views: 632
answers: 3

I recently turned on Windows Firewall logging on my computer and started tracking incoming and outgoing connections. Something curious about the logfiles is that I have noticed numerous UDP packets (in fact, it constitutes basically all of my incoming traffic) that don't have my host as destination or source showing up in the logs.

I thought this might be an implementation detail for UDP (the packets are hopping over my computer in the subnet), but Wikipedia'ing UDP didn't enlighten me any more, and I don't see why my computer should be forwarding these packets in the first place.

Any ideas?

Edit 1: Here is what a log file line with the mysterious UDP packet looks like:

2008-10-11 16:04:31 ALLOW UDP 18.243.7.218 239.255.255.250 49152 3702 0 - - - - - - - RECEIVE

Is 239.255.255.250 a broadcast address? Now that you mention it, the UDP packets I'm seeing have very specific destinations, basically 224.0.0.252, 239.255.255.250, 18.243.255.255. I also get phantom ICMP pings addressed to 224.0.0.1.

A: 

Hard to say without analyzing the log data, but they could be broadcast packets on the segment, in which case your system would listen to them. This is possible in IPv4 and IPv6.

Your system should not be forwarding them unless it's set up to route, but it can certainly be listening to packets all the time (various network protocols use UDP).

Nick
+1  A: 

It depends on the type of connection you are on. On most cable modem ISPs you are basically on the same LAN as your neighbours, and can usually see some of their traffic (like broadcast).

I'd recommend you install a packet sniffer and see what is really going on. A good multiplatform packet sniffer is Wireshark.

Luka Marinko
+6  A: 

The packets addressed to IPs starting with 239 and 224 are multicast packets. This is a way to address traffic to a group of computers without broadcasting it to an entire network. It is used by various legitimate protocols.

224.0.0.252 is the address used by the Link Local Name Resolution protocol.

239.255.255.250 is the address used by the Simple Service Discovery Protocol.

224.0.0.1 is the all hosts address, used by your router to see who on your network is willing to participate in multicast conversations.

The ones addressed to 18.243.255.255 look like broadcasts, again this is used by many legitimate protocols such as Bonjour.

As recommended by Luka, a good protocol analyzer like Wireshark will tell you precisely what each of these packets are and what they contain.

Tim Farley
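As an added illustration of this answer (example code written for this page, not from any of the posters or from Wireshark), the following parses lines in the Windows Firewall text log format shown in the question and labels each destination as multicast, broadcast or unicast. The sample log is constructed (the asker's line plus three made-up lines in the same format), the local subnet 18.243.0.0/16 is an assumption inferred from the 18.243.255.255 broadcasts, and the group descriptions are ours.

```python
import ipaddress

# Well-known group addresses named in the answer above; the descriptions are ours.
KNOWN_GROUPS = {
    "224.0.0.1": "all-hosts group (router IGMP membership queries)",
    "224.0.0.252": "LLMNR name resolution",
    "239.255.255.250": "SSDP/UPnP service discovery",
}

# Field order of the Windows Firewall text log (pfirewall.log), 17 columns.
FIELDS = ("date time action protocol src dst srcport dstport size tcpflags "
          "tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Constructed sample log: the asker's line plus three lines in the same format.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-10-11 16:04:31 ALLOW UDP 18.243.7.218 239.255.255.250 49152 3702 0 - - - - - - - RECEIVE
2008-10-11 16:04:32 ALLOW UDP 18.243.7.218 224.0.0.252 52001 5355 0 - - - - - - - RECEIVE
2008-10-11 16:04:33 ALLOW ICMP 18.243.0.1 224.0.0.1 - - 0 - - - - 8 0 - RECEIVE
2008-10-11 16:04:34 ALLOW UDP 18.243.9.40 18.243.255.255 137 137 0 - - - - - - - RECEIVE
"""

def parse_line(line):
    """Split one log line into a dict, or return None for comments/blank lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def classify_destination(dst, local_cidr):
    """Explain why a packet whose destination is not our own IP shows up."""
    ip = ipaddress.ip_address(dst)
    net = ipaddress.ip_network(local_cidr, strict=False)
    if ip.is_multicast:
        return "multicast: " + KNOWN_GROUPS.get(dst, "unlisted group")
    if ip == net.broadcast_address or dst == "255.255.255.255":
        return "broadcast"
    return "unicast (on subnet)" if ip in net else "unicast (off subnet)"

def explain_log(text, local_cidr):
    """Return [(protocol, dst, label)] for every parsed line of a log."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            out.append((rec["protocol"], rec["dst"],
                        classify_destination(rec["dst"], local_cidr)))
    return out

if __name__ == "__main__":
    for proto, dst, label in explain_log(SAMPLE_LOG, "18.243.0.0/16"):
        print(f"{proto:5} -> {dst:16} {label}")
```

Run it against your own pfirewall.log with your subnet's CIDR to see at a glance which "foreign" destinations are multicast groups or the subnet broadcast rather than traffic your host is forwarding.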