
I've recently been monitoring my home network traffic heavily (using Netflow).

Today I noticed some odd multicast coming from a Windows 11 laptop (it was left on, but unattended). I have AVG and malwarebytes installed on this laptop.

These entries all appear within 10 seconds due to the netflow reporting interval time.

Multicast Address   Source Port   Destination Port   Packet Byte Size
192.168.1.255       57716         3289               252
192.168.1.255       57708         22222              336
192.168.1.255       57700         22222              336
255.255.255.255     10004         10004              666

I've researched the ports but can't find anything explicable - 3289 seems like it is used for certain Epson devices. I have just one, but I only connect it directly via USB and it would not have been connected at the time.

The 22222 appears to be used by some trojans, but I don't understand why a trojan would do a multicast to this port out to the local network?

And the 10004 doesn't really yield much information either.

I'm still a bit new to this, so sorry if I'm missing something obvious.

I didn't have a port logger running on the machine at the time, but I have had it set up since last night to try to see it happen again and trace down the executable spawning the request. No luck so far.

Thanks for your input!

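Two things a defender would check before worrying about these flows are what kind of destination they actually are and whether the four entries belong to one burst. The script below is an added example (not code from the question or its comments) that classifies each destination as broadcast, multicast or unicast, groups NetFlow-style records into bursts by the exporter's reporting interval, and annotates destination ports with the service hints mentioned on this page. The record timestamps, the laptop's address 192.168.1.23, the /24 subnet and the unrelated unicast flow are all constructed.

```python
"""
Added example: classify NetFlow-style records by destination type and
group them into bursts. Sample records are constructed from the numbers
in the question; the port hints are the ones mentioned on the page.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Service hints quoted on the page. Any program may use any port, so these
# are leads to confirm on the host (CurrPorts, netstat), not verdicts.
PORT_HINTS = {
    3289: "ENPC (Epson printer status/discovery)",
    22222: "Redgate licensing client / EasyEngine; also seen with some trojans",
    10004: "EMC Replication Manager / some BitTorrent clients",
}


@dataclass
class Flow:
    ts: datetime  # time the exporter reported the flow
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def classify_destination(dst: str, subnet: str = "192.168.1.0/24") -> str:
    """Return 'broadcast', 'multicast' or 'unicast' for a destination IP.

    The question calls these flows multicast; x.x.x.255 on a /24 and
    255.255.255.255 are in fact broadcasts. The subnet is an assumption.
    """
    ip = ipaddress.ip_address(dst)
    net = ipaddress.ip_network(subnet)
    if ip == net.broadcast_address or str(ip) == "255.255.255.255":
        return "broadcast"
    if ip.is_multicast:
        return "multicast"
    return "unicast"


def group_bursts(flows, window=timedelta(seconds=10)):
    """Group flows whose report times fall within `window` of the burst start."""
    bursts, current = [], []
    for f in sorted(flows, key=lambda f: f.ts):
        if current and f.ts - current[0].ts > window:
            bursts.append(current)
            current = []
        current.append(f)
    if current:
        bursts.append(current)
    return bursts


def describe_burst(burst):
    """Per-flow summary: (dport, address class, port hint, bytes)."""
    return [
        (f.dport, classify_destination(f.dst),
         PORT_HINTS.get(f.dport, "no hint on the page"), f.nbytes)
        for f in burst
    ]


# Constructed records: the four entries from the question spread over
# seven seconds, plus one ordinary HTTPS flow an hour later.
T0 = datetime(2024, 3, 28, 11, 30, 0)
FLOWS = [
    Flow(T0, "192.168.1.23", 57716, "192.168.1.255", 3289, 252),
    Flow(T0 + timedelta(seconds=2), "192.168.1.23", 57708, "192.168.1.255", 22222, 336),
    Flow(T0 + timedelta(seconds=4), "192.168.1.23", 57700, "192.168.1.255", 22222, 336),
    Flow(T0 + timedelta(seconds=7), "192.168.1.23", 10004, "255.255.255.255", 10004, 666),
    Flow(T0 + timedelta(hours=1), "192.168.1.23", 51000, "203.0.113.10", 443, 1200),
]

if __name__ == "__main__":
    for i, burst in enumerate(group_bursts(FLOWS), 1):
        print(f"burst {i} starting {burst[0].ts:%H:%M:%S}")
        for dport, kind, hint, nbytes in describe_burst(burst):
            print(f"  {kind:9} dport={dport:<5} {nbytes:>5} B  {hint}")
```

Running it shows one broadcast burst of four flows and a separate unicast flow; the next step on the host is to find which process binds the source ports during the burst, which is what the accepted approach with CurrPorts does.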
  • "Same timestamp (+/- 10 seconds)" isn't really the exact same timestamp – it could still be three different programs having started at roughly the same time. (I feel like I've seen 3289 + 22222 somewhere in the past – faintly remember that it was some licensing thing, either antivirus software probing for duplicate licenses, or licensing software doing the same.) Commented Mar 28 at 11:54
  • @u1686_grawity You are very right... I've edited my question to fix that. Thanks for your input - If you happen to remember any more details on where you've seen this combination before please update me. Thanks again! Commented Mar 28 at 12:12
  • You might find a tool such as Nirsoft's free CurrPorts, nirsoft.net/utils/cports.html, useful. That utility shows application, IP addresses, ports, etc. Click on a column header to sort by it. Commented Mar 28 at 17:49
  • @DrMoishePippik Thanks! That is indeed what I've been using today, just didn't have it running at the correct time. But now I finally caught it with CurrPorts :) But thank you again for the recommendation! Commented Mar 28 at 20:37

2 Answers


Port 3289 is used for the ENPC protocol which is mainly used to acquire the status and make settings for the module or printer. It seems to be used by at least the Epson printers (link).

Port 22222 can be used by many products, but also by several trojans. The legitimate users are the Redgate licensing client and EasyEngine. If you don't have them installed, then it doesn't automatically mean that your computer is infected.

Port 10004 is known to be used by the EMC Replication Manager and some BitTorrent clients.

Please note that the above information is incomplete, and that any product can decide to use any port that it likes, without paying attention to conventions and standards. Using more tracking software and searching for programs that are listening on these ports is the first step.

  • Thank you for your answer. This is the info I did come across as well... Was just being a bit paranoid due to a security alert on an email account... I ended up finding the cause of these shared broadcasts and will provide an answer detailing it shortly. But again, I greatly appreciate it! Commented Mar 29 at 15:38

I was eventually able to recreate this behavior with cPorts running - It seems to happen often on user login (but not always) and then a bit randomly (sometimes about once an hour, but it can go a long time without occurring).

The UDP ports are bound to by dasHost.exe. And these ports do all seem to be broadcast on at the same time. It appears to be coming (at least in part) from "Universal Print". This is the only entry in my Windows Event Viewer that corresponds almost exactly to the timing of these UDP broadcasts (with no other events coming close).

There are always two information events that accompany these broadcasts, first:

The description for Event ID 1 from source Universal Print cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Device is neither AAD/Domain Joined or Workplace Joined. mcpmanagementservice.dll

The locale specific resource for the desired message is not present

and then:

The description for Event ID 1 from source Universal Print cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Initialization Successful. Enabled=false, CloudPrintSolution=Unknown, DiscoveryEndpoint=, OAuthAuthority=, OAuthClientId=, DiscoveryResourceId=, PrintResourceId= mcpmanagementservice.dll

The locale specific resource for the desired message is not present

I can understand the 3289 broadcast from this POV with it being an Epson port, the others I am still unsure on but I feel a bit better knowing the origin. I will still likely try to dig in further for more information.
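The answer above pins the origin by noticing that two "Universal Print" events land at the same moment as each UDP burst and nothing else does. That temporal correlation can be done mechanically once you have burst start times from the flow data and an export of the event log. The script below is an added example (not code from the answer) that, for each burst, lists the events within a few seconds of it and counts which (source, event ID) pairs recur across bursts; a pair present at nearly every burst is a candidate origin, one that appears once is likely coincidence. The timestamps, the two noise events and the burst times are constructed; the "Universal Print" messages are the ones quoted in the answer.

```python
"""
Added example: correlate UDP broadcast burst start times with Windows
event log records. All timestamps and the noise entries are constructed;
the Universal Print messages are quoted from the answer.
"""
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    source: str
    event_id: int
    message: str


UP_JOIN = "Device is neither AAD/Domain Joined or Workplace Joined. mcpmanagementservice.dll"
UP_INIT = ("Initialization Successful. Enabled=false, CloudPrintSolution=Unknown, "
           "DiscoveryEndpoint=, OAuthAuthority=, OAuthClientId=, DiscoveryResourceId=, "
           "PrintResourceId= mcpmanagementservice.dll")

# Constructed event log excerpt: two bursts an hour apart, each preceded by
# the pair of Universal Print events, plus unrelated entries as noise.
T0 = datetime(2024, 3, 28, 11, 29, 58)
T1 = T0 + timedelta(hours=1, minutes=3)
EVENTS = [
    Event(T0 - timedelta(minutes=7), "Service Control Manager", 7036,
          "The Print Spooler service entered the running state."),
    Event(T0, "Universal Print", 1, UP_JOIN),
    Event(T0 + timedelta(seconds=1), "Universal Print", 1, UP_INIT),
    Event(T0 + timedelta(minutes=12), "Windows Update Client", 19,
          "Installation Successful."),
    Event(T1 - timedelta(seconds=2), "Universal Print", 1, UP_JOIN),
    Event(T1 - timedelta(seconds=1), "Universal Print", 1, UP_INIT),
]

# Constructed burst start times (first flow reported in each burst).
BURSTS = [T0 + timedelta(seconds=2), T1]


def events_near(burst_ts, events, window=timedelta(seconds=10)):
    """Events whose timestamp lies within +/- window of the burst start."""
    return [e for e in events if abs(e.ts - burst_ts) <= window]


def recurring_sources(bursts, events, window=timedelta(seconds=10)):
    """Count, per (source, event_id), in how many bursts it appears nearby."""
    counts = {}
    for b in bursts:
        seen = {(e.source, e.event_id) for e in events_near(b, events, window)}
        for key in seen:
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for b in BURSTS:
        print(f"burst at {b:%H:%M:%S}:")
        for e in events_near(b, EVENTS):
            print(f"  {e.ts:%H:%M:%S} {e.source} id={e.event_id}: {e.message[:60]}")
    print("recurrence:", recurring_sources(BURSTS, EVENTS))
```

With a real export (for example the Application log saved as CSV and parsed into `Event` records) the same two functions rank candidate sources; a match on timing still needs confirming with the process that owns the ports, as the answer did with CurrPorts.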
