Old 01-05-2013, 04:53 PM   #1
think2
Member
 
Join Date: Dec 2009
Posts: 141
Default how to monitor incoming UDP messages

Is there any software that I can run on Windows 7 to monitor UDP messages sent to port 514 from my router? I'm trying to get "syslog watcher" to work to monitor my TPLink router and want to see if the router is actually sending messages to my PC.
Old 01-05-2013, 06:35 PM   #2
VirtualLarry
Lifer
 
VirtualLarry's Avatar
 
Join Date: Aug 2001
Posts: 26,422
Default

Did you remember to create an exception in the firewall on the Windows 7 machine for that application?
Old 01-05-2013, 07:10 PM   #3
Gryz
Senior Member
 
Gryz's Avatar
 
Join Date: Aug 2010
Posts: 450
Default

Wireshark is a free utility to see any packets going over your ethernet wire. Just configure it to filter only UDP 514, and start capturing. Should not be too complicated.
Old 01-05-2013, 07:18 PM   #4
think2
Member
 
Join Date: Dec 2009
Posts: 141
Default

Quote:
Originally Posted by VirtualLarry
Did you remember to create an exception in the firewall on the Windows 7 machine for that application?
Yes, I have an incoming rule that allows UDP messages to go to syslog watcher for all ports. I also tried turning the firewall off completely.
Old 01-05-2013, 07:50 PM   #5
think2
Member
 
Join Date: Dec 2009
Posts: 141
Default

Quote:
Originally Posted by Gryz
Wireshark is a free utility to see any packets going over your ethernet wire. Just configure it to filter only UDP 514, and start capturing. Should not be too complicated.
Thanks. With a filter of udp.port == 514, it seems there are no messages of that type being received. In the router, I can trigger an "alert" message by going to the Shields Up website and running a port scan. The router then (usually) shows a "kernel intrusion" alert in its local log, but nothing comes up in Wireshark.

Wireshark doesn't appear in the Windows firewall rules. How does it get round the firewall?

I've used a command line program called "logger" to generate a syslog message that I type in and that does show up in syslog watcher.
Old 01-06-2013, 07:48 AM   #6
Gryz
Senior Member
 
Gryz's Avatar
 
Join Date: Aug 2010
Posts: 450
Default

Quote:
Originally Posted by think2
Thanks. With a filter of udp.port == 514, it seems there are no messages of that type being received. In the router, I can trigger an "alert" message by going to the Shields Up website and running a port scan. The router then (usually) shows a "kernel intrusion" alert in its local log, but nothing comes up in Wireshark.
And did you test your config/test methodology with other UDP packets? E.g. if you filter on UDP port 52 (DNS) and then open a bunch of webpages (that you haven't accessed in a while), Wireshark should show you the DNS packets flying around. You probably did that, but just to be sure.

Quote:
Wireshark doesn't appear in the Windows firewall rules. How does it get round the firewall?
I don't use Windows Firewall (never looked at it). But I expect that you can only set up rules regarding TCP/IP traffic. That means the firewall hooks into the driver stack somewhere after the IP layer.
Wireshark can show all frames on your Ethernet wire, including non-IP stuff like ARP or IS-IS. Therefore Wireshark probably hooks into the stack after the Ethernet layer, but before the IP layer. Also, sniffers like Wireshark can set the Ethernet interface in promiscuous mode, which means the Ethernet interface is going to copy all frames it sees up the stack, even the frames that are not destined for its own MAC address.
So Wireshark will see all frames, even before they reach the MS Firewall.

Quote:
I've used a command line program called "logger" to generate a syslog message that I type in and that does show up in syslog watcher.
You used that on the same machine where the syslog daemon is running? Anyway, your first goal should be to make your router send out syslog packets.

Set your Wireshark to promiscuous mode. (Mine was set by default.)
Make sure the router and your PC are connected directly (no switch in between).
Create events on the router that should send syslog messages.
Watch with Wireshark whether any UDP packets get sent out, maybe to the wrong IP address? There's always a chance that the router tries to send them out over the WAN interface ....

I don't have any other ideas. It's been two decades since I messed around with syslogd myself. Sorry.
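A complementary check to the Wireshark capture described above: a small UDP syslog listener that binds port 514 and splits the RFC 3164 PRI field so you can see which facility and severity the router is using. This is an added example, not code from the thread; the send_test() helper is a stand-in for the "logger" command mentioned earlier, and the message text is constructed.

```python
"""Minimal UDP syslog listener/parser to check whether anything reaches port 514.
Binding a port below 1024 needs administrator rights on Windows; if the router can
be pointed at another port, change PORT accordingly."""
import re
import socket

PORT = 514  # standard syslog-over-UDP port discussed in the thread

# RFC 3164 line: "<PRI>" followed by the rest of the message. PRI = facility*8 + severity.
_PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(datagram: bytes) -> dict:
    """Decode the PRI field into facility/severity names; malformed input is kept raw."""
    m = _PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:  # 191 = local7.debug, the highest legal PRI
        return {"facility": None, "severity": None, "msg": datagram.decode("utf-8", "replace")}
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "msg": m.group(2).decode("utf-8", "replace")}


def listen(port: int = PORT, timeout: float = 30.0, max_msgs: int = 10) -> list:
    """Collect up to max_msgs datagrams within timeout seconds as (source_ip, parsed) tuples.
    An empty list means nothing reached this socket: firewall, wrong target IP, or silent router."""
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        s.settimeout(timeout)
        try:
            while len(received) < max_msgs:
                data, (src, _) = s.recvfrom(8192)
                received.append((src, parse_syslog(data)))
        except socket.timeout:
            pass
    return received


def send_test(port: int = PORT, host: str = "127.0.0.1") -> None:
    """Local stand-in for the 'logger' command: emit one constructed local0.info message."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(b"<134>Jan  5 16:53:00 testhost logger: self-test message", (host, port))


if __name__ == "__main__":
    for src, rec in listen():
        print(f"{src}: [{rec['facility']}.{rec['severity']}] {rec['msg']}")
```

Run the script, then trigger a router event; if the self-test from send_test() shows up but nothing from the router's IP does, the PC side is fine and the router is not sending (or is sending somewhere else).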
Old 01-06-2013, 01:17 PM   #7
imagoon
Diamond Member
 
imagoon's Avatar
 
Join Date: Feb 2003
Location: Chicagoland, IL
Posts: 4,849
Default

Wireshark hooks the network card's stack at layer 2. The Windows firewall is integrated into layer 3 (the TCP/IP stack). This allows Wireshark access to everything on the wire. Windows can and does handle the layer 2 protocols like ARP and, with the correct software, can handle IS-IS / BGP / whatever; it just doesn't offer layer 2 filtering directly in the firewall.

Also for your testing... DNS is TCP 53 or UDP 53. If you sniff UDP 52 you are not likely to see much since that is older Xerox stuff.
Old 01-06-2013, 08:20 PM   #8
Gryz
Senior Member
 
Gryz's Avatar
 
Join Date: Aug 2010
Posts: 450
Default

Of course, sorry for mentioning the wrong number ....
Old 01-06-2013, 09:55 PM   #9
think2
Member
 
Join Date: Dec 2009
Posts: 141
Default

Thanks guys. Monitoring UDP port 53 shows a bunch of messages with protocol type "DNS", so it seems Wireshark is working. I guess that means the router isn't sending anything.