Old 05-23-2003, 03:48 AM   #1
skinman2
Member
 
Join Date: Feb 2003
Posts: 44
Default SYN_SENT???

Hello!

I ran "netstat" and found out that there was a connection to my computer using Syn_Sent. What is it? Should I be concerned? The ip is 192.168.1.2:5678. I have cable broadband internet. The connection used 9 MB of data transfer during a 7 hour period.

I don't have a router and no network installed on my computer. I got a new DOCSIS modem... the modem brand is:

Brand: Scientific Atlanta

Name: Webstar

Model Number: DPX 2100


SYN_SENT
skinman2 is offline   Reply With Quote
Old 05-23-2003, 04:51 AM   #2
kt
Diamond Member
 
 
Join Date: Apr 2000
Posts: 4,712
Default SYN_SENT???

When making a TCP connection, 3 steps are involved.
1. Synchronizing
2. Transmitting
3. Closing

It appears the connection in question is waiting for a response (SYN_ACK) after sending out a synchronization packet (SYN_SENT). What I suggest you do is check for any application that is sending those requests. It appears something on your computer is trying to make a connection to the IP address 192.168.1.2. The IP address is a non-routable IP, and since you say you don't have an internal network, that's why you are not getting any response.
__________________
Beer: Helping ugly people get laid since 3000 B.C.
kt is offline   Reply With Quote
Old 05-23-2003, 06:16 AM   #3
Lord Evermore
Diamond Member
 
Join Date: Oct 1999
Posts: 9,558
Default RE: SYN_SENT???

Does this still show up? If so, copy and paste the line. It will show which port on your own machine is in use. 5678 is the port your traffic is going to on the other machine, and could be anything. The standard use is for Remote Replication Agent Connection but I can't find any explanations of what that is for, at least not in English.

With cable, it is possible that someone else has connected to your machine via the cable network, and is using the built-in file and printer sharing to access files. Since you use a NIC for the cable modem, you do have networking set up. You can disable it in the properties for the local area network (right click properties on Network Neighborhood). Since the most common use of 192.168.1.x would be someone using a router on a cable connection in your area, it is likely that the source is someone with your same cable service connected to the same head-end router.

Oh, and 9MB over 7 hours is about 160Kbps. If your cable service is supposed to be capped at 128k upload, then it sounds like your upload was being pegged the entire time.

If you're going to have your computer connected directly to the cable modem, you should consider a firewall of some sort. Windows XP has a built-in firewall which will prevent people from connecting to your machine from outside. Another type such as ZoneAlarm protects from outside connections as well as preventing rogue programs such as trojans from making connections from your computer to anything else.
__________________
neochat has fallen...

Tokio Hotel!
Tokio Hotel MySpace

Rule 1 for posting: make your thread title actually mention the topic of the post.
Lord Evermore is offline   Reply With Quote
Old 05-23-2003, 06:32 AM   #4
skinman2
Member
 
Join Date: Feb 2003
Posts: 44
Default SYN_SENT???

TCP server:3155 192.168.1.2:5678 SYN_SENT

I have a firewall installed on my computer (Winxp). My node is new to the DOCSIS service and everyone else on my node is on the older modems (slower). My cps are @ 1500/192. I will try to disable file/print sharing.
skinman2 is offline   Reply With Quote
Old 05-23-2003, 06:41 AM   #5
skinman2
Member
 
Join Date: Feb 2003
Posts: 44
Default SYN_SENT???

Nothing really works. The thing still appears up.



skinman2 is offline   Reply With Quote
Old 05-23-2003, 12:30 PM   #6
Garion
Platinum Member
 
Join Date: Apr 2001
Posts: 2,317
Default SYN_SENT???

There's an app called jpegmpeg that's used for peer-to-peer file sharing. It listens on port 3155. That's consistent with what you are seeing, from a bandwidth and connection perspective.

What is your IP address on your machine? I wouldn't be surprised to see that YOU are 192.168.1.2. From a DOS prompt, enter "ipconfig" and it should tell you what your address is.

By the way - How are you finding out that it's transferred 9MB? That's not something typically seen in Netstat.

L.E. - I hate to tell you this, but you need to check your math. 9MB == 90 Mb == ~9000 Kb. Take that over seven hours (3600 * 7 = 25200) and you get about .36Kb/s. Just a dribble.

- G
Garion is offline   Reply With Quote
Old 05-25-2003, 04:00 AM   #7
Lord Evermore
Diamond Member
 
Join Date: Oct 1999
Posts: 9,558
Default RE: SYN_SENT???

9MB = 72000000b/25200 = 2.8Kbps. There's still only 8 bits in a byte, overhead never changes that. :-) And 90Mb = 90,000Kb not 9000.

That is also an average, it could have been using much more throughput during a shorter period.

I honestly can't even figure out where I got that 160Kbps from originally. Maybe I used gigabytes or something but I can't even repeat that. I think I just divided by 8 or multiplied by 8 one extra time.

Some cable providers with data transfer caps provide a way to see how much data you've passed during a period.

It's doubtful that his own machine is 192.x. If it was, he wouldn't be able to access the Internet.

Based on the line from netstat, skinman2's machine is named "server", listening on 3155 and is connecting to a computer at 192.168.1.2. This is consistent with a trojan or other application connecting to a machine, which in this case happens to be someone on the local cable network since there'd be no other way for the two machines to connect. Because the cable network is shared in a certain way, the machines can see each other even though they aren't on the same IP network.

The WinXP firewall doesn't block outbound connections at all. So if this program makes a connection to a central server to route traffic through, then the firewall wouldn't do any good. The only time it would help is if someone tried to make a connection directly to you to transfer a file.

My guess is that whatever is running is connecting to the 192.168.1.2 machine as its central server. Then the connection just sits open to the server; the program regularly updates the server about what files are available; normally someone would use the server to find a list of files and if they wanted one of yours, would make a direct connection to get it. But since you're behind a firewall, they can't, and since the server is on a private IP nobody should be able to even see it.

First thing to do would be to check if that jpegmpeg is installed. Look in the start menu (check the startup folder while you're there), and check the Add/Remove Programs tool. If you can't find it and don't know about it, check the system tray to make sure it's not running there (you'll need to expand it if you allow XP to hide icons). Then run "msconfig" on the Run dialog and look at the startup tab. If you see it there, uncheck the box (you don't need to reboot immediately, it'll just stop it running next time you boot). Then hit control-alt-delete to bring up the task manager, and on the processes list, find the item named the same as whatever you found running and end task on it.

Then reboot. Check after a bit to see if it's running. If it's not, then you've stopped it working, and you can find the location and remove it. You may also want to download adaware from http://www.lavasoft.de just to check whether you have anything else installed such as spyware, and also you should be running an antivirus program that keeps a background monitor. Having a computer always connected directly to a broadband service is just unsafe.
Lord Evermore is offline   Reply With Quote
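
An added example, not written by anyone in the thread: a small Python triage of netstat output that picks out rows stuck in SYN_SENT (this host sent a SYN and has had no SYN/ACK back), says whether the destination is an RFC 1918 private address, and carries along the owning PID when the listing was taken with `netstat -o`. The sample listing is constructed around the one line skinman2 posted; the PID values, the other rows and the function names are assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed sample in the layout of Windows `netstat -o`; the SYN_SENT row is the
# one quoted in the thread, the PID column and the other rows are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    server:3155            192.168.1.2:5678       SYN_SENT        1234
  TCP    server:3160            203.0.113.10:80        ESTABLISHED     880
  TCP    server:135             server:0               LISTENING       740
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
Conn = namedtuple("Conn", "local_host local_port remote_host remote_port state pid")

def parse_netstat(text):
    """Return a Conn for every TCP row; headers and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0].upper() != "TCP":
            continue
        lhost, _, lport = f[1].rpartition(":")
        rhost, _, rport = f[2].rpartition(":")
        # The PID column is only present when netstat was run with -o.
        pid = int(f[4]) if len(f) > 4 and f[4].isdigit() else None
        conns.append(Conn(lhost, lport, rhost, rport, f[3].upper(), pid))
    return conns

def is_rfc1918(host):
    """True/False for an IP literal, None for a hostname we cannot classify."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    return any(addr in net for net in RFC1918)

def unanswered_outbound(conns):
    """SYN_SENT rows: this host sent a SYN and has not received a SYN/ACK yet."""
    return [
        {"local_port": c.local_port, "remote": f"{c.remote_host}:{c.remote_port}",
         "rfc1918": is_rfc1918(c.remote_host), "pid": c.pid}
        for c in conns if c.state == "SYN_SENT"
    ]

if __name__ == "__main__":
    for hit in unanswered_outbound(parse_netstat(SAMPLE)):
        print(hit)
```

The PID in a hit is what to look up in the Task Manager process list to identify the program that keeps retrying the connection.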