
Network gurus... UDP outbound to port 1230 every 17 seconds?


Josh Miller

May 5, 2004, 5:00:25 PM
I am experiencing some very strange network activity. Some of the
boxes on my network are sending a UDP packet from the NTP port (UDP
123) outbound to IP 85.85.170.170 port 1230 every 17 seconds. I have
all recent MS patches installed and up-to-date TrendMicro AV sigs.
There was another post about what looks like exactly the same thing
happening to someone else back in November but he posted
anonymously... http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=098a01c3ad27%2475131320%24a401280a%40phx.gbl

Can anyone explain this?
TIA
duhjosh~~at~~hotmail~~dot~~c~o~m

anon...@discussions.microsoft.com

May 5, 2004, 5:55:37 PM
Network Time Protocol (NTP) uses UDP port 123 to
synchronize network time.

Josh Miller

May 6, 2004, 11:24:34 AM
duh...@hotmail.com (Josh Miller) wrote in message news:<2e1feb28.04050...@posting.google.com>...

> I am experiencing some very strange network activity. Some of the
> boxes on my network are sending a UDP packet from the NTP port (UDP
> 123) outbound to IP 85.85.170.170 port 1230 every 17 seconds. I have

> http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=098a01c3ad27%2475131320%24a401280a%40phx.gbl

Well I finally figured out what this was. I hope the anonymous poster
who had this same problem back in November was able to figure out what
was going on quickly and didn't spend too much time on this. I'll
post the details here in case this weird behavior is noticed by
someone else. Maybe it will save a day of troubleshooting and
tracking... :)

It turned out to be an HP printer on my network that wasn't DHCP'ing
all of a sudden and registered itself as 85.85.170.170. I used MS's
network monitor to watch one of my servers that was sending data out
to IP 85.85.170.170 port 1230 and grabbed the MAC address of the box.
Looking up the MAC vendor code online I determined that it was an HP
NIC. The only HP NICs I have on my network are printers. After
finally finding the MAC in my DHCP system and turning off the
suspected printer, the requests stopped. Something had happened to
this stupid printer where all of a sudden it wasn't able to DHCP, it
registered itself as 85.85.170.170 and started broadcasting NTP
requests to port 123 on subnet 255.255.255.255. We reset the printer
back to factory defaults and everything was fine after that. Oh well,
another day wasted tracking down weird network behavior. Hopefully
the next time someone sees this behavior and Googles it they will
come across this solution. :D
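
The tracing steps described in the post above (spot the fixed-interval flow, then tie the off-subnet address to a MAC and its vendor prefix), as an added example that is not part of the original thread. The capture rows, the 192.168.1.0/24 local subnet, the MAC addresses and the vendor table are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed local subnet

# Constructed OUI table; a real lookup would use the IEEE registry.
OUI_VENDORS = {"02:00:5e": "ExamplePrinterCo (constructed)"}

def make_sample():
    """Constructed capture rows: (time_s, src_mac, src_ip, sport, dst_ip, dport)."""
    rows = []
    for i in range(6):
        t = i * 17.0
        # The misconfigured device broadcasts an NTP request...
        rows.append((t, "02:00:5e:10:20:30", "85.85.170.170", 1230, "255.255.255.255", 123))
        # ...and a local server answers it from UDP 123.
        rows.append((t + 0.01, "02:aa:bb:00:00:01", "192.168.1.10", 123, "85.85.170.170", 1230))
    for t in (3.0, 9.5, 40.2, 41.0):  # unrelated, irregular traffic
        rows.append((t, "02:aa:bb:00:00:02", "192.168.1.20", 40000, "192.168.1.1", 53))
    return sorted(rows)

def periodic_flows(rows, min_packets=4, max_jitter=0.5):
    """Return {(src_ip, dst_ip, dport): mean_interval_s} for fixed-interval flows."""
    times = defaultdict(list)
    for t, _mac, src, _sport, dst, dport in rows:
        times[(src, dst, dport)].append(t)
    out = {}
    for flow, ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_packets and pstdev(gaps) <= max_jitter:
            out[flow] = round(mean(gaps), 2)
    return out

def off_subnet_sources(rows, local_net=LOCAL_NET):
    """Map each source IP outside local_net to the (MAC, vendor) that sent it."""
    found = {}
    for _t, mac, src, *_rest in rows:
        if ipaddress.ip_address(src) not in local_net:
            found[src] = (mac, OUI_VENDORS.get(mac[:8].lower(), "unknown"))
    return found

if __name__ == "__main__":
    sample = make_sample()
    print(periodic_flows(sample))
    print(off_subnet_sources(sample))
```
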
