brian at dessent.net
Tue May 17 02:40:35 GMT 2005
John Gordon wrote:
> I ran a packet monitor on a client's PCs after they
> complained about lan traffic even with no obvious open apps.
> 1497 is in heavy use. Worry about evil using port 1497 even
> though PCs show clean even scanning for rootkits. Thought
> maybe 1497 traffic was related to a Maxtor network hd, but
> Maxtor support only listed another port they use (4301 or
> thereabouts) for firewall pinhole purposes. Packet
> monitor's destination IPs for packet 1497 are other PCs in
> the LAN.
Why don't you use TCPView (Windows) or netstat (*nix) to show what
process is generating the traffic? I find that a lot of the time using
a port number based on "well known ports" is often misleading, since the
assignments in those lists tend to be for very very old protocols, a lot
of them being things that nobody has used for decades. Once you have
the name of the process you can poke at the binary (using e.g. Process
Explorer) to determine what software product it is associated with,
assuming it's not something you recognise.
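The netstat step described above, written up as an added shell example that is not part of the thread: it maps a port to the owning process from Linux `ss -tunap` output and then resolves the PID to its binary, the *nix equivalent of the Process Explorer step. The sample socket table below is constructed for the example; the process names, PIDs and addresses are made up.

```shell
#!/bin/sh
# Constructed sample of `ss -tunap` output (not captured from the
# poster's LAN); process names, PIDs and addresses are invented.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   ESTAB  0      0      192.168.1.20:1497   192.168.1.35:1497 users:(("backupagent",pid=4120,fd=7))
tcp   ESTAB  0      0      192.168.1.20:49812  192.168.1.35:4301 users:(("backupagent",pid=4120,fd=9))
tcp   ESTAB  0      0      192.168.1.20:52210  93.184.216.34:443 users:(("firefox",pid=2231,fd=44))'

# procs_on_port PORT [SS_OUTPUT]
# Prints "proto local peer process pid" for every socket whose local or
# peer port equals PORT. Without a second argument it runs `ss -tunap`
# live (root is needed to see other users' processes).
procs_on_port() {
    port=$1
    if [ $# -ge 2 ]; then out=$2; else out=$(ss -tunap); fi
    printf '%s\n' "$out" | awk -v p="$port" '
        NR > 1 {
            # Port is the last ":"-separated field of each address,
            # which also works for bracketed IPv6 addresses.
            split($5, l, ":"); split($6, r, ":")
            if (l[length(l)] == p || r[length(r)] == p) {
                name = ""; pid = ""
                if (match($0, /\("[^"]*"/))
                    name = substr($0, RSTART + 2, RLENGTH - 3)
                if (match($0, /pid=[0-9]+/))
                    pid = substr($0, RSTART + 4, RLENGTH - 4)
                print $1, $5, $6, name, pid
            }
        }'
}

# exe_for_pid PID
# Resolves the PID to the executable behind it via /proc, so the binary
# can be inspected (hash, vendor, package owner) instead of guessing
# from the port number alone.
exe_for_pid() {
    readlink "/proc/$1/exe"
}

# Example run against the constructed table: only the 1497 socket matches.
procs_on_port 1497 "$SAMPLE_SS"
```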