I use a router with IP 192.168.1.1 and connected my new laptop to the Internet through a LAN cable. After setting up Comodo firewall in custom mode, Comodo pops up after every new start that svchost.exe is trying to receive connections from the Internet. If I create rules and logs, there is something about the router address 192.168.1.1… see the screenshots attached.
Is this connection OK or should I block it? Does the router try to connect to the laptop, and why?
Hi cska133,
This is Universal Plug and Play traffic, do you have this setup on your router + software like torrent or something that needs incoming traffic?
Well, I think I have it enabled in my router settings.
The problem is this is/this was not my computer, so I don't know what kind of programs are running. Of course I looked through the installed applications, but I cannot recognize if something needs incoming traffic.
How can I check this?
Maybe I can send you a list with running applications? But where do I find the appropriate list with all the running programs?
You could try to use this tool to identify the cause:
Well, I cannot recognize what processes are trying to connect.
When I start the system without the LAN cable, TCPView shows the first screenshot. When I then plug in the LAN cable there is a lot of movement in TCPView. I don't know how I can tell what causes the Comodo firewall popup.
After some time TCPView shows the second screenshot.
I would assume normally an application on your system will ask the router to open-up ports for it.
The response could cause a trigger here.
Better ways to trace this are Process Monitor or Microsoft Network Monitor; both will show the application that causes the outgoing network traffic.
http://www.microsoft.com/download/en/details.aspx?id=4865
So do I need both Process Monitor and Microsoft Network Monitor?
No, I would try one of them to see if that brings any clues to this.
Just to add to the reply from Ronny. These inbound connections, from what appears to be your router, are standard UPnP/SSDP event notifications. If you have UPnP and SSDP services running under Windows - they are by default - you will see this communication. Basically, it’s one UPnP enabled device letting another UPnP enabled device know about its status.
Here’s part of a capture showing what happens:
Transmission Control Protocol, Src Port: 19294 (19294), Dst Port: icslap (2869), Seq: 1, Ack: 1, Len: 717
Source port: 19294 (19294)
Destination port: icslap (2869)
[Stream index: 63]
Sequence number: 1 (relative sequence number)
[Next sequence number: 718 (relative sequence number)]
Acknowledgement number: 1 (relative ack number)
Header length: 32 bytes
Flags: 0x18 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgement: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
Window size value: 2920
[Calculated window size: 5840]
[Window size scaling factor: 2]
Checksum: 0x3d29 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Options: (12 bytes)
No-Operation (NOP)
No-Operation (NOP)
Timestamps: TSval 13830859, TSecr 48804
Kind: Timestamp (8)
Length: 10
Timestamp value: 13830859
Timestamp echo reply: 48804
[SEQ/ACK analysis]
[Bytes in flight: 718]
Hypertext Transfer Protocol
NOTIFY /upnp/eventing/djlmyxppgj HTTP/1.1\r\n
[Expert Info (Chat/Sequence): NOTIFY /upnp/eventing/djlmyxppgj HTTP/1.1\r\n]
[Message: NOTIFY /upnp/eventing/djlmyxppgj HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: NOTIFY
Request URI: /upnp/eventing/djlmyxppgj
Request Version: HTTP/1.1
Host: 192.168.1.209:2869\r\n
Content-Type: text/xml\r\n
Content-Length: 463\r\n
[Content length: 463]
NT: upnp:event\r\n
NTS: upnp:propchange\r\n
SID: uuid:b24654fa-fec2-4242-815f-515056699869\r\n
SEQ: 0\r\n
Connection: close\r\n
Cache-Control: no-cache\r\n
\r\n
[Full request URI: http://192.168.1.209:2869/upnp/eventing/djlmyxppgj]
eXtensible Markup Language
<e:propertyset
xmlns:e="urn:schemas-upnp-org:event-1-0"
xmlns:s="urn:schemas-upnp-org:service:WANIPConnection:1">
<e:property>
<s:PossibleConnectionTypes>
IP_Routed
</s:PossibleConnectionTypes>
</e:property>
<e:property>
<s:ConnectionStatus>
Connected
</s:ConnectionStatus>
</e:property>
<e:property>
<s:ExternalIPAddress>
xx.xx.88.144
</s:ExternalIPAddress>
</e:property>
<e:property>
<s:PortMappingNumberOfEntries>
0
</s:PortMappingNumberOfEntries>
</e:property>
</e:propertyset>
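As an added example (not part of this thread), the following Python parses a GENA event NOTIFY like the one in the capture and pulls out the subscription ID, sequence number and the WANIPConnection state variables it carries, while rejecting anything that is not a property-change event. The message text is constructed after the capture, with a documentation address in place of the redacted external IP.

```python
"""Parse a UPnP GENA event NOTIFY (the kind of traffic shown in the capture above)."""
import xml.etree.ElementTree as ET

EVENT_NS = "urn:schemas-upnp-org:event-1-0"

# Constructed sample modelled on the capture; the external IP is a documentation address.
SAMPLE_BODY = (
    f'<e:propertyset xmlns:e="{EVENT_NS}" '
    'xmlns:s="urn:schemas-upnp-org:service:WANIPConnection:1">'
    "<e:property><s:PossibleConnectionTypes>IP_Routed</s:PossibleConnectionTypes></e:property>"
    "<e:property><s:ConnectionStatus>Connected</s:ConnectionStatus></e:property>"
    "<e:property><s:ExternalIPAddress>203.0.113.144</s:ExternalIPAddress></e:property>"
    "<e:property><s:PortMappingNumberOfEntries>0</s:PortMappingNumberOfEntries></e:property>"
    "</e:propertyset>"
)
SAMPLE_NOTIFY = (
    "NOTIFY /upnp/eventing/djlmyxppgj HTTP/1.1\r\n"
    "Host: 192.168.1.209:2869\r\n"
    "Content-Type: text/xml\r\n"
    f"Content-Length: {len(SAMPLE_BODY)}\r\n"
    "NT: upnp:event\r\n"
    "NTS: upnp:propchange\r\n"
    "SID: uuid:b24654fa-fec2-4242-815f-515056699869\r\n"
    "SEQ: 0\r\n"
    "Connection: close\r\n"
    "\r\n" + SAMPLE_BODY
)


def parse_upnp_event(raw: str):
    """Return the event's SID, SEQ, service namespace and changed variables,
    or None if the message is not a GENA property-change NOTIFY."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        return None
    lines = head.split("\r\n")
    method = lines[0].partition(" ")[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # A GENA event is identified by the NOTIFY method plus the NT/NTS header pair;
    # SSDP discovery also uses NOTIFY but with NTS: ssdp:alive / ssdp:byebye.
    if (method != "NOTIFY" or headers.get("nt") != "upnp:event"
            or headers.get("nts") != "upnp:propchange"):
        return None
    body = body[: int(headers.get("content-length", len(body)))]
    root = ET.fromstring(body)
    if root.tag != f"{{{EVENT_NS}}}propertyset":
        return None
    props, service_ns = {}, None
    for prop in root.findall(f"{{{EVENT_NS}}}property"):
        for var in prop:  # each child element is one changed state variable
            ns, _, name = var.tag[1:].partition("}")
            service_ns = service_ns or ns
            props[name] = (var.text or "").strip()
    return {"sid": headers.get("sid"), "seq": int(headers.get("seq", 0)),
            "service": service_ns, "properties": props}
```

For the sample above, the result shows the router reporting its WAN status (Connected, zero port mappings) to a subscriber on the LAN, which is exactly what the capture shows and why the firewall flags it as an inbound connection to svchost.exe.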