Ask Your Question
0

Port 5228 shows hpvroom when it is chrome

asked 2019-10-30 02:56:32 +0000

hbackus gravatar image

Wireshark shows TCP port 5228 as HP Virtual Room (hpvroom). This is the well-known port for 5228. By running netstat -b at the same time Wireshark logs the capture as hpvroom netstat shows that chrome.exe trying to connect to the destination port 5228. Is there another dissector that would long this as chrome? Is there other data on this in the Wireshark forum? I have some information that this could be XMPP or GCM connection attempts also. I have management freaking out over port 5228 attempts without knowing what application initiated the conversation. They don't believe it is an HP Virtual Room conversation or an Android conversation since our workstations are Windows 7 Pro systems exclusively. Any information or pointing me to a resource would be appreciated.

edit retag flag offensive close merge delete

3 Answers

Sort by ยป oldest newest most voted
0

answered 2022-06-22 06:32:36 +0000

Noguru gravatar image

MG-SOFT Net Inspector 6.5.0.828 - Multiple Vulnerabilities EDB-ID: 5269 CVE: 2008-1402 2008-1401 2008-1400

edit flag offensive delete link more
0

answered 2019-10-30 05:20:33 +0000

Jaap gravatar image

updated 2019-10-30 05:21:05 +0000

The answer was one simple search away: https://www.speedguide.net/port.php?port=5228, and here. It states:

Google Chrome user settings sync (facorites, history, passwords) uses port 5228

PS: If management is 'freaking out' over a port access it should educate itself on modern day networking, IMHO.

edit flag offensive delete link more

Comments

VP-level an above make decisions on magazine articles and Sales Engineers (spin doctors). :-) Presentation is everything (even if it isn't accurate).;-)

hbackus gravatar imagehbackus ( 2019-11-01 12:44:14 +0000 )edit
0

answered 2019-10-30 05:28:00 +0000

Chuckc gravatar image

updated 2019-10-30 05:34:45 +0000

https://developers.google.com/web/ilt...
Chrome currently uses Firebase Cloud Messaging (FCM) as its push service. FCM recently adopted the Web Push protocol. FCM is the successor to Google Cloud Messaging (GCM) and supports the same functionality and more.
https://firebase.google.com/docs/clou...
If your organization has a firewall to restrict traffic to or from the Internet, you need to configure it to allow mobile devices to connect with FCM in order for devices on your network to receive messages. FCM typically uses port 5228, but it sometimes uses 5229 and 5230.

The traffic is probably encrypted so not what you will get if setting decode to TLS for port 5228
You can map the port number to "google" by setting up a personal "services" files: https://www.wireshark.org/docs/man-pa...

Name Resolution (services)
The services file is used to translate port numbers into names. Both the global services file and personal services files are used if they exist.

The file has the standard services file syntax; each line contains one (service) name and one transport identifier separated by white space. The transport identifier includes one port number and one transport protocol name (typically tcp, udp, or sctp) separated by a /.

An example is:

mydns 5045/udp # My own Domain Name Server mydns 5045/tcp # My own Domain Name Server

Put your custom "services" file in the folder pointed to by Help->About->Folders: Personal Configuration My services file for testing:

google      5228/tcp    # Google Cloud/Firebase messaging
edit flag offensive delete link more

Comments

Excellent, thanks so much for the details.

hbackus gravatar imagehbackus ( 2019-11-01 12:39:20 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-10-30 02:56:32 +0000

Seen: 9,955 times

Last updated: Oct 30 '19