Hi,

Got a question. While i was trying to track down another problem i was having with the connections between me and my ISP (IP constently renewing itself then dropping off when i idle for about a minute), i took the connection from my computer to my DLink router off and plugged the computer directly into the cable modem (yep, kept Sygate still on though) so i could make sure it wasn't my router that was causing any problems with the connection. i am pretty sure it isn't my router or my cable modem, and that it is probably something on the route between my ISP and me, or even their DCHP servers. But that is another story. i just wanted to tell you why i was just using my Sygate firewall, and since i usually use the router, i do not see any unsolicited hits to Sygate.

But once i took the router off and just had the software firewall to go by for logging activity, i noticed this blocked UDP incoming to Port 513 (both remote and local ports are 513). It is continuous and i do not recognize the IP it is coming from, or going to. So i went to StormCentre to see what that port was used for...and i am still confused. Then i did a google search for rwhod (see pic) and i am afraid it is a bit over my head to understand what that is all about.

i do not see this port when i have the router on, but right now i am not getting very good router logs to determine if that port even has the chance to show up in them.

i have done a full scan with NOD and everything looks good. TrojanHunter, TDS, and Port Explorer do not detect anything either...so i know i am fairly sure i am not infected with anything.

Can anyone give me an idea of why i might be seeing that port...is it something most would see in their software firewall logs? :-\

Oh...XP-home..and Roger's Hi-speed cable. (i don't care about the hi-speed anymore..i just want connection!) lol

Thank you,

snap
(trying to put the puzzle together again) ;D

i thought i might as well put the link to the question i asked in the D-Link forum at dslreports. Hoped the experts on the D-Link might be able to help me when i first thought it might be a router problem, and inTulsa was great in helping me figure it out. So i will be calling the Roger's Tech support soon...but since they do not support routers or firewalls (frown) i wanted to cover all bases so i could say it wasn't my router and it is something out of my control. That is why i had the cable modem connected directly to the computer.

http://www.dslreports.com/forum/remark,8296271~root=dlink~mode=flat

But one question led to another, and now i have to figure out what i am seeing in Sygate's logs before i call them. That port 513 just struck me as strange.

Mod assistance requested - i can't get that link to work
- there you go. :D

Hi snap

-{ Quote: "But once i took the router off and just had the software firewall to go by for logging activity, i noticed this blocked UDP incoming to Port 513 (both remote and local ports are 513). It is continuous and i do not recognize the IP it is coming from, or going to." }-

In regards to the IP, did you check to see if it is part of ISP's network? Was it from a 10.xx.xx.xx address and part of their private network?

A little more on UDP 513:
UDP, who, maintains data bases showing who's logged in to machines on a local net and the load average of the machine.

Will do a little more digging to see what else it may be associated with.

Regards,

CrazyM

Hi CrazyM :)

i took a snap of it, and they are both within my netblock, but that is not my WAN IP. At the time i took that snap, i was sure of my IP#, as it also showed in the log file. The log would fill up with 0.0.0.0.'s so fast that it would time out, but my IP# was consistant for a few hour's then. My IP has since changed again. (it is getting confusing to keep up with it when it does that)

i should mention that my other computer (win98se) was not on or plugged into the modem. This was just using my XP.

Thank you for looking into it for me CrazyM....and thank you LWM for fixing the link...guess it means a trip to the test forum to learn how to do that. ~grin~
(and another trip back to school to remember how to spell...text=test) Well...i "passed" all the scans i did at least. LOL

Hi Snap

A little more on what you are likely seeing: rwho protocol (http://www.iss.net/security_center/advice/Reference/Networking/Directory/rwho/default.htm)

As long as your firewall is blocking it, you should have nothing to worry about.

Regards,

CrazyM

"smaug and frodo" ?? lol makes me wonder how new this protocol is.

Thanks CrazyM...that link has helped. i first wondered when i read your earlier post, if Roger's was maintaining some kind of monitoring, and that may still be, i don't know. But in that link there at the bottom it says: "Broadcasts are sent roughly ever 3 minutes. If a machine has been silent for more than 11 minutes, then listening machines drop the machine from their table." So this might tie into what is happening with my IP, since i seem to be dropping the connection if i idle for a min, then re-establish it again once i refresh the page (and sometimes get a new IP in the process).

All the instances of port 513 did show as blocked in Sygate when i was connected directly to the cable modem, but i am not sure if it is while i am connected through the router. i am hoping so. i have hooked back up to the router and checked it's logs, but with all the "discover, request, release, etc." happening in them, it is hard to tell if i am just missing an instance of the port 513 being blocked or not.

Is this an XP process/server...?? or is this something outside? i don't know of any way to tell if it is being blocked by the router too...and PortExplorer isn't showing a port 513. Would it maybe be shown as another port in PE?

Hope i haven't confused you...i know i have me. LOL

Thank you for your help, it really did put a few more pieces to the puzzle back for me.

snap