SYN_SENT???

Discussion in 'Networking' started by skinman2, May 23, 2003.

  1. skinman2

    Hello!

    I ran "netstat" and found out that there was a connection to my computer using Syn_Sent. What is it? Should I be concerned? The IP is 192.168.1.2:5678. I have cable broadband internet. The connection used 9 MB of data transfer during a 7 hour period.

    I don't have a router and no network installed on my computer. I got a new DOCSIS modem... the modem brand is:

    Brand: Scientific Atlanta

    Name: Webstar

    Model Number: DPX 2100


     
  2. kt

    When making a TCP connection, 3 steps are involved.
    1. Synchronizing
    2. Transmitting
    3. Closing

    It appears the connection in question is waiting for a response (SYN_ACK) after sending out a synchronization packet (SYN_SENT). What I suggest you do is check for any application that is sending those requests. It appears something on your computer is trying to make a connection to the IP address 192.168.1.2. The IP address is a non-routable IP, and since you say you don't have an internal network, that's why you are not getting any response.
     
  3. Lord Evermore

    Does this still show up? If so, copy and paste the line. It will show which port on your own machine is in use. 5678 is the port your traffic is going to on the other machine, and could be anything. The standard use is for Remote Replication Agent Connection but I can't find any explanations of what that is for, at least not in English.

    With cable, it is possible that someone else has connected to your machine via the cable network, and is using the built-in file and printer sharing to access files. Since you use a NIC for the cable modem, you do have networking set up. You can disable it in the properties for the local area network (right click properties on Network Neighborhood). Since the most common use of 192.168.1.x would be someone using a router on a cable connection in your area, it is likely that the source is someone with your same cable service connected to the same head-end router.

    Oh, and 9MB over 7 hours is about 160Kbps. If your cable service is supposed to be capped at 128k upload, then it sounds like your upload was being pegged the entire time.

    If you're going to have your computer connected directly to the cable modem, you should consider a firewall of some sort. Windows XP has a built-in firewall which will prevent people from connecting to your machine from outside. Another type such as ZoneAlarm protects from outside connections as well as preventing rogue programs such as trojans from making connections from your computer to anything else.
     
  4. skinman2

    TCP server:3155 192.168.1.2:5678 SYN_SENT

    I have a firewall installed on my computer (WinXP). My node is new to the DOCSIS service and everyone else on my node is on the older modems (slower). My cps are @ 1500/192. I will try to disable file/print sharing.
     
  5. skinman2

    Nothing really works. The thing still appears up.



     
  6. Garion

    There's an app called jpegmpeg that's used for peer-to-peer file sharing. It listens on port 3155. That's consistent with what you are seeing, from a bandwidth and connection perspective.

    What is your IP address on your machine? I wouldn't be surprised to see that YOU are 192.168.1.2. From a DOS prompt, enter "ipconfig" and it should tell you what your address is.

    By the way - How are you finding out that it's transferred 9MB? That's not something typically seen in Netstat.

    L.E. - I hate to tell you this, but you need to check your math. 9MB == 90 Mb == ~9000 Kb. Take that over seven hours (3600 * 7 = 25200) and you get about .36Kb/s. Just a dribble.

    - G
     
  7. Lord Evermore

    9MB = 72000000b/25200 = 2.8Kbps. There's still only 8 bits in a byte, overhead never changes that. :) And 90Mb = 90,000Kb not 9000.

    That is also an average, it could have been using much more throughput during a shorter period.

    I honestly can't even figure out where I got that 160Kbps from originally. Maybe I used gigabytes or something but I can't even repeat that. I think I just divided by 8 or multiplied by 8 one extra time.

    Some cable providers with data transfer caps provide a way to see how much data you've passed during a period.

    It's doubtful that his own machine is 192.x. If it was, he wouldn't be able to access the Internet.

    Based on the line from netstat, skinman2's machine is named "server", listening on 3155 and is connecting to a computer at 192.168.1.2. This is consistent with a trojan or other application connecting to a machine, which in this case happens to be someone on the local cable network since there'd be no other way for the two machines to connect. Because the cable network is shared in a certain way, the machines can see each other even though they aren't on the same IP network.

    The WinXP firewall doesn't block outbound connections at all. So if this program makes a connection to a central server to route traffic through, then the firewall wouldn't do any good. The only time it would help is if someone tried to make a connection directly to you to transfer a file.

    My guess is that whatever is running is connecting to the 192.168.1.2 machine as its central server. Then the connection just sits open to the server; the program regularly updates the server about what files are available; normally someone would use the server to find a list of files and if they wanted one of yours, would make a direct connection to get it. But since you're behind a firewall, they can't, and since the server is on a private IP nobody should be able to even see it.

    First thing to do would be to check if that jpegmpeg is installed. Look in the start menu (check the startup folder while you're there), and check the Add/Remove Programs tool. If you can't find it and don't know about it, check the system tray to make sure it's not running there (you'll need to expand it if you allow XP to hide icons). Then run "msconfig" on the Run dialog and look at the startup tab. If you see it there, uncheck the box (you don't need to reboot immediately, it'll just stop it running next time you boot). Then hit control-alt-delete to bring up the task manager, and on the processes list, find the item named the same as whatever you found running and end task on it.

    Then reboot. Check after a bit to see if it's running. If it's not, then you've stopped it working, and you can find the location and remove it. You may also want to download adaware from http://www.lavasoft.de just to check whether you have anything else installed such as spyware, and also you should be running an antivirus program that keeps a background monitor. Having a computer always connected directly to a broadband service is just unsafe.
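
The check discussed in this thread (an outbound connection stuck in SYN_SENT toward a private address the machine has no network for), as an added example that is not part of any poster's message. It assumes the column layout of `netstat -ano` on Windows; the sample output is constructed and the function names are hypothetical.

```python
import ipaddress

# RFC 1918 private ranges: not routed on the public Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of `netstat -ano` output (addresses are documentation values).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    198.51.100.20:3155     192.168.1.2:5678       SYN_SENT        1420
  TCP    198.51.100.20:3160     203.0.113.7:80         ESTABLISHED     1980
  TCP    198.51.100.20:3161     10.9.8.7:445           SYN_SENT        4
  UDP    0.0.0.0:500            *:*                                    700
"""

def parse_tcp(text):
    """Return one dict per TCP row; header, UDP and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] != "TCP":
            continue
        lhost, _, lport = f[1].rpartition(":")
        rhost, _, rport = f[2].rpartition(":")
        rows.append({"local_host": lhost, "local_port": lport,
                     "remote_host": rhost, "remote_port": rport,
                     "state": f[3],
                     "pid": f[4] if len(f) > 4 else None})  # no PID without -o
    return rows

def unanswered_private(rows, local_nets=()):
    """SYN_SENT rows whose remote is RFC 1918 but outside every network in
    local_nets (the subnets this host really sits on, e.g. from ipconfig)."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    hits = []
    for r in rows:
        if r["state"] != "SYN_SENT":
            continue
        try:
            ip = ipaddress.ip_address(r["remote_host"])
        except ValueError:
            continue  # a hostname (netstat run without -n); cannot classify
        if any(ip in p for p in RFC1918) and not any(ip in n for n in nets):
            hits.append(r)
    return hits

if __name__ == "__main__":
    for r in unanswered_private(parse_tcp(SAMPLE)):
        print(f"PID {r['pid']}: local port {r['local_port']} -> "
              f"{r['remote_host']}:{r['remote_port']} never answered")
```

The PID reported for each hit can be matched against the process list in Task Manager to find the program making the connection.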