how to monitor incoming UDP messages

Discussion in 'Networking' started by think2, Jan 5, 2013.

  1. think2

    think2 Member

    Is there any software that I can run on Windows 7 to monitor UDP messages sent to port 514 from my router? I'm trying to get "syslog watcher" to work to monitor my TPLink router and want to see if the router is actually sending messages to my PC.
     
  2. VirtualLarry

    VirtualLarry Lifer

    Did you remember to create an exception in the firewall on the Windows 7 machine for that application?
     
  3. Gryz

    Gryz Golden Member

    Wireshark is a free utility to see any packets going over your ethernet wire. Just configure it to filter only UDP 514, and start capturing. Should not be too complicated.
     
  4. think2

    think2 Member

    Yes, I have an incoming rule that allows UDP messages to go to syslog watcher for all ports. I also tried turning the firewall off completely.
     
  5. think2

    think2 Member

    Thanks. With a filter of udp.port == 514, it seems there are no messages of that type being received. In the router, I can trigger an "alert" message by going to the shields up website and running a port scan. The router then (usually) shows a "kernel intrusion" alert in its local log but nothing comes up in wireshark.

    Wireshark doesn't appear in the Windows firewall rules. How does it get round the firewall?

    I've used a command line program called "logger" to generate a syslog message that I type in and that does show up in syslog watcher.
     
  6. Gryz

    Gryz Golden Member

    And you tested your config/test-methodology with other UDP packets? E.g. if you filter on UDP port 52 (DNS) and then open a bunch of webpages (that you haven't accessed in a while), Wireshark should show you the DNS packets flying around. You probably did that, but just to be sure.

    I don't use Windows Firewall (never looked at it). But I expect that you can only set up rules regarding TCP/IP traffic. That means the firewall hooks in the driver stack somewhere after the IP layer.
    Wireshark can show all frames on your ethernet wire, including non-IP stuff like ARP or IS-IS. Therefore Wireshark probably hooks into the stack after the Ethernet layer, but before the IP layer. Also, sniffers like Wireshark can set the Ethernet interface in promiscuous mode, which means the Ethernet interface is going to copy all frames it sees up the stack, even the frames that are not destined for its own MAC address.
    So Wireshark will see all frames, even before they reach the MS Firewall.

    You used that on the same machine as where the syslog daemon is running? Anyway, your first goal should be to make your router send out syslog packets.

    Set your Wireshark to promiscuous mode. (Mine was set by default).
    Make sure the router and your PC are connected directly (no switch in between).
    Create events on the router that should send syslog messages.
    Watch with Wireshark if any UDP packets get sent out, maybe to the wrong IP address? There's always a chance that the router tries to send them out over the WAN interface ....

    I don't have any other ideas. It's been two decades since I messed around with syslogd myself. Sorry.
     
  7. imagoon

    imagoon Diamond Member

    Wireshark hooks the network card's stack at layer 2. The Windows firewall is integrated into layer 3 (the TCP/IP stack). This allows Wireshark access to everything on the wire. Windows can and does handle the layer 2 protocols like ARP, and with the correct software can handle IS-IS / BGP / whatever; it just doesn't offer layer 2 filtering directly in the firewall.

    Also for your testing... DNS is TCP 53 or UDP 53. If you sniff UDP 52 you are not likely to see much since that is older Xerox stuff.
     
  8. Gryz

    Gryz Golden Member

    Of course, sorry for mentioning the wrong number ....
     
  9. think2

    think2 Member

    Thanks guys. Monitoring UDP port 53 shows a bunch of messages with protocol type of "DNS" so it seems Wireshark is working. I guess that means the router isn't sending anything.
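A second check besides Wireshark is to bind UDP/514 yourself and see what, if anything, arrives. The following is an added example, not code from the thread or from Syslog Watcher: a minimal Python listener that prints each datagram with its source address and decodes the BSD syslog PRI field, so a router alert shows up as e.g. kern.warning. The sample datagrams are constructed, the TP-Link router's real format is not shown in the thread, and the listener must run instead of Syslog Watcher because only one process can own the port.

```python
import re
import socket

# Constructed sample datagrams in BSD syslog (RFC 3164) form; not captured
# from the poster's TP-Link router, whose exact format the thread does not show.
SAMPLE_DATAGRAMS = [
    b"<4>Jan  5 10:15:00 router kernel: intrusion alert",            # kern.warning
    b"<134>Jan  5 10:15:01 router dhcp: lease renewed 192.168.0.10",  # local0.info
    b"no PRI header at all",                                         # malformed
]

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(datagram: bytes) -> dict:
    """Split off the <PRI> field and decode it into facility and severity.
    Datagrams without a valid PRI are returned as-is so nothing is silently dropped."""
    m = PRI_RE.match(datagram)
    pri = int(m.group(1)) if m else -1
    if not 0 <= pri <= 191:          # PRI = facility * 8 + severity, max 23*8+7
        return {"facility": None, "severity": None,
                "message": datagram.decode("utf-8", "replace")}
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "message": m.group(2).decode("utf-8", "replace")}


def listen(host="0.0.0.0", port=514, count=None):
    """Bind UDP/514 and print every datagram with its source address.
    Only one process can own the port: stop Syslog Watcher first, or bind() fails
    with 'address already in use'. Port 514 needs admin rights on Unix, not on Windows."""
    seen = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        print(f"listening on udp/{port}; router datagrams will appear below")
        while count is None or seen < count:
            data, (src, sport) = sock.recvfrom(65535)
            info = parse_syslog(data)
            print(f"{src}:{sport} {info['facility']}.{info['severity']} {info['message']}")
            seen += 1
    return seen


if __name__ == "__main__":
    for d in SAMPLE_DATAGRAMS:          # show the decoder on constructed input first
        print(parse_syslog(d))
    listen(count=5)                     # then wait for five real datagrams from the router
```

If the router's events still produce nothing here while DNS traffic shows in Wireshark, the problem is on the router side (wrong destination IP or interface), not on the PC.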