP Source" "IP Dest" "Protocol"
>"Port Src" "Port Dest"
>"2008/02/15 15:52:29" "eLogType_Packet" "All other packets" "0" "Inbound"
>"0" "FWInternetZone" "161" "00:14:2A:A5:F1:CC" "01:00:5E:40:98:8F"

[compton ~]$ etherwhois 00:14:2A
00-14-2A (hex) Elitegroup Computer System Co., Ltd
00142A (base 16) Elitegroup Computer System Co., Ltd
No.22, Alley 38, Lane 91, Sec. 1,
Nei Hu Road
Taipei 114
TAIWAN, REPUBLIC OF CHINA
[compton ~]$

Some Taiwanese clone manufacturer, probably a RealTek 8139 chipset (a
common 10/100BaseT NIC) - the 01:00:5E is a Multicast destination,
relatively meaningless because of the lack of IP header information.

>"IP" "192.168.2.5" "239.192.152.143" "UDP" "6771" "6771"

192.168.2.5 is on your network somewhere - 239.192.152.143 is an
"Organization-Local Scope" multicast address - see RFC2365. It's UDP
with a source and destination port of 6771 - which is relatively
meaningless without knowing what software you've installed. The "data"
you show appears to be a BTrieve request, but you'll have to figure out
why your "192.168.2.5" host is attempting to send this as a UDP datagram
to a local multicast - as that doesn't exactly smell right.

So, what did you install on your windoze box?

Old guy
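
Added example, not part of either post above: Python that decodes the payload from the hex dump and cross-checks it against the other fields of the firewall log line. The BT-SEARCH request line with Host, Port and Infohash headers sent to 239.192.152.143:6771 is the layout of a BitTorrent Local Service Discovery announce (BEP 14). The function names are illustrative, and the frame-length check assumes the log's "Data Length" counts the whole Ethernet frame with no VLAN tag or IP options.

```python
import ipaddress

# Payload transcribed from the hex dump in the first post (119 bytes).
PAYLOAD = bytes.fromhex("""
42 54 2D 53 45 41 52 43 48 20 2A 20 48 54 54 50
2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 32 33 39 2E
31 39 32 2E 31 35 32 2E 31 34 33 3A 36 37 37 31
0D 0A 50 6F 72 74 3A 20 33 35 32 36 38 0D 0A 49
6E 66 6F 68 61 73 68 3A 20 46 45 32 30 33 45 36
37 39 32 38 44 35 45 31 32 36 45 41 32 45 43 41
45 37 41 38 32 39 41 41 42 33 37 37 45 45 31 41
37 0D 0A 0D 0A 0D 0A
""")

def parse_announce(payload: bytes):
    """Split an HTTP-style datagram into its request line and headers."""
    lines = payload.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue  # blank lines end (and here pad) the message
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def multicast_mac(ip: str) -> str:
    """Map an IPv4 multicast group to its Ethernet address (RFC 1112)."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not a multicast address")
    low23 = int(addr) & 0x7FFFFF  # only the low 23 bits reach the MAC
    octets = [0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF]
    return ":".join(f"{o:02X}" for o in octets)

def summarize(payload: bytes, ip_src: str, ip_dst: str, eth_dst: str) -> dict:
    """Cross-check the decoded payload against the logged header fields."""
    request, hdr = parse_announce(payload)
    return {
        "request": request,
        "announced_port": int(hdr["port"]),
        "infohash_bytes": len(bytes.fromhex(hdr["infohash"])),
        "host_matches_dst": hdr["host"].split(":")[0] == ip_dst,
        "mac_matches_group": multicast_mac(ip_dst) == eth_dst.upper(),
        "source_is_private": ipaddress.ip_address(ip_src).is_private,
        "frame_len": 14 + 20 + 8 + len(payload),  # assumed: Ethernet+IPv4+UDP
    }

if __name__ == "__main__":
    print(summarize(PAYLOAD, "192.168.2.5", "239.192.152.143", "01:00:5E:40:98:8F"))
```

The announced port is the uTorrent port named in the first post, and the computed frame length equals the logged "Data Length", so the dump holds the complete datagram.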