Heavy traffic between PC and Router 1

Status
Not open for further replies.

bacoms

Programmer
Jun 14, 2008
6
Please can anyone throw some light on why my router (Speedtouch 516) and my PC (Windows XP Pro at SP3) spend so much time chatting to each other?

I've attached a screenshot from Wireshark showing this traffic, which is all gobbledygook to me. This is the first time I've done an attachment, so here are some lines from the log:

No. Time Source Destination Protocol Info
990 60.949948 192.168.0.200 192.168.0.254 TCP icon-discover > http [RST, ACK] Seq=272 Ack=93 Win=0 Len=0

Frame 990 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: SoyoComp_02:8a:5c (00:50:2c:02:8a:5c), Dst: ThomsonT_78:8f:3f (00:0e:50:78:8f:3f)
Internet Protocol, Src: 192.168.0.200 (192.168.0.200), Dst: 192.168.0.254 (192.168.0.254)
Transmission Control Protocol, Src Port: icon-discover (2799), Dst Port: http (80), Seq: 272, Ack: 93, Len: 0

No. Time Source Destination Protocol Info
991 60.950275 192.168.0.254 192.168.0.200 TCP http > icon-discover [FIN, ACK] Seq=93 Ack=272 Win=4096 Len=0

Frame 991 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: ThomsonT_78:8f:3f (00:0e:50:78:8f:3f), Dst: SoyoComp_02:8a:5c (00:50:2c:02:8a:5c)
Internet Protocol, Src: 192.168.0.254 (192.168.0.254), Dst: 192.168.0.200 (192.168.0.200)
Transmission Control Protocol, Src Port: http (80), Dst Port: icon-discover (2799), Seq: 93, Ack: 272, Len: 0

No. Time Source Destination Protocol Info
992 60.950297 192.168.0.200 192.168.0.254 TCP icon-discover > http [RST] Seq=272 Win=0 Len=0

Frame 992 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: SoyoComp_02:8a:5c (00:50:2c:02:8a:5c), Dst: ThomsonT_78:8f:3f (00:0e:50:78:8f:3f)
Internet Protocol, Src: 192.168.0.200 (192.168.0.200), Dst: 192.168.0.254 (192.168.0.254)
Transmission Control Protocol, Src Port: icon-discover (2799), Dst Port: http (80), Seq: 272, Len: 0

No. Time Source Destination Protocol Info
993 60.951505 192.168.0.200 192.168.0.254 TCP acc-raid > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460

Frame 993 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: SoyoComp_02:8a:5c (00:50:2c:02:8a:5c), Dst: ThomsonT_78:8f:3f (00:0e:50:78:8f:3f)
Internet Protocol, Src: 192.168.0.200 (192.168.0.200), Dst: 192.168.0.254 (192.168.0.254)
Transmission Control Protocol, Src Port: acc-raid (2800), Dst Port: http (80), Seq: 0, Len: 0

No. Time Source Destination Protocol Info
994 60.952841 192.168.0.254 192.168.0.200 TCP http > acc-raid [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1460

Frame 994 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: ThomsonT_78:8f:3f (00:0e:50:78:8f:3f), Dst: SoyoComp_02:8a:5c (00:50:2c:02:8a:5c)
Internet Protocol, Src: 192.168.0.254 (192.168.0.254), Dst: 192.168.0.200 (192.168.0.200)
Transmission Control Protocol, Src Port: http (80), Dst Port: acc-raid (2800), Seq: 0, Ack: 1, Len: 0

No. Time Source Destination Protocol Info
995 60.952874 192.168.0.200 192.168.0.254 TCP acc-raid > http [ACK] Seq=1 Ack=1 Win=17520 Len=0

Frame 995 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: SoyoComp_02:8a:5c (00:50:2c:02:8a:5c), Dst: ThomsonT_78:8f:3f (00:0e:50:78:8f:3f)
Internet Protocol, Src: 192.168.0.200 (192.168.0.200), Dst: 192.168.0.254 (192.168.0.254)
Transmission Control Protocol, Src Port: acc-raid (2800), Dst Port: http (80), Seq: 1, Ack: 1, Len: 0

No. Time Source Destination Protocol Info
996 60.953052 192.168.0.200 192.168.0.254 HTTP SUBSCRIBE /upnp/event/igd/wanpppcInternet HTTP/1.1

Frame 996 (377 bytes on wire, 377 bytes captured)
Ethernet II, Src: SoyoComp_02:8a:5c (00:50:2c:02:8a:5c), Dst: ThomsonT_78:8f:3f (00:0e:50:78:8f:3f)
Internet Protocol, Src: 192.168.0.200 (192.168.0.200), Dst: 192.168.0.254 (192.168.0.254)
Transmission Control Protocol, Src Port: acc-raid (2800), Dst Port: http (80), Seq: 1, Ack: 1, Len: 323
Hypertext Transfer Protocol

No. Time Source Destination Protocol Info
997 60.955810 192.168.0.254 192.168.0.200 HTTP HTTP/1.0 200 OK

Frame 997 (216 bytes on wire, 216 bytes captured)
Ethernet II, Src: ThomsonT_78:8f:3f (00:0e:50:78:8f:3f), Dst: SoyoComp_02:8a:5c (00:50:2c:02:8a:5c)
Internet Protocol, Src: 192.168.0.254 (192.168.0.254), Dst: 192.168.0.200 (192.168.0.200)
Transmission Control Protocol, Src Port: http (80), Dst Port: acc-raid (2800), Seq: 1, Ack: 324, Len: 162
Hypertext Transfer Protocol

No. Time Source Destination Protocol Info
998 60.955959 192.168.0.200 192.168.0.254 TCP acc-raid > http [RST, ACK] Seq=324 Ack=163 Win=0 Len=0

Frame 998 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: SoyoComp_02:8a:5c (00:50:2c:02:8a:5c), Dst: ThomsonT_78:8f:3f (00:0e:50:78:8f:3f)
Internet Protocol, Src: 192.168.0.200 (192.168.0.200), Dst: 192.168.0.254 (192.168.0.254)
Transmission Control Protocol, Src Port: acc-raid (2800), Dst Port: http (80), Seq: 324, Ack: 163, Len: 0

No. Time Source Destination Protocol Info
999 60.956183 192.168.0.254 192.168.0.200 TCP http > acc-raid [FIN, ACK] Seq=163 Ack=324 Win=4096 Len=0

Frame 999 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: ThomsonT_78:8f:3f (00:0e:50:78:8f:3f), Dst: SoyoComp_02:8a:5c (00:50:2c:02:8a:5c)
Internet Protocol, Src: 192.168.0.254 (192.168.0.254), Dst: 192.168.0.200 (192.168.0.200)
Transmission Control Protocol, Src Port: http (80), Dst Port: acc-raid (2800), Seq: 163, Ack: 324, Len: 0

No. Time Source Destination Protocol Info
1000 60.956203 192.168.0.200 192.168.0.254 TCP acc-raid > http [RST] Seq=324 Win=0 Len=0

Frame 1000 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: SoyoComp_02:8a:5c (00:50:2c:02:8a:5c), Dst: ThomsonT_78:8f:3f (00:0e:50:78:8f:3f)
Internet Protocol, Src: 192.168.0.200 (192.168.0.200), Dst: 192.168.0.254 (192.168.0.254)
Transmission Control Protocol, Src Port: acc-raid (2800), Dst Port: http (80), Seq: 324, Len: 0

No. Time Source Destination Protocol Info
1001 61.087786 192.168.0.200 192.168.0.254 TCP igcp > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460

Frame 1001 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: SoyoComp_02:8a:5c (00:50:2c:02:8a:5c), Dst: ThomsonT_78:8f:3f (00:0e:50:78:8f:3f)
Internet Protocol, Src: 192.168.0.200 (192.168.0.200), Dst: 192.168.0.254 (192.168.0.254)
Transmission Control Protocol, Src Port: igcp (2801), Dst Port: http (80), Seq: 0, Len: 0

No. Time Source Destination Protocol Info
1002 61.089248 192.168.0.254 192.168.0.200 TCP http > igcp [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1460

Frame 1002 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: ThomsonT_78:8f:3f (00:0e:50:78:8f:3f), Dst: SoyoComp_02:8a:5c (00:50:2c:02:8a:5c)
Internet Protocol, Src: 192.168.0.254 (192.168.0.254), Dst: 192.168.0.200 (192.168.0.200)
Transmission Control Protocol, Src Port: http (80), Dst Port: igcp (2801), Seq: 0, Ack: 1, Len: 0

No. Time Source Destination Protocol Info
1003 61.089317 192.168.0.200 192.168.0.254 TCP igcp > http [ACK] Seq=1 Ack=1 Win=17520 Len=0

Frame 1003 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: SoyoComp_02:8a:5c (00:50:2c:02:8a:5c), Dst: ThomsonT_78:8f:3f (00:0e:50:78:8f:3f)
Internet Protocol, Src: 192.168.0.200 (192.168.0.200), Dst: 192.168.0.254 (192.168.0.254)
Transmission Control Protocol, Src Port: igcp (2801), Dst Port: http (80), Seq: 1, Ack: 1, Len: 0

No. Time Source Destination Protocol Info
1004 61.090919 192.168.0.200 192.168.0.254 HTTP/XML POST /upnp/control/igd/wancic HTTP/1.1

Frame 1004 (706 bytes on wire, 706 bytes captured)
Ethernet II, Src: SoyoComp_02:8a:5c (00:50:2c:02:8a:5c), Dst: ThomsonT_78:8f:3f (00:0e:50:78:8f:3f)
Internet Protocol, Src: 192.168.0.200 (192.168.0.200), Dst: 192.168.0.254 (192.168.0.254)
Transmission Control Protocol, Src Port: igcp (2801), Dst Port: http (80), Seq: 1, Ack: 1, Len: 652
Hypertext Transfer Protocol
eXtensible Markup Language

No. Time Source Destination Protocol Info
1005 61.094707 192.168.0.254 192.168.0.200 TCP [TCP segment of a reassembled PDU]

Frame 1005 (214 bytes on wire, 214 bytes captured)
Ethernet II, Src: ThomsonT_78:8f:3f (00:0e:50:78:8f:3f), Dst: SoyoComp_02:8a:5c (00:50:2c:02:8a:5c)
Internet Protocol, Src: 192.168.0.254 (192.168.0.254), Dst: 192.168.0.200 (192.168.0.200)
Transmission Control Protocol, Src Port: http (80), Dst Port: igcp (2801), Seq: 1, Ack: 653, Len: 160

No. Time Source Destination Protocol Info
1006 61.095747 192.168.0.254 192.168.0.200 HTTP/XML HTTP/1.0 200 OK

Frame 1006 (649 bytes on wire, 649 bytes captured)
Ethernet II, Src: ThomsonT_78:8f:3f (00:0e:50:78:8f:3f), Dst: SoyoComp_02:8a:5c (00:50:2c:02:8a:5c)
Internet Protocol, Src: 192.168.0.254 (192.168.0.254), Dst: 192.168.0.200 (192.168.0.200)
Transmission Control Protocol, Src Port: http (80), Dst Port: igcp (2801), Seq: 161, Ack: 653, Len: 595
[Reassembled TCP Segments (755 bytes): #1005(160), #1006(595)]
Hypertext Transfer Protocol
eXtensible Markup Language

No. Time Source Destination Protocol Info
1007 61.095813 192.168.0.200 192.168.0.254 TCP igcp > http [ACK] Seq=653 Ack=757 Win=16765 Len=0

Frame 1007 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: SoyoComp_02:8a:5c (00:50:2c:02:8a:5c), Dst: ThomsonT_78:8f:3f (00:0e:50:78:8f:3f)
Internet Protocol, Src: 192.168.0.200 (192.168.0.200), Dst: 192.168.0.254 (192.168.0.254)
Transmission Control Protocol, Src Port: igcp (2801), Dst Port: http (80), Seq: 653, Ack: 757, Len: 0

No. Time Source Destination Protocol Info
1008 61.095983 192.168.0.200 192.168.0.254 TCP igcp > http [RST, ACK] Seq=653 Ack=757 Win=0 Len=0

Frame 1008 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: SoyoComp_02:8a:5c (00:50:2c:02:8a:5c), Dst: ThomsonT_78:8f:3f (00:0e:50:78:8f:3f)
Internet Protocol, Src: 192.168.0.200 (192.168.0.200), Dst: 192.168.0.254 (192.168.0.254)
Transmission Control Protocol, Src Port: igcp (2801), Dst Port: http (80), Seq: 653, Ack: 757, Len: 0


Many thanks,

Bryan
 
Run a virus scan---2799 and 2800 seem okay, but 2801 may not be igcp. There is a trojan called Phineas Phucker that uses 2801...

Burt
 
Thanks for getting back.

I ran ExterminateIt, which is supposed to detect and remove Phineas Phucker. It didn't find it.

A snapshot of the Wireshark log is now viewable via the attachment. Curiously, all the traffic is between 192.168.0.200 (my PC) and 192.168.0.254 (my router). Why would the author of a trojan want to do this?

http://www.talktalkiscrap.talktalk.net/wireshark.html
You're right. I guess you would see info going back to the attacker, unless the attacker hides a log or anything else in a different file (Java script, Active X, etc).
I myself could not really find too much---I know those ports, UDP and TCP 2799, 2800, 2801, etc., are for warnings and info and crap---I don't have that sort of traffic generated on mine. I ran wireshark not too long ago, saw a bunch of unwanted traffic protocols and broadcasts, and went into the registry and tweaked a bunch. Tweaking the wrong things and I couldn't get out anymore...lol
What kind of router? Is there some sort of firewall on it that requires all those broadcasts? If it's DSL, then just hook the modem up to it, and see if it's the router that's generating all the traffic (or initiating all of it...).

Burt
 
Is your router set up as a proxy? Why is your router on the .254 address? Isn't that address reserved for something? I don't remember...

Do you have any other PCs in the network or just the one at .200?

Good luck,
 
Thanks for replying.

No, my router is not set up as a proxy.

.254 was the address assigned by the router. It has been that way since I first installed it nearly 3 years ago. This heavy traffic has only happened recently.

I have an NSLU2 box also on the network as 192.168.0.250. It barely gets a mention in the traffic.
 
Some observations on the content of this traffic:

- it seems to be initiated from my PC rather than my router

- whatever is doing it seems to be checking every port in turn ad infinitum.

e.g.

TCP, Src Port: 4546, Dst Port 80, seq 653, Ack: 756, Len: 0
TCP, Src Port: 4547, Dst Port 80, seq 653, Ack: 756, Len: 0
etc, etc

I've stopped and started various processes and services that seemed relevant, but the traffic still continues.

Anyone know what is driving this?
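As an added illustration (not code from this thread or any of its posters), the Python below groups the frames quoted earlier in the thread into TCP connections and checks whether the climbing port numbers belong to the destination (a port sweep) or to the source (the PC's ephemeral ports on successive short HTTP requests to the router's port 80, which is what the capture shows for the /upnp/ URLs). It assumes Wireshark's summary-line layout as pasted above and treats the endpoint on the higher port as the client; the sample is trimmed to five of the posted frames.

```python
import re

# Five frames from the capture posted above: each Wireshark summary line is followed by
# that frame's "Transmission Control Protocol" line, which carries the numeric ports.
CAPTURE = """\
993 60.951505 192.168.0.200 192.168.0.254 TCP acc-raid > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460
Transmission Control Protocol, Src Port: acc-raid (2800), Dst Port: http (80), Seq: 0, Len: 0
996 60.953052 192.168.0.200 192.168.0.254 HTTP SUBSCRIBE /upnp/event/igd/wanpppcInternet HTTP/1.1
Transmission Control Protocol, Src Port: acc-raid (2800), Dst Port: http (80), Seq: 1, Ack: 1, Len: 323
998 60.955959 192.168.0.200 192.168.0.254 TCP acc-raid > http [RST, ACK] Seq=324 Ack=163 Win=0 Len=0
Transmission Control Protocol, Src Port: acc-raid (2800), Dst Port: http (80), Seq: 324, Ack: 163, Len: 0
1001 61.087786 192.168.0.200 192.168.0.254 TCP igcp > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460
Transmission Control Protocol, Src Port: igcp (2801), Dst Port: http (80), Seq: 0, Len: 0
1004 61.090919 192.168.0.200 192.168.0.254 HTTP/XML POST /upnp/control/igd/wancic HTTP/1.1
Transmission Control Protocol, Src Port: igcp (2801), Dst Port: http (80), Seq: 1, Ack: 1, Len: 652
"""

SUMMARY = re.compile(r"^(\d+) [\d.]+ (\S+) (\S+) (\S+) (.*)$")
PORTS = re.compile(r"Src Port: \S+ \((\d+)\), Dst Port: \S+ \((\d+)\)")
REQUEST = re.compile(r"^(SUBSCRIBE|POST|GET|NOTIFY) (\S+) HTTP/")

def parse_flows(text):
    """Group frames into connections keyed (client_ip, client_port, server_ip, server_port)."""
    flows, summary = {}, None
    for line in text.splitlines():
        m = SUMMARY.match(line)
        if m:
            summary = m.groups()  # frame no, src ip, dst ip, protocol column, info column
            continue
        p = PORTS.search(line)
        if not (p and summary):
            continue
        frame, src, dst, proto, info = summary
        sport, dport = int(p.group(1)), int(p.group(2))
        # Assumption: the endpoint on the higher (ephemeral) port is the client that opened it.
        key = (src, sport, dst, dport) if sport > dport else (dst, dport, src, sport)
        f = flows.setdefault(key, {"frames": [], "request": None})
        f["frames"].append(int(frame))
        r = REQUEST.match(info)
        if r and proto.startswith("HTTP"):
            f["request"] = f"{r.group(1)} {r.group(2)}"
        summary = None  # each frame contributes exactly one TCP detail line
    return flows

def classify(flows):
    """A scan walks many destination ports; a client hitting one service keeps the
    destination fixed while its ephemeral source port climbs per connection."""
    dst_ports = {k[3] for k in flows}
    src_ports = sorted({k[1] for k in flows})
    if len(dst_ports) == 1 and len(src_ports) > 1:
        return f"repeated connections to port {dst_ports.pop()} from ephemeral ports {src_ports}"
    return f"{len(dst_ports)} destination ports touched"
```

Running `classify(parse_flows(CAPTURE))` on the posted frames reports one destination port (80) and rising source ports, so the per-connection request line (SUBSCRIBE or POST to a /upnp/ path) is the thing to chase, not the port numbers.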
 
Could be some malware or other infection...it could be a misconfigured application or driver...it could be a bad NIC or NIC driver...it could be other faulty hardware....

Good luck
 