What are these in my log file?

Discussion in 'other firewalls' started by delerious, Sep 25, 2006.

Thread Status:
Not open for further replies.
  1. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    Can you experts explain some of the things showing up in my CHX log file?

    - One of the PCs on my LAN (it is running Win98) sometimes sends UDP packets from source port 1025 to destination port 192 (dest. mac = ff ff ff ff ff ff, dest ip = 255.255.255.255). There are always 3 of those packets at a time. Any idea what these packets are?

    - My router sometimes sends unsolicited ARP replies to my PC. The packets always occur in pairs (both at the exact same time). I am currently blocking those. Why is the router doing that, and should I allow those packets?

    - Occasionally I see an ICMP type 3 code 3 (destination unreachable: port unreachable) packet try to go out to the DNS server. Those are currently blocked. Does this mean the DNS server is trying to connect to one of my ports? Why would it be doing that?

    - I can see the Win98 computer send DHCP requests from ip 0.0.0.0 port 68 to ip 255.255.255.255 port 67. It's just one UDP packet. The same thing happens for a WinXP computer on the LAN, except that frequently it will send 2 or 3 additional UDP packets from ip 192.168.1.34 port 68 to ip 255.255.255.255 port 67. So right after it gets its IP from the DHCP server, it sends a few more packets to the server. But the Win98 computer never does that. Just curious as to why the WinXP computer sends additional packets?

    Thanks for any insight you can give me!
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi delerious,
    I was never really a big user of Win98, but will try to help.
    I think this may depend on your hardware, as the port 192 is normally used for probing (port 192- alias osu-nms (OSU Network Monitoring System)) and I have only seen this for probes searching for compatible hardware.

    The router is simply keeping up to date with the hardware on the network. If you are having no connection problems, you can leave the rules as you have them.

    I see this from time to time with other firewalls, due to late replies from the DNS server. If you see many of these, you may need to extend the timeout of the UDP

    I am unable to set up Win98 to check on this; I no longer have hardware that will run with this OS, so I am unable to comment.

    Sorry I could not help more.
     
  3. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    Thanks for the reply, Stem.

    I found out that they are being sent by the Orinoco Client Manager (wireless program).

    I need to investigate this more, but I think those additional packets may be DHCPINFORM packets.
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This program came with hardware?


    If the UDP packets are DHCPINFORM then they would include the external IP of that PC, as this DHCP packet is for further info only (the PC already has an IP address).

    Some DHCP info:-
     
  5. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    Yes, it came with the wireless adapter.

    I ended up installing Sygate on the PC that is sending the extra packets, and Sygate says that some of the extra ones are DHCP Requests, and it doesn't say what the other extra ones are. Strange... why would the PC send more DHCP requests after it has already gotten an IP address?
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    That will explain the broadcasts to port 192 (looking for compatible hardware).
    I don't normally use DHCP, but started this on W2k; only 2 broadcasts were sent from the PC (from 0.0.0.0 (hardware mac) to 255.255.255.255 (broadcast)) with replies as broadcasts.
    On my next setup of XP, I will enable DHCP and capture/log to see what packets are sent for this.

    Update
    I have just checked on the DHCP sent from XP, and only the DHCP request was sent, and a reply made (this is on a LAN).
     
    Last edited: Oct 9, 2006
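
An added example (not part of any post in this thread): a small Python classifier for the DHCP payload of packets like the port 68 to port 67 broadcasts discussed above. It reads option 53 and the ciaddr field to tell a DHCPINFORM from the different kinds of DHCPREQUEST, following the client-state rules in RFC 2131. The sample payloads, including the server address 192.168.1.1, are constructed, and the function names are this example's own.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie, RFC 2131
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
         5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def parse_options(data):
    """Walk the code/length/value option field; return {code: value}."""
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:   # 255 = End
        if data[i] == 0:                      # 0 = Pad, no length byte
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated DHCP option")
        opts[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return opts

def classify(payload):
    """Return (message type, ciaddr, client state) for a UDP 67/68 payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    ciaddr = socket.inet_ntoa(payload[12:16])
    opts = parse_options(payload[240:])
    raw = opts.get(53)                        # option 53 = DHCP message type
    name = TYPES.get(raw[0], "UNKNOWN") if raw else "BOOTP"
    state = ""
    if name == "INFORM":
        state = "has address, wants config only"
    elif name == "REQUEST":
        if 54 in opts:                        # server identifier present
            state = "SELECTING"
        elif 50 in opts:                      # requested IP, no server id
            state = "INIT-REBOOT"
        elif ciaddr != "0.0.0.0":
            state = "RENEWING/REBINDING"
    return name, ciaddr, state

def build(mtype, ciaddr="0.0.0.0", extra=b""):
    """Constructed sample payload (not a capture) for the demo below."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0x8000)
    hdr += socket.inet_aton(ciaddr) + bytes(12)   # ciaddr; yiaddr/siaddr/giaddr
    hdr += bytes(16 + 64 + 128)                   # chaddr, sname, file
    return hdr + MAGIC + bytes([53, 1, mtype]) + extra + b"\xff"

if __name__ == "__main__":
    for pkt in (build(3, extra=bytes([50, 4, 192, 168, 1, 34, 54, 4, 192, 168, 1, 1])),
                build(8, "192.168.1.34"), build(3, "192.168.1.34")):
        print(classify(pkt))
```

A firewall log that shows only addresses and ports cannot separate these cases; the message type and ciaddr are inside the UDP payload, so a packet capture is needed to feed this.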