One computer filling logs with UDP Broadcast Default deny block

pfBasic

My logs recently started filling up with this, why is the computer all of the sudden trying to broadcast non stop on the same port that isn't used for anything specific? If I Easy pass it while logging it just goes through once and once it's successful it stops unless I flush the state. Wireshark doesn't capture it.

I'm just curious as to what is happening here and why?

LAN	Default deny rule IPv4 (1000000103)	  192.168.1.99:889	  192.168.1.255:889	UDP

johnpoz

"Wireshark doesn't capture it. "

Wireshark running where?  If pfsense is seeing it to block that it would be caught by capture..

I would have to guess that is Mac OS X machine doing that???

pfBasic

@johnpoz:

"Wireshark doesn't capture it. "

Wireshark running where?  If pfsense is seeing it to block that it would be caught by capture..

I would have to guess that is Mac OS X machine doing that???

Wireshark running on the computer that is causing the block, 192.168.1.99. Wireshark doesn't pick it up whether I pass or block the traffic?

And actually no, it's a Windows 7 Desktop.

johnpoz

Well 889 is normally MAC OS X RPC.. I have no idea what would be running on your windows 7 machine that would be broadcasting on that port..

If the pc is putting it on the wire and your running wireshark on that pc and not seeing it - your running wireshark wrong ;) hehe

Do a packet capture on pfsense for that port.. Download it and post it up so we can look to see what exactly is in the packets - this could give a hint to what is actually doing it or what its looking for, etc.

pfBasic

Yeah I'm sure I'm using it wrong. I've never used it before today. I just turned it on to grab everything on all interfaces and didn't see anything going to 192.168.1.255, so I tried again to get everything on all interfaces for port 889 and got nothing at all.

Here is the packet capture output for pfSense:

