PRTG Network Monitor - Query

Started by Griffin NoName, June 06, 2013, 04:08:25 AM


Griffin NoName

I downloaded and installed PRTG Network Monitor as I am suddenly using a huge amount of bandwidth compared to my normal amount and I wanted to investigate.

During installation I was asked whether I wanted to do something or other with address 192.168.1.81 - it implied I was best to say yes. It was something to do with security. It also seemed to be something to do with running a web server. Typically stupid, I did not note what it actually said, so this is from my memory and I think my brain is corrupt.

Anyway, having said yes, I continued on, and found that the software was hugely complex to use, way too much info, and I couldn't work out how to see what I actually wanted to see.

So, I uninstalled the s.w (using the PRTG uninstall). I assumed this would reset the 192.168.1.81 to original before installation.

I then downloaded and installed Stone Net Monitor (Softpedia NetMon) which is a dinky little program that shows all I want to know clearly and easy to read. (only thing it lacks, is it doesn't show application usage).

NetMon shows massive amounts of bytes received while I am not doing anything via 192.168.1.81 - normal ports plus 8000 which was definitely connected with PRTG.

Is this normal? Or has whatever was changed by the PRTG installation not been undone by the uninstall?

(I have searched the PRTG User Guide - tells me nothing - I have also googled but don't get anything sensible).

EDIT

I've been looking around at stuff. It's the source IP address, IPv4 TCP/IP that is set to 192.168.1.81 (not assigned, properties show it as default gateway) - I've no idea if this was set like this before I ran PRTG. Is "81" usual?

I've isolated the traffic: 192.168.81 -> 192.168.1.254 via port 8000 shows largest traffic  - so I guess that's alright as presume it is just traffic between laptop and router. Except I am not sure it was port 8000 prior to PRTG.

EDIT AGAIN

On second thoughts, I think IPv4 was source 192.168.1.1 and destination 192.168.1.2 before all this ? How do I reset? (using ipconfig just re-applies 192.168.1.81)
Psychic Hotline Host

One approaches the journey's end. But the end is a goal, not a catastrophe. George Sand


Sibling Zono (anon1mat0)

Chances are that the router is controlling the IPs on your network; a normal installation uses DHCP and usually devotes a range of IPs to it. Depending on the router, those could be just beside the router's main address (in your case likely 192.168.1.1) or separated (with my last router it uses .100+ for DHCP, for instance). You should be able to configure the router to use any range you want, although it isn't necessary unless you want to manually assign your IP in your adapter or assign a specific IP to a specific MAC address. I suspect you don't have that many devices connected to your router (normally your PC, and any other device like an iPod, tablet, phone on wifi or a network printer with its own adapter). The fewer you have, the lower the chance of IP conflicts and the need for specific IP assignments. The other reason is if you want to route specific traffic to your PC (like remote desktop), in which case the internal IP must remain fixed and the router must have a NAT table in which you tell it which port gets routed to which internal IP (I would imagine that isn't your case either).

This whole babble points to one last thing: do you really need a sniffer in your home setup? Are the white vans parking on your driveway?  ;)
Sibling Zono(trichia Capensis) aka anon1mat0 aka Nicolás.

PPPP: Politicians are Parasitic, Predatory and Perverse.

Bob in a quantum-state-of-faith

What Zono said-- that .81 sounds like an internal device, like a laptop/pc, etc.   Certainly the first three, 192.168.1., are more or less standard practice for local network assignments behind a router or switch.

Some installations need more than 255 addresses, and so change that up some-- typically assigning the 3rd number to specific departments, etc.  There really isn't a reason why you couldn't change it up to whatever you wished-- it's behind the router/switch, and as such (If I understand it right--possible I'm wrong) on the "world" side of the router, all traffic is routed to that number first, and the internal stuff gets redirected via the router/switch software suite.

Sometimes, the real journey can only be taken by making a mistake.

my webpage-- alas, Cox deleted it--dead link... oh well ::)

Griffin NoName

Quote from: Sibling Zono (anon1mat0) on June 06, 2013, 10:07:23 PM

This whole babble points to one last thing: do you really need a sniffer in your home setup? Are the white vans parking on your driveway?  ;)

What have I described that is a sniffer?


The items that connect to the router are: Laptop, Kindle, Smart Phone. iTouch - no conflicts in the past. Smart Phone and Kindle working fine today, so, although I haven't checked the iTouch, I'm not worried.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To log onto my router I had bookmarked 192.168.1.254 a couple of years ago - so this hasn't changed. I just checked it.

I think it is my laptop address that has changed from 192.168.1.1 - to 192.168.1.81 and I think the port has been changed to 8000.

But I don't understand how this can have happened, as I never entered my router password?




Sibling Zono (anon1mat0)

A "network monitor", that is, a tool that analyzes network traffic, is what is usually called in the business a sniffer.
--
The router will assign IPs however it likes depending on what IP is expiring and what is available, so it isn't impossible to jump from .1 to .81.

As for port 8000 this is a page with some info on programs using it:

http://www.speedguide.net/port.php?port=8000

Is the sniffer reporting high traffic on that port?

Last but not least, is your router wireless and you don't have a password for it??!?!?!!?


Griffin NoName

#5
Quote from: Sibling Zono (anon1mat0) on June 07, 2013, 02:04:42 AM
A "network monitor", that is, a tool that analyzes network traffic is what usually is called in the business as a sniffer.

Quote from: Griffin NoName on June 06, 2013, 04:08:25 AM
NetMon shows massive amounts of bytes received while I am not doing anything via 192.168.1.81 - normal ports plus 8000 which was definitely connected with PRTG.

...........and, currently I have three sniffers LoL (they all sniff slightly different stuff).

This all started because my down bandwidth has rocketed in the last two months but I haven't been doing anything I haven't always done, so I want to see if I can pin down what is using all the extra bandwidth. Thanks for the link. I don't use any of the s/w it lists - I suppose I could have a trojan. Though it seems unlikely with Norton. EDIT: scan on 8000 shows no open ports.

Quote from: Sibling Zono (anon1mat0) on June 07, 2013, 02:04:42 AM
The router will assign IPs however it likes depending on what IP is expiring and what is available, so it isn't impossible to jump from .1 to .81.

Yes, but it was always "1" before, but now after PRTG it's always "81" -

Quote from: Sibling Zono (anon1mat0) on June 07, 2013, 02:04:42 AM
As for port 8000 this is a page with some info on programs using it:

http://www.speedguide.net/port.php?port=8000

Is the sniffer reporting high traffic on that port?

Yes. It's considerably higher than any other. Source 192.168.1.81 Destination 192.168.1.254

Quote from: Sibling Zono (anon1mat0) on June 07, 2013, 02:04:42 AM
Last but not least, is your router wireless and you don't have a password for it??!?!?!!?

Quote from: Griffin NoName on June 07, 2013, 12:34:03 AM
I think it is my laptop address that has changed from 192.168.1.1 - to 192.168.1.81 and I think the port has been changed to 8000.

But I don't understand how this can have happened as I never entered my router password. ?

Yes, of course my wireless router has a password.  I meant PRTG never asked me to enter it.

Sibling Zono (anon1mat0)

Are you perchance using your iTouch to listen to music while connected to wifi? Considering that Shoutcast uses port 8000, I wouldn't be surprised if the app you use for music listening is connecting to your PC while doing so; to confirm, review the IP of the iTouch (and if it is .254 that would solve the mystery).

Also, have you been using any torrent client? Those have some negative side effects on your regular bandwidth.

Griffin NoName

No, no, no. My iTouch is dead at present. I hardly ever use it and the battery is dead. I don't listen to any music on anything (except my analogue CD player from circa 1978). I've never used bit torrents. I never use any of the things port 8000 is listed for. Nothing used to use port 8000, now it does. I'm sure this is something to do with having had PRTG installed (now uninstalled). I just want to get back to port 80 like it used to be.

My PC was always 192.168.1.1 and my laptop 192.168.1.2 - I want it back that way.

{{{have just checked smart phone. it is 192.168.1.82 }}}




Sibling Zono (anon1mat0)

The fact that your phone is .82 confirms that DHCP is using that range.

Disclaimer:
The following instructions come without warranty; you may royally screw your network settings while playing with this, and the computer will be unusable re the internet. Make changes at your own peril.

If you want to force .1 on your PC you have 2 ways:

1. Open your router administrator (that is, navigate to 192.168.1.255 if that is the internal IP) and look for the list of currently attached devices. Some routers have the option to assign a specific IP to a MAC address, and the MAC of the network adapter should be in the list beside its IP. If your router doesn't support that functionality you have to use option 2.

or,

2. Note, this method requires you to enter the IP address of your ISP DNS server(s) or you will not be able to navigate to the internet.
   a. Open your router administrator and reconfigure the range of IPs assigned by DHCP so that they go from say 192.168.1.10 - 30, that will make the devices in the network change their IPs once their lease expires to a number in the range you specified.

   b. Once the DHCP range is set go to your computer and (in windows) go to: Network and Sharing Center|Change Adapter Settings| and depending on how you connect do a right click on Local Area Connection or Wireless Network Connection and select Internet Protocol Version 4 (TCP/IPv4).

   c. You have two options: you can force the specific IP (192.168.1.1 in your case) or make it the preferred IP (in case you use a laptop and you connect to the internet in other places). If you want to force it, on the General tab change the option from Obtain an IP address automatically to Use the following IP address, where you will enter the desired IP. Usually the subnet will be filled automatically (255.255.255.0) and your default gateway will be the IP of the router (or 192.168.1.255 if I understood your case correctly). Below you will have to enter the DNS servers you found previously; note that some routers will act as a DNS server so you can enter the router's IP and it will work, but in many cases that will NOT work and you will need the DNS from your ISP.

Griffin NoName

Thanks.

I don't think it was using DHCP prior to all this.

Sibling Zono (anon1mat0)

It is certain that you were using DHCP, otherwise you would've had to set the IP for every single device you connected to your network.

Griffin NoName

Oh. Hmmm. This is all so annoying.

Bob in a quantum-state-of-faith

Quote from: Sibling Zono (anon1mat0) on June 08, 2013, 07:22:07 AM
It is certain that you were using DHCP, otherwise you would've had to set the IP for every single device you connected to your network.

Oh, the days back-when, I was using Win 3.1.1 as an ad-hoc networking engine.  We'd fire that puppy up (pre-internet) to move files from one PC's hard drive to the next, typically to the one with the tape drive, for weekly archival duties.

I do remember asking about DHCP not long after that... and I also remember manually setting up the ISP addys on my networks.  This was when we finally migrated to Win95, as I recall.

That all takes me back.

Bluenose

Griff, could you run "ipconfig /all" from an elevated command prompt and post the results here?

If you're running Windows 7 you'll need to click on the start menu, type command in the search box, then right click on the command prompt entry in the search results and select "run as administrator" to get an elevated command prompt.
Myers Briggs personality type: ENTP -  "Inventor". Enthusiastic interest in everything and always sensitive to possibilities. Non-conformist and innovative. 3.2% of the total population.

Griffin NoName

Running Vista Business SP 1

Windows IP Configuration

  Host Name . . . . . . . . . . . . : Laptop0908
  Primary Dns Suffix  . . . . . . . :
  Node Type . . . . . . . . . . . . : Hybrid
  IP Routing Enabled. . . . . . . . : No
  WINS Proxy Enabled. . . . . . . . : No
  DNS Suffix Search List. . . . . . : home

Wireless LAN adapter Wireless Network Connection:

  Connection-specific DNS Suffix  . : home
  Description . . . . . . . . . . . : Intel(R) WiFi Link 5100 AGN
  Physical Address. . . . . . . . . : 00-16-EA-25-D2-54
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  Link-local IPv6 Address . . . . . : fe80::b968:2548:c6f2:70c1%11(Preferred)
  IPv4 Address. . . . . . . . . . . : 192.168.1.81(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Lease Obtained. . . . . . . . . . : 10 June 2013 22:10:57
  Lease Expires . . . . . . . . . . : 12 June 2013 16:31:17
  Default Gateway . . . . . . . . . : 192.168.1.254
  DHCP Server . . . . . . . . . . . : 192.168.1.254
  DHCPv6 IAID . . . . . . . . . . . : 369104618
  DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-75-E9-6E-00-1A-80-D6-AA-0A
  DNS Servers . . . . . . . . . . . : 192.168.1.254
  NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Intel(R) 82567LM Gigabit Network Connection
  Physical Address. . . . . . . . . : 00-1A-80-D6-AA-0A
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : isatap.{EA854BEC-15D0-40B1-B9F6-E093D1B667C7}
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix  . : home
  Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 17:

  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : 6TO4 Adapter
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 14:

  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
  Physical Address. . . . . . . . . : 02-00-54-55-4E-01
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes


Incidentally, have run ipconfig /release ipconfig /renew - about a week ago now.

Bluenose

Thanks Griff.

You're definitely running DHCP and your PC is assigned 192.168.1.81.  Your DHCP server is your gateway; this is all normal.

Since you were sure you had an IP of 192.168.1.1, I was concerned that the software you had installed may have installed a pseudo adapter or a VPN connection or some such thing with the .81 IP.

If you want to manually set your IP address to 192.168.1.1 (or .2) you will need to manually configure your adapter's address.  From the control panel open the network and sharing centre.  In the left hand pane, click on Change Adapter Settings.  Right-click on the Wireless adapter icon (its name will be something like "Wireless Network Connection") and select Properties.  Click on the Internet Protocol Version 4 (TCP/IPv4) and then press Properties.  Select the "Use the following IP address" radio button and enter the following in the relevant boxes:
IP address: 192.168.1.1 (or ...2, as desired)
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.254

Click on the "Use the following DNS server address" radio button
Enter the following in the relevant fields:
Preferred DNS: 192.168.1.254
Alternate DNS: 8.8.8.8   (this is the Google globally available DNS server, a good choice for secondary if you don't have another one to use)

Hope this helps.

As for the traffic on port 8000, have a look at http://www.speedguide.net/port.php?port=8000 - I would want to be sure that there is not some sort of malware going on.  If you have any idea when this traffic started, you could simply perform a system restore to a point in time before that.  Just type "System Restore" in the search box just above the start button when you click on it, then select system restore from the results.  Choose a restore point from the desired date.  This will not affect any data, but will return your system to the state it was in at that time.  This is a good way to get rid of suspect software - the only gotcha is if the software has disabled system restore, and then you know for sure that something untoward has happened.  Let me know if this helps or if you need more assistance.

Best of luck.
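
Both sets of instructions above (Zono's option 2 and Bluenose's static-address steps) rest on reading the right facts out of "ipconfig /all" and then picking a fixed address that fits the LAN. As an added example, which is not code from this thread nor from PRTG, NetMon or Windows, here is a small Python script that parses a trimmed copy of the ipconfig output Griff posted, confirms that the address came from DHCP (lease dates, DHCP server equal to the gateway), and then sanity-checks a proposed fixed address against the subnet, the router's address and a DHCP pool. The pool boundaries 192.168.1.10-30 are the narrowed range Zono suggested; the function names, the dhcp_pool argument and the candidate addresses tried in main are assumptions of this example, and the gateway used is the 192.168.1.254 shown in the posted output.

```python
import ipaddress
import re

# Trimmed copy of the `ipconfig /all` output posted earlier in the thread.
IPCONFIG_OUTPUT = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : Laptop0908
   Node Type . . . . . . . . . . . . : Hybrid

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : home
   Description . . . . . . . . . . . : Intel(R) WiFi Link 5100 AGN
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.81(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 10 June 2013 22:10:57
   Lease Expires . . . . . . . . . . : 12 June 2013 16:31:17
   Default Gateway . . . . . . . . . : 192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 192.168.1.254

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   DHCP Enabled. . . . . . . . . . . : Yes
"""

# "   Key . . . . : value" lines; the dots are padding, not part of the key.
FIELD_RE = re.compile(r"^\s+([A-Za-z0-9 \-]+?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {section: {field: value}} from `ipconfig /all` output.
    Sections are the unindented lines (the global block and each adapter)."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.rstrip().rstrip(":")
            sections[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            # Windows appends "(Preferred)" to addresses; drop it so they parse.
            value = re.sub(r"\(Preferred\)$", "", m.group(2).strip())
            sections[current][m.group(1).strip()] = value
    return sections


def adapter_summary(fields):
    """The facts that settle the DHCP-or-static question for one adapter.
    Returns None for an adapter with no IPv4 address (e.g. media disconnected)."""
    ip, mask = fields.get("IPv4 Address"), fields.get("Subnet Mask")
    if not ip or not mask:
        return None
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    gw, srv = fields.get("Default Gateway"), fields.get("DHCP Server")
    return {
        "dhcp": fields.get("DHCP Enabled") == "Yes",
        "address": iface.ip,
        "network": iface.network,
        "gateway": ipaddress.IPv4Address(gw) if gw else None,
        "dhcp_server": ipaddress.IPv4Address(srv) if srv else None,
        "lease": (fields.get("Lease Obtained"), fields.get("Lease Expires")),
    }


def check_static_candidate(candidate, summary, dhcp_pool=None):
    """List the reasons `candidate` is a poor choice as a fixed address on this LAN.
    `dhcp_pool` (hypothetical argument) is an optional inclusive (first, last) pair
    the router hands out, e.g. ("192.168.1.10", "192.168.1.30")."""
    addr = ipaddress.IPv4Address(candidate)
    net = summary["network"]
    problems = []
    if addr not in net:
        problems.append(f"{addr} is outside {net}, so the gateway would be unreachable")
    elif addr in (net.network_address, net.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address of {net}")
    if summary["gateway"] is not None and addr == summary["gateway"]:
        problems.append(f"{addr} is the router itself")
    if dhcp_pool:
        first, last = (ipaddress.IPv4Address(a) for a in dhcp_pool)
        if first <= addr <= last:
            problems.append(f"{addr} lies in the DHCP pool {first}-{last}; "
                            "the router may lease it to another device")
    return problems


if __name__ == "__main__":
    sections = parse_ipconfig(IPCONFIG_OUTPUT)
    wifi = adapter_summary(sections["Wireless LAN adapter Wireless Network Connection"])
    print("DHCP:", wifi["dhcp"], "address:", wifi["address"], "lease:", wifi["lease"])
    print("gateway is the DHCP server:", wifi["gateway"] == wifi["dhcp_server"])
    for cand in ("192.168.1.1", "192.168.1.20", "192.168.1.254"):
        print(cand, check_static_candidate(cand, wifi, ("192.168.1.10", "192.168.1.30")) or "ok")
```

Run as-is it reports the .81 lease from 192.168.1.254, then flags .20 as inside the narrowed pool and .254 as the router, leaving .1 as a usable fixed address once the pool no longer covers it.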

Griffin NoName

Thanks Blue.

I just found my notes from 2010 when I last did stuff on the hub. Apparently then it was 192.168.1.62 - so much for my memory.

The router is set to IP 192.168.1.81 - it is not set to "always use this IP address".

My other devices that use my wireless broadband all follow 81 - ie. 82 / 83 / 84.

I think I'll leave all this as is.

I had looked at the speedguide.net entry and eliminated the malware - clicking on the links to the individual nasties takes one to the Symantec site - and I use Norton, so if Symantec list them it seems unlikely that it would let them through (except during installation of Norton, which always seems a weakness in the whole idea to me). I've run a short scan, no problems show up. I am loath to run a full scan as it takes about a day and a half - 36+ hours. Still, I would like to know why my traffic is all coming and going via port 8000.

I don't know if I have a suitable restore point as I don't know when all this started, unless it was the PRTG installaion. I don't.

Bob in a quantum-state-of-faith

A bit of googling reveals a common use for 8000 is something called "iRDMI"  (lower-case i, upper case RDMI)

It apparently stands for Intel Remote Desktop Management.    I do not know what that is, but it sounds like something that would be pre-installed in an Intel-branded PC/Laptop.


Edit:  this is interesting:  http://whatportis.com/8000
Quote:
8000  TCP & UDP  iRDMI (Intel Remote Desktop Management Interface), sometimes erroneously used instead of port 8080
Info: Official | Searches: 2886

8000  TCP  Commonly used for internet radio streams such as those using SHOUTcast
Info: Un-Official | Searches: 2886

Have you ever installed any internet streaming software, such as Real Player or similar, that streams radio stations over the web?   The software could be pre-caching stuff you once--briefly-- looked at.   It's trying to be "helpful".

Look at your running services too-- if you see "iRDMI" or a radio-streaming service?  Try manually stopping it-- (easiest is Ctrl-Alt-Del, bring up the Task Manager, then go to the Services tab).

Bluenose

You know, there are two things that really give me the screaming ab-dabs, one is software that thinks it's smarter than me and the other is software that tries to be "helpful" by doing stuff and not telling me.

The arrogance of the people that write this rubbish really ticks me off.   >:(


Griffin NoName

#19
Quote from: Bob in a quantum-state-of-faith on June 12, 2013, 06:58:37 PM
A bit of googling reveals a common use for 8000 is something called "iRDMI"  (lower-case i, upper case RDMI)

It apparently stands for Intel Remote Desktop Management.    I do not know what that is, but it sounds like something that would be pre-installed in an Intel-branded PC/Laptop.


Edit:  this is interesting:  http://whatportis.com/8000
Quote:
8000  TCP & UDP  iRDMI (Intel Remote Desktop Management Interface), sometimes erroneously used instead of port 8080
Info: Official | Searches: 2886

8000  TCP  Commonly used for internet radio streams such as those using SHOUTcast
Info: Un-Official | Searches: 2886

Have you ever installed any internet streaming software, such as Real Player or similar, that streams radio stations over the web?   The software could be pre-caching stuff you once--briefly-- looked at.   It's trying to be "helpful".

Look at your running services too-- if you see "iRDMI" or a radio-streaming service?  Try manually stopping it-- (easiest is Ctrl-Alt-Del, bring up the Task Manager, then go to the Services tab).

No no, no, and no. Nothing ever of this sort. So it's not that.

Agree Bluenose. I am sick and tired of stuff that happens, like eg Apple processes running when I don't have any Apple stuff. I don't use Apple stuff. I always say NO to Apple stuff (like when IE attempts to make me install any). But as fast as I stop them running at start up, I find them running at start up again.

What I want is a tiny program that just analyses traffic in and out on port 8000 - ie. a "specific" port, so I can see the data being sent and received. One would think this was a common desire, actually looking at what gets sent etc, but all I can find by googling is one such program which looks a bit dodgy and may not even quite do that. I'm not sure why no one has invented such a program, as then one could see one's bank account details actually being sent to Nigeria for example.

EDIT: ok, found a little netmon utility, dinky, got data to/from port 8000 - unfortunately the filter didn't work so got other ports data as well - anyway it all looks like rubbish to me - attached - only thing I was doing while this data was captured was a bit of google searching - I mean it is not total rubbish, for example it endlessly identifies my hub, but basically I can't see anything of interest like send £2000 to Bluenose

Sibling Zono (anon1mat0)

Have you tried blocking port 8000 on the Windows firewall? One of the transmissions is going to BT, so it may be one of those "helpful" ghost services Blue was mentioning before, although I do see some traffic going outside on ports different from 8000 too. In theory, the ports used by you should be limited to those of http (80, 8080 in some cases), https, skype, google talk and perhaps flash; everything else depends on the application, but there is no explicit reason to have those ports open.

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Perhaps you want to try locking out all ports but those you use and see what happens.

Bluenose

I second Zono's idea about blocking port 8000 to see what happens.  Also, you might want to have a look at your router and see if it has the ability to block this traffic.  It's a bit hard with domestic gateways, as these often have only a crude and not very configurable firewall, but it might be worth a try.  Also, depending on the device it might be possible to get it to log the traffic on port 8000 as well.

Griffin NoName

#22
I was thinking of using my firewall to investigate port 8000, so yes, will do this. I don't think my router blocks anything; the technical description did not include any such capabilities or firewall. (It's old, maybe I should replace it.)

Blue -the NetMon utility logged the traffic (data) in the file I attached above. It logs the type of traffic etc etc as well, though I did not attach that log here.


EDIT

I've put a Monitor on port 8000 in the firewall for the specific IP addresses. But although I can see the traffic going in and out in my NETMON utility, it doesn't show up in the firewall log. This is odd. I've double-checked the rule is correct and switched on and I've put it as the first rule to be applied so it isn't being hidden by any block rule. I am a bit stumped by this. And I have tried rebooting just in case the new rule didn't take effect if not rebooted.

I've put a monitor on port 80 as well, which is being used. I can see it being used in NetMon. But again, this does not show up in the firewall log.

What I do have many times a second in the firewall log is:

Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category
15/06/2013 03:58:08,Info,"Rule \"Default Block UPnP Discovery\" stealthed (192.168.1.254, Port ssdp(1900) ). Inbound UDP packet. ",Detected,No Action Required,Firewall - Activities
   Rule "Default Block UPnP Discovery" stealthed (192.168.1.254, Port ssdp(1900) ).
   Inbound UDP packet.
   Local address, service is (239.255.255.250, Port ssdp(1900) ).
   Remote address, service is (192.168.1.254, Port (30968) ).
   Process name is "C:\Windows\System32\svchost.exe".

I am wondering why this happens so many times a minute. I know it's plug and play discovery, but it seems ridiculous to be being blocked almost every second. Norton says the shout to p&p happens every so often, not many times a second. It's not a problem so much as the log is filled up with it over and over (pages and pages and pages) so that it is next to impossible to see anything else in the log.

I am also getting lots of
EVTENG.EXE (WIFI event logger) targeting NIS (Norton) Open process token giving "Unauthorized access"
which doesn't make sense to me.

Oh, yes it does, it is just NIS attempting to be "tamper proof" and doesn't matter at all.

EDIT AGAIN
Have tried changing monitor 8000 to block - still nothing in log despite seeing traffic in NetMon.
NB. Block In and out, any computer, port 8000 local and remote. TCP and UDP. (actually it is only TCP showing in NetMon). Make log entry.
Monitor on port 80 still not showing in log.

I have run Malwarebytes - nothing found. except the nice little NetMon program, which has now been fixed. But my problems started before that was installed.
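
On the firewall-log problem described above (the log drowning in "Default Block UPnP Discovery" entries so that nothing else can be seen), one practical step is to pull the exported CSV apart and separate the SSDP chatter from everything else. The Python below is an added example, not part of the thread nor of any Norton tooling: it parses the quoted CSV export (Norton escapes the inner quotes with a backslash rather than doubling them, so the reader is told about the escape character), extracts rule, action, direction, protocol, remote address and port from the free-text Activity column, and counts the router's inbound UDP/1900 multicast-discovery entries separately from whatever remains. The embedded log holds the one genuine line from the post plus three constructed lines in the same format, including a hypothetical "Monitor port 8000" rule so the filter has something to surface; those constructed lines, the rule name and the function names are not from the thread.

```python
import csv
import io
import re
from collections import Counter

# First data line is the genuine one quoted in the post; the next three are
# CONSTRUCTED in the same format so the filter has both SSDP noise and something
# else to show. "Monitor port 8000" is a hypothetical rule name, not from the thread.
FIREWALL_LOG = r'''Date & Time,Risk,Activity,Status,Recommended Action,Category
15/06/2013 03:58:08,Info,"Rule \"Default Block UPnP Discovery\" stealthed (192.168.1.254, Port ssdp(1900) ). Inbound UDP packet. ",Detected,No Action Required,Firewall - Activities
15/06/2013 03:58:09,Info,"Rule \"Default Block UPnP Discovery\" stealthed (192.168.1.254, Port ssdp(1900) ). Inbound UDP packet. ",Detected,No Action Required,Firewall - Activities
15/06/2013 03:58:10,Info,"Rule \"Monitor port 8000\" permitted (192.168.1.254, Port (8000) ). Outbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15/06/2013 03:58:11,Info,"Rule \"Default Block UPnP Discovery\" stealthed (192.168.1.254, Port ssdp(1900) ). Inbound UDP packet. ",Detected,No Action Required,Firewall - Activities
'''

# Pulls the structured bits out of the free-text Activity column, e.g.
#   Rule "X" stealthed (192.168.1.254, Port ssdp(1900) ). Inbound UDP packet.
ACTIVITY_RE = re.compile(
    r'Rule "(?P<rule>[^"]+)" (?P<action>\w+) '
    r'\((?P<remote>[\d.]+), Port (?P<service>\w*)\((?P<port>\d+)\) \)\. '
    r'(?P<direction>Inbound|Outbound) (?P<proto>TCP|UDP)'
)


def parse_norton_log(text):
    """Parse the CSV export. Norton escapes embedded quotes with a backslash
    instead of doubling them, so csv is configured with that escape character."""
    reader = csv.DictReader(io.StringIO(text), escapechar="\\", doublequote=False)
    rows = []
    for rec in reader:
        m = ACTIVITY_RE.search(rec["Activity"])
        if m:  # skip lines whose Activity text does not follow the rule/port pattern
            rows.append({"time": rec["Date & Time"], "status": rec["Status"], **m.groupdict()})
    return rows


def is_ssdp_noise(row):
    """The router's UPnP discovery: inbound UDP to port 1900 (SSDP multicast).
    Expected on a home LAN and the reason the log fills up."""
    return row["proto"] == "UDP" and row["port"] == "1900" and row["direction"] == "Inbound"


def summarise(rows):
    """Split the log into SSDP chatter and everything else, with a per-rule count."""
    other = [r for r in rows if not is_ssdp_noise(r)]
    return {
        "ssdp_noise": len(rows) - len(other),
        "other": other,
        "by_rule": Counter(r["rule"] for r in rows),
    }


if __name__ == "__main__":
    result = summarise(parse_norton_log(FIREWALL_LOG))
    print(f"SSDP discovery entries set aside: {result['ssdp_noise']}")
    for rule, n in result["by_rule"].most_common():
        print(f"  {n:4d}  {rule}")
    print("Remaining entries worth a look:")
    for r in result["other"]:
        print(f"  {r['time']}  {r['direction']} {r['proto']} {r['remote']}:{r['port']}"
              f"  rule={r['rule']!r} ({r['action']})")
```

The same approach works on a full export: feed the file contents to parse_norton_log, and the "other" list is the part of the log that the SSDP entries were hiding.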