A Windows XP help forum. PCbanter

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Go Back   Home » PCbanter forum » Microsoft Windows 7 » Windows 7 Forum
Site Map Home Register Authors List Search Today's Posts Mark Forums Read Web Partners

How do I chase down who is doing a multicast?



 
 
Thread Tools Rate Thread Display Modes
  #1  
Old April 7th 18, 12:25 AM posted to alt.windows7.general
T
external usenet poster
 
Posts: 4,600
Default How do I chase down who is doing a multicast?

Hi All,

How do I chase down who is doing a multicast (224.0.0.252) on
my local network.

My Windows Security log is gobsmacked with the following:

Network Information:
Direction: Inbound
Source Address: 224.0.0.252
Source Port: 5355
Destination Address: 192.168.202.215
Destination Port: 52860
Protocol: 17

This gets me no whe

# nmap -A -T4 -Pn 224.0.0.252

Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-06 16:22 PDT
Nmap done: 1 IP address (0 hosts up) scanned in 0.85 seconds


My firewall shows no traffic outbound to 224.0.0.252


Many thanks,
-T
Ads
  #2  
Old April 7th 18, 12:42 AM posted to alt.windows7.general
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default How do I chase down who is doing a multicast?

T wrote:

5355


Based on that port number:

https://en.wikipedia.org/wiki/Link-L...ame_Resolution

which also has a hyperlink to:

https://technet.microsoft.com/library/bb878128

Seems that every host running the DNS client is going to use LLMNR. I
suspect if you disable LLMNR that sharing services could get impacted.

http://www.pciqsatalk.com/2016/03/di...r-netbios.html

Are you allowing rogue hosts to enter your intranet, like letting users
bring their own laptops into work to connect directly to the corporate
network instead of into a DMZ'ed subnet? LLMNR traffic is not routable
(because it is a local link protocol); that is, it cannot pass across
routers, so the problem is not with external hacking into your intranet.

https://tools.ietf.org/rfc/rfc4795.txt

So do you trust the hosts permitted to physically connect to the same
subnet within your intranet?
  #3  
Old April 7th 18, 01:10 AM posted to alt.windows7.general
T
external usenet poster
 
Posts: 4,600
Default How do I chase down who is doing a multicast?

On 04/06/2018 04:42 PM, VanguardLH wrote:
T wrote:

5355


Based on that port number:

https://en.wikipedia.org/wiki/Link-L...ame_Resolution

which also has a hyperlink to:

https://technet.microsoft.com/library/bb878128

Seems that every host running the DNS client is going to use LLMNR. I
suspect if you disable LLMNR that sharing services could get impacted.

http://www.pciqsatalk.com/2016/03/di...r-netbios.html

Are you allowing rogue hosts to enter your intranet, like letting users
bring their own laptops into work to connect directly to the corporate
network instead of into a DMZ'ed subnet? LLMNR traffic is not routable
(because it is a local link protocol); that is, it cannot pass across
routers, so the problem is not with external hacking into your intranet.

https://tools.ietf.org/rfc/rfc4795.txt

So do you trust the hosts permitted to physically connect to the same
subnet within your intranet?


Good Lord Vanguard! I have been google'ing my ass over
all this for hours before asking for help. You hit it
out of the ball park. And give me a way to figure the next
out out myself. Wow! Impressive!

Anyway, to answer your question, this network leg is their
general office and not a high security Point of Sale (POS)
leg. They are allowed to bring "certain" devices, with
permission, and run them on this leg. (They are
under threat of death of doing that on the POS legs.)

I did an arp scan and everyone is legit. Just the usual
suspects.

The traffic on multicast traffic on port 5355 is so
prodigious that my File Integrity Monitoring (FIM) software
server is crashing trying to log the tidal was of notices
placed in the client's security logs.

Thank you!
-T


  #4  
Old April 7th 18, 01:38 AM posted to alt.windows7.general
T
external usenet poster
 
Posts: 4,600
Default How do I chase down who is doing a multicast?

Hi Vanguard,

At this point I am thinking you know everything, so please forgive
this question:

Do you know how to convert this to a .reg file?


Many thanks,
-T


To disable LLMNR:

1) winR gpedit.msc

2) Local Computer Policy
-- Computer Configuration
-- Administrative Templates
-- Network
-- DNS Client

3) Click on “Turn Off Multicast Name Resolution” and set it to
“Enabled”


  #5  
Old April 7th 18, 02:09 AM posted to alt.windows7.general
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default How do I chase down who is doing a multicast?

T wrote:

At this point I am thinking you know everything, so please forgive
this question:


Nah, I'm just arrogant enough to think that I know everything. My
family celebrates when I'm wrong and swear when I'm [always] right.

