Results 1 to 4 of 4
Well, I setup iptraf the other night to audit my network connections as things were going a little slow. After running it for a few hours everything seemed fine, but ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
- 09-01-2007 #1
Tons of traffic on port 29
Well, I setup iptraf the other night to audit my network connections as things were going a little slow. After running it for a few hours everything seemed fine, but then I started noticing a lot of packets being sent to TCP port 29. I don't have any services running on this port, and if it were a random hacker then my DMZ'd server would've been inundated with these packets. This leads me to the conclusion that there's some program on my computer sending these packets out to a remote connection.
I found the IP that the packets were being sent to, but I did not find much info on a whois, however it seems to just be a small user-ip for an ISP.
I did a portscan just to see what might be enabled, to see if it's a server or what, and the only port actually open on it was port 29 and 389. So, my computer is now just randomly sending out packets to some random server on the internet reading in from port 29. I'm not quite sure what the heck is going on here, but so far I've just put some rules in my firewalls to keep the packets from reaching their host, but the packets keep being generated by whatever program on my computer is linked to this.
Is there a way to figure out what program is connecting and sending these packets, or should I just not worry about it? It seems a little nefarious to me, so I'd like to be able to find the offending program and see if everything is okay.
This is an excerpt from my iptraf tcp services log
Running time: 32400 seconds *** TCP/UDP traffic log, generated Sat Sep 1 01:47:47 2007 ... TCP/29: 653313 packets, 617539169 bytes total, 152.49 kbits/s; 243952 packets, 13614772 bytes incoming, 3.36 kbits/s; 409361 packets, 603924397 bytes outgoing, 149.13 kbits/s ...
- 09-02-2007 #2
So why stop at iptraf, sniff the actual traffic see what is going on.
- 09-02-2007 #3
- 09-03-2007 #4Originally Posted by SagaciousKJB
I'm not sure I agree with your conclusion that it's your box sending requests to tcp 29, unless there are more details you haven't shared here. There are a couple ways to approach this:
- Start a tcpdump capture and when the issue occurs again you can take a closer look at the packets; or
- Set up iptables rules that log any inbound and outbound traffic to tcp 29; or
- Next time the issue occurs, view the output of # netstat -atnp to see the program associated with the connection; or
- all of the above.