ICMP and port 16384 problem - Routers


  1. ICMP and port 16384 problem

    I happened to fire up a network sniffer on my PC
    last night to try and troubleshoot a problem and
    discovered something that I'm stumped on.

    I'm seeing TONS of traffic to a port and IP
    and I don't know what's causing it. This is
    on an XP machine, so the first thing I did
    was a netstat to see what application was
    causing this (I was assuming virus at this
    point), but nothing came up. Then I ran
    TCPview from sysinternals which shows
    me all tcpip traffic in real time and the windows
    process generating it. Again nothing. Next I
    thought maybe someone is ICMPing me,
    so I checked my router to make sure the
    NAT wasn't forwarding the port to my PC,
    nope. Any ideas? Here's a piece of the
    sniffer log, there's dozens of these every
    second - I have no idea who 65.6.181.87 is:

    1 0.000000 65.6.181.87 192.168.2.103 UDP
    Source port: 16384 Destination port: 16384
    2 0.000034 192.168.2.103 65.6.181.87 ICMP
    Destination unreachable (Port unreachable)
    3 0.029063 65.6.181.87 192.168.2.103 UDP
    Source port: 16384 Destination port: 16384
    4 0.029098 192.168.2.103 65.6.181.87 ICMP
    Destination unreachable (Port unreachable)
    5 0.059852 65.6.181.87 192.168.2.103 UDP
    Source port: 16384 Destination port: 16384
    6 0.059883 192.168.2.103 65.6.181.87 ICMP
    Destination unreachable (Port unreachable)
    7 0.089441 65.6.181.87 192.168.2.103 UDP
    Source port: 16384 Destination port: 16384
    8 0.089486 192.168.2.103 65.6.181.87 ICMP
    Destination unreachable (Port unreachable)
    9 0.120482 65.6.181.87 192.168.2.103 UDP
    Source port: 16384 Destination port: 16384





  2. Re: ICMP and port 16384 problem

    Well, I'm not sure what it is but I can tell you who it's coming from
    and who to contact to stop it:
    Reverse Lookup Results
    Host Type Value
    87.181.6.65.in-addr.arpa PTR adsl-065-006-181-087.sip.bct.bellsouth.net
    181.6.65.in-addr.arpa NS auth01.dns.bellsouth.net
    181.6.65.in-addr.arpa NS auth02.dns.bellsouth.net
    181.6.65.in-addr.arpa NS auth00.dns.bellsouth.net
    auth01.dns.bellsouth.net A 205.152.144.187
    auth02.dns.bellsouth.net A 205.152.132.187
    auth00.dns.bellsouth.net A 205.152.37.187
    IP Address Contact Information

    OrgName: BellSouth.net Inc.
    OrgID: BELL
    Address: 575 Morosgo Drive
    City: Atlanta
    StateProv: GA
    PostalCode: 30324
    Country: US

    ReferralServer: rwhois://rwhois.eng.bellsouth.net:4321

    NetRange: 65.0.0.0 - 65.15.255.255
    CIDR: 65.0.0.0/12
    NetName: BELLSNET-BLK15
    NetHandle: NET-65-0-0-0-1
    Parent: NET-65-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS.BELLSOUTH.NET
    NameServer: NS.ATL.BELLSOUTH.NET
    Comment:
    Comment: For Abuse Issues, email abuse @ bellsouth.net. NO
    ATTACHMENTS. Include IP
    Comment: address, time/date, message header, and attack logs.
    Comment: For Subpoena Request, email ipoperations @ bellsouth.net
    with "SUBPOENA" in
    Comment: the subject line. Law Enforcement Agencies ONLY, please.
    RegDate: 2003-12-29
    Updated: 2004-07-28

    RAbuseHandle: ABUSE81-ARIN
    RAbuseName: Abuse Group
    RAbusePhone: +1-404-499-5224
    RAbuseEmail: abuse @ bellsouth.net

    RTechHandle: JG726-ARIN
    RTechName: Geurin, Joe
    RTechPhone: +1-404-499-5240
    RTechEmail: ipoperations @ bellsouth.net

    OrgAbuseHandle: ABUSE81-ARIN
    OrgAbuseName: Abuse Group
    OrgAbusePhone: +1-404-499-5224
    OrgAbuseEmail: abuse @ bellsouth.net

    OrgTechHandle: JG726-ARIN
    OrgTechName: Geurin, Joe
    OrgTechPhone: +1-404-499-5240
    OrgTechEmail: ipoperations @ bellsouth.net


  3. Re: ICMP and port 16384 problem

    Thanks for all the lookup info, I guess my
    big confusion is how is this even getting to
    my PC? It should be stopped at the router
    since 16384 isn't set up to NAT to my PC.

    "kevincw01" wrote in message
    news:1138741999.750243.15770@z14g2000cwz.googlegroups.com...
    > Well, I'm not sure what it is but I can tell you who it's coming from
    > and who to contact to stop it:
    > Reverse Lookup Results
    > Host Type Value
    > 87.181.6.65.in-addr.arpa PTR adsl-065-006-181-087.sip.bct.bellsouth.net
    > 181.6.65.in-addr.arpa NS auth01.dns.bellsouth.net
    > 181.6.65.in-addr.arpa NS auth02.dns.bellsouth.net
    > 181.6.65.in-addr.arpa NS auth00.dns.bellsouth.net
    > auth01.dns.bellsouth.net A 205.152.144.187
    > auth02.dns.bellsouth.net A 205.152.132.187
    > auth00.dns.bellsouth.net A 205.152.37.187
    > IP Address Contact Information
    >
    > OrgName: BellSouth.net Inc.
    > OrgID: BELL
    > Address: 575 Morosgo Drive
    > City: Atlanta
    > StateProv: GA
    > PostalCode: 30324
    > Country: US
    >
    > ReferralServer: rwhois://rwhois.eng.bellsouth.net:4321
    >
    > NetRange: 65.0.0.0 - 65.15.255.255
    > CIDR: 65.0.0.0/12
    > NetName: BELLSNET-BLK15
    > NetHandle: NET-65-0-0-0-1
    > Parent: NET-65-0-0-0-0
    > NetType: Direct Allocation
    > NameServer: NS.BELLSOUTH.NET
    > NameServer: NS.ATL.BELLSOUTH.NET
    > Comment:
    > Comment: For Abuse Issues, email abuse @ bellsouth.net. NO
    > ATTACHMENTS. Include IP
    > Comment: address, time/date, message header, and attack logs.
    > Comment: For Subpoena Request, email ipoperations @ bellsouth.net
    > with "SUBPOENA" in
    > Comment: the subject line. Law Enforcement Agencies ONLY, please.
    > RegDate: 2003-12-29
    > Updated: 2004-07-28
    >
    > RAbuseHandle: ABUSE81-ARIN
    > RAbuseName: Abuse Group
    > RAbusePhone: +1-404-499-5224
    > RAbuseEmail: abuse @ bellsouth.net
    >
    > RTechHandle: JG726-ARIN
    > RTechName: Geurin, Joe
    > RTechPhone: +1-404-499-5240
    > RTechEmail: ipoperations @ bellsouth.net
    >
    > OrgAbuseHandle: ABUSE81-ARIN
    > OrgAbuseName: Abuse Group
    > OrgAbusePhone: +1-404-499-5224
    > OrgAbuseEmail: abuse @ bellsouth.net
    >
    > OrgTechHandle: JG726-ARIN
    > OrgTechName: Geurin, Joe
    > OrgTechPhone: +1-404-499-5240
    > OrgTechEmail: ipoperations @ bellsouth.net
    >




  4. Re: ICMP and port 16384 problem

    RobR wrote:
    > 1 0.000000 65.6.181.87 192.168.2.103 UDP
    > Source port: 16384 Destination port: 16384
    > 2 0.000034 192.168.2.103 65.6.181.87 ICMP
    > Destination unreachable (Port unreachable)

    It looks like 65.6.181.87 is trying to reach port 16384 and the TCP/IP
    stack is replying with the ICMP packet that the port was unreachable. If
    your PC sent a UDP packet to 65.6.181.87 then the NAT function in the
    router will normally forward anything coming back on that port from that
    IP address to the originating PC. There are two questions here:
    1) Why are you getting this UDP traffic in the first place?
    2) Why is the router forwarding it rather than dropping it?

    You don't indicate the type of router. Is it possible that there is a
    configuration option that is causing the router to forward all traffic
    to this particular PC? I assume you don't have this PC in the DMZ. A
    Google on that port shows lots of entries related to VoIP.
    Jim
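
Added example, not part of the thread: a short Python pass over the first five packets of the capture summary from the opening post, pairing each inbound UDP datagram with the ICMP port-unreachable reply described above and reporting the sender's pacing. The function names and report layout are this example's own assumptions.

```python
import re
from collections import defaultdict
# First five packets of the capture summary quoted in the opening post.
CAPTURE = """\
1 0.000000 65.6.181.87 192.168.2.103 UDP
Source port: 16384 Destination port: 16384
2 0.000034 192.168.2.103 65.6.181.87 ICMP
Destination unreachable (Port unreachable)
3 0.029063 65.6.181.87 192.168.2.103 UDP
Source port: 16384 Destination port: 16384
4 0.029098 192.168.2.103 65.6.181.87 ICMP
Destination unreachable (Port unreachable)
5 0.059852 65.6.181.87 192.168.2.103 UDP
Source port: 16384 Destination port: 16384
"""
HEADER = re.compile(r"^\d+ (\d+\.\d+) (\S+) (\S+) (UDP|ICMP)$")
DPORT = re.compile(r"Destination port: (\d+)")

def parse(text):
    """Merge each two-line summary record into [time, src, dst, proto, info]."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HEADER.match(line)
        if m:
            records.append([float(m[1]), m[2], m[3], m[4], ""])
        elif records:
            records[-1][4] = line  # detail line belongs to the previous header
    return records

def rejected_udp_flows(records, local_ip):
    """Per (remote IP, local port): datagrams seen, ICMP rejections sent, mean gap."""
    flows = defaultdict(lambda: {"times": [], "rejected": 0})
    last = {}  # remote IP -> flow key of its most recent datagram
    for time, src, dst, proto, info in records:
        port = DPORT.search(info)
        if proto == "UDP" and dst == local_ip and port:
            last[src] = (src, int(port[1]))
            flows[last[src]]["times"].append(time)
        elif proto == "ICMP" and src == local_ip and "Port unreachable" in info and dst in last:
            flows[last[dst]]["rejected"] += 1
    report = {}
    for key, f in flows.items():
        t = f["times"]
        gap = 1000 * (t[-1] - t[0]) / (len(t) - 1) if len(t) > 1 else None
        report[key] = {"datagrams": len(t), "rejected": f["rejected"], "mean_gap_ms": gap}
    return report

if __name__ == "__main__":
    print(rejected_udp_flows(parse(CAPTURE), "192.168.2.103"))
```

A flow whose datagrams are all answered with port-unreachable has no listening socket on the PC, which is why per-process tools show nothing and the place to look is the router's forwarding, DMZ and UPnP state.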

  5. Re: ICMP and port 16384 problem

    If it were VoIP then it wouldn't be connecting to a consumer DSL
    line....unless you're using Skype which uses a p2p approach to VoIP.
    The original questions remain however. Jim is right, unless you're in
    the DMZ (or fwding the port), your computer must have initiated the
    connection.


  6. Re: ICMP and port 16384 problem


    "kevincw01" wrote in message
    news:1138752640.163756.192910@g44g2000cwa.googlegroups.com...
    > If it were VoIP then it wouldn't be connecting to a consumer DSL
    > line....unless you're using Skype which uses a p2p approach to VoIP.
    > The original questions remain however. Jim is right, unless you're in
    > the DMZ (or fwding the port), your computer must have initiated the
    > connection.
    >


    Which was my thought, ie I was originating the traffic.
    I do have an IAX2 client on this PC and an Asterisk
    VoIP server at work, but the VoIP client wasn't
    running, and the IP address I was seeing wasn't
    related to any of my hardware at work, and the client
    uses port 5060. The utilities I used should
    also have shown if the traffic was related to an application
    on my PC (I double-checked the processes to make
    sure there wasn't something running in the background
    I wasn't aware of).

    The IP resolved to something with SIP in the FQDN
    which also made me think VoIP. In any event, it has
    stopped, I guess it's one of those mysteries that will
    remain unsolved, at least for now but I'll keep an eye
    out during my use of VoIP.

    The router is a Linksys WRT54G running DD-WRT v22 firmware.
    There's no easy way I'm aware of to check UPnP ports on v22
    (v23 has this but has issues) but that's a possible explanation as to
    why traffic was actually making it to my PC.

    Thanks for the help, I appreciate it.



  7. Re: ICMP and port 16384 problem

    Voip Learning and Translating Tutorial
    Voice Over IP is a new communication means that let you telephone with
    Internet at almost null cost.
    How this is possible, what systems are used, what is the standard, all
    that is covered by this Howto.


    http://www.freewebs.com/voipformula/VoIP-HOWTO.html


  8. Re: ICMP and port 16384 problem


    "kimi" wrote in message
    news:1139000445.055767.261920@f14g2000cwb.googlegroups.com...
    > Voip Learning and Translating Tutorial
    > Voice Over IP is a new communication means that let you telephone with
    > Internet at almost null cost.
    > How this is possible, what systems are used, what is the standard, all
    > that is covered by this Howto.
    >
    >
    > http://www.freewebs.com/voipformula/VoIP-HOWTO.html
    >


    Not sure why you posted that, was that supposed to be
    for my benefit?



  9. Re: ICMP and port 16384 problem

    It's probably a newsgroup spam bot. Whatever you do, don't give the
    spammer traffic by clicking on the link.

