- 09-01-2007 #1
Tons of traffic on port 29
Well, I set up iptraf the other night to audit my network connections as things were going a little slow. After running it for a few hours everything seemed fine, but then I started noticing a lot of packets being sent to TCP port 29. I don't have any services running on this port, and if it were a random hacker then my DMZ'd server would've been inundated with these packets. This leads me to the conclusion that there's some program on my computer sending these packets out to a remote connection.
I found the IP that the packets were being sent to, but I did not find much info on a whois, however it seems to just be a small user-ip for an ISP.
I did a portscan just to see what might be enabled, to see if it's a server or what, and the only port actually open on it was port 29 and 389. So, my computer is now just randomly sending out packets to some random server on the internet reading in from port 29. I'm not quite sure what the heck is going on here, but so far I've just put some rules in my firewalls to keep the packets from reaching their host, but the packets keep being generated by whatever program on my computer is linked to this.
Is there a way to figure out what program is connecting and sending these packets, or should I just not worry about it? It seems a little nefarious to me, so I'd like to be able to find the offending program and see if everything is okay.
This is an excerpt from my iptraf tcp services log
I should also note that even with my firewall rules, iptraf is continuing to log packets for this port. I suppose these could be SYN packets, but due to the disproportion between outgoing and incoming, I think it is an application on my computer attempting to send this information.
Code:
Running time: 32400 seconds
*** TCP/UDP traffic log, generated Sat Sep 1 01:47:47 2007
...
TCP/29: 653313 packets, 617539169 bytes total, 152.49 kbits/s; 243952 packets, 13614772 bytes incoming, 3.36 kbits/s; 409361 packets, 603924397 bytes outgoing, 149.13 kbits/s
...
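The poster's reasoning rests on the outgoing/incoming imbalance in the iptraf service line. The following is an added example, not code from the thread or from iptraf: a small shell parser for iptraf's "TCP/UDP traffic log" service lines that extracts the byte counts and flags ports where outgoing volume dwarfs incoming. The TCP/29 line is the one quoted above; the TCP/22 line and the threshold are constructed for contrast.

```shell
#!/bin/sh
# Added example: parse iptraf "TCP/UDP traffic log" service lines and compute
# the outgoing:incoming byte ratio per port. The TCP/29 line is quoted from the
# thread; the TCP/22 line is constructed so there is a normal port to compare.
SAMPLE_IPTRAF='Running time: 32400 seconds
*** TCP/UDP traffic log, generated Sat Sep 1 01:47:47 2007
TCP/29: 653313 packets, 617539169 bytes total, 152.49 kbits/s; 243952 packets, 13614772 bytes incoming, 3.36 kbits/s; 409361 packets, 603924397 bytes outgoing, 149.13 kbits/s
TCP/22: 1200 packets, 98000 bytes total, 0.02 kbits/s; 600 packets, 45000 bytes incoming, 0.01 kbits/s; 600 packets, 53000 bytes outgoing, 0.01 kbits/s'

# Print "PORT IN_BYTES OUT_BYTES OUT/IN" for every service line, or only for
# the service named in $1 (e.g. TCP/29). Each service line has three
# ';'-separated parts: totals, incoming, outgoing; the byte count is the third
# word of the incoming and outgoing parts.
iptraf_service_bytes() {
    printf '%s\n' "$SAMPLE_IPTRAF" | awk -F';' -v want="$1" '
        /^(TCP|UDP)\// {
            split($1, head, " "); port = head[1]; sub(/:$/, "", port)
            split($2, inc, " ");  in_bytes  = inc[3]
            split($3, out, " ");  out_bytes = out[3]
            if ((in_bytes + 0) == 0) ratio = "inf"
            else ratio = sprintf("%.1f", out_bytes / in_bytes)
            if (want == "" || port == want)
                printf "%s %d %d %s\n", port, in_bytes, out_bytes, ratio
        }'
}

# List services whose outgoing bytes exceed incoming by more than $1 times.
# A lopsided ratio on a port with no local listener is the symptom described
# above: a local process is pushing data out, not merely answering requests.
outbound_heavy_services() {
    iptraf_service_bytes | awk -v t="$1" '$4 == "inf" || ($4 + 0) > (t + 0) { print $1 }'
}
```

Running `outbound_heavy_services 10` against this sample lists only TCP/29, with roughly 44 bytes sent for every byte received; a port that is only receiving unsolicited SYNs from outside would show the opposite shape, with incoming packets dominating.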
- 09-02-2007 #2
So why stop at iptraf? Sniff the actual traffic and see what is going on.
- 09-02-2007 #3
- 09-03-2007 #4
I don't think tcp port 29 is very frequently used. A quick google on 'tcp 29' leads to a page that describes it as MSG ICP. Never heard of it. (In fact, this thread is one of the top google hits.)
Originally Posted by SagaciousKJB
I'm not sure I agree with your conclusion that it's your box sending requests to tcp 29, unless there are more details you haven't shared here. There are a couple ways to approach this:
- Start a tcpdump capture and when the issue occurs again you can take a closer look at the packets; or
- Set up iptables rules that log any inbound and outbound traffic to tcp 29; or
- Next time the issue occurs, view the output of # netstat -atnp to see the program associated with the connection; or
- all of the above.
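The second and third suggestions above, worked through as an added example (not code from any poster in this thread): one function reads iptables LOG lines of the kind a rule like `iptables -A OUTPUT -p tcp --dport 29 -j LOG --log-prefix "TCP29-OUT: "` writes to the kernel log and reports how many of the logged packets are bare SYNs, which settles the poster's question of whether the firewall is merely seeing retried connection attempts; the other reads `netstat -atnp` output and names the process behind each socket to the port. All addresses, PIDs, program names and log lines are constructed sample data.

```shell
#!/bin/sh
# Added example. SAMPLE_KLOG mimics lines produced by an iptables LOG rule with
# --log-prefix "TCP29-OUT: "; SAMPLE_NETSTAT mimics `netstat -atnp`. Addresses
# come from documentation ranges and the PIDs/program names are invented.
SAMPLE_KLOG='Sep  3 01:12:03 host kernel: TCP29-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41203 DF PROTO=TCP SPT=41022 DPT=29 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  3 01:12:03 host kernel: TCP29-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=41204 DF PROTO=TCP SPT=41022 DPT=29 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Sep  3 01:12:04 host kernel: TCP29-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41205 DF PROTO=TCP SPT=41023 DPT=29 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  3 01:12:05 host kernel: TCP29-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=41206 DF PROTO=TCP SPT=41030 DPT=389 WINDOW=5840 RES=0x00 ACK PSH URGP=0'

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0  48212 192.0.2.10:41022        203.0.113.5:29          ESTABLISHED 2417/unknown-app
tcp        0      0 192.0.2.10:41030        203.0.113.5:389         ESTABLISHED 2417/unknown-app
tcp        0      0 192.0.2.10:41100        198.51.100.7:443        ESTABLISHED 1533/firefox'

# Count logged packets to destination port $1 that carry TCP flag $2 (e.g. SYN),
# printed as "matching/total". Mostly bare SYNs means the firewall is dropping
# repeated connection attempts; mostly ACK/PSH means an established session is
# actually moving data.
flag_share() {
    printf '%s\n' "$SAMPLE_KLOG" | awk -v p="$1" -v f="$2" '
        {
            dpt = ""; hit = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
                if ($i == f) hit = 1
            }
            if (dpt == p) { total++; n += hit }
        }
        END { printf "%d/%d\n", n + 0, total + 0 }'
}

# From netstat -atnp output, print the distinct PID/program entries owning a
# socket whose foreign port is $1. Header lines are skipped because their first
# field is not "tcp"; LISTEN sockets never match because their foreign port is "*".
programs_for_port() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk -v p="$1" '
        $1 == "tcp" && $5 ~ (":" p "$") { print $7 }' | sort -u
}
```

On a live system `flag_share` would be fed from `dmesg` or `/var/log/kern.log` and `programs_for_port` from `netstat -atnp` run as root (the PID/Program column is blank for sockets owned by other users otherwise). Once a PID is known, `ls -l /proc/PID/exe` gives the binary on disk, which is the thing to compare against the package manager's records.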