Intermittent problem with UDP remote addresses

Discussion in 'Port Explorer' started by timp, Apr 12, 2006.

Thread Status:
Not open for further replies.
  1. timp

    timp Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    3
    I've been using DiamondCS Port Explorer to log TCP and UDP activity on my machine, and in general it's been working great.
    However, some of the logs have unusual data in - specifically, the log that shows packets being sent & received very occasionally has the remote address for RECEIVE activity on UDP connections shown as "0.0.0.0:0".
    I appreciate that for listening UDP ports no remote IP can be shown, but this is for "RECEIVE" events. For example:

    The local address of the machine is 192.168.1.1, and the machine it's communicating with is 192.168.1.2. I have actual packet capture logs for this event as well, and can confirm that there is indeed UDP data moving between the machines, and there is nothing odd looking about the UDP packets.

    This doesn't happen the whole time, and I can't reproduce it on demand, but I have the hard logs produced by this particular occurrence.

    Does anyone have any ideas what might be causing this? A bug in Port Explorer? Or some odd network feature I'm not familiar with?

    Any comments are welcome,
    Thanks,

    Tim
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Tim, it has to do with the UDP protocol.
    Is it in your logs showing for TCP protocol as well?
     
  3. timp

    timp Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    3
    Yes, it's only occurred for UDP, not TCP. I don't really understand why it's to do with it being UDP - the packets still have a remote address in them (note that it's a "RECEIVE" event, not an "OPEN" event).
     
  4. Czerno

    Czerno Registered Member

    Joined:
    May 16, 2005
    Posts:
    37
    The UDP being a connectionless protocol, only the destination address and port have a significance. Although a source address and port must be specified per datagram, they could be anything in real life - including 0.0.0.0:0. Of course, specifying real source coordinates is useful especially IF source expects an answer... but nothing in the protocol compels a UDP sender to comply with this.

    All this being said - which probably you were aware of already - did you check twice that what you are reporting is a P.E. error rather than real UDP packets which, for some reason, came to you with a source of 0.0.0.0:0? Use another software or hardware "sniffer" to ascertain it.

    HTH

    --
    Czerno
     
  5. timp

    timp Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    3
    Thanks for your reply. I do have packet logs (captured by Ethereal) of the problematic data - the UDP packets have a real source address in the header (i.e. 192.168.1.2), not 0.0.0.0. This is what leads me to believe it's a PE problem; everything else displays valid data for those UDP packets apart from Port Explorer.
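The cross-check discussed in the posts above, as an added example that is not part of any poster's message and is not Port Explorer or Ethereal code: it reads the source address from the IPv4 header and the source port from the UDP header of a raw packet, then compares them with the remote endpoint a monitoring tool logged. It assumes raw IPv4 bytes exported from a capture; the function names, verdict strings and port numbers are constructed for illustration, and the addresses are the ones quoted in the thread.

```python
import socket
import struct

UNSPEC = ("0.0.0.0", 0)

def build_ipv4_udp(src_ip, src_port, dst_ip, dst_port, payload=b""):
    """Build a minimal IPv4+UDP packet (constructed sample; checksums left 0)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     socket.IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + udp

def parse_udp_endpoints(packet):
    """Return ((src_ip, src_port), (dst_ip, dst_port)) from raw IPv4 bytes."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4  # IP header length; options may be present
    if ihl < 20 or len(packet) < ihl + 8:
        raise ValueError("truncated IPv4/UDP header")
    if packet[9] != socket.IPPROTO_UDP:
        raise ValueError("not UDP")
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        raise ValueError("non-first fragment carries no UDP header")
    src_ip = socket.inet_ntoa(packet[12:16])
    dst_ip = socket.inet_ntoa(packet[16:20])
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    return (src_ip, src_port), (dst_ip, dst_port)

def classify(tool_remote, packet):
    """Compare the remote endpoint a monitor logged with the one on the wire."""
    wire_remote, _ = parse_udp_endpoints(packet)
    if tool_remote == UNSPEC:
        # Either the datagram really carried 0.0.0.0:0, or the tool lost it.
        return "sender-unspecified" if wire_remote == UNSPEC else "tool-lost-address"
    return "match" if tool_remote == wire_remote else "mismatch"

if __name__ == "__main__":
    # Constructed packet: 192.168.1.2 -> 192.168.1.1, ports are placeholders.
    pkt = build_ipv4_udp("192.168.1.2", 5000, "192.168.1.1", 6000, b"data")
    print(parse_udp_endpoints(pkt)[0], classify(UNSPEC, pkt))
```
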
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    In your HOSTS file you could add a name (non-existing URL!) to that localhost address like
    0.0.0.0 myphantasyname
    127.0.0.1 www.myphantasyname.com
    whatever ... and see if Port Explorer displays that instead of the network IP.
    For the TCP I expect it to work perfectly, UDP .... not sure.
    When you use netstat you have the same, I think.


    EDIT:
    Just thinking, doing so in each networked PC in their own HOSTS files might give some impression about connections where the networked IP addresses seem not to be displayed.
     
    Last edited: Apr 26, 2006