  1. #1 SagaciousKJB (Linux Newbie; Yakima, WA; joined Aug 2007; 162 posts)

    Tons of traffic on port 29


    Well, I set up iptraf the other night to audit my network connections as things were going a little slow. After running it for a few hours everything seemed fine, but then I started noticing a lot of packets being sent to TCP port 29. I don't have any services running on this port, and if it were a random hacker then my DMZ'd server would've been inundated with these packets. This leads me to the conclusion that there's some program on my computer sending these packets out to a remote connection.

    I found the IP that the packets were being sent to, but I did not find much info on a whois; however, it seems to just be a small user IP for an ISP.

    I did a port scan just to see what might be enabled, to see if it's a server or what, and the only ports actually open on it were 29 and 389. So, my computer is now just randomly sending out packets to some random server on the internet reading in from port 29. I'm not quite sure what the heck is going on here, but so far I've just put some rules in my firewalls to keep the packets from reaching their host, but the packets keep being generated by whatever program on my computer is linked to this.

    Is there a way to figure out what program is connecting and sending these packets, or should I just not worry about it? It seems a little nefarious to me, so I'd like to be able to find the offending program and see if everything is okay.

    This is an excerpt from my iptraf TCP services log:

    Code:
    Running time: 32400 seconds
    
    *** TCP/UDP traffic log, generated Sat Sep  1 01:47:47 2007
    ...
    TCP/29: 653313 packets, 617539169 bytes total, 152.49 kbits/s; 243952 packets, 13614772 bytes incoming, 3.36 kbits/s; 409361 packets, 603924397 bytes outgoing, 149.13 kbits/s
    ...
    I should also note that even with my firewall rules, iptraf is continuing to log packets for this port. I suppose these could be SYN packets, but due to the disproportion between outgoing and incoming, I think it is an application on my computer attempting to send this information.

  2. #2 likwid (Linux Enthusiast; MA; joined Dec 2006; 649 posts)
    So why stop at iptraf? Sniff the actual traffic and see what is going on.

  3. #3 SagaciousKJB (Linux Newbie; Yakima, WA; joined Aug 2007; 162 posts)
    Quote Originally Posted by likwid:
    So why stop at iptraf? Sniff the actual traffic and see what is going on.

    Well, it occurred to me that I should do that, but by the time I set up Ethereal and some filters, the traffic had stopped. There is no longer any traffic going on that port, so now I'm even more confused than before.

  4. #4 anomie (Linux Guru; Texas; joined Mar 2005; 1,692 posts)
    Quote Originally Posted by SagaciousKJB:
    This leads me to the conclusion that there's some program on my computer sending these packets out to a remote connection.
    ...
    Is there a way to figure out what program is connecting and sending these packets, or should I just not worry about it?
    I don't think tcp port 29 is very frequently used. A quick google on 'tcp 29' leads to a page that describes it as MSG ICP. Never heard of it. (In fact, this thread is one of the top google hits.)

    I'm not sure I agree with your conclusion that it's your box sending requests to tcp 29, unless there are more details you haven't shared here. There are a couple ways to approach this:
    • Start a tcpdump capture and when the issue occurs again you can take a closer look at the packets; or
    • Set up iptables rules that log any inbound and outbound traffic to tcp 29; or
    • Next time the issue occurs, view the output of # netstat -atnp to see the program associated with the connection; or
    • all of the above.
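As an added example (not code from any of the posters), the second and third checks anomie lists made concrete: the iptables rules that log, without blocking, every packet to or from tcp 29, and a small parser over `netstat -atnp` output that reports the PID/program owning any connection that touches port 29. The netstat sample is constructed; the remote address and the process name are made up.

```shell
#!/bin/sh
# Logging rules for tcp 29 in both directions (run as root). Wrapped in a
# function so the parser below can still be exercised without privileges.
log_tcp29_rules() {
    iptables -I INPUT  -p tcp --dport 29 -j LOG --log-prefix "TCP29-IN: "
    iptables -I OUTPUT -p tcp --dport 29 -j LOG --log-prefix "TCP29-OUT: "
}

# Read netstat -atnp style lines on stdin and print
# "<foreign address> <state> <pid/program>" for every tcp/tcp6 line whose
# local or foreign port equals $1. Header lines do not start with tcp and
# are skipped; the port is the last ':'-separated field, so IPv6 works too.
conns_on_port() {
    port="$1"
    awk -v port="$port" '
        $1 == "tcp" || $1 == "tcp6" {
            n = split($4, l, ":"); lport = l[n]
            m = split($5, r, ":"); rport = r[m]
            if (lport == port || rport == port) print $5, $6, $7
        }'
}

# Constructed sample of netstat -atnp output: a hypothetical process
# (unknownproc, PID 4471) with a large Send-Q to a documentation-range
# address on tcp 29, plus two unrelated sockets.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0  48208 192.168.1.10:41322      203.0.113.7:29          ESTABLISHED 4471/unknownproc
tcp        0      0 192.168.1.10:41900      198.51.100.3:443        ESTABLISHED 2310/firefox-bin'

# On a live box replace the sample with: netstat -atnp | conns_on_port 29
find_port29_process() {
    printf '%s\n' "$SAMPLE_NETSTAT" | conns_on_port 29
}

find_port29_process
```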
