strange ip, strange log

hi guys,
maybe only I can’t understand the issue, but please explain me:
my local net is 192.168.2.*, the router is Actually my ip is
The usual block all is the last rule #9 in my list.

I have got the following line in the activity log:

Date/Time :2007-09-30 15:46:56
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP =, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Reason: Network Control Rule ID = 9

The source is another host on the local net, the destination is unknown for me. The questions are: why it is occured at all, why it is logged

thanks in advance

“upnp-mcast” means Universal Plug & Play Multicast which broadcasts on UDP port 1900. It’s just a normal part of the Windows networking package which you can read about here

To answer the 2nd part of the question, it is blocked because it is an Incoming traffic. The Rule #9 should by default, log everything it blocks.


I’m really sorry, maybe I’m not familiar with this thing, but what does this ip ( mean?
Is this the local host again?
And finally should I allow this, or preferred to block it out?


you might tracert.exe the ip, then dns, then might google.




That is an internal (Intranet/LAN) Multicast IP address; it’s not an assigned IP address, such as for your computer - it could/can/will be used for different resources on the LAN at different times. The traffic itself is coming from another resource on your network. It’s already being blocked, as you can see in your logs.

A Multicast (typically, Protocol = IGMP) is basically a “shout out” to the network from a network resource (router, printer, etc) to see if anybody’s home (for some particular purpose). This seems to happen a lot more when a different method of communication is unsuccessful.

As to whether or not you should block it, I will say that’s ultimately up to you (and your level of paranoia). I will give you some guidelines that I use…

  1. Is my connection working; am I able to do everything I need to?
  2. Is the traffic already blocked?

If the answer is yes to both, I figure I don’t need to allow the incoming connection. Thus, I will create a rule to specifically block it without logging (so I don’t have to see it again). That is done this way…

Open Network Monitor. Go to the very last (BLock & Log All) rule.
Right-click and select “Add/Add Before.” Build the new rule this way:

Action: Block
Protocol: UDP (as per your log entry)
Direction: In
Source IP: Any
Destination IP:
Source Port: Any
Destination Port: 1900
OK, and reboot.

Hope that helps,


thanks, I need to learn a lot about network communication.

It can be a bit confusing and overwhelming. Most of it’s outside my paygrade, I’m afraid. You may find Wikipedia helpful to research things you come across; they usually have relatively easy-to-understand explanations. If all you have is that IP address, here’s how you can find out more info… search it on Google; one of the results is the ARIN page (you can also go straight to ARIN and look it up) This shows the entire IP range associated… -

Search either end of that on Google, and you will get results referring to MultiCast.

You can then use MultiCast on Wikipedia,

You still may not understand it, but at least you know more of what you’re dealing with.

Hope that helps,


thanks, I find also the following link:

Good find, pan. (:CLP)