Intermittent problem with UDP remote addresses

I've been using DiamondCS Port Explorer to log TCP and UDP activity on my machine, and in general it's been working great.
However, some of the logs have unusual data in - specifically, the log that shows packets being sent & received very occasionally has the remote address for RECEIVE activity on UDP connections shown as "0.0.0.0:0".
I appreciate that for listening UDP ports no remote IP can be shown, but this is for "RECEIVE" events. For example:

The local address of the machine is 192.168.1.1, and the machine it's communicating with is 192.168.1.2. I have actual packet capture logs for this event as well, and can confirm that there is indeed UDP data moving between the machines, and there is nothing odd looking about the UDP packets.

This doesn't happen the whole time, and I can't reproduce it on demand, but I have the hard logs produced by this particular occurrence.

Does anyone have any ideas what might be causing this? A bug in Port Explorer? Or some odd network feature I'm not familiar with?

Any comments are welcome,
Thanks,

Tim

 

Hi Tim, has to do with the UDP protocol.
Is it in your logs showing for TCP protocol as well?

 

Yes, it's only occurred for UDP, not TCP. I don't really understand why it's to do with it being UDP - the packets still have a remote address in them (note that it's a "RECEIVE" event, not an "OPEN" event).

 

The UDP being a connectionless protocol, only the destination address and port have a significance. Although a source address and port must be specified per datagram, they could be anything in real life - including 0.0.0.0:0 . Of course, specifying real source coordinates is useful especially IF source expects an answer... but nothing in the protocol compels a UDP sender to comply by this.

All this being said - which probably you were aware of already - did you check twice that what you are reporting is a P.E. error rather than real UDP packets which, for some reason, came to you with a source of 0.0.0.0:0 ? Use another software or hardware "sniffer" to acertain it.

HTH

--
Czerno

 

Thanks for your reply. I do have packet logs (captured by ethereal) of the problematic data - the UDP packets have a real source address in the header (ie 192.168.1.2), not 0.0.0.0. This is what leads me to believe it's a PE problem; everything else displays valid data for those UDP packets apart from Port Explorer.

 

In your HOSTS file you could add a name (non existing url!) to that localhost address like
0.0.0.0 myphantasyname
127.0.0.1 www.myphantasyname.com
whatever ... and see if Port Explorer displays that in stead of the network IP.
For the TCP i expect it to work perfect, UDP .... not sure.
When you use netstat you have the same i think.


EDIT:
Just thinking, doing so in each networked PC in their own HOSTS files might give some impression about connections where the networked IP addresses seem not to be displayed.