Do you know how to convert this to a .reg file?

To disable LLMNR:
1) winR gpedit.msc
2) Local Computer Policy
-- Computer Configuration
-- Administrative Templates
-- Network
-- DNS Client
3) Click on Turn Off Multicast Name Resolution and set it to
Enabled


Unfortunately I'm at home almost all the time I'm on Usenet and my home
desktop PC is running a Home edition of Windows 7 x64. No gpedit.msc
there; however, all polices are registry entries. In the past, I
remember Microsoft providing an Excel spreadsheet of policy settings and
their equivalent registry locations. So did the search:

https://www.google.com/search?q=micr...+sprea dsheet

which found:

https://www.microsoft.com/en-us/down....aspx?id=25250

I download the .xlsx file, opened it, and searched on "multicast". The
"Turn off multicast name resolution" setting was the first hit. It
tells you the registry key and data item you have to change its value
along with lots of descriptions. Once you figure out the registry and
add the data item (if absent) to your desired value, export that
registry key to have a .reg file to stow away for later reuse.
  #6  
Old April 7th 18, 03:28 AM posted to alt.windows7.general
B00ze
external usenet poster
 
Posts: 472
Default How do I chase down who is doing a multicast?

On 2018-04-06 21:09, VanguardLH wrote:

Unfortunately I'm at home almost all the time I'm on Usenet and my home
desktop PC is running a Home edition of Windows 7 x64. No gpedit.msc
there; however, all polices are registry entries. In the past, I
remember Microsoft providing an Excel spreadsheet of policy settings and
their equivalent registry locations. So did the search:

https://www.google.com/search?q=micr...+sprea dsheet

which found:

https://www.microsoft.com/en-us/down....aspx?id=25250

I download the .xlsx file, opened it, and searched on "multicast". The
"Turn off multicast name resolution" setting was the first hit. It
tells you the registry key and data item you have to change its value
along with lots of descriptions. Once you figure out the registry and
add the data item (if absent) to your desired value, export that
registry key to have a .reg file to stow away for later reuse.


Wow, this can come in Handy; Thanks!

--
! _\|/_ Sylvain /
! (o o) Memberavid-Suzuki-Fdn/EFF/Red+Cross/SPCA/Planetary-Society
oO-( )-Oo Windows error 21 It'll never work, really!

  #7  
Old April 7th 18, 03:33 AM posted to alt.windows7.general
T
external usenet poster
 
Posts: 4,600
Default How do I chase down who is doing a multicast?

On 04/06/2018 06:09 PM, VanguardLH wrote:
T wrote:

At this point I am thinking you know everything, so please forgive
this question:


Nah, I'm just arrogant enough to think that I know everything. My
family celebrates when I'm wrong and swear when I'm [always] right.


My wife is right about 90% of the time. Whenever she is right,
it is "so what else is new?" Whenever I am right, it is strutting
and ticker tape time.


Do you know how to convert this to a .reg file?

To disable LLMNR:
1) winR gpedit.msc
2) Local Computer Policy
-- Computer Configuration
-- Administrative Templates
-- Network
-- DNS Client
3) Click on Turn Off Multicast Name Resolution and set it to
Enabled


Unfortunately I'm at home almost all the time I'm on Usenet and my home
desktop PC is running a Home edition of Windows 7 x64. No gpedit.msc
there; however, all polices are registry entries. In the past, I
remember Microsoft providing an Excel spreadsheet of policy settings and
their equivalent registry locations. So did the search:

https://www.google.com/search?q=micr...+sprea dsheet

which found:

https://www.microsoft.com/en-us/down....aspx?id=25250

I download the .xlsx file, opened it, and searched on "multicast". The
"Turn off multicast name resolution" setting was the first hit. It
tells you the registry key and data item you have to change its value
along with lots of descriptions. Once you figure out the registry and
add the data item (if absent) to your desired value, export that
registry key to have a .reg file to stow away for later reuse.


Wow! You did it again. I LOVE THAT SPREADSHEET !!!! (I converted
it to .ODX. Chuckle.)

THANK YOU!!!!


Windows Registry Editor Version 5.00

; Disable Link Local Multicast Name Resolution (LLMNR)
; Note the double negative: "enable" turn LLMNR off

; dword:00000000 is enabled (turns LLMNR off)
; dword:00000001 is disabled (turns LLMNR back on)
; completely missing is "not configured"
; [-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows NT\DNSClient]

; note: you need to reboot to take effect

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows NT\DNSClient]
"EnableMulticast"=dword:00000000


 




Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off






All times are GMT +1. The time now is 01:16 AM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright 2004-2024 PCbanter.
The comments are property of their posters.