Last time i used Wireshark, when i restricted all internet access with my firewalls there used to be 0 activity. Now a few months later this thing pops up. What is it and how do i get rid of it ? Im concerned that it's getting past my 2 firewalls.
image : https://ibb.co/rx8qFkj
The raknet dissector is a heuristic dissector that has no preferences to specify a port.
It could be a fluke that your traffic matches the weak heuristic test for a match.
epan/dibe ssectors/packet-raknet.c
test_raknet_heur(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree _U_, void* data _U_)
{
if (tvb_memeql(tvb, 1 + 8, RAKNET_OFFLINE_MESSAGE_DATA_ID, sizeof(RAKNET_OFFLINE_MESSAGE_DATA_ID)) == 0) {
/* ID_UNCONNECTED_PING */
return TRUE;
}
...
Disable it (Analyze -> Enabled Protocols... -> Search: "raknet") and see if another dissector claims the packets.
now UDP picks them i recognize the 31313 port, i ran it in cmd netstat -nabo but it does not appear so i can't figure out what app is doing this :
They are coming from different ips in like 3 countries
306 74.725687 185.17.164.238 192.168.0.24 UDP 75 14349 → 31313 Len=33
Is this on a Windows machine? Similar question answered using sysinternals.
UDP Port 889 Broadcast (ip.ttl "Time to Live" only 1)
I turned off everything again, blocked all traffic with my firewalls, reseted Wireshark protocols back to default and now it looks like everything is back to normal. No more RakNet packets. The question now is was it just a "fluke" or is somebody spying on me.
found this today ... now im more worried : https://youtu.be/LCsX5dZc1kc
Asked: 2024-03-28 19:49:21 +0000
Seen: 248 times
Last updated: Mar 28
