[Dshield] Odd dhcp Chatter Activity
security at admin.fulgan.com
Thu Apr 22 12:23:47 GMT 2004
The reg entries you showed us looks like XP's automatic, serverless
IP config (basically, it picks up an IP from a reserved range randomly
and broadcast it via ARP. If someone answers, then it picks a new IP).
It looks like DHCP but it's actually not.
The TDIMon log you're showing here is meaningless: all it lists is a
series of successful calls to the DeviceIOControl API with the
IOCTL_TCP_QUERY_INFORMATION_EX control code: the way drivers get
information on the state of a TCP interface. It might simply be the
windows update module that checks wether there is some bandwidth
available to get it's patch or something like that.
So, you've made a lot of monitoring but actually came up with no hard
evidence of anything happening. Try the following instead: get your
hand on a small hub (NOT a switch) and connect the problematic
machine to it. Then connect your own machine and start Ethereal in
promiscuous mode (or any network sniffer that support this option. if
you want to use the Network monitor, you'll need to get the version
that comes with SMS, not the one that comes with the NT/2000/2003
servers). Get that log and see if there is something strange
happening. Remember to start the trace BEFORE you start the machine.
More information about the list