Help with mystery IP Traffic

Thread starter: Eddy

Eddy
So, I'm using a Zone Alarm Firewall and a NetworkActiV Packet Sniffer to
inspect my home dlink network. I notice that my computer (192.168.0.100) is
initiating a lot of tcp traffic with the router (192.168.0.1).

The traffic also appears to have a pattern. The source and destination are
always the router and the computer. The traffic all occurs over port 80 and
a port that continually increments by some process running on my computer.
The port numbers seem to cycle between 1000 and 4000.

The funny thing is, Zone Alarm catches every third attempt. The others pass
through and are picked up by the packet inspector.

Here's a sample of the traffic:

  TCP   62   192.168.0.100   192.168.0.1     2720   80     [2008.02.26 - 09:53:05.562]
  TCP   54   192.168.0.100   192.168.0.1     2720   80     [2008.02.26 - 09:53:05.562]
  TCP   58   192.168.0.1     192.168.0.100   80     2720   [2008.02.26 - 09:53:05.562]

This cycle is continually initiated by my machine, incrementing the source
port number each cycle.

Any ideas on how to track down the service or dll generating this?
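Before chasing the process, it helps to confirm exactly what the pattern is. The following is an added example, not part of the thread or of NetworkActiV or ZoneAlarm: it parses sniffer lines in the format quoted above, groups packets into TCP connections, and flags a client that keeps opening short connections to one server:port with strictly increasing source ports. The sample capture is constructed here (the 198.51.100.10:443 line is a decoy that should not be flagged), and the "first packet seen on a 4-tuple is the initiator" rule is an assumption that holds when the capture starts before the SYN.

```python
import re
from collections import OrderedDict, defaultdict
from datetime import datetime

# Constructed sample in the sniffer's line format: proto, frame length, src, dst,
# sport, dport, timestamp. Three cycles to the router on port 80, source port
# incrementing each cycle, plus one unrelated connection that must not be flagged.
SAMPLE = """\
TCP 62 192.168.0.100 192.168.0.1 2720 80 [2008.02.26 - 09:53:05.562]
TCP 54 192.168.0.100 192.168.0.1 2720 80 [2008.02.26 - 09:53:05.562]
TCP 58 192.168.0.1 192.168.0.100 80 2720 [2008.02.26 - 09:53:05.562]
TCP 62 192.168.0.100 192.168.0.1 2721 80 [2008.02.26 - 09:53:06.563]
TCP 54 192.168.0.100 192.168.0.1 2721 80 [2008.02.26 - 09:53:06.563]
TCP 58 192.168.0.1 192.168.0.100 80 2721 [2008.02.26 - 09:53:06.563]
TCP 62 192.168.0.100 192.168.0.1 2722 80 [2008.02.26 - 09:53:07.565]
TCP 54 192.168.0.100 192.168.0.1 2722 80 [2008.02.26 - 09:53:07.565]
TCP 58 192.168.0.1 192.168.0.100 80 2722 [2008.02.26 - 09:53:07.565]
TCP 66 192.168.0.100 198.51.100.10 2723 443 [2008.02.26 - 09:53:07.900]
"""

LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<length>\d+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+\[(?P<ts>[^\]]+)\]$"
)


def parse_lines(text):
    """Parse sniffer lines into dicts; lines that do not match the format are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "proto": d["proto"], "length": int(d["length"]),
            "src": d["src"], "dst": d["dst"],
            "sport": int(d["sport"]), "dport": int(d["dport"]),
            "ts": datetime.strptime(d["ts"], "%Y.%m.%d - %H:%M:%S.%f"),
        })
    return packets


def group_connections(packets):
    """Group TCP packets into connections keyed by their 4-tuple. Assumption: the
    first packet seen on a 4-tuple is from the initiator (true when the SYN is captured)."""
    conns = OrderedDict()
    for p in packets:
        if p["proto"] != "TCP":
            continue
        key = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
        c = conns.get(key)
        if c is None:
            c = conns[key] = {"client": p["src"], "client_port": p["sport"],
                              "server": p["dst"], "server_port": p["dport"],
                              "first": p["ts"], "packets": 0}
        c["packets"] += 1
    return list(conns.values())


def find_polling(conns, min_connections=3, max_packets=4):
    """Flag a client that opens a run of short connections to one server:port with
    strictly increasing source ports, i.e. a process reconnecting on a timer."""
    by_target = defaultdict(list)
    for c in conns:
        by_target[(c["client"], c["server"], c["server_port"])].append(c)
    findings = []
    for (client, server, port), run in by_target.items():
        if len(run) < min_connections:
            continue
        ports = [c["client_port"] for c in run]
        increasing = all(a < b for a, b in zip(ports, ports[1:]))
        short = max(c["packets"] for c in run) <= max_packets
        if not (increasing and short):
            continue
        gaps = [(b["first"] - a["first"]).total_seconds() for a, b in zip(run, run[1:])]
        findings.append({"client": client, "server": server, "port": port,
                         "connections": len(run), "source_ports": ports,
                         "packets_per_connection": max(c["packets"] for c in run),
                         "avg_interval_s": sum(gaps) / len(gaps)})
    return findings


if __name__ == "__main__":
    for f in find_polling(group_connections(parse_lines(SAMPLE))):
        print("%(client)s -> %(server)s:%(port)d: %(connections)d connections, "
              "ports %(source_ports)s, about every %(avg_interval_s).2fs" % f)
```

Once the interval is known, the process can be caught in the act on the Windows side: `netstat -ano` lists the owning PID for each local port while the connection is open, `netstat -b` names the executable, and `tasklist /svc /FI "PID eq <pid>"` shows which services a svchost.exe PID hosts. Because each connection here lives only milliseconds, Process Monitor's network events (Operation "TCP Connect", filtered on the router address) are the more reliable way to see the owning process.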
 
smlunatick

How long did you configure the DHCP lease time in the DHCP service of the
router?
 
Eddy

DHCP is a 1-week lease. Interesting question.

smlunatick said:
How long did you configure the DHCP lease time in the DHCP service of the
router?
 
smlunatick said:
How long did you configure the DHCP lease time in the DHCP service of the router?

So I got curious about this question and ran procmon. Sure enough, I find a
repeating set of registry activity surrounding setting DHCP.

  Thread:    3568
  Class:     Registry
  Operation: RegQueryValue
  Path:      HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0EE64983-19E0-4170-A0E7-86F60CEEB10A}\DhcpServer
  Date:
  Duration:
  Type:      REG_SZ
  Length:    24
  Data:      192.168.0.1

Aha! What is going on?
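The procmon record above shows the DhcpServer value being read on a timer but not which process reads it; Process Monitor's "Process Name" and "PID" columns carry that. This is an added example, not part of the thread or of Process Monitor itself: it takes a Process Monitor CSV export, counts DhcpServer reads per PID, and matches them with the same PID's "TCP Connect" events to the address that was read, on port 80, so the registry polling and the port-80 connections can be tied to one process. Assumptions: the default export column set ("Time of Day","Process Name","PID","Operation","Path","Result","Detail") and the "src:port -> dst:port" path form procmon uses for network events; every row of the sample (process names, PIDs, times) is constructed, only the registry path is the one from the post.

```python
import csv
import io
import re
from collections import defaultdict

# Registry value quoted in the post.
DHCP_KEY = (r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
            r"\{0EE64983-19E0-4170-A0E7-86F60CEEB10A}\DhcpServer")
# Assumed default Process Monitor CSV column set.
COLUMNS = ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail")


def build_sample_csv():
    """Constructed procmon export: one PID reads DhcpServer and then connects to
    that address on port 80 three times; another PID does unrelated work."""
    reg = ("RegQueryValue", DHCP_KEY, "SUCCESS", "Type: REG_SZ, Length: 24, Data: 192.168.0.1")
    rows = [COLUMNS]
    for i, sport in enumerate((2720, 2721, 2722)):
        t = "9:53:%02d.56 AM" % (5 + i)
        rows.append((t, "svchost.exe", "1012") + reg)
        rows.append((t, "svchost.exe", "1012", "TCP Connect",
                     "192.168.0.100:%d -> 192.168.0.1:80" % sport, "SUCCESS", "Length: 0"))
    rows.append(("9:53:06.10 AM", "explorer.exe", "1488", "RegQueryValue",
                 r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
                 "SUCCESS", "Type: REG_DWORD, Length: 4, Data: 2"))
    rows.append(("9:53:06.20 AM", "explorer.exe", "1488", "TCP Connect",
                 "192.168.0.100:2730 -> 198.51.100.10:443", "SUCCESS", "Length: 0"))
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def parse_procmon_csv(text):
    """Rows as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


DATA_RE = re.compile(r"Data:\s*([\d.]+)")          # "Data: 192.168.0.1" in the Detail column
CONNECT_RE = re.compile(r"->\s*([\d.]+):(\d+)$")   # destination of a TCP Connect path


def correlate(rows):
    """For every PID that reads DhcpServer, count those reads and the TCP connects
    it makes to the address it read, on port 80. Sorted by number of reads."""
    stats = defaultdict(lambda: {"process": None, "dhcpserver_reads": 0,
                                 "dhcp_server": None, "connects_to_dhcp_server_80": 0})
    for r in rows:                      # pass 1: who reads the value, and what it says
        s = stats[int(r["PID"])]
        s["process"] = r["Process Name"]
        if r["Operation"].startswith("RegQueryValue") and r["Path"].lower() == DHCP_KEY.lower():
            s["dhcpserver_reads"] += 1
            m = DATA_RE.search(r["Detail"])
            if m:
                s["dhcp_server"] = m.group(1)
    for r in rows:                      # pass 2: connects by the same PID to that address:80
        s = stats[int(r["PID"])]
        if r["Operation"] == "TCP Connect" and s["dhcp_server"]:
            m = CONNECT_RE.search(r["Path"])
            if m and m.group(1) == s["dhcp_server"] and m.group(2) == "80":
                s["connects_to_dhcp_server_80"] += 1
    hits = [dict(pid=pid, **s) for pid, s in stats.items() if s["dhcpserver_reads"]]
    hits.sort(key=lambda h: h["dhcpserver_reads"], reverse=True)
    return hits


if __name__ == "__main__":
    for h in correlate(parse_procmon_csv(build_sample_csv())):
        print("%(process)s (PID %(pid)d): %(dhcpserver_reads)d DhcpServer reads, "
              "%(connects_to_dhcp_server_80)d connects to %(dhcp_server)s:80" % h)
```

When the PID turns out to be a svchost.exe, `tasklist /svc /FI "PID eq <pid>"` lists the services it hosts, which is the level at which the behaviour can be judged legitimate (a DHCP client or a vendor update agent talking to the router's web interface) or not.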
 