I've recently been monitoring my home network traffic heavily (using NetFlow).
Today I noticed some odd multicast coming from a Windows 11 laptop (it was left on, but unattended). I have AVG and Malwarebytes installed on this laptop.
These entries all appear within 10 seconds due to the NetFlow reporting interval time.

| Multicast Address | Source Port | Destination Port | Packet Byte Size |
|---|---|---|---|
| 192.168.1.255 | 57716 | 3289 | 252 |
| 192.168.1.255 | 57708 | 22222 | 336 |
| 192.168.1.255 | 57700 | 22222 | 336 |
| 255.255.255.255 | 10004 | 10004 | 666 |

I've researched the ports but can't find anything explicable - 3289 seems like it is used for certain Epson devices. I have just one, but I only connect it directly via USB and it would not have been connected at the time.
The 22222 appears to be used by some trojans, but I don't understand why a trojan would do a multicast to this port out to the local network?
And the 10004 doesn't really yield much information either.
I'm still a bit new to this, so sorry if I'm missing something obvious.
I didn't have a port logger running on the machine at the time, but I have had it set up since last night to try to see it happen again and trace down the executable spawning the request. No luck so far.
Thanks for your input!
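
One way to catch the sending executable on the Windows 11 laptop, as an added example that is not part of the original post: a PowerShell loop that polls `Get-NetUDPEndpoint` and logs every newly bound UDP socket with its owning process. The polling interval, the log path and the variable names are assumptions; the port numbers come from the table above.

```powershell
# Added example (not from the original post): log each newly bound UDP socket
# together with the process that owns it, so a NetFlow entry can be traced to an executable.

# Only the last table row uses a fixed source port (10004). The other rows use
# ephemeral source ports (57700-57716), so those are matched by timestamp instead.
$FixedSourcePorts = @(10004)
$IntervalMs       = 500                                   # assumed polling interval
$LogPath          = "$env:TEMP\udp-endpoint-watch.csv"    # assumed output location
$seen             = @{}                                   # endpoints already logged

while ($true) {
    foreach ($ep in Get-NetUDPEndpoint -ErrorAction SilentlyContinue) {
        # Key on address, port and PID so a reused port by another process is logged again.
        $key = '{0}|{1}|{2}' -f $ep.LocalAddress, $ep.LocalPort, $ep.OwningProcess
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # Path can be empty for protected system processes unless run elevated.
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Time            = (Get-Date).ToString('o')
            LocalAddress    = $ep.LocalAddress
            LocalPort       = $ep.LocalPort
            FixedSourcePort = $FixedSourcePorts -contains $ep.LocalPort
            ProcessId       = $ep.OwningProcess
            ProcessName     = $proc.Name
            Path            = $proc.Path
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
    Start-Sleep -Milliseconds $IntervalMs
}
```

The first pass records every socket that is already open, which serves as a baseline; later rows are new bindings whose `Time` and `LocalPort` can be compared with the NetFlow source ports. A socket that opens and closes between two polls is missed, so a shorter interval trades CPU for coverage.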