Ask Your Question
0

Why is Port (5037) Active on Loopback?

asked 2022-05-24 20:52:30 +0000

Vtechie gravatar image

updated 2022-07-23 08:20:18 +0000

grahamb gravatar image

I start up the Loopback Adapter on Wireshark, then I will start another Wireshark capture for my ethernet interface. When I do this, the Loopback Adapter will have at least 2 frames, with port (5037). This is an Android device and I'm on Windows 10. In Resource Monitor on my Windows 10, I have an extra Network name that gets most of the traffic. Is there anyway to find out if these are connected?

Thank you so very much,

Vtechie

In the preview this looks like it is all jumbled together, but in my view of it as I have copied and pasted, it is not that way. Sorry, I cannot straighten it out.

60 Points needed to upload a picture. I do not have that yet.

Frame 1: 56 bytes on wire, 56 bytes captured on interface \Device\NPF_Loopback, id 0
Null/Loopback
    Family: IP (2)
Internet Protocol Version 4, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 52
    Identification: 0xc45a (50266)
    Flags: 0x40, Don't fragment
        0... .... = Security flag: Not evil
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 128
    Protocol: TCP (6)
    Header Checksum: 0x0000 incorrect, should be 0x3867(may be caused by "IP checksum offload"?)
        [Expert Info (Error/Checksum): Bad checksum [should be 0x3867]]
    [Header checksum status: Bad]
    [Calculated Checksum: 0x3867]
    Source Address: 127.0.0.1 (127.0.0.1)
    <Source or Destination Address: 127.0.0.1 (127.0.0.1)>
    <[Source Host: 127.0.0.1]>
    <[Source or Destination Host: 127.0.0.1]>
    Destination Address: 127.0.0.1 (127.0.0.1)
    <Source or Destination Address: 127.0.0.1 (127.0.0.1)>
    <[Destination Host: 127.0.0.1]>
    <[Source or Destination Host: 127.0.0.1]>
Transmission Control Protocol, Src Port: 49688 (49688), Dst Port: 5037 (5037), Seq: 0, Len: 0
    Source Port: 49688 (49688)
    Destination Port: 5037 (5037)
    <Source or Destination Port: 49688 (49688)>
    <Source or Destination Port: 5037 (5037)>
    [Stream index: 0]
    [Conversation completeness: Incomplete (37)]
    [TCP Segment Len: 0]
    Sequence Number: 0    (relative sequence number)
    Sequence Number (raw): 2276443805
    [Next Sequence Number: 1    (relative sequence number)]
    Acknowledgment Number: 0
    Acknowledgment number (raw): 0
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x002 (SYN)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 5037]
                [Connection establish request (SYN): server port 5037]
                <Message: Connection establish request (SYN): server port 5037>
                [Severity ...
(more)
edit retag flag offensive close merge delete

Comments

So you are off line and communicating with an hacker that you identified as using Android? In my book that sound rather unlikely.

The sinlge SYN packet shown has nothing that validates your suggestion.

hugo.vanderkooij gravatar imagehugo.vanderkooij ( 2022-05-25 05:38:14 +0000 )edit

Also note from your output:

Flags: 0x40, Don't fragment
        0... .... = Security flag: Not evil
grahamb gravatar imagegrahamb ( 2022-05-25 18:59:48 +0000 )edit

Still just a standard tcp connection attempt with a SYN in frame 1 and a RST in frame 2, probably because there's nothing listening on the destination port (5037) which is assigned by IANA to be the Android ADB Server port.

grahamb gravatar imagegrahamb ( 2022-07-23 08:24:26 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-07-23 11:08:09 +0000

Guy Harris gravatar image

60 Points needed to upload a picture. I do not have that yet.

If you wanted to upload a screenshot showing the text you pasted, then it's a Very Good Thing that you don't have 60 points, because it forced you to paste it as text; text is easier to read, and it's possible to select and copy text from it and paste it elsewhere. Even if you do eventually get 60 points, please just paste text rather than screenshots or other pictures whenever possible.

In the preview this looks like it is all jumbled together, but in my view of it as I have copied and pasted, it is not that way. Sorry, I cannot straighten it out.

Just put four additional blanks at the beginning of every line (even lines that already have four or more blanks, so that the lines are all indented by the same amount); that forces it to be shown as preformatted text.

This is an Android device and I'm on Windows 10

There's no Android device traffic there. The text you show is for traffic captured on the Windows 10 machine, and it's captured on the loopback interface, meaning it's not traffic that has gone over any network interface on your Windows machine, it's traffic sent from one process on your Windows machine to another process on the same machine, to the "loopback address" 127.0.0.1.

As Google - or whatever part of Alphabet now owns Android - says:

Android Debug Bridge (adb) is a versatile command-line tool that lets you communicate with a device. The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device. It is a client-server program that includes three components:

  • A client, which sends commands. The client runs on your development machine. You can invoke a client from a command-line terminal by issuing an adb command.
  • A daemon (adbd), which runs commands on a device. The daemon runs as a background process on each device.
  • A server, which manages communication between the client and the daemon. The server runs as a background process on your development machine.

The traffic you're capturing is probably the client tried to connect to the server (the initial SYN) and the server responding to that attempt by rejecting it (the responding RST). There's no traffic in that capture between the Android device and the server, as that traffic would go over a LAN interface on your Windows machine, and would show up in a capture on that interface, not on the loopback interface.

So port 5037 is active on the loopback interface because you're using adb on your Windows machine.

edit flag offensive delete link more

Comments

Two pedantic comments:

  • The Ask editor has a keyboard shortcut for pre-formatted text, Ctrl + K.
  • I would argue that port 5037 isn't "active" as in open and able to accept data as the response is a TCP RST. The client is attempting to connect to port 5037 but I don't think that really counts as making the port "active".
grahamb gravatar imagegrahamb ( 2022-07-24 10:58:29 +0000 )edit

I'm not using my laptop for any development and therefore when I see an active port (5037) because there is traffic trying to get a response. I do not have an Android Debug Bridge active nor have I used one before as of yet. I am just running a Dell Laptop and iPhones along with the Asus Router and Hitron Modem. I am asking question for a reason. I wanted to find out more about how this port (5037) is being accessed and why. If it is LAN device that I is in my home by mischievousness then I would like to know more about it, and how would I be able to track that down to the user?

Vtechie gravatar imageVtechie ( 2022-07-24 18:49:03 +0000 )edit

I wanted to find out more about how this port (5037) is being accessed

It's being accessed by another program running on your machine. The traffic is showing up on the loopback interface, and it's coming from and sent to the IP address 127.0.0.1, which mean it's not coming from another machine on your network.

If it is LAN device

It isn't, as indicated above.

Guy Harris gravatar imageGuy Harris ( 2022-07-24 18:52:54 +0000 )edit

I have Microsoft Windows 10, no Android Device charged let alone plugged in. I have seen more Android Devices talk on Wireshark Ethernet interface then I think should be happening. When I do netsh ras: show mode offline, it say I am online and in another place too. I think it is all intranet activity.

Vtechie gravatar imageVtechie ( 2022-07-24 19:39:53 +0000 )edit

I think it is all intranet activity.

Traffic from 127.0.0.1 to 127.0.0.1 is about as "intranet" as it gets - it's on a network that's internal to your computer, with no physical network (Ethernet, Wi-Fi, PPP over two tin cans and a string) involved.

Guy Harris gravatar imageGuy Harris ( 2022-07-25 09:42:32 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-05-24 20:52:30 +0000

Seen: 1,242 times

Last updated: Jul 23 '22