12:29:33.802955 d0:50:99:28:f1:25 > 00:15:17:7d:e7:cb, ethertype IPv4 (0x0800), length 1462: (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 1448)
    192.168.1.99.889 > 192.168.1.255.889: [udp sum ok] UDP, length 1420
12:29:33.803081 d0:50:99:28:f1:25 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 1462: (tos 0x0, ttl 1, id 23930, offset 0, flags [DF], proto UDP (17), length 1448)
    192.168.1.99.889 > 192.168.1.255.889: [udp sum ok] UDP, length 1420
12:29:46.582713 d0:50:99:28:f1:25 > 00:15:17:7d:e7:cb, ethertype IPv4 (0x0800), length 1462: (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 1448)
    192.168.1.99.889 > 192.168.1.255.889: [udp sum ok] UDP, length 1420
12:29:46.582961 d0:50:99:28:f1:25 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 1462: (tos 0x0, ttl 1, id 23979, offset 0, flags [DF], proto UDP (17), length 1448)
    192.168.1.99.889 > 192.168.1.255.889: [udp sum ok] UDP, length 1420
12:29:59.277514 d0:50:99:28:f1:25 > 00:15:17:7d:e7:cb, ethertype IPv4 (0x0800), length 1462: (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 1448)
    192.168.1.99.889 > 192.168.1.255.889: [udp sum ok] UDP, length 1420
12:29:59.277594 d0:50:99:28:f1:25 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 1462: (tos 0x0, ttl 1, id 24009, offset 0, flags [DF], proto UDP (17), length 1448)
    192.168.1.99.889 > 192.168.1.255.889: [udp sum ok] UDP, length 1420
12:30:11.928093 d0:50:99:28:f1:25 > 00:15:17:7d:e7:cb, ethertype IPv4 (0x0800), length 1462: (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 1448)
    192.168.1.99.889 > 192.168.1.255.889: [udp sum ok] UDP, length 1420
12:30:11.928342 d0:50:99:28:f1:25 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 1462: (tos 0x0, ttl 1, id 24023, offset 0, flags [DF], proto UDP (17), length 1448)
    192.168.1.99.889 > 192.168.1.255.889: [udp sum ok] UDP, length 1420
12:30:24.705849 d0:50:99:28:f1:25 > 00:15:17:7d:e7:cb, ethertype IPv4 (0x0800), length 1462: (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 1448)
    192.168.1.99.889 > 192.168.1.255.889: [udp sum ok] UDP, length 1420
12:30:24.705971 d0:50:99:28:f1:25 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 1462: (tos 0x0, ttl 1, id 24065, offset 0, flags [DF], proto UDP (17), length 1448)
    192.168.1.99.889 > 192.168.1.255.889: [udp sum ok] UDP, length 1420
12:30:37.481607 d0:50:99:28:f1:25 > 00:15:17:7d:e7:cb, ethertype IPv4 (0x0800), length 1462: (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 1448)
    192.168.1.99.889 > 192.168.1.255.889: [udp sum ok] UDP, length 1420
12:30:37.482105 d0:50:99:28:f1:25 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 1462: (tos 0x0, ttl 1, id 24421, offset 0, flags [DF], proto UDP (17), length 1448)
    192.168.1.99.889 > 192.168.1.255.889: [udp sum ok] UDP, length 1420
12:30:50.258238 d0:50:99:28:f1:25 > 00:15:17:7d:e7:cb, ethertype IPv4 (0x0800), length 1462: (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 1448)
    192.168.1.99.889 > 192.168.1.255.889: [udp sum ok] UDP, length 1420
12:30:50.258362 d0:50:99:28:f1:25 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 1462: (tos 0x0, ttl 1, id 24585, offset 0, flags [DF], proto UDP (17), length 1448)
    192.168.1.99.889 > 192.168.1.255.889: [udp sum ok] UDP, length 1420
12:31:03.034995 d0:50:99:28:f1:25 > 00:15:17:7d:e7:cb, ethertype IPv4 (0x0800), length 1462: (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 1448)
    192.168.1.99.889 > 192.168.1.255.889: [udp sum ok] UDP, length 1420
12:31:03.035242 d0:50:99:28:f1:25 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 1462: (tos 0x0, ttl 1, id 24784, offset 0, flags [DF], proto UDP (17), length 1448)
    192.168.1.99.889 > 192.168.1.255.889: [udp sum ok] UDP, length 1420
12:31:15.781144 d0:50:99:28:f1:25 > 00:15:17:7d:e7:cb, ethertype IPv4 (0x0800), length 1462: (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 1448)
    192.168.1.99.889 > 192.168.1.255.889: [udp sum ok] UDP, length 1420
12:31:15.781392 d0:50:99:28:f1:25 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 1462: (tos 0x0, ttl 1, id 25307, offset 0, flags [DF], proto UDP (17), length 1448)
    192.168.1.99.889 > 192.168.1.255.889: [udp sum ok] UDP, length 1420
12:31:28.384498 d0:50:99:28:f1:25 > 00:15:17:7d:e7:cb, ethertype IPv4 (0x0800), length 1462: (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 1448)
    192.168.1.99.889 > 192.168.1.255.889: [udp sum ok] UDP, length 1420
12:31:28.384622 d0:50:99:28:f1:25 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 1462: (tos 0x0, ttl 1, id 25373, offset 0, flags [DF], proto UDP (17), length 1448)
    192.168.1.99.889 > 192.168.1.255.889: [udp sum ok] UDP, length 1420

johnpoz

click the download button in packet capture and post up the file.. That does not allow to see any data.. But those seem to be large packets!!  Like some sort of stream.. length is 1420..

Your PC is a Asrock system and your pfsense is intel system.. Seems odd that its sending the directed broadcast .255 to 00:15:17:7d:e7:cb and all FF's mac..  You sure you don't have a mask wrong or something and .255 is host?  Are you using say a /22 or something?

pfBasic

Oh, sorry here you go! And thank you for taking your time to help me out.

packetcapture.pcap

pfBasic

@johnpoz:

click the download button in packet capture and post up the file.. That does not allow to see any data.. But those seem to be large packets!!  Like some sort of stream.. length is 1420..

