
Interpreting Results - Microsoft Network Monitor 3.1


2 replies to this topic

#1 On the fence


  • Members
  • 2 posts

Posted 11 March 2008 - 03:23 PM

I just installed Microsoft's Network Monitor 3.1 recently to see why the internet connection has been so slow. Wondering if someone in the office was using a bittorrent app or something like that.

When I filtered the report to show only my computer's traffic, I noticed that I was getting some strange results. About 95% of the entries being logged were this back-and-forth between another computer on the network and mine. This other computer is wired to the network and shares a printer connected to mine, but all other computers also share this printer and are not communicating with mine.

So, I guess I just wanted to see if anyone can tell me if this is a "normal" type of transaction or not. I tried rebooting the network and rebooting my computer, I tried disabling and re-enabling network connections. After the connection was restored each time these entries would show up again. I have a McAfee Firewall installed that does not seem to mind this type of communication, no alerts, or red flags.

Here's a snippet/example of the entries I'm seeing:
Frame# Time Offset Source Destination Protocol Name Description
3 0.000000 192.168.1.56 192.168.1.55 MSRPC MSRPC: c/o Request: unknown Call=0x58B70 Opnum=0x45 Context=0x0 Hint=0xDA
4 0.000000 192.168.1.55 192.168.1.56 MSRPC MSRPC: c/o Response: unknown Call=0x58B70 Context=0x0 Hint=0x18 Cancels=0x0
5 0.000000 192.168.1.56 192.168.1.55 MSRPC MSRPC: c/o Request: unknown Call=0x58B71 Opnum=0x4 Context=0x0 Hint=0x28
6 0.000000 192.168.1.55 192.168.1.56 MSRPC MSRPC: c/o Response: unknown Call=0x58B71 Context=0x0 Hint=0x10 Cancels=0x0
7 0.000000 192.168.1.56 192.168.1.55 MSRPC MSRPC: c/o Request: unknown Call=0x58B72 Opnum=0x1D Context=0x0 Hint=0x14
8 0.000000 192.168.1.55 192.168.1.56 MSRPC MSRPC: c/o Response: unknown Call=0x58B72 Context=0x0 Hint=0x18 Cancels=0x0
9 0.000000 192.168.1.56 192.168.1.55 MSRPC MSRPC: c/o Request: unknown Call=0x58B73 Opnum=0x45 Context=0x0 Hint=0xDA
10 0.000000 192.168.1.55 192.168.1.56 MSRPC MSRPC: c/o Response: unknown Call=0x58B73 Context=0x0 Hint=0x18 Cancels=0x0

I understand that MSRPC stands for Microsoft Remote Procedure Call, but I guess my concern is that this type of protocol could be hijacked by an intruder.

Can anyone clarify this for me?

Appreciate the help!

Edit: Moved topic to the more appropriate forum. ~ Animal


#2 Baric


  • Members
  • 47 posts
  • Gender:Male
  • Location:Hudson, NH, USA

Posted 12 March 2008 - 12:18 AM

It's not really a problem, but if the traffic concerns you, just go to the 192.168.1.56 box and have them stop monitoring the printer queue. I suspect they have the print queue status window running with automatic refresh set, or something similar. Once you said you shared a printer this other box was using, the opnum field can be resolved to a particular RPC call, in this case for the MS Remote Printing protocol (MS-RPRN). If you look at the trace, you see pairs of requests and responses for 3 different opnums, repeated in sequence over and over. Opnum 0x45 is RpcOpenPrinterEx(), 0x4 is RpcEnumJobs(), and 0x1D is RpcClosePrinter(). So what you have is someone at IP 192.168.1.56 who is in a loop opening a printer on your box, enumerating the jobs on it, then closing the printer. Sounds like the printer status window with auto-refresh running to me, but it could be any application that is getting current printer jobs every so often.

Hope that helps.
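
A small decoder for Network Monitor output like the snippet in the first post, added here as an example; it is not code from the original posts and not part of Network Monitor. It parses the Frame/Source/Destination/Description columns as pasted above, pairs each MSRPC Request with its Response by Call ID, maps opnums to MS-RPRN call names using a partial table (the three opnums Baric resolved plus a few others from the [MS-RPRN] spec; anything else is reported as unknown), and finds the shortest repeating sequence of calls between the chattiest client/server pair. The embedded sample is the eight frames quoted in the first post; the column layout the regex expects is an assumption based on that paste.

```python
import re
from collections import Counter

# Constructed sample: the eight frames quoted in the original post, verbatim.
SAMPLE_TRACE = """\
3 0.000000 192.168.1.56 192.168.1.55 MSRPC MSRPC: c/o Request: unknown Call=0x58B70 Opnum=0x45 Context=0x0 Hint=0xDA
4 0.000000 192.168.1.55 192.168.1.56 MSRPC MSRPC: c/o Response: unknown Call=0x58B70 Context=0x0 Hint=0x18 Cancels=0x0
5 0.000000 192.168.1.56 192.168.1.55 MSRPC MSRPC: c/o Request: unknown Call=0x58B71 Opnum=0x4 Context=0x0 Hint=0x28
6 0.000000 192.168.1.55 192.168.1.56 MSRPC MSRPC: c/o Response: unknown Call=0x58B71 Context=0x0 Hint=0x10 Cancels=0x0
7 0.000000 192.168.1.56 192.168.1.55 MSRPC MSRPC: c/o Request: unknown Call=0x58B72 Opnum=0x1D Context=0x0 Hint=0x14
8 0.000000 192.168.1.55 192.168.1.56 MSRPC MSRPC: c/o Response: unknown Call=0x58B72 Context=0x0 Hint=0x18 Cancels=0x0
9 0.000000 192.168.1.56 192.168.1.55 MSRPC MSRPC: c/o Request: unknown Call=0x58B73 Opnum=0x45 Context=0x0 Hint=0xDA
10 0.000000 192.168.1.55 192.168.1.56 MSRPC MSRPC: c/o Response: unknown Call=0x58B73 Context=0x0 Hint=0x18 Cancels=0x0
"""

# Partial MS-RPRN opnum table (added for this example; values from the [MS-RPRN] spec).
# Only meaningful if the RPC context was bound to the print spooler interface.
MS_RPRN_OPNUMS = {
    0x00: "RpcEnumPrinters",
    0x01: "RpcOpenPrinter",
    0x02: "RpcSetJob",
    0x03: "RpcGetJob",
    0x04: "RpcEnumJobs",
    0x08: "RpcGetPrinter",
    0x1D: "RpcClosePrinter",
    0x45: "RpcOpenPrinterEx",
}

# Assumed column layout: Frame# Time Src Dst Protocol Description (as pasted above).
LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+MSRPC\s+"
    r"MSRPC: c/o (?P<kind>Request|Response): \S+ Call=0x(?P<call>[0-9A-Fa-f]+)"
    r"(?: Opnum=0x(?P<opnum>[0-9A-Fa-f]+))?"
)


def parse_trace(text):
    """Return one dict per MSRPC frame; header lines and other protocols are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        frames.append({
            "frame": int(d["frame"]),
            "src": d["src"],
            "dst": d["dst"],
            "kind": d["kind"],
            "call": int(d["call"], 16),
            "opnum": int(d["opnum"], 16) if d["opnum"] else None,
        })
    return frames


def decode_opnum(opnum):
    return MS_RPRN_OPNUMS.get(opnum, f"unknown opnum 0x{opnum:X}")


def pair_calls(frames):
    """Match each Request with the Response carrying the same Call ID in the reverse direction."""
    pending, calls = {}, []
    for f in frames:
        if f["kind"] == "Request":
            key = (f["call"], f["src"], f["dst"])
            rec = {"call": f["call"], "client": f["src"], "server": f["dst"],
                   "opnum": f["opnum"], "name": decode_opnum(f["opnum"]), "answered": False}
            pending[key] = rec
            calls.append(rec)
        else:
            key = (f["call"], f["dst"], f["src"])  # response flows server -> client
            rec = pending.pop(key, None)
            if rec is not None:
                rec["answered"] = True
    return calls


def find_cycle(names):
    """Shortest prefix that, repeated, reproduces the whole sequence (the sequence itself if none)."""
    for period in range(1, len(names) + 1):
        if all(names[i] == names[i % period] for i in range(len(names))):
            return names[:period]
    return names


def summarize(text):
    """Describe the busiest client/server pair: what it calls, in what loop, and whether replies came back."""
    calls = pair_calls(parse_trace(text))
    if not calls:
        return None
    (client, server), n = Counter((c["client"], c["server"]) for c in calls).most_common(1)[0]
    names = [c["name"] for c in calls if c["client"] == client and c["server"] == server]
    return {
        "client": client,
        "server": server,
        "requests": n,
        "cycle": find_cycle(names),
        "unanswered": sum(1 for c in calls if not c["answered"]),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_TRACE)
    print(f"{s['client']} -> {s['server']}: {s['requests']} requests, loop = {' / '.join(s['cycle'])}, "
          f"unanswered = {s['unanswered']}")
```

Two caveats when using this on a real capture. The "unknown" in Network Monitor's description means the parser did not see which interface the RPC context was bound to, so the opnum-to-name mapping is only valid once you have confirmed the bind (the bind request, usually on the spooler's named pipe, carries the interface UUID; for MS-RPRN that is 12345678-1234-abcd-ef00-0123456789ab). And the decoder only tells you what is being called, not whether it is benign: a tight RpcOpenPrinterEx / RpcEnumJobs / RpcClosePrinter loop with every call answered looks like the status polling Baric describes, while opnums outside the print-status set, or requests that never get a response, are what would merit a closer look.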

#3 On the fence

  • Topic Starter

  • Members
  • 2 posts

Posted 17 March 2008 - 04:03 PM

Excellent analysis, thank you for pointing me in the right direction.
You are right that it is not something to be concerned about. (Unless of course it were degrading the speed of the network)

Turns out it is WordPerfect (word processor) making these printer requests. I'm not sure why WordPerfect is so fixed on printing but as soon as I shut down that app on that machine, the communication ceases. When I re-open it the chatter begins again. Like you said it could be that a setting got turned on on that machine. I'll look into that.

Thanks for the response and for transferring this topic to the appropriate forum.

Great!

PS: is there a database you could point me to for interpreting these codes next time? I'm also not familiar with some of the protocols.
