Port 24224?

ThreeDee

I'm seeing a lot of hits on this particular port from IPs from around the globe .. I have done a search on these forums to no avail and googled to no avail in an attempt to find some info on what this port is used for primarily ... :confused:

Does Steam use this port ? ..as I do play TF2 and CS:S a lot ...???

I did a quick search over at steampowered.com in regards to this port as well and didn't find anything

just curious :)
 
Do you use a torrent client or any P2P software that uses a specific port.
If so check what port it uses.
It could be P2P traffic trying to connect to you.
 
what is the dst IP? resolve it.

run a windump and see when it happens and how often.

then do the -X switch to look at the packet innards.
 
UDP ..and I don't run P2P programs of any kind

they are all different IPs from around the world ...no single IP is really hammering me on that specific port

66.91.23.226
122.52.95.238
67.82.249.102
84.202.201.178
69.3.235.235

first 5 in my logs ..range from in the states to Norway .. 1 hit a piece

I am running 2 computers behind a SmoothWall Express 3.0 box with red setup for PPPoE and my ActionTec modem setup in transparent bridging mode

one comp is XP Pro ..the other (my main one) is Vista ..then I have my X360 on same network as well

as far as logs say , the destination IP is my external IP that I get from my ISP ..so my smoothie box .. the source being those that I posted (5 of them anyways)

looking at a netstat type mod called connview , nothing ever shows as being connected to any internal IPs on those ports or anything else from those IPs.. that I have seen anyways

I haven't been real vigilant on that end as of yet tho

I have never run a windump before ..I did some googling and found a program WinPcap and installed it as administrator on my Vista box .. and then downloaded WinDump into the winpcap folder in program files and am now listening on my nvidia onboard nic ..and I set it to report for port 24224 for now ...

a lot of stuff comes up of course when doing
windump.exe -i 1 host my.internal.ip.address
so I know it's working

this page
http://wiki.tibbo.net/doku.php/windump
has commands to use without having to dig through the manual .. I don't have time right now tho to do anything extensive , but will play with it later

I don't think it's really cause for alarm or anything , I just see that port come up a lot and I don't know what it is these IPs are trying to connect to ..so I'm curious whilst learning more about properly maintaining/protecting a network

thanks


 
This might help.
If you want to quickly see what connections have been made to your PC and which files are doing the talking, make a batch file containing the following, or type into the run box:

netstat -b 5

This will display the Executables making connections and will display active connections every 5 seconds.
To stop the capture and read the results, press Ctrl+C and don't answer the prompt.
Change the parameters to suit. Display the parameters with netstat /? (you probably know, but just in case :))
 
destination port ...source ports seem to vary every time

thanks for the tips and commands ...running that netstat -b 5 just shows a couple firefox connections and my one putty connection I have to my smoothie box ...under the foreign address column it only shows .75:http for every entry

I'll run this again and see what it shows again when I have some more time


 
If you run SmoothWall as your perimeter firewall I believe it comes with tcpdump.

you can run this command:

tcpdump -nnvpXi eth0 dst port 24224 -w 24224.text

where eth0 is your internal port. So if you see any traffic you know it is getting past your firewall. You can let that run and let it write to the file for a while, but make sure you're not getting constant traffic first with or that file will fill up quick.

let it run for a while and see what you get. If you get nothing your smoothie is probably blocking it.

if you like next,

run the same command, except on your external interface, eth1 or what have you. You may see traffic as it's on the outside of your firewall.

If you don't trust the source IP you can put a block/drop packets from those IPs.

also you can save that file and open it with wireshark to check out what it is trying to do.

You can also run that command on your windows box, except the port won't be eth, it will be a number that identifies your nic, run windump -D to see what number your NIC is bound to.

sounds interesting. If it's really evil traffic, you may want to capture it and post it for us to take a look at.
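
As an added example that is not part of the thread: once a capture has been saved with tcpdump -w as the last reply suggests, this Python code tallies UDP packets to port 24224 per source IP, which shows whether the hits are scattered one-offs or a few persistent senders. It assumes a classic pcap file captured on an Ethernet interface; the function names and the sample packets (documentation addresses) are constructed for illustration.

```python
import socket
import struct
from collections import Counter


def udp_hits(pcap_bytes, dst_port=24224):
    """Count UDP packets sent to dst_port, per source IP, in a classic pcap file."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (link type 1) are handled")
    hits, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        # Per-packet record header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(end + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (VLAN-tagged and IPv6 frames are skipped)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
        if ip[9] != 17 or frag_offset or len(ip) < ihl + 8:
            continue  # not UDP, or no UDP header present in this packet
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        if dport == dst_port:
            hits[socket.inet_ntoa(ip[12:16])] += 1
    return dict(hits)


def _frame(src, dst, sport, dport, payload=b"x"):
    """Build one constructed Ethernet/IPv4/UDP frame (checksums left at zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp


def sample_pcap():
    """Constructed capture using documentation addresses, not data from the thread."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkts = [("192.0.2.1", 40000, 24224), ("198.51.100.7", 51000, 24224),
            ("192.0.2.1", 40001, 24224), ("198.51.100.9", 53, 33000)]
    for i, (src, sport, dport) in enumerate(pkts):
        f = _frame(src, "203.0.113.10", sport, dport)
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out
```

To use it on a real capture, pass the file contents, for example udp_hits(open("24224.text", "rb").read()). A capture taken on a PPPoE interface rather than an Ethernet one uses a different link type and is rejected with a ValueError.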
 