how to monitor incoming UDP messages

think2

Senior member
Dec 29, 2009
Is there any software that I can run on Windows 7 to monitor UDP messages sent to port 514 from my router. I'm trying to get "syslog watcher" to work to monitor my TPLink router and want to see if the router is actually sending messages to my PC.

VirtualLarry

No Lifer
Aug 25, 2001
Did you remember to create an exception in the firewall on the Windows 7 machine for that application?

Gryz

Golden Member
Aug 28, 2010
Wireshark is a free utility to see any packets going over your ethernet wire. Just configure it to filter only UDP 514, and start capturing. Should not be too complicated.

think2

Senior member
Dec 29, 2009
> Did you remember to create an exception in the firewall on the Windows 7 machine for that application?

Yes, I have an incoming rule that allows UDP messages to go to syslog watcher for all ports. I also tried turning the firewall off completely.

think2

Senior member
Dec 29, 2009
> Wireshark is a free utility to see any packets going over your ethernet wire. Just configure it to filter only UDP 514, and start capturing. Should not be too complicated.

Thanks. With a filter of udp.port == 514, it seems there are no messages of that type being received. In the router, I can trigger an "alert" message by going to the shields up website and running a port scan. The router then (usually) shows a "kernel intrusion" alert in its local log but nothing comes up in wireshark.

Wireshark doesn't appear in the Windows firewall rules. How does it get round the firewall?

I've used a command line program called "logger" to generate a syslog message that I type in and that does show up in syslog watcher.

Gryz

Golden Member
Aug 28, 2010
> Thanks. With a filter of udp.port == 514, it seems there are no messages of that type being received. In the router, I can trigger an "alert" message by going to the shields up website and running a port scan. The router then (usually) shows a "kernel intrusion" alert in its local log but nothing comes up in wireshark.

And you tested your config/test-methodology with other UDP packets ? E.g. if you filter on UDP port 52 (DNS) and then open a bunch of webpages (that you haven't accessed in a while), Wireshark should show you the DNS packets flying around. You probably did that, but just to be sure.

> Wireshark doesn't appear in the Windows firewall rules. How does it get round the firewall?

I don't use Windows Firewall (never looked at it). But I expect that you can only set up rules regarding TCP/IP traffic. That means the firewall hooks into the driver stack somewhere after the IP layer.
Wireshark can show all frames on your ethernet wire, including non-IP stuff like ARP or IS-IS. Therefore Wireshark probably hooks into the stack after the Ethernet layer, but before the IP layer. Also, sniffers like Wireshark can set the Ethernet interface in promiscuous mode, which means the Ethernet interface is going to copy all frames it sees up the stack, even the frames that are not destined for its own MAC address.
So Wireshark will see all frames, even before they reach the MS Firewall.

> I've used a command line program called "logger" to generate a syslog message that I type in and that does show up in syslog watcher.

You used that on the same machine where the syslog daemon is running? Anyway, your first goal should be to make your router send out syslog packets.

Set your Wireshark to promiscuous mode. (Mine was set by default).
Make sure the router and your PC are connected directly (no switch in between).
Create events on the router that should send syslog messages.
Watch with Wireshark if any UDP packets get sent out, maybe to the wrong IP address? There's always a chance that the router tries to send them out over the WAN interface ....

I don't have any other ideas. It's been two decades since I messed around with syslogd myself. Sorry.
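The original question asks for something that can sit on UDP 514 and show whether anything arrives, and the reply above describes a test methodology (generate an event, see whether a datagram shows up, check who it is addressed to). As an added example that is not part of this thread, here is a small Python 3 listener that binds UDP 514, decodes the RFC 3164 `<PRI>` prefix into facility and severity, and reports the source address of each datagram, plus a `send_syslog()` helper that does what `logger` does so the listener can be checked end to end on one machine. The port, the facility and severity tables, and the constructed test datagram are assumptions for the example; TP-Link's own log format is not known from the thread.

```python
"""Minimal UDP syslog receiver and sender (example code, not from the thread)."""
import re
import select
import socket

SYSLOG_PORT = 514  # assumed: the port the router was configured to send to

# RFC 3164 / RFC 5424 facility and severity names (PRI = facility * 8 + severity).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_syslog(packet: bytes) -> dict:
    """Decode one syslog datagram into facility, severity, and message text.

    Many embedded devices send bare text with no <PRI>; RFC 3164 section 4.3.3
    says a relay should treat that as user.notice (PRI 13), which we mirror here.
    """
    m = PRI_RE.match(packet)
    if m is None:
        return {"pri": 13, "facility": "user", "severity": "notice",
                "message": packet.decode("utf-8", "replace")}
    pri = int(m.group(1))
    if pri > 191:  # highest legal value is local7.debug = 23*8 + 7
        raise ValueError("invalid PRI %d" % pri)
    facility, severity = divmod(pri, 8)
    return {"pri": pri, "facility": FACILITIES[facility],
            "severity": SEVERITIES[severity],
            "message": packet[m.end():].decode("utf-8", "replace")}


def make_listener(host: str = "0.0.0.0", port: int = SYSLOG_PORT) -> socket.socket:
    """Bind a UDP socket; 0.0.0.0 so datagrams from the router (not just localhost) are accepted."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    return sock


def receive_one(sock: socket.socket, timeout: float = 5.0):
    """Wait up to `timeout` seconds for one datagram; return its parsed record or None."""
    ready, _, _ = select.select([sock], [], [], timeout)
    if not ready:
        return None
    data, (src_ip, src_port) = sock.recvfrom(65535)
    record = parse_syslog(data)
    record["source"] = src_ip  # lets you see whether it is the router talking at all
    record["raw"] = data
    return record


def send_syslog(message: str, host: str = "127.0.0.1",
                port: int = SYSLOG_PORT, pri: int = 13) -> int:
    """Send one datagram the way logger(1) would; returns the byte count sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        return sock.sendto(b"<%d>%s" % (pri, message.encode("utf-8")), (host, port))
    finally:
        sock.close()


def main() -> None:
    sock = make_listener()
    print("listening on UDP %d; generate an event on the router now" % SYSLOG_PORT)
    while True:
        rec = receive_one(sock, timeout=30.0)
        if rec is None:
            print("no syslog datagram in 30 s")
            continue
        print("%s %s.%s %s" % (rec["source"], rec["facility"], rec["severity"],
                               rec["message"].strip()))


if __name__ == "__main__":
    main()
```

Stop "syslog watcher" (or any other syslog receiver) before running this, since two programs fighting over UDP 514 will make the test ambiguous; on Unix-like systems binding a port below 1024 also needs root. If `send_syslog()` from the same PC shows up but nothing appears while the router logs an alert, the problem is on the router side (wrong destination address, or logging over the WAN interface as suggested above), which a Wireshark capture on `udp.port == 514` will confirm.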

imagoon

Diamond Member
Feb 19, 2003
Wireshark hooks the network card's stack at layer 2. The Windows firewall is integrated into the layer 3 (TCP/IP) stack. This allows Wireshark access to everything on the wire. Windows can and does handle the layer 2 protocols like ARP and with the correct software can handle IS-IS / BGP / whatever; it just doesn't offer layer 2 filtering directly in the firewall.

Also for your testing... DNS is TCP 53 or UDP 53. If you sniff UDP 52 you are not likely to see much since that is older Xerox stuff.

Gryz

Golden Member
Aug 28, 2010
Of course, sorry for mentioning the wrong number ....

think2

Senior member
Dec 29, 2009
Thanks guys. Monitoring UDP port 53 shows a bunch of messages with protocol type of "DNS", so it seems Wireshark is working. I guess that means the router isn't sending anything.