Who is sending the DHCP discover?

Hi,
Computers configured to use DHCP ususally send an UDP broadcast message from source address 0.0.0.0:BOOTPC to 255.255.255.255:BOOTPS, during bootup. The message is called DHCP discover, and it is sent out in search for DHCP servers. Kerio identifies the sender app to be services.exe on Win2000, Outpost identifies the sender to be "System", which means it was unable to associate the packet with any application. My question is: Which application sends this message according to Look'n'stop?
-hojtsy-

 

Hi,

I can't verify because I am not on DHCP, but what I can say is that Look'n'Stop never say that something is coming from "System", it always show the executable.
May be Outpost can too, but that it is a "design" choice ?

regards,

gkweb.

 

I don't know. I got various responses from various sources. I hope somebody with DHCP could check this in Look'n'stop to get one more point of view.
-hojtsy-

 

According to Look ‘n’ Stop SVCHOST.EXE-(Generic Host Process for Win32 Services) is yO man, as for SERVICES.EXE that is always seen launching but never connecting to Internet resources.

However I know of other Software Firewalls that sees “System”-(ntoskrnl.exe), therefore I was curious also how SVCHOST.EXE is captured in Look ‘n’ Stop for sending those packets.

 

Hi Phant0m,
The DHCP NT service is hosted by services.exe in Win2000, and svchost.exe in WinXP. You were testing on WinXP, right? Actually I am not 100% sure that Outpost would fail to identify the application on WinXP too.
-hojtsy-

 

What i've said applies to Windows XP...

 

I guess that source address 0.0.0.0 bewilders some firewalls. Others can cope with it.
-hojtsy-