
We have installed Untangle and we see many broadcasts from 1 IP (client Windows 7). Almost every minute it is broadcasting to 255.255.255.255 port 0.

I would like to know how to trace the source causing this behaviour. I have tried netstat, but it is not entirely clear to me how to use it to find the process or application causing this behaviour. Other suggestions are welcome. I know which PC it is, and I do not see any malware-like applications or processes. This is not about whether this may be dangerous traffic; I just want to find the source, dangerous or not.

Thank you all in advance for helping

B.M.
  • Try capturing the broadcast with Wireshark, that may assist in understanding what it is trying to do. – Jason Martin Sep 05 '17 at 14:27
  • 0000 ff ff ff ff ff ff d4 85 64 9a bc 18 08 00 45 00 ........d.....E.
    0010 00 68 68 e0 00 00 80 11 07 41 c0 0a 0a 5a ff ff .hh......A...Z..
    0020 ff ff ca 96 37 b6 00 54 e6 6b 00 00 00 4c 3a 00 ....7..T.k...L:.
    0030 00 00 00 00 00 0c 44 53 41 4d 65 73 73 61 67 65 ......DSAMessage
    0040 00 00 00 00 00 0c 00 00 00 10 4f 52 42 65 6c 69 ..........ORBeli
    0050 6e 65 20 32 2e 30 00 00 00 00 00 00 00 06 55 9f ne 2.0........U.
    0060 c7 09 3a 00 00 00 00 00 00 04 3a 3a 00 00 00 00 ..:.......::....
    0070 00 04 00 00 00 00
    As I can see the text: DSAMessage OR Beline 2.0 – B.M. Sep 06 '17 at 14:36
  • I have absolutely no clue. – B.M. Sep 06 '17 at 14:36
  • Perhaps put up a screenshot of the entire Wireshark decode? I'm guessing it is some sort of service announcement. – Jason Martin Sep 06 '17 at 15:54
  • Jason, I do not exactly know to what kind of information you are referring as "Entire Wireshark Decode". https://ibb.co/db6Xwv – B.M. Sep 07 '17 at 07:16
  • That's exactly what I wanted. It doesn't tell us the protocol but it looks like it might be a printer, and since this looks like some sort of service-registration beacon I suspect it is the printer trying to announce its presence to something. – Jason Martin Sep 08 '17 at 02:16
  • Hello Jason, We have found it. It is an old application that indeed is trying to discover services. When we shut down the application, the symptoms are gone. – B.M. Sep 13 '17 at 06:56
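
As an added example (not part of the original thread), the frame posted in the comments can be decoded by hand to recover the sender's MAC and IP address, the UDP ports, and the readable strings in the payload. The function name `decode_udp_frame` is hypothetical; the bytes are copied from the hex dump above.

```python
import re
import struct

# Frame bytes copied from the hex dump posted in the comments (118 bytes).
FRAME_HEX = """
ff ff ff ff ff ff d4 85 64 9a bc 18 08 00 45 00
00 68 68 e0 00 00 80 11 07 41 c0 0a 0a 5a ff ff
ff ff ca 96 37 b6 00 54 e6 6b 00 00 00 4c 3a 00
00 00 00 00 00 0c 44 53 41 4d 65 73 73 61 67 65
00 00 00 00 00 0c 00 00 00 10 4f 52 42 65 6c 69
6e 65 20 32 2e 30 00 00 00 00 00 00 00 06 55 9f
c7 09 3a 00 00 00 00 00 00 04 3a 3a 00 00 00 00
00 04 00 00 00 00
"""

def decode_udp_frame(frame: bytes) -> dict:
    """Decode an Ethernet II / IPv4 / UDP frame and list printable payload strings."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short for Ethernet + IPv4 + UDP")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    ip = frame[14:14 + ihl]
    if ip[9] != 17:                         # IP protocol number 17 = UDP
        raise ValueError("not UDP")
    udp_off = 14 + ihl
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", frame[udp_off:udp_off + 8])
    payload = frame[udp_off + 8:udp_off + udp_len]
    return {
        "src_mac": src_mac.hex(":"),
        "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, ip[12:16])),
        "dst_ip": ".".join(map(str, ip[16:20])),
        "src_port": sport,
        "dst_port": dport,
        "payload_len": len(payload),
        # Runs of 4 or more printable ASCII bytes, like the `strings` utility.
        "strings": [m.decode() for m in re.findall(rb"[\x20-\x7e]{4,}", payload)],
    }

if __name__ == "__main__":
    for key, value in decode_udp_frame(bytes.fromhex(FRAME_HEX)).items():
        print(f"{key:12} {value}")
```

The decoded source port is the local UDP port to look for in `netstat -ano -p udp` output on the client, where the PID column identifies the owning process. If the application opens the socket only for each broadcast, the entry may be visible only briefly.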