Your PC is a Asrock system and your pfsense is intel system.. Seems odd that its sending the directed broadcast .255 to 00:15:17:7d:e7:cb and all FF's mac..  You sure you don't have a mask wrong or something and .255 is host?  Are you using say a /22 or something?

It's certainly possible I've messed something up. Although the network is working perfectly well.

It's a /24 network.

johnpoz

So I see the same question here - but no answer

https://ask.wireshark.org/questions/59565/udp-broadcast-port-889

At a loss to what that traffic would be.. They are large packets - but nothing really in them.. I have tried decoding them as different things.. But not sure what that traffic is..

pfBasic

Interesting, well thank you for your help, I really do  appreciate it.

I just clicked Easy pass in the logs then edited the rule to block it without logging so at least it won't be flooding the logs.

johnpoz

I would be very interested in what the traffic is.. Can you figure out what process on your pc is sending it?  That can be hard with UDP.. But I really would look to what is sending that traffic.. Maybe someone else can tell from that sniff.  But I have been unable to figure out what it is.. its not bt-dht or something..

But someone with better wireshark fu than me might figure it out from your sniff.. Lets hope because I am now very curious ;)

There are few tools you can use on windows to try and figure out what is the process sending them - which can give us a clue to what it is..  But I can tell you I have never seen such traffic before…

pfBasic

I'd be glad to look into it more and report back, I just don't have a clue as to what I'm doing with Wireshark. I literally installed it this morning because I was curious about those logs.

johnpoz

wireshark is not going to be able to tell you what process is sending the traffic on windows.  But seems you have more machine than 1 sending.  Your sniff you attached shows its coming from 192.168.1.26, not .99

you could use something like https://technet.microsoft.com/en-us/sysinternals/tcpview.aspx

To try and catch what is sending the UDP.  While is more geared to your tcp traffic, it can do udp as well.

https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx

is another tool that could be used to track down what is creating udp traffic.

Since its sending from udp 889.. you could also see if its listening on that port.  Say simple netstat -anb could show you the process if what is sending is also listening, etc.

pfBasic

Ok thanks I'll check that out and report back. It was both the same machine, different DHCP lease

johnpoz

yup same machine see the same mac in both.. that 28:f1:15 as the sender.

pfBasic

Thank you for links to those programs! I used process monitor and had it figured out right away! Great tools, very easy to use.

It was some bloatware software from the motherboard manufacturer.

ASRock XFast LAN by cFosSpeed Service

Uninstalled.

johnpoz

Have to look to what it was suppose to be doing sending data to a broadcast address..

Glad you got it sorted.. I recall cfosSpeed - its been around for many years as some form of optimization/shaping tool.. Been years and years since looked at it.. Now going to have to figure out for my own curiosity what it was doing sending very large packets with no real data in them out to a brodcast address..

There are lots of sysinternal tools that are very useful..  Too bad many of those features/functions are not just built right into the OS.. many of those tools should just come with the OS…

edit:  So it was this
http://www.asrock.com/feature/XFast/XFastLAN/index.asp

Why and the F would it send out large packets to broacast???  Wonder if there is any whitepaper on it.

doktornotor

Asus is well known for producing completely idiotic "addons" to their MBs. I recall some crap called XFastUSB or something, just broke USB completely. Ugh.

pfBasic

Haha yeah, when I uninstalled it took me to their website and had a questionnaire with a long list of reasons why I uninstalled. They were all along the lines of because your program makes things worse not better.

Harvy66

I never install 3rd-party if I don't have to. If drivers have both an install and just the drivers, I got with just the drivers. Except my Razer, which I would like to find another mouse, but all mice require 3rd-party apps for their custom features.