Re: Mysterious SNMP Packets
- From: "Paul Baker [MVP, Windows - SDK]" <paulrichardbaker@xxxxxxxxxxxxxxxx>
- Date: Tue, 6 Nov 2007 11:08:19 -0500
It was caused by Standard TCP/IP Ports that had "SNMP Status Enabled"
checked in the port settings.
I had several such ports that I added a long time ago with obsolete IP
addresses.
Mystery solved! Thanks,
Paul
"Paul Baker [MVP, Windows - SDK]" <paulrichardbaker@xxxxxxxxxxxxxxxx> wrote
in message news:OKf2iqIIIHA.4584@xxxxxxxxxxxxxxxxxxxxxxx
Roger,
I had already attempted to do this, but I did not do it correctly. Thanks
to your insight, I was able to do it correctly this time and discover that
the offending process was spoolsv.exe.
Another thing I had tried is randomly stopping services to see what
difference there was. At one point, I had the Print Spooler stopped and
the SNMP stopped. I restarted the Print Spooler and the SNMP did not
return until I opened my Printers folder in Windows Explorer. However, I
was not able to repeat this, so I didn't think much of it. I think that
the problem was that services would recover on their own without my
knowledge, invalidating my tests.
Luckily, I know more about the Print Spooler than I do about networks and
so I should be able to find the offending component. I will let you know
what it was. Thanks,
Paul
"Roger Hunen" <rhunen@xxxxxxxxx> wrote in message
news:472f5bb0$0$242$e4fe514c@xxxxxxxxxxxxxxxxx
"Paul Baker [MVP, Windows - SDK]" <paulrichardbaker@xxxxxxxxxxxxxxxx>
wrote:
I am seeing in Wireshark that my machine is sending get-request SNMP
packages to seemingly random IP addresses in one of our subnets.
Sometimes I get a get-response SNMP package back and sometimes I don't
because the IP address is invalid.
I don't know which software is causing this and why, it is certainly not
intentional. Can someone please offer me advice on how to track down the
source? Can I trace the process that is sending the packets? Thanks,
Identifying the offending application may not prove too difficult. The
following should work on a Windows XP machine (and probably all modern
Windows platforms).
What you certainly see:
- the IP protocol is UDP
- the source IP address is constant (the IP address or one of the IP
addresses of your machine)
- the UDP destination port is constant (161, SNMP)
What you probably see:
- the UDP source port is constant ==> note this number
- the destination IP address varies ("seemingly random")
Note: if the UDP source port is not constant, the following won't help you.
Now open a command window and type 'netstat -ano'. UDP sockets are at the
end of the list. Look up the entry where the port in the Local Address
column equals the observed UDP source port. Note the number at the end of
the line (this is the PID of the process that owns the socket).
Now go into the Task Manager, make sure the PID column is displayed
(View -> Select Columns) and find the process with the PID provided by
netstat. This process should be what you are looking for.
Good luck finding the culprit. Please let me know if the above worked for you.
Regards,
-Roger
--
E-mail: rhunen@xxxxxxxxx
Home: http://www.xs4all.nl/~rhunen
ADSL: http://adsl.hunen.net
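The netstat -ano lookup Roger describes, as an added example that is not part of the original thread: a small Python helper that parses netstat output and maps an observed UDP source port to the PID owning the socket. The sample rows, PIDs and addresses below are constructed for illustration, and the function names are my own.

```python
import subprocess

# Constructed sample of `netstat -ano` output (not taken from the original post).
# PIDs and addresses are made up; 1038 plays the role of the "constant UDP source port".
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:3389      192.168.1.77:51122     ESTABLISHED     1204
  UDP    0.0.0.0:161            *:*                                    1460
  UDP    127.0.0.1:1900         *:*                                    1180
  UDP    192.168.1.10:1038      *:*                                    1552
  UDP    [::]:5355              *:*                                    1180
"""


def parse_netstat_ano(text):
    """Parse `netstat -ano` output into a list of socket records (dicts)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        # Skip banner, blank and header lines; keep only protocol rows.
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP", "TCPv6", "UDPv6"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # TCP rows carry a State column, UDP rows do not; the PID is last either way.
        state = parts[3] if proto.startswith("TCP") and len(parts) == 5 else ""
        pid = int(parts[-1])
        # rpartition keeps IPv6 forms such as [::]:5355 intact.
        host, _, port = local.rpartition(":")
        records.append({"proto": proto, "host": host, "port": int(port),
                        "foreign": foreign, "state": state, "pid": pid})
    return records


def pid_for_udp_source_port(text, port):
    """Return the PID owning the UDP socket bound to `port`, or None if no match."""
    for rec in parse_netstat_ano(text):
        if rec["proto"].startswith("UDP") and rec["port"] == port:
            return rec["pid"]
    return None


if __name__ == "__main__":
    # On a live Windows host, feed real output instead of the constructed sample.
    live = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    print(pid_for_udp_source_port(live or SAMPLE_NETSTAT, 1038))
```

Once the PID is known, Task Manager (or tasklist /FI "PID eq NNNN") gives the image name, which in this thread turned out to be spoolsv.exe.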