Networking Forums

'system' is generating TCP Packets, who, what, where?

 
 
Scott Townsend
Guest
Posts: n/a

 
      05-25-2006, 06:17 PM
My PIX Firewall is picking up a few machines in my network that are sending
TCP Packets to a non-existent host across one of our WAN Links. The
packets are one-way and are about 6-7 seconds apart. I've included a
decoded copy of the packet being sent.

When I use the SysInternals TDIMON.exe to look to see who is generating the
traffic, it is the process 'System:4':
System:4 89ECE8A0 TDI_CONNECT TCP:0.0.0.0:1025 10.12.0.10:4606 TIMEOUT

How can I find out what is really causing the TCP Packets?

One machine is a WinXP SP2, the other is a Win2003 SP2 running Terminal
Services.

Any help would be appreciated!

Thank you,
Scott<-





Packet Info
Flags: 0x00
Status: 0x00
Packet Length: 66
Timestamp: 11:12:00.655613 05/25/2006

Ethernet Header
Destination: 00:09:7C:F7:16:E0
Source: 00:11:25:6B:A9:F1
Protocol Type: 0x0800 IP

IP Header - Internet Protocol Datagram
Version: 4
Header Length: 5 (20 bytes)
Type of Service: %00000000
  000. .... Precedence: Routine
  ...0 .... Normal Delay
  .... 0... Normal Throughput
  .... .0.. Normal Reliability
  .... ..0. ECT bit - transport protocol will ignore the CE bit
  .... ...0 CE bit - no congestion
Total Length: 48
Identifier: 25485
Fragmentation Flags: %010
  0.. Reserved
  .1. Do Not Fragment
  ..0 Last Fragment
Fragment Offset: 0 (0 bytes)
Time To Live: 128
Protocol: 6 TCP - Transmission Control Protocol
Header Checksum: 0x829F
Source IP Address: 10.1.0.133
Dest. IP Address: 10.12.0.10
No IP Options

TCP - Transport Control Protocol
Source Port: 1025 blackjack
Destination Port: 4606
Sequence Number: 3670101211
Ack Number: 0
Offset: 7 (28 bytes)
Reserved: %000000
Flags: %000010
  0. .... (No Urgent pointer)
  .0 .... (No Ack)
  .. 0... (No Push)
  .. .0.. (No Reset)
  .. ..1. SYN
  .. ...0 (No FIN)
Window: 65535
Checksum: 0x30E8
Urgent Pointer: 0
TCP Options:
  Option Type: 2 Maximum Segment Size
  Length: 4
  MSS: 1460
  Option Type: 1 No Operation
  Option Type: 1 No Operation
  Option Type: 4
  Length: 2

FCS - Frame Check Sequence
FCS (Calculated): 0xEA9D6ADA
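Before hunting for the sender it is worth confirming that the decoded packet above is self-consistent, because a decoder that mis-parsed the header would send the investigation after the wrong host. The following Python script is an added example, not code from the original post: it re-encodes the IPv4 and TCP headers from the decoded field values, recomputes both checksums, and checks the length arithmetic (66 = 14 Ethernet + 48 IP + 4 FCS; 48 = 20 IP + 28 TCP). Assumptions: the option "Type 4, Length 2" is the standard SACK-permitted option, and the Type of Service byte and fragment offset are zero as decoded.

```python
"""Re-encode the decoded SYN from the post and check it for self-consistency.

Added example, not code from the original thread. Field values below are
transcribed from the decoded packet dump; nothing is captured live.
"""
import ipaddress
import struct

# Values transcribed from the decoded packet in the post.
DECODED = {
    "frame_len": 66,            # Ethernet header + IP datagram + FCS
    "src_ip": "10.1.0.133",
    "dst_ip": "10.12.0.10",
    "ip_id": 25485,
    "ip_total_len": 48,
    "ttl": 128,
    "ip_checksum": 0x829F,
    "src_port": 1025,
    "dst_port": 4606,
    "seq": 3670101211,
    "ack": 0,
    "flags": 0x02,              # SYN only
    "window": 65535,
    "tcp_checksum": 0x30E8,
}

# TCP options exactly as decoded: MSS 1460, NOP, NOP, kind 4 length 2.
# Assumption: kind 4 is the standard SACK-permitted option (RFC 2018).
TCP_OPTIONS = bytes([2, 4, 0x05, 0xB4, 1, 1, 4, 2])


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(d: dict, checksum: int = 0) -> bytes:
    """20-byte IPv4 header: version 4, IHL 5, TOS 0, DF set, offset 0, protocol 6."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0x00, d["ip_total_len"], d["ip_id"], 0x4000, d["ttl"], 6, checksum,
        ipaddress.IPv4Address(d["src_ip"]).packed,
        ipaddress.IPv4Address(d["dst_ip"]).packed,
    )


def build_tcp_header(d: dict, checksum: int = 0) -> bytes:
    """20-byte fixed TCP header plus the 8 option bytes: data offset 7 words (28 bytes)."""
    offset_flags = (7 << 12) | d["flags"]
    fixed = struct.pack(
        "!HHIIHHHH",
        d["src_port"], d["dst_port"], d["seq"], d["ack"],
        offset_flags, d["window"], checksum, 0,   # urgent pointer 0
    )
    return fixed + TCP_OPTIONS


def tcp_checksum(d: dict) -> int:
    """TCP checksum covers the IPv4 pseudo-header (src, dst, zero, proto, length) and the segment."""
    segment = build_tcp_header(d, checksum=0)
    pseudo = (ipaddress.IPv4Address(d["src_ip"]).packed
              + ipaddress.IPv4Address(d["dst_ip"]).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    return rfc1071_checksum(pseudo + segment)


def verify(d: dict) -> dict:
    """Cross-check the decoder's lengths and checksums; every value should be True."""
    tcp_len = len(build_tcp_header(d))
    return {
        "ip_checksum_ok": rfc1071_checksum(build_ipv4_header(d)) == d["ip_checksum"],
        "tcp_checksum_ok": tcp_checksum(d) == d["tcp_checksum"],
        "ip_total_len_ok": d["ip_total_len"] == 20 + tcp_len,
        "frame_len_ok": d["frame_len"] == 14 + d["ip_total_len"] + 4,
        # SYN set, ACK clear: an unanswered connection attempt, which is why the
        # firewall sees traffic in one direction only.
        "bare_syn": d["flags"] == 0x02 and d["ack"] == 0,
    }


if __name__ == "__main__":
    for name, ok in verify(DECODED).items():
        print(f"{name:18s} {'OK' if ok else 'MISMATCH'}")
    print(f"IP checksum  0x{rfc1071_checksum(build_ipv4_header(DECODED)):04X}")
    print(f"TCP checksum 0x{tcp_checksum(DECODED):04X}")
```

Both recomputed checksums reproduce the decoded values (0x829F and 0x30E8), so the source address 10.1.0.133 and the bare SYN to 10.12.0.10:4606 can be trusted as evidence. The same script can be pointed at any other decoded SYN by editing DECODED and TCP_OPTIONS.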


 
Karl Levinson
Guest
Posts: n/a

 
      05-25-2006, 06:37 PM
That is difficult and may not be feasible.

"Scott Townsend" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> My PIX Firewall is picking up a few machines in my network that are sending
> TCP Packets to a non-existent host across one of our WAN Links. The
> packets are one-way and are about 6-7 seconds apart. I've included a
> decoded copy of the packet being sent.
>
> When I use the SysInternals TDIMON.exe to look to see who is generating
> the traffic, It is the Process 'System:4'
> System:4 89ECE8A0 TDI_CONNECT TCP:0.0.0.0:1025 10.12.0.10:4606 TIMEOUT
>
> How can I find out what is really causing the TCP Packets.
>
> One machine is a WinXP SP2, the other is a Win2003 SP2 running Terminal
> Services.
>
> Any help would be appreciated!
>
> Thank you,
> Scott<-



 
Scott Townsend
Guest
Posts: n/a

 
      05-25-2006, 06:43 PM
The difficult part I understand, but not feasible? There has to be a way to
find out what is generating the packets... Both are trying to communicate
with the same IP, the same source and destination ports, and the same interval.

There has to be a way.....(-;

Thanks,
Scott<-
"Karl Levinson" <(E-Mail Removed)> wrote in message
news:u%(E-Mail Removed)...
> That is difficult and may not be feasible.
>
> "Scott Townsend" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> My PIX Firewall is picking up a few machines in my network that are
>> sending TCP Packets to a non-existent host across one of our WAN Links.
>> The packets are one-way and are about 6-7 seconds apart. I've included
>> a decoded copy of the packet being sent.
>>
>> When I use the SysInternals TDIMON.exe to look to see who is generating
>> the traffic, It is the Process 'System:4'
>> System:4 89ECE8A0 TDI_CONNECT TCP:0.0.0.0:1025 10.12.0.10:4606 TIMEOUT
>>
>> How can I find out what is really causing the TCP Packets.
>>
>> One machine is a WinXP SP2, the other is a Win2003 SP2 running Terminal
>> Services.
>>
>> Any help would be appreciated!
>>
>> Thank you,
>> Scott<-



 
Scott Townsend
Guest
Posts: n/a

 
      05-25-2006, 06:57 PM
Found ProcExp from SysInternals, then looked at the System process
properties; there is a TCP/IP tab, and every 6-7 seconds the TCP connection
would show up. I did a stack trace on it and came up with:

ntoskrnl.exe+0xa3d9
ntoskrnl.exe+0x95063
ntoskrnl.exe+0x982a8
ntoskrnl.exe+0xa62d3
ntoskrnl.exe+0xa63a2
ntoskrnl.exe+0xa63e5
ntoskrnl.exe+0x699f
ntoskrnl.exe+0xc577
RpshSi.sys+0x59822
ntoskrnl.exe+0x9603c
ntoskrnl.exe+0xb3b5
ntoskrnl.exe+0x9d128
ntoskrnl.exe+0x18c81


RpshSi.sys is part of COMTROL, a Serial to TCP/IP Device. The RpshSi.sys
Device Driver was installed on both machines trying to communicate to the
Serial to TCP/IP Device.

thanks!

"Karl Levinson" <(E-Mail Removed)> wrote in message
news:u%(E-Mail Removed)...
> That is difficult and may not be feasible.
>
> "Scott Townsend" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> My PIX Firewall is picking up a few machines in my network that are
>> sending TCP Packets to a non-existent host across one of our WAN Links.
>> The packets are one-way and are about 6-7 seconds apart. I've included
>> a decoded copy of the packet being sent.
>>
>> When I use the SysInternals TDIMON.exe to look to see who is generating
>> the traffic, It is the Process 'System:4'
>> System:4 89ECE8A0 TDI_CONNECT TCP:0.0.0.0:1025 10.12.0.10:4606 TIMEOUT
>>
>> How can I find out what is really causing the TCP Packets.
>>
>> One machine is a WinXP SP2, the other is a Win2003 SP2 running Terminal
>> Services.
>>
>> Any help would be appreciated!
>>
>> Thank you,
>> Scott<-
>>
>>



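The investigation above has two reusable steps: notice the periodic, one-way SYNs at the firewall, then attribute a connection owned by PID 4 ('System') to the kernel driver whose frame appears in the Process Explorer stack. The Python script below is an added example, not code from the thread, that automates both. The firewall log lines are constructed in a generic "timestamp flag src -> dst" format for the demo and are not Cisco PIX syslog output; the detection thresholds (at least four events, coefficient of variation of the inter-arrival gaps at most 0.2) and the allowlist of core Windows modules are assumptions to adjust for a real environment; the stack trace is the one posted above.

```python
"""Two helpers for the investigation described in this thread.

Added example, not code from the thread. The firewall log is constructed in
a generic format for the demo (NOT Cisco PIX syslog output); the stack trace
is the one posted in the thread.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: two hosts send bare SYNs to 10.12.0.10:4606 every ~6.6 s
# (the pattern described in the thread), mixed with ordinary traffic.
SAMPLE_LOG = """\
2006-05-25 11:12:00.655613 SYN 10.1.0.133:1025 -> 10.12.0.10:4606
2006-05-25 11:12:01.100000 SYN 10.1.0.50:3201 -> 10.1.0.7:445
2006-05-25 11:12:01.300000 SYN 10.1.0.50:3202 -> 10.1.0.7:445
2006-05-25 11:12:03.400000 SYN 10.1.0.201:1025 -> 10.12.0.10:4606
2006-05-25 11:12:07.155613 SYN 10.1.0.133:1025 -> 10.12.0.10:4606
2006-05-25 11:12:10.000000 SYN 10.1.0.201:1025 -> 10.12.0.10:4606
2006-05-25 11:12:13.755613 SYN 10.1.0.133:1025 -> 10.12.0.10:4606
2006-05-25 11:12:15.000000 SYN 10.1.0.50:3203 -> 10.1.0.9:80
2006-05-25 11:12:16.700000 SYN 10.1.0.201:1025 -> 10.12.0.10:4606
2006-05-25 11:12:20.455613 SYN 10.1.0.133:1025 -> 10.12.0.10:4606
2006-05-25 11:12:23.200000 SYN 10.1.0.201:1025 -> 10.12.0.10:4606
2006-05-25 11:12:27.055613 SYN 10.1.0.133:1025 -> 10.12.0.10:4606
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<flag>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def find_periodic_flows(log_text, min_events=4, max_cv=0.2):
    """Group SYNs by (src, dst, dport) and flag flows whose inter-arrival gaps
    are nearly constant (coefficient of variation <= max_cv).
    min_events and max_cv are assumed demo thresholds, not tuned values."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["flag"] != "SYN":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        seen[(m["src"], m["dst"], int(m["dport"]))].append(ts)

    flagged = []
    for key, stamps in seen.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            flagged.append({"src": key[0], "dst": key[1], "dport": key[2],
                            "count": len(stamps), "mean_gap_s": avg, "cv": cv})
    return sorted(flagged, key=lambda f: f["src"])


# Process Explorer stack from the thread: the kernel frames are in ntoskrnl.exe
# and the single outlier is the third-party driver that owns the connection.
POSTED_STACK = """\
ntoskrnl.exe+0xa3d9
ntoskrnl.exe+0x95063
ntoskrnl.exe+0x982a8
ntoskrnl.exe+0xa62d3
ntoskrnl.exe+0xa63a2
ntoskrnl.exe+0xa63e5
ntoskrnl.exe+0x699f
ntoskrnl.exe+0xc577
RpshSi.sys+0x59822
ntoskrnl.exe+0x9603c
ntoskrnl.exe+0xb3b5
ntoskrnl.exe+0x9d128
ntoskrnl.exe+0x18c81
"""

# Assumed allowlist of core Windows network-stack modules; extend for your build.
CORE_MODULES = {"ntoskrnl.exe", "ntkrnlpa.exe", "hal.dll", "tcpip.sys", "ndis.sys"}

FRAME_RE = re.compile(r"^\s*(?P<module>[\w.\-]+)\+0x[0-9a-fA-F]+\s*$")


def third_party_frames(stack_text):
    """Return, in first-seen order, the modules in a 'module+0xoffset' stack that
    are not core Windows modules: the drivers to examine for a PID 4 connection."""
    found = []
    for line in stack_text.splitlines():
        m = FRAME_RE.match(line)
        if m and m["module"].lower() not in CORE_MODULES and m["module"] not in found:
            found.append(m["module"])
    return found


if __name__ == "__main__":
    for f in find_periodic_flows(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['dport']}  "
              f"{f['count']} SYNs, every {f['mean_gap_s']:.1f} s")
    print("non-core modules on the stack:", third_party_frames(POSTED_STACK))
```

On the constructed log the detector reports only the two hosts beaconing to 10.12.0.10:4606 and ignores the ordinary SMB and HTTP connections, and the stack helper returns RpshSi.sys as the only non-core module, which is the same conclusion Scott reached by hand. In practice the flagged (src, dst, dport) tuple is what you hand to the host owner, and the non-core module name is what you look up in the installed-driver inventory.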
 
Karl Levinson
Guest
Posts: n/a

 
      05-25-2006, 10:35 PM
Thanks for posting this, that's something I did not know.

"Scott Townsend" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Found ProcExp from SysInternals, then looked at the System process
> properties; there is a TCP/IP tab, and every 6-7 seconds the TCP connection
> would show up. I did a stack trace on it and came up with:
>
> ntoskrnl.exe+0xa3d9
> ntoskrnl.exe+0x95063
> ntoskrnl.exe+0x982a8
> ntoskrnl.exe+0xa62d3
> ntoskrnl.exe+0xa63a2
> ntoskrnl.exe+0xa63e5
> ntoskrnl.exe+0x699f
> ntoskrnl.exe+0xc577
> RpshSi.sys+0x59822
> ntoskrnl.exe+0x9603c
> ntoskrnl.exe+0xb3b5
> ntoskrnl.exe+0x9d128
> ntoskrnl.exe+0x18c81
>
>
> RpshSi.sys is part of COMTROL, a Serial to TCP/IP Device. The RpshSi.sys
> Device Driver was installed on both machines trying to communicate to the
> Serial to TCP/IP Device.
>
> thanks!



 
Vincent Xu [MSFT]
Guest
Posts: n/a

 
      05-26-2006, 02:12 AM
Hi Scott ,

Glad to see your knowledge sharing. Now, please let me know if you still
have concerns.

Have a good day.


Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================




 