Re: Mysterious SNMP Packets
- From: "Paul Baker [MVP, Windows - SDK]" <paulrichardbaker@xxxxxxxxxxxxxxxx>
- Date: Tue, 6 Nov 2007 10:34:52 -0500
Roger,
I had already attempted to do this, but I did not do it correctly. Thanks to
your insight, I was able to do it correctly this time and discover that the
offending process was spoolsv.exe.
Another thing I had tried is randomly stopping services to see what
difference there was. At one point, I had the Print Spooler stopped and the
SNMP stopped. I restarted the Print Spooler and the SNMP did not return
until I opened my Printers folder in Windows Explorer. However, I was not
able to repeat this, so I didn't think much of it. I think that the problem
was that services would recover on their own without my knowledge,
invalidating my tests.
Luckily, I know more about the Print Spooler than I do about networks and so
I should be able to find the offending component. I will let you know what
it was. Thanks,
Paul
"Roger Hunen" <rhunen@xxxxxxxxx> wrote in message
news:472f5bb0$0$242$e4fe514c@xxxxxxxxxxxxxxxxx
"Paul Baker [MVP, Windows - SDK]" <paulrichardbaker@xxxxxxxxxxxxxxxx>
wrote:
I am seeing in Wireshark that my machine is sending get-request SNMP
packages to seemingly random IP addresses in one of our subnets. Sometimes
I get a get-response SNMP package back and sometimes I don't because the IP
address is invalid.
I don't know which software is causing this and why, it is certainly not
intentional. Can someone please offer me advice on how to track down the
source? Can I trace the process that is sending the packets? Thanks,
Identifying the offending application may not prove too difficult. The
following should work on a Windows XP machine (and probably all modern
Windows platforms).
What you certainly see:
- the IP protocol is UDP
- the source IP address is constant (the IP address or one of the IP
addresses of your machine)
- the UDP destination port is constant (161, SNMP)
What you probably see:
- the UDP source port is constant ==> note this number
- the destination IP address varies ("seemingly random")
Note: if the UDP source port is not constant, the following won't help you.
Now open a command window and type 'netstat -ano'. UDP sockets are at the
end of the list. Look up the entry where the port in the Local Address
column equals the observed UDP source port. Note the number at the end of
the line (this is the PID of the process that owns the socket).
Now go into the Task Manager, make sure the PID column is displayed
(View -> Select Columns) and find the process with the PID provided by
netstat. This process should be what you are looking for.
Good luck finding the culprit. Please let me know if the above worked for you.
Regards,
-Roger
--
E-mail: rhunen@xxxxxxxxx
Home: http://www.xs4all.nl/~rhunen
ADSL: http://adsl.hunen.net
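The port-to-PID lookup Roger describes (netstat -ano, then Task Manager or tasklist) can be scripted so it also copes with the "source port is not constant" case he warns about. The following is an added example written for this page, not code from either poster; it parses the text output of 'netstat -ano' and 'tasklist' (the column layout is the one those commands print on Windows XP and later) and works on constructed sample output embedded below, so it runs offline. The function names, the sample PIDs and the sample addresses are all invented for the illustration; on a real machine you would feed it the captured output of the two commands, and the UDP source port(s) observed in Wireshark.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample of `netstat -ano` output, NOT captured from the poster's machine.
# UDP rows carry no State column, so they have one field fewer than TCP rows.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.168.1.10:3389      192.168.1.55:51120     ESTABLISHED     1204
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    760
  UDP    192.168.1.10:137       *:*                                    4
  UDP    192.168.1.10:1061      *:*                                    1448
"""

# Constructed sample of `tasklist` output; its PIDs match the netstat sample above.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         236 K
lsass.exe                      760 Console                    0       6,112 K
svchost.exe                    904 Console                    0       4,980 K
spoolsv.exe                   1448 Console                    0       5,312 K
"""

# Local addresses that mean "any interface": a socket bound this way can send
# from whichever local IP the capture shows as the source.
WILDCARD_LOCALS = ("0.0.0.0", "[::]", "*")


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Turn `netstat -ano` output into socket records (proto, local ip/port, pid)."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP", "TCPv6", "UDPv6"):
            continue  # banner, header or blank line
        proto, local = fields[0], fields[1]
        # rsplit so an IPv6 local such as "[::]:445" still splits on the last colon.
        local_ip, local_port = local.rsplit(":", 1)
        records.append({
            "proto": proto,
            "local_ip": local_ip,
            "local_port": int(local_port),
            "pid": int(fields[-1]),   # PID is always the last column
        })
    return records


def find_udp_owner(netstat_text: str, port: int, source_ip: Optional[str] = None) -> Optional[int]:
    """PID owning the UDP socket bound to `port` (optionally restricted to `source_ip`)."""
    for rec in parse_netstat(netstat_text):
        if not str(rec["proto"]).startswith("UDP") or rec["local_port"] != port:
            continue
        if source_ip is None or rec["local_ip"] in (source_ip,) + WILDCARD_LOCALS:
            return int(rec["pid"])  # type: ignore[arg-type]
    return None


def owners_for_ports(netstat_text: str, ports: Iterable[int]) -> Dict[int, int]:
    """For a set of observed source ports (the non-constant case), map each found port to its PID."""
    found: Dict[int, int] = {}
    for port in ports:
        pid = find_udp_owner(netstat_text, port)
        if pid is not None:
            found[port] = pid
    return found


_TASKLIST_ROW = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist` output; header and separator rows do not match."""
    table: Dict[int, str] = {}
    for line in text.splitlines():
        m = _TASKLIST_ROW.match(line)
        if m:
            table[int(m.group("pid"))] = m.group("image")
    return table


def identify_process(netstat_text: str, tasklist_text: str, port: int,
                     source_ip: Optional[str] = None) -> Optional[str]:
    """The whole procedure: UDP source port -> PID -> image name, or None if no socket matches."""
    pid = find_udp_owner(netstat_text, port, source_ip)
    if pid is None:
        return None
    return parse_tasklist(tasklist_text).get(pid)


if __name__ == "__main__":
    # Pretend Wireshark showed UDP source port 1061 from 192.168.1.10 towards port 161.
    print(identify_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE, 1061, "192.168.1.10"))
```

Because a process can open a new socket per request, the same lookup will only succeed while the socket is still open, so capture 'netstat -ano' while the packets are being sent (or script it in a loop) rather than afterwards.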