Who is sending the DHCP discover?

Discussion in 'LnS English Forum' started by hojtsy, Aug 19, 2004.

Thread Status:
Not open for further replies.
  1. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Hi,
    Computers configured to use DHCP usually send a UDP broadcast message from source address 0.0.0.0:BOOTPC to 255.255.255.255:BOOTPS during bootup. The message is called DHCP discover, and it is sent out in search of DHCP servers. Kerio identifies the sender app to be services.exe on Win2000; Outpost identifies the sender to be "System", which means it was unable to associate the packet with any application. My question is: Which application sends this message according to Look'n'stop?
    -hojtsy-
     
  2. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    I can't verify because I am not on DHCP, but what I can say is that Look'n'Stop never says that something is coming from "System"; it always shows the executable.
    Maybe Outpost can too, but it is a "design" choice?

    regards,

    gkweb.
     
  3. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    I don't know. I got various responses from various sources. I hope somebody with DHCP could check this in Look'n'stop to get one more point of view.
    -hojtsy-
     
  4. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    According to Look ‘n’ Stop, SVCHOST.EXE-(Generic Host Process for Win32 Services) is yO man; as for SERVICES.EXE, that is always seen launching but never connecting to Internet resources.

    However, I know of other Software Firewalls that see “System”-(ntoskrnl.exe), therefore I was curious also how SVCHOST.EXE is captured in Look ‘n’ Stop for sending those packets.
     

  5. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Hi Phant0m,
    The DHCP NT service is hosted by services.exe in Win2000, and svchost.exe in WinXP. You were testing on WinXP, right? Actually I am not 100% sure that Outpost would fail to identify the application on WinXP too.
    -hojtsy-
     
  6. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    What I've said applies to Windows XP...
     
  7. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    I guess that source address 0.0.0.0 bewilders some firewalls. Others can cope with it.
    -hojtsy-
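
Added example, not part of the original thread and not code from any of the firewalls discussed: a Python sketch of the packet-level checks that identify the DHCP discover described in the first post, including the 0.0.0.0 source address raised in the last one. The function names are hypothetical and the sample packet is constructed (locally administered MAC, made-up transaction id).

```python
import struct

BOOTPC, BOOTPS = 68, 67             # client / server UDP ports
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options (RFC 2131)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def dhcp_message_type(payload):
    """Return the DHCP message type name from a UDP payload, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None                      # too short, or plain BOOTP
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                    # pad option: a single byte
            i += 1
            continue
        if code == 255 or i + 1 >= len(payload):  # end option / truncated
            return None
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:          # option overruns the packet
            return None
        if code == 53 and length == 1:   # option 53 = DHCP message type
            return MSG_TYPES.get(value[0])
        i += 2 + length
    return None

def is_dhcp_discover(src, sport, dst, dport, payload):
    """True only for the broadcast described in the thread."""
    return (src == "0.0.0.0" and sport == BOOTPC
            and dst == "255.255.255.255" and dport == BOOTPS
            and len(payload) >= 240
            and payload[0] == 1          # op = BOOTREQUEST
            and dhcp_message_type(payload) == "DISCOVER")

def build_sample_discover(mac=b"\x02\x00\x00\x00\x00\x01", xid=0x1234ABCD):
    """Constructed sample packet (locally administered MAC, made-up xid)."""
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    header += b"\x00" * 16               # ciaddr, yiaddr, siaddr, giaddr
    header += mac.ljust(16, b"\x00")     # chaddr
    header += b"\x00" * 192              # sname + file
    options = b"\x35\x01\x01" + b"\xff"  # option 53 = 1 (DISCOVER), end
    return header + MAGIC_COOKIE + options

if __name__ == "__main__":
    pkt = build_sample_discover()
    print(is_dhcp_discover("0.0.0.0", 68, "255.255.255.255", 67, pkt))
```

These checks describe the packet only; which process a firewall attributes it to (services.exe, svchost.exe or "System") depends on how that product maps traffic to applications.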
     