
'system' is generating TCP Packets, who, what, where?

Posted by Scott Townsend on May 25, 2006, 2:17 pm
My PIX Firewall is picking up a few machines in my network that are sending
TCP packets to a non-existent host across one of our WAN links. The
packets are one way and are about 6-7 seconds apart. I've included a
decoded copy of the packet being sent.

When I use the SysInternals TDIMON.exe to see who is generating the
traffic, it is the process 'System:4':
System:4 89ECE8A0 TDI_CONNECT TCP:0.0.0.0:1025 10.12.0.10:4606 TIMEOUT

How can I find out what is really causing the TCP packets?

One machine is a WinXP SP2, the other is a Win2003 SP2 running Terminal
Services.

Any help would be appreciated!

Thank you,
Scott<-





Packet Info
  Flags: 0x00
  Status: 0x00
  Packet Length: 66
  Timestamp: 11:12:00.655613 05/25/2006

Ethernet Header
  Destination: 00:09:7C:F7:16:E0
  Source: 00:11:25:6B:A9:F1
  Protocol Type: 0x0800 IP

IP Header - Internet Protocol Datagram
  Version: 4
  Header Length: 5 (20 bytes)
  Type of Service: %00000000
    000. .... Precedence: Routine
    ...0 .... Normal Delay
    .... 0... Normal Throughput
    .... .0.. Normal Reliability
    .... ..0. ECT bit - transport protocol will ignore the CE bit
    .... ...0 CE bit - no congestion
  Total Length: 48
  Identifier: 25485
  Fragmentation Flags: %010
    0.. Reserved
    .1. Do Not Fragment
    ..0 Last Fragment
  Fragment Offset: 0 (0 bytes)
  Time To Live: 128
  Protocol: 6 TCP - Transmission Control Protocol
  Header Checksum: 0x829F
  Source IP Address: 10.1.0.133
  Dest. IP Address: 10.12.0.10
  No IP Options

TCP - Transport Control Protocol
  Source Port: 1025 blackjack
  Destination Port: 4606
  Sequence Number: 3670101211
  Ack Number: 0
  Offset: 7 (28 bytes)
  Reserved: %000000
  Flags: %000010
    0. .... (No Urgent pointer)
    .0 .... (No Ack)
    .. 0... (No Push)
    .. .0.. (No Reset)
    .. ..1. SYN
    .. ...0 (No FIN)
  Window: 65535
  Checksum: 0x30E8
  Urgent Pointer: 0
  TCP Options:
    Option Type: 2 Maximum Segment Size
      Length: 4
      MSS: 1460
    Option Type: 1 No Operation
    Option Type: 1 No Operation
    Option Type: 4
      Length: 2

FCS - Frame Check Sequence
  FCS (Calculated): 0xEA9D6ADA
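The decode above is a bare SYN: no payload, DF set, TTL 128, window 65535, and the option string MSS 1460 / NOP / NOP / kind 4 (SACK-permitted), which is exactly what a Windows connect() attempt looks like on the wire and matches the TDI_CONNECT ... TIMEOUT line from TDIMON. The block below is an added example (my code, not from the thread) that rebuilds the raw bytes from the listed fields and parses them back, verifying both checksums. The field values are the ones in the decode; the reconstruction assumes a plain Ethernet II frame with no FCS (14 + 20 + 28 = 62 bytes, which is the posted 66 minus the 4-byte FCS the capture tool computed). The FCS itself is not recomputed here.

```python
import socket
import struct

# Field values copied from the decode posted above; the raw bytes are rebuilt from
# them because the post contains the decode, not the capture.
DST_MAC = "00:09:7C:F7:16:E0"
SRC_MAC = "00:11:25:6B:A9:F1"
SRC_IP, DST_IP = "10.1.0.133", "10.12.0.10"
SRC_PORT, DST_PORT = 1025, 4606
IP_ID, TTL = 25485, 128
SEQ, WINDOW = 3670101211, 65535
# Options exactly as decoded: MSS 1460 (kind 2, len 4), NOP, NOP, kind 4 len 2 (SACK-permitted)
TCP_OPTIONS = bytes([0x02, 0x04, 0x05, 0xB4, 0x01, 0x01, 0x04, 0x02])
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a header that already carries a valid checksum returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_syn(src_ip: str, dst_ip: str) -> bytes:
    """Bare SYN, no payload. The TCP checksum covers an IPv4 pseudo-header plus the segment."""
    data_offset = (20 + len(TCP_OPTIONS)) // 4            # 7 words = 28 bytes
    hdr = struct.pack("!HHIIBBHHH", SRC_PORT, DST_PORT, SEQ, 0,
                      data_offset << 4, 0x02, WINDOW, 0, 0) + TCP_OPTIONS
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, socket.IPPROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", inet_checksum(pseudo + hdr)) + hdr[18:]


def build_ip_header(payload_len: int) -> bytes:
    """IPv4 header with DF set and no options; the checksum covers the header only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, IP_ID, 0x4000,
                      TTL, socket.IPPROTO_TCP, 0,
                      socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frame() -> bytes:
    """Ethernet II frame without FCS: 14 + 20 + 28 = 62 bytes (66 with the 4-byte FCS)."""
    tcp = build_tcp_syn(SRC_IP, DST_IP)
    return (bytes.fromhex(DST_MAC.replace(":", "")) + bytes.fromhex(SRC_MAC.replace(":", ""))
            + b"\x08\x00" + build_ip_header(len(tcp)) + tcp)


def parse_tcp_options(opts: bytes) -> list:
    """Walk the TCP option bytes; NOP and EOL are single-byte, everything else is TLV."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                 # end of option list
            break
        if kind == 1:                                 # NOP is a single byte
            out.append(("NOP",))
            i += 1
            continue
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2:
            out.append(("MSS", struct.unpack("!H", body)[0]))
        elif kind == 4:
            out.append(("SACK-permitted",))
        else:
            out.append((f"kind-{kind}", body.hex()))
        i += length
    return out


def decode_frame(frame: bytes) -> dict:
    """Parse Ethernet/IPv4/TCP and verify both checksums."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_byte, flag_byte, win = struct.unpack("!HHIIBBH", tcp[:16])
    data_off = (off_byte >> 4) * 4
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, ip[9], len(tcp))
    return {
        "src": f"{socket.inet_ntoa(ip[12:16])}:{sport}",
        "dst": f"{socket.inet_ntoa(ip[16:20])}:{dport}",
        "ttl": ip[8],
        "df": bool(struct.unpack("!H", ip[6:8])[0] & 0x4000),
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flag_byte & (1 << i)],
        "seq": seq,
        "window": win,
        "options": parse_tcp_options(tcp[20:data_off]),
        "payload_len": len(tcp) - data_off,
        "ip_checksum": struct.unpack("!H", ip[10:12])[0],
        "tcp_checksum": struct.unpack("!H", tcp[16:18])[0],
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,     # valid header sums to zero
        "tcp_checksum_ok": inet_checksum(pseudo + tcp) == 0,
    }


if __name__ == "__main__":
    for k, v in decode_frame(build_frame()).items():
        print(f"{k:16} {v}")
```

Rebuilding from the listed fields reproduces the posted IP header checksum 0x829F and TCP checksum 0x30E8, so the decode was transcribed faithfully. That is worth checking before spending time on the host: a decode with a bad checksum usually means a transcription slip or an offload artefact rather than a strange sender.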



Posted by Karl Levinson on May 25, 2006, 2:37 pm
That is difficult and may not be feasible.

> My PIX Firewall is picking up a few machines in my network that are sending
> TCP packets to a non-existent host across one of our WAN links. The
> packets are one way and are about 6-7 seconds apart. I've included a
> decoded copy of the packet being sent.
>
> When I use the SysInternals TDIMON.exe to see who is generating
> the traffic, it is the process 'System:4':
> System:4 89ECE8A0 TDI_CONNECT TCP:0.0.0.0:1025 10.12.0.10:4606 TIMEOUT
>
> How can I find out what is really causing the TCP packets?
>
> One machine is a WinXP SP2, the other is a Win2003 SP2 running Terminal
> Services.
>
> Any help would be appreciated!
>
> Thank you,
> Scott<-
>
>



Posted by Scott Townsend on May 25, 2006, 2:43 pm
The difficult part I understand, but not feasible? There has to be a way to
find out what is generating the packets... Both are trying to communicate
with the same IP, same source and destination ports and same interval.

There has to be a way.....(-;

Thanks,
Scott<-
> That is difficult and may not be feasible.
>
>> My PIX Firewall is picking up a few machines in my network that are
>> sending TCP packets to a non-existent host across one of our WAN links.
>> The packets are one way and are about 6-7 seconds apart. I've included
>> a decoded copy of the packet being sent.
>>
>> When I use the SysInternals TDIMON.exe to see who is generating
>> the traffic, it is the process 'System:4':
>> System:4 89ECE8A0 TDI_CONNECT TCP:0.0.0.0:1025 10.12.0.10:4606 TIMEOUT
>>
>> How can I find out what is really causing the TCP packets?
>>
>> One machine is a WinXP SP2, the other is a Win2003 SP2 running Terminal
>> Services.
>>
>> Any help would be appreciated!
>>
>> Thank you,
>> Scott<-
>
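The clue Scott keeps coming back to is timing: one-way SYNs to a single host and port, 6-7 seconds apart, from more than one machine. That regularity is detectable from a trace before anyone touches a host. The block below is an added example (my code, not part of the thread) that reads tcpdump-style one-line summaries, keeps only bare SYNs (a SYN-ACK also prints with the S flag but carries an ack field, so it is dropped), groups them by source, destination and port, and flags groups whose inter-arrival gaps are nearly constant. The sample lines are constructed: the first mirrors the decoded SYN above, the rest are made up to give a second beaconing host and an irregular web-browsing host for contrast.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed tcpdump-style one-line summaries, not a capture from the poster's
# network. Line 1 mirrors the decoded SYN above; the rest are made up: a second
# host beaconing to the same target and a third host with irregular web traffic.
SAMPLE_TRACE = """\
11:12:00.655613 IP 10.1.0.133.1025 > 10.12.0.10.4606: S 3670101211:3670101211(0) win 65535 <mss 1460,nop,nop,sackOK>
11:12:01.102233 IP 10.1.0.50.3201 > 10.12.0.20.80: S 1000:1000(0) win 65535
11:12:01.104501 IP 10.12.0.20.80 > 10.1.0.50.3201: S 5000:5000(0) ack 1001 win 5840
11:12:02.300000 IP 10.1.0.140.1025 > 10.12.0.10.4606: S 2000:2000(0) win 65535
11:12:03.400100 IP 10.1.0.50.3202 > 10.12.0.20.80: S 1100:1100(0) win 65535
11:12:07.120000 IP 10.1.0.133.1025 > 10.12.0.10.4606: S 3670105000:3670105000(0) win 65535
11:12:09.000000 IP 10.1.0.140.1025 > 10.12.0.10.4606: S 2100:2100(0) win 65535
11:12:13.660000 IP 10.1.0.133.1025 > 10.12.0.10.4606: S 3670109000:3670109000(0) win 65535
11:12:15.700000 IP 10.1.0.140.1025 > 10.12.0.10.4606: S 2200:2200(0) win 65535
11:12:20.150000 IP 10.1.0.133.1025 > 10.12.0.10.4606: S 3670113000:3670113000(0) win 65535
11:12:22.400000 IP 10.1.0.140.1025 > 10.12.0.10.4606: S 2300:2300(0) win 65535
11:12:26.700000 IP 10.1.0.133.1025 > 10.12.0.10.4606: S 3670117000:3670117000(0) win 65535
11:12:29.100000 IP 10.1.0.140.1025 > 10.12.0.10.4606: S 2400:2400(0) win 65535
11:12:30.010000 IP 10.1.0.50.3203 > 10.12.0.20.80: S 1200:1200(0) win 65535
11:12:31.250000 IP 10.1.0.50.3204 > 10.12.0.20.80: S 1300:1300(0) win 65535
11:12:33.200000 IP 10.1.0.133.1025 > 10.12.0.10.4606: S 3670121000:3670121000(0) win 65535
11:12:50.000000 IP 10.1.0.50.3205 > 10.12.0.20.80: S 1400:1400(0) win 65535
"""

# Old-style tcpdump summary: "<time> IP <src>.<sport> > <dst>.<dport>: S <seq>..."
SYN_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d{6}) IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): S "
)


def parse_syns(trace: str):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for bare SYNs only.

    A SYN-ACK also prints with the S flag but carries ' ack ', so it is dropped;
    the point is to keep only client-initiated attempts.
    """
    for line in trace.splitlines():
        m = SYN_RE.match(line)
        if not m or " ack " in line:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        yield ts, m.group(2), m.group(4), int(m.group(5))


def find_beacons(trace: str, min_syns: int = 5, max_jitter: float = 0.25) -> list:
    """Group SYNs by (src, dst, dport) and flag groups with near-constant spacing.

    jitter = largest deviation of any gap from the median gap, relative to that
    median; 0.25 tolerates the 6-7 s spread seen in the thread while rejecting
    interactive traffic.
    """
    buckets = defaultdict(list)
    for ts, src, dst, dport in parse_syns(trace):
        buckets[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), times in sorted(buckets.items()):
        if len(times) < min_syns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        if median <= 0:                      # duplicate timestamps, nothing to measure
            continue
        jitter = max(abs(g - median) for g in gaps) / median
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": f"{dst}:{dport}",
                "count": len(times),
                "median_interval": median,
                "jitter": jitter,
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_TRACE):
        print(f"{f['src']} -> {f['dst']}: {f['count']} SYNs, every "
              f"{f['median_interval']:.2f}s (jitter {f['jitter']:.1%})")
```

On the constructed trace this reports 10.1.0.133 and 10.1.0.140 both hitting 10.12.0.10:4606 at about 6.5-6.7 s, and ignores the browsing host whose gaps range from about a second to nearly half a minute. The output is the shortlist of hosts to examine, which is where the thread's host-side tools (TDIMON, Process Explorer) take over; the median and relative jitter are used rather than mean and standard deviation so one dropped or delayed SYN does not hide an otherwise regular pattern.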



Posted by Scott Townsend on May 25, 2006, 2:57 pm
Found ProcExp from SysInternals, then looked at the System process
properties; there is a TCP/IP tab, and every 6-7 seconds the TCP connection
would show up. I did a stack trace on it and came up with:

ntoskrnl.exe+0xa3d9
ntoskrnl.exe+0x95063
ntoskrnl.exe+0x982a8
ntoskrnl.exe+0xa62d3
ntoskrnl.exe+0xa63a2
ntoskrnl.exe+0xa63e5
ntoskrnl.exe+0x699f
ntoskrnl.exe+0xc577
RpshSi.sys+0x59822
ntoskrnl.exe+0x9603c
ntoskrnl.exe+0xb3b5
ntoskrnl.exe+0x9d128
ntoskrnl.exe+0x18c81


RpshSi.sys is part of COMTROL, a serial-to-TCP/IP device. The RpshSi.sys
device driver was installed on both machines trying to communicate with the
serial-to-TCP/IP device.

thanks!

> That is difficult and may not be feasible.
>
>> My PIX Firewall is picking up a few machines in my network that are
>> sending TCP packets to a non-existent host across one of our WAN links.
>> The packets are one way and are about 6-7 seconds apart. I've included
>> a decoded copy of the packet being sent.
>>
>> When I use the SysInternals TDIMON.exe to see who is generating
>> the traffic, it is the process 'System:4':
>> System:4 89ECE8A0 TDI_CONNECT TCP:0.0.0.0:1025 10.12.0.10:4606 TIMEOUT
>>
>> How can I find out what is really causing the TCP packets?
>>
>> One machine is a WinXP SP2, the other is a Win2003 SP2 running Terminal
>> Services.
>>
>> Any help would be appreciated!
>>
>> Thank you,
>> Scott<-
>



Posted by Karl Levinson on May 25, 2006, 6:35 pm
Thanks for posting this, that's something I did not know.

> Found ProcExp from SysInternals, then looked at the System process
> properties; there is a TCP/IP tab, and every 6-7 seconds the TCP
> connection would show up. I did a stack trace on it and came up with:
>
> ntoskrnl.exe+0xa3d9
> ntoskrnl.exe+0x95063
> ntoskrnl.exe+0x982a8
> ntoskrnl.exe+0xa62d3
> ntoskrnl.exe+0xa63a2
> ntoskrnl.exe+0xa63e5
> ntoskrnl.exe+0x699f
> ntoskrnl.exe+0xc577
> RpshSi.sys+0x59822
> ntoskrnl.exe+0x9603c
> ntoskrnl.exe+0xb3b5
> ntoskrnl.exe+0x9d128
> ntoskrnl.exe+0x18c81
>
>
> RpshSi.sys is part of COMTROL, a Serial to TCP/IP Device. The RpshSi.sys
> Device Driver was installed on both machines trying to communicate to the
> Serial to TCP/IP Device.
>
> thanks!


