Author Topic: svchost.exe is trying to receive connection ... and 192.168.1.1  (Read 4548 times)

Offline cska133

I use a router with IP 192.168.1.1 and connected my new laptop to the Internet through a LAN cable. After setting up Comodo firewall to custom mode, Comodo pops up after every new start that svchost.exe is trying to receive connections from the Internet. If I create rules and logs there is something about the router address 192.168.1.1... see the screenshots attached.

Is this connection OK or should I block it? Does the router try to connect to the laptop and why?

Offline Ronny

Re: svchost.exe is trying to receive connection ... and 192.168.1.1
« Reply #1 on: April 06, 2012, 03:23:55 PM »
Hi cska133,

This is Universal Plug and Play traffic; do you have this set up on your router + software like torrent or something that needs incoming traffic?
Volunteer Moderator
Any concerns? Please send me a PM or review the Forum Policy -  update Jan 3rd 2013!

Offline cska133

« Reply #2 on: April 06, 2012, 10:45:23 PM »
Well, I think I have it enabled in my router settings.
The problem is this is/this was not my computer, so I don't know what kind of programs are running. Of course I looked through the installed applications but I cannot recognize if someone needs incoming traffic.

How can I check this?
Maybe I can send you a list with running applications? But where to find the appropriate list with all the running programs?

Offline Ronny

« Reply #3 on: April 10, 2012, 01:39:14 PM »
You could try to use this tool to identify the cause;
http://technet.microsoft.com/en-us/sysinternals/bb897437

Offline cska133

« Reply #4 on: April 11, 2012, 06:23:47 AM »
Well, I cannot recognize what processes are trying to connect.
When I start the system without the LAN cable, TCPView shows the first screenshot. When I then plug in the LAN cable there is a lot of movement in TCPView. Don't know how I can know what causes the Comodo firewall popup?
After some time TCPView shows the second screenshot.

Offline Ronny

« Reply #5 on: April 11, 2012, 09:14:24 AM »
I would assume normally an application on your system will ask the router to open up ports for it.
The response could cause a trigger here.

Better ways to trace this are Process Monitor or Microsoft Network Monitor; both will show the application that causes the outgoing network traffic.

http://technet.microsoft.com/en-us/sysinternals/bb896645
http://www.microsoft.com/download/en/details.aspx?id=4865

Offline cska133

« Reply #6 on: April 12, 2012, 09:47:19 AM »
So do I need both Process Monitor and Microsoft Network?

Offline Ronny

« Reply #7 on: April 12, 2012, 03:49:22 PM »
No, I would try one of them to see if that brings any clues to this.

Offline Radaghast

« Reply #8 on: April 12, 2012, 04:35:54 PM »
Just to add to the reply from Ronny. These inbound connections, from what appears to be your router, are standard UPnP/SSDP event notifications. If you have UPnP and SSDP services running under Windows - they are by default - you will see this communication. Basically, it's one UPnP-enabled device letting another UPnP-enabled device know about its status.

Here's part of a capture showing what happens:

Transmission Control Protocol, Src Port: 19294 (19294), Dst Port: icslap (2869), Seq: 1, Ack: 1, Len: 717
    Source port: 19294 (19294)
    Destination port: icslap (2869)
    [Stream index: 63]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 718    (relative sequence number)]
    Acknowledgement number: 1    (relative ack number)
    Header length: 32 bytes
    Flags: 0x18 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgement: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 2920
    [Calculated window size: 5840]
    [Window size scaling factor: 2]
    Checksum: 0x3d29 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (12 bytes)
        No-Operation (NOP)
        No-Operation (NOP)
        Timestamps: TSval 13830859, TSecr 48804
            Kind: Timestamp (8)
            Length: 10
            Timestamp value: 13830859
            Timestamp echo reply: 48804
    [SEQ/ACK analysis]
        [Bytes in flight: 718]
Hypertext Transfer Protocol
    NOTIFY /upnp/eventing/djlmyxppgj HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): NOTIFY /upnp/eventing/djlmyxppgj HTTP/1.1\r\n]
            [Message: NOTIFY /upnp/eventing/djlmyxppgj HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: NOTIFY
        Request URI: /upnp/eventing/djlmyxppgj
        Request Version: HTTP/1.1
    Host: 192.168.1.209:2869\r\n
    Content-Type: text/xml\r\n
    Content-Length: 463\r\n
        [Content length: 463]
    NT: upnp:event\r\n
    NTS: upnp:propchange\r\n
    SID: uuid:b24654fa-fec2-4242-815f-515056699869\r\n
    SEQ: 0\r\n
    Connection: close\r\n
    Cache-Control: no-cache\r\n
    \r\n
    [Full request URI: http://192.168.1.209:2869/upnp/eventing/djlmyxppgj]
eXtensible Markup Language
    <e:propertyset
        xmlns:e="urn:schemas-upnp-org:event-1-0"
        xmlns:s="urn:schemas-upnp-org:service:WANIPConnection:1">
        <e:property>
            <s:PossibleConnectionTypes>
                IP_Routed
                </s:PossibleConnectionTypes>
            </e:property>
        <e:property>
            <s:ConnectionStatus>
                Connected
                </s:ConnectionStatus>
            </e:property>
        <e:property>
            <s:ExternalIPAddress>
                xx.xx.88.144
                </s:ExternalIPAddress>
            </e:property>
        <e:property>
            <s:PortMappingNumberOfEntries>
                0
                </s:PortMappingNumberOfEntries>
            </e:property>
        </e:propertyset>
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”
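
An added example, not part of the original thread and not code from any of the posters or from Comodo: a Python check that decides whether a request seen on TCP 2869 is the kind of UPnP event NOTIFY shown in the capture above, and whether it came from the expected gateway. The function name, the verdict strings and the sample's external address (a documentation placeholder) are assumptions made for the illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

EVENT_NS = "{urn:schemas-upnp-org:event-1-0}"

# Constructed sample modelled on the capture in the thread; the external
# address 203.0.113.7 is a documentation placeholder, not a value from the page.
SAMPLE = (
    b"NOTIFY /upnp/eventing/djlmyxppgj HTTP/1.1\r\n"
    b"Host: 192.168.1.209:2869\r\n"
    b"NT: upnp:event\r\n"
    b"NTS: upnp:propchange\r\n"
    b"SID: uuid:b24654fa-fec2-4242-815f-515056699869\r\n"
    b"SEQ: 0\r\n\r\n"
    b'<e:propertyset xmlns:e="urn:schemas-upnp-org:event-1-0" '
    b'xmlns:s="urn:schemas-upnp-org:service:WANIPConnection:1">'
    b"<e:property><s:ConnectionStatus>Connected</s:ConnectionStatus></e:property>"
    b"<e:property><s:ExternalIPAddress>203.0.113.7</s:ExternalIPAddress></e:property>"
    b"<e:property><s:PortMappingNumberOfEntries>0</s:PortMappingNumberOfEntries></e:property>"
    b"</e:propertyset>"
)

def triage_notify(raw, src_ip, gateway_ip):
    """Return (verdict, properties) for one inbound request seen on TCP 2869."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    hdrs = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            hdrs[name.strip().upper()] = value.strip()
    if (lines[0].split(" ")[0] != "NOTIFY" or hdrs.get("NT") != "upnp:event"
            or hdrs.get("NTS") != "upnp:propchange"):
        return "not-a-gena-event", {}
    if not hdrs.get("SID", "").startswith("uuid:"):
        return "missing-subscription-id", {}
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:  # event bodies need neither
        return "suspicious-xml", {}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "malformed-xml", {}
    props = {}
    for prop in root.iter(EVENT_NS + "property"):
        for child in prop:
            props[child.tag.split("}")[-1]] = (child.text or "").strip()
    src = ipaddress.ip_address(src_ip)
    if src != ipaddress.ip_address(gateway_ip) or not src.is_private:
        return "unexpected-source", props
    return "expected-gateway-event", props
```

A verdict of `expected-gateway-event` with `PortMappingNumberOfEntries` at 0 matches the capture: the router is reporting status and no port mappings have been opened.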
