Help with understanding log entry



JClark
08-29-10, 04:50 AM
Hello Group,
I have a Linksys router and a Windows XP SP3 computer. My software
firewall is Deerfield Visnetic. Lately I notice log entries when I
boot up (and continuing) which seem to suggest that the router is
trying to send the computer a UDP packet.

Log:
Blocked incoming UDP packet from 192.168.1.1 to 192.168.xxx
source port varies anywhere from 9555 to 9599
destination port is 162

What does this mean?
Should I write a rule to permit it?

Many thanks for any clarification.

Jack

Bit Twister
08-29-10, 05:00 AM
On Sun, 29 Aug 2010 05:50:26 -0400, JClark wrote:

> Log:
> Blocked incoming UDP packet from 192.168.1.1 to 192.168.xxx
> source port varies anywhere from 9555 to 9599
> destination port is 162
>
> What does this mean?
> Should I write a rule to permit it?

If everything is working, why allow it. :(

Check bottom of page at https://secure.dshield.org/port.html?port=162

JClark
08-29-10, 05:06 AM
On Sun, 29 Aug 2010 10:00:36 +0000 (UTC), Bit Twister
<BitTwister@mouse-potato.com> wrote:

>On Sun, 29 Aug 2010 05:50:26 -0400, JClark wrote:
>
>> Log:
>> Blocked incoming UDP packet from 192.168.1.1 to 192.168.xxx
>> source port varies anywhere from 9555 to 9599
>> destination port is 162
>>
>> What does this mean?
>> Should I write a rule to permit it?
>
>If everything is working, why allow it. :(
>
>Check bottom of page at https://secure.dshield.org/port.html?port=162
Well, I guess you have a point. But I am trying to understand what is
happening and hoped I could learn something.

Jack

JClark
08-29-10, 05:09 AM
On Sun, 29 Aug 2010 10:00:36 +0000 (UTC), Bit Twister
<BitTwister@mouse-potato.com> wrote:

>On Sun, 29 Aug 2010 05:50:26 -0400, JClark wrote:
>
>> Log:
>> Blocked incoming UDP packet from 192.168.1.1 to 192.168.xxx
>> source port varies anywhere from 9555 to 9599
>> destination port is 162
>>
>> What does this mean?
>> Should I write a rule to permit it?
>
>If everything is working, why allow it. :(
>
>Check bottom of page at https://secure.dshield.org/port.html?port=162
Sorry, I didn't see the link at the end of your post. I'll check that
out. And thanks.

Jack

iggster
08-29-10, 11:48 AM
First off, how can you just "write a rule to permit it" if you do not
understand what it is?
Your router is sending SNMP traps. Go to its setup and disable it. If
you plan on using SNMP monitoring, then configure a specific IP address,
not the entire subnet.


On 8/29/2010 5:50 AM, JClark wrote:
> Hello Group,
> I have a Linksys router and a Windows XP SP3 computer. My software
> firewall is Deerfield Visnetic. Lately I notice log entries when I
> boot up (and continuing) which seem to suggest that the router is
> trying to send the computer a UDP packet.
>
> Log:
> Blocked incoming UDP packet from 192.168.1.1 to 192.168.xxx
> source port varies anywhere from 9555 to 9599
> destination port is 162
>
> What does this mean?
> Should I write a rule to permit it?
>
> Many thanks for any clarification.
>
> Jack


--- news://freenews.netfront.net/ - complaints: news@netfront.net ---

VanguardLH
08-29-10, 09:13 PM
iggster wrote:

> JClark wrote:
>
>> I have a Linksys router

Linksys has lots of models. Not a clue which one the OP happens to use.

>> Lately I notice [firewall] log entries when I boot up (and
>> continuing) which seem to suggest that the router is trying to send
>> the computer a UDP packet.
>>
>> Log:
>> Blocked incoming UDP packet from 192.168.1.1 to 192.168.xxx
>> source port varies anywhere from 9555 to 9599
>> destination port is 162
>>
>> What does this mean?

> Your router is sending SNMP traps. Go to its setup and disable it. If
> you plan on using SNMP monitoring, then configure a specific IP address,
> not the entire subnet.

You sure the traffic isn't due to UPnP discovery by the router? The OP
should see if the traffic stops if UPnP is disabled in the router's
configuration.

http://msdn.microsoft.com/en-us/library/ms885488.aspx
http://en.wikipedia.org/wiki/Upnp#Discovery

> --- news://freenews.netfront.net/ - complaints: news@netfront.net ---

Another user spamming in a non-signature on behalf of their NSP.

iggster
08-29-10, 11:36 PM
On 8/29/2010 10:13 PM, VanguardLH wrote:
> iggster wrote:
>
>> JClark wrote:
>
>>> I have a Linksys router
>
> Linksys has lots of models. Not a clue which one the OP happens to use.
>
>>> Lately I notice [firewall] log entries when I boot up (and
>>> continuing) which seem to suggest that the router is trying to send
>>> the computer a UDP packet.
>>>
>>> Log:
>>> Blocked incoming UDP packet from 192.168.1.1 to 192.168.xxx
>>> source port varies anywhere from 9555 to 9599
>>> destination port is 162
>>>
>>> What does this mean?
>
>> Your router is sending SNMP traps. Go to its setup and disable it. If
>> you plan on using SNMP monitoring, then configure a specific IP address,
>> not the entire subnet.
>
> You sure the traffic isn't due to UPnP discovery by the router? The OP
> should see if the traffic stops if UPnP is disabled in the router's
> configuration.
>
You are correct. I over-estimated the capabilities of Linksys. It most
likely IS the discovery bcast.

> http://msdn.microsoft.com/en-us/library/ms885488.aspx
> http://en.wikipedia.org/wiki/Upnp#Discovery
>
>> --- news://freenews.netfront.net/ - complaints: news@netfront.net ---
>
> Another user spamming in a non-signature on behalf of their NSP.
Huh? Spamming?

--- news://freenews.netfront.net/ - complaints: news@netfront.net ---

VanguardLH
08-31-10, 03:46 AM
iggster wrote:

> VanguardLH wrote:
>
>> iggster wrote:
>>
>>> --- news://freenews.netfront.net/ - complaints: news@netfront.net ---
>>
>> Another user spamming in a non-signature on behalf of their NSP.
>
> Huh? Spamming?

They are appending their promotional (spam) text onto your posts. That
spam is not in a signature (there is no sigdash line). That means all
of your posts through them are spam. You have elected to be their
spamming affiliate.

iggster
09-01-10, 04:37 PM
On 8/31/2010 4:46 AM, VanguardLH wrote:
> iggster wrote:
>
> VanguardLH wrote:
>>
>>> iggster wrote:
>>>
>>>> --- news://freenews.netfront.net/ - complaints: news@netfront.net ---
>>>
>>> Another user spamming in a non-signature on behalf of their NSP.
>>
>> Huh? Spamming?
>
> They are appending their promotional (spam) text onto your posts. That
> spam is not in a signature (there is no sigdash line). That means all
> of your posts through them are spam. You have elected to be their
> spamming affiliate.
This is the news server I use. _One_ line at the end of my posting is
not really offensive, now is it really? I "have elected" to use one of
not so many free news servers. Why this is such a big deal to you that
you "have elected" to waste my time and yours on this discussion that
has nothing to do with the OP? Casual flaming is very easy but most
times it is just a meaningless, well, flaming.
Regards,


--- news://freenews.netfront.net/ - complaints: news@netfront.net ---

Ansgar -59cobalt- Wiechers
09-01-10, 05:33 PM
iggster <fryphil@nomailatall.com> wrote:
> On 8/31/2010 4:46 AM, VanguardLH wrote:
>> iggster wrote:
>>> VanguardLH wrote:
>>>> Another user spamming in a non-signature on behalf of their NSP.
>>>
>>> Huh? Spamming?
>>
>> They are appending their promotional (spam) text onto your posts.
>> That spam is not in a signature (there is no sigdash line). That
>> means all of your posts through them are spam. You have elected to
>> be their spamming affiliate.
>
> This is the news server I use. _One_ line at the end of my posting is
> not really offensive, now is it really? I "have elected" to use one of
> not so many free news servers. Why this is such a big deal to you that
> you "have elected" to waste my time and yours on this discussion that
> has nothing to do with the OP?

Because unsolicited advertisements, like those your news provider
appends to each of your postings, are commonly known as "spam". Which is
frowned upon in most any part of Internet and Usenet I had to do with.

Of course the decision whether you want to support spam is entirely up
to you.

Score adjusted. F'up2p.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

VanguardLH
09-01-10, 08:50 PM
iggster wrote:

> VanguardLH wrote:
>
>> iggster wrote:
>>
>> VanguardLH wrote:
>>>
>>>> iggster wrote:
>>>>
>>>>> --- news://freenews.netfront.net/ - complaints: news@netfront.net ---
>>>>
>>>> Another user spamming in a non-signature on behalf of their NSP.
>>>
>>> Huh? Spamming?
>>
>> They are appending their promotional (spam) text onto your posts. That
>> spam is not in a signature (there is no sigdash line). That means all
>> of your posts through them are spam. You have elected to be their
>> spamming affiliate.
>
> This is the news server I use. _One_ line at the end of my posting is
> not really offensive, now is it really? I "have elected" to use one of
> not so many free news servers. Why this is such a big deal to you that
> you "have elected" to waste my time and yours on this discussion that
> has nothing to do with the OP? Casual flaming is very easy but most
> times it is just a meaningless, well, flaming.
> Regards,
>
> --- news://freenews.netfront.net/ - complaints: news@netfront.net ---

Now you are trying to qualify your, er, their spam as not spam. "No,
officer, I only stuck him once with the dagger". I /elected/ to use
free Teranews but immediately dropped them the next day after noticing
they spamified all my posts (I believe they stopped that practice but
that was long after I dropped their service for spamifying my posts).

Being a free NSP doesn't give them a free pass to spam. They're
spamming their service. If you continue using them, you choose to
continue being their spam affiliate. There are plenty of other "not so
many free news servers" that do NOT spamify their users' posts.

So you think it's okay for a free NSP to put a one-liner spam (and NOT
after a sigdash line) in every post submitted through them. So, if they
switched to promoting Viagra or other crap then that is okay, too. That
they are advertising their service doesn't change that it is spam. That
they deliberately do NOT place it after a sigdash is their attempt to
ensure that others see their spam (because many newsreaders will strip
out signatures and they certainly don't want their spam to be hidden).

JClark
09-03-10, 06:52 AM
On Sun, 29 Aug 2010 12:48:10 -0400, iggster <fryphil@nomailatall.com>
wrote:

>Your router is sending SNMP traps. Go to its setup and disable it
Thank you. That does help to explain it. I must now research the
details of the subject you have introduced me to.

Jack

JClark
09-03-10, 06:54 AM
On Sun, 29 Aug 2010 21:13:08 -0500, VanguardLH <V@nguard.LH> wrote:

>Linksys has lots of models. Not a clue which one the OP happens to use
Sorry. It's a BSFX41.

Jack

VanguardLH
09-03-10, 09:28 PM
JClark wrote:

> VanguardLH wrote:
>
>> Linksys has lots of models. Not a clue which one the OP happens to
>> use
>
> Sorry. It's a BSFX41.

You sure?

I went to http://homesupport.cisco.com/en-us/wireless/linksys/ (to see
if they have an online copy of the manual) and a search on "BSFX41"
found no matches.

The manual should describe how to configure the router's behaviors.
They list even my ancient BEFSR41 router there. Of course, if you have
the manual you could read it to see if the UPnP option is described.
You could just connect to the router's web server (perhaps at
http://192.168.1.1) to go look through its configuration screens to see
if there is a UPnP option. If you find one, disable it to see if the
mysterious traffic ceases.
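
Added example, not part of the thread: the SNMP-trap versus UPnP-discovery question raised above can be settled by looking at one captured payload, since UDP 162 is the registered SNMP trap port while UPnP discovery (SSDP) normally uses UDP 1900 with a plain-text HTTP-style header. The function names and both sample payloads below are constructed for illustration; only SNMPv1/v2c framing is handled.

```python
"""Classify a captured UDP payload: SNMP trap (port 162) or SSDP/UPnP discovery (port 1900)."""

PDU_TYPES = {0xA4: "SNMPv1 Trap", 0xA6: "SNMPv2 InformRequest", 0xA7: "SNMPv2 Trap"}
GENERIC_TRAPS = ["coldStart", "warmStart", "linkDown", "linkUp",
                 "authenticationFailure", "egpNeighborLoss", "enterpriseSpecific"]

def read_tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def classify(payload):
    """Return a dict describing the payload; kind is 'unknown' if nothing matches."""
    if payload.startswith((b"NOTIFY * HTTP/1.1", b"M-SEARCH * HTTP/1.1")):
        return {"kind": "SSDP (UPnP discovery)"}
    try:
        tag, msg, _ = read_tlv(payload, 0)           # outer SEQUENCE
        vtag, version, pos = read_tlv(msg, 0)        # INTEGER: 0 = v1, 1 = v2c
        ctag, community, pos = read_tlv(msg, pos)    # OCTET STRING
        ptag, pdu, _ = read_tlv(msg, pos)            # context-tagged PDU
        if (tag, vtag, ctag) != (0x30, 0x02, 0x04):
            raise ValueError("not an SNMPv1/v2c message")
        info = {"kind": PDU_TYPES.get(ptag, "SNMP PDU 0x%02x" % ptag),
                "version": {0: "v1", 1: "v2c"}.get(int.from_bytes(version, "big"), "?"),
                "community": community.decode("latin-1")}
        if ptag == 0xA4:                             # v1 trap: agent address and trap code
            _, _, p = read_tlv(pdu, 0)               # enterprise OID (skipped)
            _, agent, p = read_tlv(pdu, p)           # IpAddress, 4 octets
            _, generic, _ = read_tlv(pdu, p)         # generic-trap INTEGER
            info["agent"] = ".".join(str(b) for b in agent)
            code = int.from_bytes(generic, "big")
            info["trap"] = GENERIC_TRAPS[code] if code < len(GENERIC_TRAPS) else str(code)
        return info
    except (ValueError, IndexError):
        return {"kind": "unknown"}

# Constructed samples (not captured from any real device).
SAMPLE_TRAP = bytes.fromhex("30260201000406" "7075626c6963" "a419" "06062b0601040101"
                            "4004c0a80101" "020100" "020100" "430100" "3000")
SAMPLE_SSDP = b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNTS: ssdp:alive\r\n\r\n"
```

Feed `classify()` the UDP payload bytes exported from a packet capture taken on the PC; the community string it reports is sent in clear text, which is one more reason to point traps at a single monitoring host or turn them off.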