Ask Your Question
0

random data going to broadcast

asked 2019-11-13 09:46:01 +0000

kg gravatar image

Hi , I am analysing a PCAP and some random Data is going to the Broadcast Address 255.255.255.255 and also the Gateway Broadcast X.X.X.255.

I don't have access to the host to see which service it is generated from but from port searching in the internet it seems that traffic to Gateway Broadcast X.X.X.255 ist service encore with port 1740. Can't seem to find what this service does! Also the same is happening in Port 1741,1742 And 1743. Pakte Bytes are c50b400100100061

Traffic going to Broadcast IP 255.255.255.255 is generated on Port 49166 and Dst 27127 both unassigned Ports and has this byte stream. baf35b2f7e03757d6f0f29533327c637726d9f336a75766cf988504080726166f6732adc53

I've tried all the Decode and Show As Options from Wireshark but cant seem to know what it is. Has someone had the same Problem maybe?

edit retag flag offensive close merge delete

Comments

Can you share a capture containing the packets in question?? Use a public file share such as Google Drive, DropBox etc. and post a link to it back here.

grahamb gravatar imagegrahamb ( 2019-11-13 11:05:27 +0000 )edit

https://drive.google.com/file/d/1KK-f...

I have activated all the protocol dissectors in Wireshark with the hope that someone can interpret it ...

kg gravatar imagekg ( 2019-11-13 11:41:20 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-11-13 11:59:15 +0000

grahamb gravatar image

If your environment does PLC work then these might be possible answers:

The 1740-43 ports seem to be used by Codesys PLC programming software, see here.

Port 27127 appears to be used by Schneider Electric for Machine Controller discovery, see here.

edit flag offensive delete link more

Comments

it does but I couldn't pinpoint what is generating it. May I ask how did you find out, because I have googled extensively and would gladly be better in my Wireshark skills.

kg gravatar imagekg ( 2019-11-13 12:02:49 +0000 )edit

I googled UDP "27127" and UDP "1740". Note the quotes around the port numbers to only show pages that included those specific numbers. I suspected some form of discovery protocol because UDP broadcasts are a very common way of doing that.

You could also look at the originating MAC address of the broadcasts to determine which host is sending them and then use netstat on the machine to determine the process.

grahamb gravatar imagegrahamb ( 2019-11-13 12:14:07 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2019-11-13 09:46:01 +0000

Seen: 831 times

Last updated: Nov 13 '19