Mark Minasi's Reader Forum
 mdbs_daemon tcp port 800

T O P I C    R E V I E W
lady_mcse Posted - 03/26/2009 : 2:34:09 PM
I have a laptop that is plugged into a hub with another pc running wireshark. Wireshark is picking up about 20-30 packets per minute on TCP port 800.

An example "info" for one of the packets in red is mdbs_daemon > tripwire [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

An example "info" for what I presume is a reply packet in gray is: tripwire > mdbs_daemon [SYN] seq=0 Win=64512 Len=0 MSS=1260

Where in the examples above I list tripwire, there seems to be a wide variety of sites or servernames or whatever they are, might be sweetware-apps, groove-dpp, mpc-lifenet, slinkysearch, bvcontrol ... I could go on, hundreds of names I suppose.

Any idea what's going on here? I've been googling both TCP\800, mdbs_daemon, and some of these random names and haven't come up with anything too concrete yet. As an example, sweetware-apps turns out to be a software for air traffic controllers. ???

If I had to wager money on it, I'd say there's a limewire\kazaa\etc. type of file software that keeps trying to go out to these other sites. So I have gone through add\remove programs, shut down all but essential services, gone through the running processes, shutting down just a few. Have run virusscan that came up clean (Symantec) and Spybot Search & Destroy which also came up clean.

3   L A T E S T    R E P L I E S    (Newest First)
lady_mcse Posted - 03/27/2009 : 6:44:47 PM
quote:
Have you tried using netstat or maybe tcpview to identify what process is listening to port 800?


Don't have that specific laptop anymore to work with, but I raised all this with my boss who manages the firewall and websense filtering. He's thinking maybe there's something preventing a heartbeat from flowing the way it should ... and also quite possible that all this conversation traffic is normal. So more investigation next week.
Doug G Posted - 03/26/2009 : 10:21:44 PM
Have you tried using netstat or maybe tcpview to identify what process is listening to port 800?
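
One way to act on the netstat suggestion above, as an added example that is not part of the original posts: a Python sketch that parses `netstat -ano` output and reports the owning PID for every row whose local or foreign port is exactly 800. The sample output, addresses and PIDs are constructed, and the function names are hypothetical.

```python
# Constructed sample of Windows `netstat -ano` output (not from the laptop in the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       2210
  TCP    192.0.2.15:1169        198.51.100.7:800       SYN_SENT        1832
  TCP    192.0.2.15:1221        198.51.100.7:800       TIME_WAIT       0
  TCP    192.0.2.15:1300        203.0.113.9:443        ESTABLISHED     3020
  TCP    [::]:800               [::]:0                 LISTENING       4411
  UDP    0.0.0.0:800            *:*                                    1500
"""


def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so bracketed IPv6 addresses work."""
    addr, _, port = endpoint.rpartition(":")
    return addr, (int(port) if port.isdigit() else None)


def find_port_users(netstat_text, port=800, proto="TCP"):
    """Return rows where `port` is the local OR the foreign port.

    Ports are compared as integers, so 8000 does not match 800 the way a
    plain substring search for ':800' would.
    """
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != proto:
            continue  # skips the banner, the column header and other protocols
        local, foreign, pid = fields[1], fields[2], fields[-1]
        state = fields[3] if len(fields) == 5 else ""  # UDP rows have no state
        lport = split_endpoint(local)[1]
        fport = split_endpoint(foreign)[1]
        if port not in (lport, fport):
            continue
        hits.append({
            "local": local, "foreign": foreign, "state": state,
            "pid": int(pid),  # PID 0 on a TIME_WAIT row: owning process already gone
            "role": "local" if lport == port else "remote",
        })
    return hits


if __name__ == "__main__":
    for hit in find_port_users(SAMPLE_NETSTAT):
        print(hit)
```

A row with role "remote" means the machine is the client connecting out to port 800 rather than listening on it; the PID can then be looked up in Task Manager or tcpview.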
lady_mcse Posted - 03/26/2009 : 4:29:16 PM
OK ... more info for me to investigate ...

Previously I was clueless about Websense Filtering Agent. I knew that we had Websense blocking for our internal clients. But apparently for laptops that are out and about with VPN, we install a remote filtering agent on the laptop which communicates by Port 800. (surprise!)

So I ran a port 800 capture on a machine with no client, then installed the client, and sure 'nough watched the traffic go from 0 to 20-30 packets with all these website names in them, or whatever these references are.

Now wondering if maybe this is just normal chatter between Websense server & client, and maybe it's loading up the client with a database of some sort. (MDBs_daemon ...)

Sorry I'm mostly talking out loud here!

Mark Minasi's Reader Forum © 2002-2011 Mark Minasi