HELP - Getting swamped with traffic on ports 1900/1901

Status
Not open for further replies.

TheAggie (Programmer), Aug 27, 2002, US

I have a 3-computer home network (1 XP Home, 2 XP-Pro) connected via Cat5 through a Linksys router to a cable modem then out to the internet via Charter.

Lately I had been noting a lot of traffic (via the modem light) when nothing much was going on. Finally found it (I think) tonight by running CommView. CommView shows that over 60% of my network traffic is UDP packets between port 1901 of my router (192.168.1.1) and port 1900 of 239.255.255.250. Any idea what this is???

P.S. CommView is GREAT for snooping this kind of stuff but a tad pricey at $150 for a home user. Does anyone know of a cheaper option(s) for monitoring IP traffic down to the packet level. I do use Wallwatcher but that is just for simple logging.

Mark
 
Used by Microsoft for its Messenger client and for the SSDP Discovery service (uPnP).
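As an added illustration (not part of the original thread, and not code from any router vendor), here is a small Python script that parses an SSDP datagram of the kind Bill is describing and classifies the 192.168.1.1:1901 -> 239.255.255.250:1900 flow from Mark's capture. The NOTIFY body, the LOCATION URL, the SERVER string and the UUID are constructed placeholders, not a capture from a Linksys router.

```python
"""Decode an SSDP (UPnP discovery) datagram and classify the flow.

Added example, not code from the thread. The NOTIFY body, the LOCATION URL
and the UUID below are constructed placeholders, not a real router capture.
"""
import ipaddress

SSDP_GROUP = ipaddress.IPv4Address("239.255.255.250")  # well-known SSDP multicast group
SSDP_PORT = 1900

# Constructed sample: the periodic "ssdp:alive" advertisement a UPnP-enabled
# router multicasts to the LAN. The router picks its own source port (1901 in
# Mark's capture) and always targets the group on port 1900.
SAMPLE_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:5431/dyndev/uuid:placeholder-0000\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"SERVER: placeholder-os/1.0 UPnP/1.0 placeholder-router/1.0\r\n"
    b"USN: uuid:placeholder-0000::upnp:rootdevice\r\n"
    b"\r\n"
)


def parse_ssdp(payload: bytes) -> dict:
    """Parse an SSDP message: an HTTP-style start line plus CRLF-terminated headers.

    Returns {"method": "NOTIFY" | "M-SEARCH" | "RESPONSE", "headers": {NAME: value}}
    with header names upper-cased (SSDP header names are case-insensitive).
    Raises ValueError for anything that does not look like SSDP.
    """
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank-line terminator; not an SSDP message")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    start = lines[0].split()
    if len(start) != 3 or start[0] not in ("NOTIFY", "M-SEARCH", "HTTP/1.1"):
        raise ValueError(f"unexpected start line: {lines[0]!r}")
    method = "RESPONSE" if start[0] == "HTTP/1.1" else start[0]
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:  # tolerate stray lines without a colon
            headers[name.strip().upper()] = value.strip()
    return {"method": method, "headers": headers}


def classify_flow(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                  payload: bytes) -> str:
    """One-line verdict for a UDP flow, e.g. the 1901 -> 1900 traffic in the post."""
    dst = ipaddress.IPv4Address(dst_ip)
    if dst == SSDP_GROUP and dst_port == SSDP_PORT:
        msg = parse_ssdp(payload)
        kind = {"NOTIFY": "advertisement", "M-SEARCH": "search"}.get(msg["method"], "response")
        nts = msg["headers"].get("NTS", "n/a")
        device = msg["headers"].get("NT") or msg["headers"].get("ST") or "?"
        return (f"SSDP {kind} ({nts}) for {device} from {src_ip}:{src_port}: "
                f"UPnP discovery on the LAN; 239/8 is administratively scoped "
                f"multicast and is not forwarded to the Internet")
    if dst.is_multicast:
        return f"other multicast: {src_ip}:{src_port} -> {dst}:{dst_port}"
    return f"unicast: {src_ip}:{src_port} -> {dst}:{dst_port}"


if __name__ == "__main__":
    print(classify_flow("192.168.1.1", 1901, "239.255.255.250", 1900, SAMPLE_NOTIFY))
```

The verdict line is the practical point: this traffic is the router announcing itself to the LAN, it never leaves through the cable modem, and turning UPnP off on the router makes it stop.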
 
Bill,
Thanks but this doesn't seem to fit because:
1) Messenger is not running on any of the computers
2) The message seems to be originating from the router

I noticed you mentioned uPnP. I believe the Linksys supports uPnP. Could that be the cause? Is there a way to turn uPnP off in the router to test that? What would be the downside of turning it off (what does uPnP provide)?

Mark
 
What model router? The BEFSRxx series usually has the uPnP choice on the password page. The WRT54G does not allow it to be enabled/disabled.

 
If you are not currently running a firewall, you should.
It gives you back some control over your ports.
 
I have a BEFSR41 and turned off the uPnP and the messages went away totally. Thanks

I did some more looking and noted that the messages on 1901 only occur about 4 times a minute. This is not much traffic so it is not the cause of the modem light flashing constantly. The only reason it shows up as a large percentage is when nothing else is going on.

That leads to another question. The light is still flashing a lot at times on my router (like right now) when there appears to be no local traffic. Note: I even unplugged everything from the router (except the modem) and it was still flashing. Does anyone know how to figure what may be the cause? Could it be someone is assaulting my firewall and the firewall is blocking it? Is there a way to identify what is going on? I am concerned it may be choking my bandwidth.
 
one of the tabs for logging...enable logging and then after setting the IP to one of your machines use one of the programs here to log traffic...

Note, you will see logs of port scans, machines trying to attach to port 80, etc...don't freak out...

There are still lots of people doing portscans...unless you get daily repeated portscans from a particular IP, they don't use enough traffic to cause any problems...

Port 80 attempts could be from port scanners, or codered type infected machines where the virus tried to go find other machines to infect...

What you are looking for and should be concerned with is IP's that constantly portscan your machine...once you have a log of a week or more of daily portscans from a particular machine, then it might be time to talk to your ISP...or you can just ignore it as it's really not going to do much to your connection.

PS, another tool that's great for watching open ports on the local machine is Active Ports...it's freeware...just search Google for it.
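Added example, not from Rumble's post and not code from WallWatcher or any router: a Python script that applies his two rules of thumb to router block-log lines, i.e. separate one-off probes from a source that port-scans you day after day, and flag sources that only ever hit port 80. The log lines and their "date time ACTION src:port -> dst:port" format are constructed for the example (RFC 5737 documentation addresses); a real WallWatcher or router log would need its own regex.

```python
"""Triage a router's block log: one-off probes vs. a source that port-scans
you every day, plus port-80-only sources.

Added example, not from the thread or from WallWatcher. The log format and
every address below are constructed (RFC 5737 documentation ranges).
"""
import re
from collections import defaultdict
from datetime import date

SAMPLE_LOG = """\
2002-08-25 09:02:11 BLOCK 203.0.113.5:4010 -> 198.51.100.20:21
2002-08-25 09:02:11 BLOCK 203.0.113.5:4011 -> 198.51.100.20:23
2002-08-25 09:02:12 BLOCK 203.0.113.5:4012 -> 198.51.100.20:80
2002-08-25 09:02:12 BLOCK 203.0.113.5:4013 -> 198.51.100.20:135
2002-08-25 09:02:13 BLOCK 203.0.113.5:4014 -> 198.51.100.20:139
2002-08-25 09:02:13 BLOCK 203.0.113.5:4015 -> 198.51.100.20:445
2002-08-26 09:05:40 BLOCK 203.0.113.5:4100 -> 198.51.100.20:21
2002-08-26 09:05:40 BLOCK 203.0.113.5:4101 -> 198.51.100.20:23
2002-08-26 09:05:41 BLOCK 203.0.113.5:4102 -> 198.51.100.20:80
2002-08-26 09:05:41 BLOCK 203.0.113.5:4103 -> 198.51.100.20:135
2002-08-26 09:05:42 BLOCK 203.0.113.5:4104 -> 198.51.100.20:139
2002-08-27 09:01:02 BLOCK 203.0.113.5:4200 -> 198.51.100.20:21
2002-08-27 09:01:02 BLOCK 203.0.113.5:4201 -> 198.51.100.20:23
2002-08-27 09:01:03 BLOCK 203.0.113.5:4202 -> 198.51.100.20:80
2002-08-27 09:01:03 BLOCK 203.0.113.5:4203 -> 198.51.100.20:135
2002-08-27 09:01:04 BLOCK 203.0.113.5:4204 -> 198.51.100.20:445
2002-08-27 11:30:00 BLOCK 192.0.2.77:1450 -> 198.51.100.20:80
2002-08-27 11:31:17 BLOCK 192.0.2.91:2201 -> 198.51.100.20:80
2002-08-27 11:33:02 BLOCK 192.0.2.14:3390 -> 198.51.100.20:80
2002-08-27 11:40:55 BLOCK 192.0.2.200:1026 -> 198.51.100.20:80
2002-08-27 12:00:09 BLOCK 192.0.2.200:1027 -> 198.51.100.20:80
"""

# Generic constructed line format; a real router or WallWatcher log needs its own pattern.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?P<action>[A-Z]+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def parse_log(text: str) -> list:
    """Turn log text into events; lines in another format are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"day": date.fromisoformat(m["date"]), "action": m["action"],
                           "src": m["src"], "dport": int(m["dport"])})
    return events


def summarize_sources(events, scan_ports: int = 5, min_days: int = 7) -> dict:
    """Per-source summary.

    A source 'scans' on a day when it hits >= scan_ports distinct destination
    ports that day. It is a persistent scanner when it scans on >= min_days
    distinct days (Rumble's "a week or more of daily portscans" rule). A source
    that only ever touches port 80 is flagged as a web probe, which he says is
    typical of scanners or Code Red-style infected machines.
    """
    ports_by_day = defaultdict(lambda: defaultdict(set))  # src -> day -> {dport}
    hits = defaultdict(int)
    for ev in events:
        ports_by_day[ev["src"]][ev["day"]].add(ev["dport"])
        hits[ev["src"]] += 1
    report = {}
    for src, days in ports_by_day.items():
        scan_days = [d for d, ports in days.items() if len(ports) >= scan_ports]
        all_ports = set().union(*days.values())
        report[src] = {
            "hits": hits[src],
            "distinct_ports": len(all_ports),
            "scan_days": len(scan_days),
            "persistent_scanner": len(scan_days) >= min_days,
            "web_probe_only": all_ports == {80},
        }
    return report


def worth_reporting(report: dict) -> list:
    """Sources that meet the persistent-scanner bar, busiest first."""
    return sorted((s for s, r in report.items() if r["persistent_scanner"]),
                  key=lambda s: -report[s]["hits"])


if __name__ == "__main__":
    rep = summarize_sources(parse_log(SAMPLE_LOG), min_days=3)
    for src, r in rep.items():
        print(src, r)
    print("consider reporting to the ISP:", worth_reporting(rep))
```

With the default `min_days=7` nothing in the three-day sample qualifies, which is the intended behaviour: the point of the threshold is that a single burst of blocked probes is noise, and only the source that comes back day after day is worth a call to the ISP.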
 
I am running WallWatcher which is one of the IP monitoring applications Rumble mentioned and I have my router set to generate the messages but evidence of what is causing the constant light flashing is not showing up on the log. I have heard that not everything shows up on that log (such as items that the router is configured to block).

Two things I am considering:
1) Configure the router to forward all unsolicited messages to an IP address that is not used and then see if they show up on CommView or the WallWatcher logs.
2) Bring the HP Internet Advisor (a hardware protocol analyser) we have at work home and hook it between the router and the modem and manually monitor the traffic.

#2 is my last choice because I have only used it once before for doing IP a few years ago and it was not that easy to use.

Any Opinions?
 
Just skip all other options that always leave you with questions and go directly to traffic capture. Introduce a 10/100 hub between the modem and router and then take a PC or laptop loaded with Ethereal (free on the net) and watch the packets. This will force you to learn about layer 2 addressing versus layer 3 and about different protocol types as well as the layer 4 ports that lead to various applications. This can be intimidating but once you start to learn about traffic and its behaviors, it makes everything easier to manage. In my experience, this is the easiest way to truly understand what is going on.

Brian
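Added example, not from Brian's post and not code from Ethereal: a Python script that builds a constructed Ethernet/IPv4/UDP frame shaped like the router's SSDP advertisement and then decodes it layer by layer, which is exactly the layer 2 / layer 3 / layer 4 separation Brian is talking about. It also shows how an IPv4 multicast group maps to its Ethernet destination, so you can see why the layer 2 address in a capture is not the router's MAC. The MAC addresses are locally administered placeholders and the payload is a constructed fragment.

```python
"""Build and decode a raw Ethernet/IPv4/UDP frame, layer by layer.

Added example, not from the thread or from Ethereal. MACs are locally
administered placeholders and the payload is a constructed SSDP fragment.
"""
import ipaddress
import struct


def multicast_mac(group: str) -> str:
    """Layer-2 destination for an IPv4 multicast group (RFC 1112): the OUI
    01:00:5e followed by the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement header checksum; over a header that already
    carries a valid checksum the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port,
                    payload: bytes, ttl: int = 4) -> bytes:
    """Assemble Ethernet II + IPv4 (no options) + UDP. The UDP checksum is left
    0, which IPv4 permits (meaning 'not computed')."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0,
                             ttl, 17, 0, ipaddress.IPv4Address(src_ip).packed,
                             ipaddress.IPv4Address(dst_ip).packed)
    csum = ipv4_checksum(ip_no_csum)
    ip = ip_no_csum[:10] + struct.pack("!H", csum) + ip_no_csum[12:]  # checksum sits at offset 10
    return eth + ip + udp


def decode_frame(frame: bytes) -> dict:
    """Peel the frame: layer 2 (MACs, EtherType), layer 3 (IPs, TTL, protocol,
    checksum), layer 4 (UDP ports, payload)."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4 (EtherType 0x%04x)" % ethertype)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    (_vi, _tos, total_len, _id, _frag, ttl, proto, _csum,
     src_raw, dst_raw) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    dst_ip = ipaddress.IPv4Address(dst_raw)
    out = {
        "dst_mac": _mac_str(dst_mac), "src_mac": _mac_str(src_mac),
        "src_ip": str(ipaddress.IPv4Address(src_raw)), "dst_ip": str(dst_ip),
        "ttl": ttl, "proto": proto,
        "ip_checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
        # Layer 2 and layer 3 name different things; for multicast the two
        # destinations must agree, which is a cheap sanity check on a capture.
        "l2_l3_consistent": (not dst_ip.is_multicast)
                            or _mac_str(dst_mac) == multicast_mac(str(dst_ip)),
    }
    if proto == 17:  # UDP
        udp = ip[ihl:total_len]
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", udp[:8])
        out.update({"src_port": sport, "dst_port": dport, "payload": udp[8:ulen]})
    return out


# Constructed frame modelled on the router's SSDP advertisement from the thread.
SAMPLE_PAYLOAD = b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n\r\n"
SAMPLE_FRAME = build_udp_frame("02:00:00:00:00:01", multicast_mac("239.255.255.250"),
                               "192.168.1.1", "239.255.255.250", 1901, 1900, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    for key, value in decode_frame(SAMPLE_FRAME).items():
        print(f"{key:18} {value!r}")
```

Reading the decoded fields top to bottom is the exercise Brian recommends: the destination MAC 01:00:5e:7f:ff:fa is derived from the group address, not from any host; the IP layer carries 192.168.1.1 -> 239.255.255.250 with a small TTL; and only the UDP ports (1901 -> 1900) tell you which application is talking.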
 