How to find process sending SNMP packets?
Hi all,

I post this to the Security forum; maybe Vista Networking might have been better? Anyway, here's the issue: I see a Vista machine regularly sending SNMP requests (udp/161) with the default community "public" to two (2) IP addresses that do not belong to any known network. I would like to find out what process sends these requests. The computer has never been a member of a domain, and the SNMP feature is not installed. I have used Sysinternals' TCPView and netstat, but I was unable to find any application sending udp/161 traffic. Yet on the wire I clearly see the traffic:

18:37:28.718784 PortC, IN: IP 192.168.1.70.57210 > 192.168.0.3.161: GetRequest(63) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2[|snmp]

Any ideas? Suggestions appreciated.

Best
Maurice
July 13th, 2011 7:39pm

Hi,

Thanks for posting in Microsoft TechNet forums.

SNMP provides security by using community names and SNMP authentication traps. An SNMP trap is an event notification message sent by the SNMP Trap service running on an SNMP host. The SNMP trap is sent to other SNMP hosts or to an SNMP management system, which are known as trap destinations. Please refer to http://technet.microsoft.com/en-us/library/cc754924.aspx

Best Regards
Magon Liu
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tnmff@microsoft.com

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 14th, 2011 11:45am

Hello Magon Liu,

Thanks for reading and answering. According to the TechNet article you referenced, the system would need to be configured to send a trap. But the SNMP feature is not installed on this Vista machine, and on the wire I don't see a trap but an SNMP GetRequest. So I assume it's not Windows sending the traffic. Do you have any other suggestion on how to find the sending application?

/Maurice
July 15th, 2011 8:32am

Hi,

Please listen on port 161. If it is open, that means your router has an SNMP service built in and set to enabled.

Regards,

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 15th, 2011 8:48am

Hi Maurice,

You said: "and the SNMP feature is not installed." I'd suggest double-checking in 'Turn Windows features on or off' from Programs and Features; perhaps you've been toying with a mail program or similar and the feature has been turned on without you realizing. I don't really know that much about it as yet though, sorry..

Regards,
pkn2011
July 15th, 2011 6:59pm

Hello,

I just verified Windows Features and SNMP is still unchecked ...

/Maurice
July 16th, 2011 4:20am

Hi again,

Is it somehow to do with the conversion from IPv4 to IPv6? I've got an snmp.exe process running, and in TCPView I can see Local Port "snmp" using UDP on the same PID (2688) as Local Port 161 using UDPv6. No idea what it means though..

pkn2011
July 16th, 2011 5:23am

Hi,

Is there any update?

Regards,

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 18th, 2011 11:18pm

Magon - I cannot see how the router comes into the picture. I see the Vista computer sending SNMP packets, and I can capture them on the wire. When running netstat with different arguments I cannot see any process listening on udp/161, and TCPView does not show any process listening/sending on UDP 161 either.

/Maurice
July 19th, 2011 10:37am

Hi Maurice,

You said: "18:37:28.718784 PortC, IN: IP 192.168.1.70.57210 > 192.168.0.3.161: GetRequest(63) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2[|snmp]"

I'd also suspect it's the router, as 192.x IPs are what I've seen in other threads when people are referring to their routers. Wait a sec - see if I can find a relevant comment.. yes, here: "and reset the router to factory defaults. Now I'm using the 192.168.1.1 net".

You also said: "and the SNMP feature is not installed." Check services too; perhaps the service is running but it's not showing up in Programs and Features?

Just trying to be helpful,
Regards,
pkn2011
July 19th, 2011 9:28pm

Hi everybody,

In my opinion Maurice is talking about the "Print Spooler" service of Windows, which sends these SNMP packets. Just try the following, Maurice:

- Stop the "Print Spooler" service in the Microsoft Management Console (mmc).

You will see that no more SNMP packets are being sent.

Cheers,
Chris
August 6th, 2011 5:03am
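The capture line quoted at the top of the thread already carries a useful clue that the posters never decoded: the requested object .1.3.6.1.2.1.25.3.2.1.5.1 is hrDeviceStatus from the standard HOST-RESOURCES-MIB, which is the kind of device-status poll consistent with Chris's Print Spooler suggestion. The script below is an added example, not code from the thread: it parses tcpdump's SNMP summary lines, labels the requested OIDs against a small hand-picked table of standard MIB prefixes, and flags requests whose destination lies outside the subnets you declare as local (the 192.168.1.0/24 local range and the second capture line are constructed assumptions for the demonstration). Feed it the tcpdump output of a longer capture to see which objects are being polled and which destinations are unexpected before hunting for the owning process.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the first line is the tcpdump output quoted in the thread,
# the second is a made-up companion request to a host on the local subnet.
SAMPLE_CAPTURE = """\
18:37:28.718784 PortC, IN: IP 192.168.1.70.57210 > 192.168.0.3.161: GetRequest(63) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2[|snmp]
18:37:28.901002 PortC, IN: IP 192.168.1.70.57211 > 192.168.1.20.161: GetRequest(42) .1.3.6.1.2.1.1.5.0
"""

# Hand-picked subset of standard MIB object prefixes (assumption: only these are
# recognised; anything else is reported as unknown).
KNOWN_OIDS = {
    "1.3.6.1.2.1.1": "SNMPv2-MIB system group",
    "1.3.6.1.2.1.1.5": "sysName",
    "1.3.6.1.2.1.25": "HOST-RESOURCES-MIB",
    "1.3.6.1.2.1.25.3.2.1.5": "hrDeviceStatus (HOST-RESOURCES-MIB)",
    "1.3.6.1.2.1.43": "Printer-MIB",
}

# tcpdump SNMP summary: "<ts> [<iface>, IN|OUT:] IP <src>.<sport> > <dst>.<dport>: <PDU>(<len>) <oids>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\S+,\s+(?:IN|OUT):\s+)?IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<pdu>\w+)\((?P<length>\d+)\)\s*(?P<rest>.*)$"
)
OID_RE = re.compile(r"\.?(\d+(?:\.\d+)+)")


@dataclass
class SnmpRequest:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    pdu: str
    oids: list
    truncated: bool  # tcpdump printed "[|snmp]": the PDU was cut off


def parse_line(line: str):
    """Parse one tcpdump SNMP summary line; return None for lines that are not SNMP."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    truncated = "[|snmp]" in rest
    oids = OID_RE.findall(rest)
    if truncated and oids:
        oids = oids[:-1]  # the last OID is cut off mid-way, so it is not usable
    return SnmpRequest(
        ts=m.group("ts"), src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")), pdu=m.group("pdu"),
        oids=oids, truncated=truncated,
    )


def classify_oid(oid: str) -> str:
    """Longest-prefix match of a dotted OID against KNOWN_OIDS."""
    parts = oid.split(".")
    for n in range(len(parts), 0, -1):
        name = KNOWN_OIDS.get(".".join(parts[:n]))
        if name:
            return name
    return "unknown"


def summarize(capture: str, local_nets):
    """Return one record per SNMP request, flagging destinations outside local_nets."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    records = []
    for line in capture.splitlines():
        req = parse_line(line)
        if req is None or req.dport != 161:
            continue
        dst = ipaddress.ip_address(req.dst)
        records.append({
            "ts": req.ts,
            "src": f"{req.src}:{req.sport}",
            "dst": f"{req.dst}:{req.dport}",
            "pdu": req.pdu,
            "objects": [classify_oid(o) for o in req.oids],
            "foreign_destination": not any(dst in n for n in nets),
            "truncated": req.truncated,
        })
    return records


if __name__ == "__main__":
    # Assumption: the Vista host lives on 192.168.1.0/24, so 192.168.0.3 is foreign.
    for rec in summarize(SAMPLE_CAPTURE, ["192.168.1.0/24"]):
        print(rec)
```

The "foreign_destination" flag is what makes the two unexplained addresses in the original question stand out in a long capture; "truncated" reminds you to re-run tcpdump with a larger snaplen (or -v) if you need the rest of the varbind list.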
