How to find process sending SNMP packets?
Hi all
I post to the Security forum - maybe Vista Networking might have been better? Anyway - here's the issue:
I see a Vista machine sending SNMP requests (udp/161) with the default community "public" regularly to two (2) IP addresses that do not belong to any known network. I would like to find out what process sends these requests. The computer has never been a member of a domain, and the SNMP feature is not installed.
I have used Sysinternals' TCPView and netstat, but I was unable to find any application sending udp/161 traffic. Yet on the wire I clearly see the traffic:
18:37:28.718784 PortC, IN: IP 192.168.1.70.57210 > 192.168.0.3.161:
GetRequest(63) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2[|snmp]
Any ideas? Suggestions appreciated.
Best
Maurice
July 13th, 2011 7:39pm
Hi,
Thanks for posting in Microsoft TechNet forums.
SNMP provides security by using community names and SNMP authentication traps.
An SNMP trap is an event notification message sent by the SNMP Trap service running on an SNMP host. The SNMP trap is sent to other SNMP hosts or to an SNMP management system, which are known as trap destinations.
Please refer to http://technet.microsoft.com/en-us/library/cc754924.aspx
Best Regards
Magon Liu
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tnmff@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 14th, 2011 11:45am
Hello Magon Liu
Thanks for reading and answering. According to the TechNet article you referenced, the system would need to be configured to send a trap. But the SNMP feature is not installed on this Vista machine, and on the wire I don't see a trap but an SNMP GetRequest.
So I assume it's not Windows sending the traffic. Do you have any other suggestion on how to find the sending application?
/Maurice
July 15th, 2011 8:32am
Hi,
Please listen on port 161; if it is open, that means your router has an SNMP service built in and it is set to enabled.
Regards,
July 15th, 2011 8:48am
Hi Maurice, you said..
and the SNMP feature is not installed.
I'd suggest double-check in 'Turn Windows features on or off' from Programs and Features - perhaps you've been toying with a Mail program or similar and the feature has been turned on without you realizing.
I don't really know that much about it as yet, though. Sorry.
Regards, pkn2011
July 15th, 2011 6:59pm
Hello
I just verified Windows Features and SNMP is still unchecked.
/Maurice
July 16th, 2011 4:20am
Hi Again,
Is it somehow to do with the conversion from IPv4 to IPv6? I've an snmp.exe process running, and can see Local Port "snmp" using UDP on the same PID (2688) as Local Port 161 using UDPv6 (in TCPView). No idea what it means, though.
pkn2011
July 16th, 2011 5:23am
Hi,
Is there any update?
Regards,
July 18th, 2011 11:18pm
Magon, I cannot see how the router comes into the picture. I see the Vista computer sending SNMP packets, and I can capture them on the wire. When running netstat with different arguments I cannot see any process listening on udp/161, and TCPView does not show any process listening/sending on UDP 161 either.
/Maurice
July 19th, 2011 10:37am
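A snapshot tool such as netstat or TCPView only shows a UDP socket while it is bound; a process that opens a socket, sends one GetRequest and closes it again is easy to miss. The following is an added example (not from the thread): a PowerShell function that takes a baseline of the UDP sockets on the box, then polls netstat rapidly and reports every new local port/PID pair together with the owning process, so the timestamps can be lined up against the capture. The function name, the sample netstat line in the comment and the default poll interval are my own; run it elevated so that process paths are readable.

```powershell
# Added example, not from the thread: watch for short-lived UDP sockets and
# map them to the owning process. Assumes PowerShell 2.0 or later (the
# Vista-era release) and an elevated prompt so Get-Process can read paths.

function Find-UdpSender {
    param(
        [int]$Seconds    = 120,   # how long to keep polling
        [int]$IntervalMs = 100,   # poll interval; a one-request socket lives only briefly
        [int]$LocalPort  = 0      # 0 = report every new socket, otherwise filter on this port
    )
    # A UDP line from "netstat -ano -p udp" looks like this (constructed sample):
    #   UDP    192.168.1.70:57210     *:*                                    2688
    # netstat shows no foreign address for UDP, so we cannot match on the SNMP
    # destination port 161; instead we key on local endpoint + PID.
    function Get-UdpTable {
        netstat -ano -p udp | Where-Object { $_ -match '^\s*UDP\s' } | ForEach-Object {
            $f = $_.Trim() -split '\s+'          # proto, local, foreign, pid
            if ($f.Count -ge 4) {
                New-Object PSObject -Property @{
                    Local = $f[1]
                    Port  = [int](($f[1] -split ':')[-1])   # works for 0.0.0.0:57210 and [::]:57210
                    PID   = [int]$f[3]
                    Key   = "$($f[1])/$($f[3])"
                }
            }
        }
    }

    $baseline = @{}
    Get-UdpTable | ForEach-Object { $baseline[$_.Key] = $true }
    $reported = @{}
    $deadline = (Get-Date).AddSeconds($Seconds)

    while ((Get-Date) -lt $deadline) {
        foreach ($s in Get-UdpTable) {
            if ($baseline.ContainsKey($s.Key) -or $reported.ContainsKey($s.Key)) { continue }
            if ($LocalPort -ne 0 -and $s.Port -ne $LocalPort) { continue }
            $reported[$s.Key] = $true
            $proc = Get-Process -Id $s.PID -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Time    = Get-Date
                Local   = $s.Local
                PID     = $s.PID
                Process = $(if ($proc) { $proc.ProcessName } else { '(already exited)' })
                Path    = $(try { $proc.Path } catch { $null })
            }
        }
        Start-Sleep -Milliseconds $IntervalMs
    }
}

# Usage: poll for two minutes while the capture is running, then compare the
# Time column with the timestamps on the wire (18:37:28 in the thread's sample).
Find-UdpSender -Seconds 120 | Format-Table Time, Local, PID, Process, Path -AutoSize
```

If a socket still slips between two polls, the reliable alternative on Vista is Sysinternals Process Monitor, whose network events (UDP Send with remote address and port) carry the process name, so a filter on "Path contains :161" shows the sender directly.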
Hi Maurice, you said..
18:37:28.718784 PortC, IN: IP 192.168.1.70.57210 > 192.168.0.3.161:
GetRequest(63) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2[|snmp]
I'd also suspect it's the router, as I've seen the IP 192. in other threads when people are referring to their routers. Wait a sec, let me see if I can find a relevant comment.
Yes, here: "and reset the router to factory defaults. Now I'm using the 192.168.1.1 net"
also you said: "and the SNMP feature is not installed."
Check services too; perhaps the service is running - but it's not showing up in Programs and features?
Just trying to be helpful, Regards. pkn2011
July 19th, 2011 9:28pm
Hi everybody,
In my opinion Maurice is talking about the "Print Spooler" service of Windows, which sends these SNMP packets. Just try the following, Maurice:
- Stop the "Print Spooler" service in the Microsoft Management Console (mmc). You will see that no more SNMP packets are being sent.
Cheers,
Chris
August 6th, 2011 5:03am
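Chris's hypothesis can be checked without stopping the spooler. The OID in the capture, .1.3.6.1.2.1.25.3.2.1.5.1, is hrDeviceStatus from the Host Resources MIB, which is what the Standard TCP/IP Port Monitor polls when a printer port has "SNMP Status Enabled" set; a port left over from a printer on a previous network would explain requests to addresses that belong to no known network, and the community string defaults to "public" and travels in cleartext in SNMP v1/v2c. The following is an added example (not from the thread): a PowerShell function that lists the machine's Standard TCP/IP printer ports, flags those with SNMP polling enabled, and marks any whose host address matches the destinations seen on the wire. The function names and the 192.168.0.3 argument are my own; the WMI class and registry values are the standard ones.

```powershell
# Added example, not from the thread: find Standard TCP/IP printer ports that
# make the Print Spooler (spoolsv.exe) poll a device over SNMP (udp/161).
# Assumes PowerShell 2.0 or later; works on Vista via Get-WmiObject.

function Get-SnmpPrinterPort {
    param(
        [string[]]$SuspectAddress = @()   # destinations seen on the wire, e.g. 192.168.0.3
    )
    # Win32_TCPIPPrinterPort exposes the same settings as the port's
    # "Configure Port" dialog, including the SNMP status polling switch.
    Get-WmiObject -Class Win32_TCPIPPrinterPort | ForEach-Object {
        New-Object PSObject -Property @{
            Port        = $_.Name
            Host        = $_.HostAddress
            PortNumber  = $_.PortNumber
            SNMPEnabled = [bool]$_.SNMPEnabled
            Community   = $_.SNMPCommunity
            Suspect     = ($SuspectAddress -contains $_.HostAddress)
        }
    }
}

# The same data straight from the registry, for a box where WMI is unusable.
# Each port key holds HostName or IPAddress, "SNMP Enabled" (1/0) and "SNMP Community".
function Get-SnmpPrinterPortFromRegistry {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports'
    Get-ChildItem $base -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        New-Object PSObject -Property @{
            Port        = $_.PSChildName
            Host        = $(if ($p.HostName) { $p.HostName } else { $p.IPAddress })
            SNMPEnabled = ($p.'SNMP Enabled' -eq 1)
            Community   = $p.'SNMP Community'
        }
    }
}

# Usage: list the ports and highlight the one(s) matching the capture.
Get-SnmpPrinterPort -SuspectAddress '192.168.0.3' |
    Sort-Object Suspect -Descending |
    Format-Table Port, Host, PortNumber, SNMPEnabled, Community, Suspect -AutoSize

# To stop the polling on one port without deleting it (equivalent to
# "cscript prnport.vbs -t -r <port> -md"), clear the flag through WMI:
#   $port = Get-WmiObject Win32_TCPIPPrinterPort -Filter "Name='IP_192.168.0.3'"
#   $port.SNMPEnabled = $false
#   $port.Put() | Out-Null
```

A port that shows SNMPEnabled = True and a host address matching the capture is the sender; with polling disabled (or the stale port removed) the udp/161 traffic stops while the spooler keeps running, which is a cleaner confirmation than stopping the service.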