Strange packets captured

answered 2019-06-02 22:15:52 +0000

SYN-bit

18344 ●9 ●301 ●255 https://SYN-b.it

Thanks for uploading the file and making sure the picture is available. The only things I can deduct are:

IP address 112.11.202.22 Geo-locates to China
Port 8999 might be related to Crypto, backup or quicktime (or something else completely)
The packets are sent out every ~29 sec, which is kind-of odd (usually one would then see around 30 sec interval)
Most UDP payload is the same in every packet, except for byte offset 4-7. These 32 bits seem to count up. As the value increases with ~29000000 between the packets, this looks like a microsecond counter.

Hope this helps a bit...

edit flag offensive delete link

Comments

I don't know what that traffic is, but to take the discovery process a little further:

If you own/control 192.168.31.177, you could check to see if their is a UDP listener for that traffic coming in. If so, the name of the executable might give you a clue. As admin/root, in Linux, you could try

netstat -unlp

or in Windows,

netstat -p udp -nab

Since it is a Dell mac, I am assuming that it is not MacOS.

Look for UDP port 8999 in the results listing; is their an executable? If so, see if you can find where it came from. Maybe the folder it is in... or from Google.

Bob Jones ( 2019-06-02 23:19:08 +0000 )edit

add a comment

Not from a picture, and especially not from a picture that is no longer available. Could you upload the pcap file somewhere on a public share like dropbox, onedrive, etc and post the link here?

SYN-bit ( 2019-06-02 20:44:00 +0000 )edit

Oh, I'm sorry. https://drive.google.com/open?id=13Va...

awfulme ( 2019-06-02 21:18:52 +0000 )edit

Strange packets captured

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Strange packets captured edit

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Strange packets captured