svchost.exe is trying to receive connection ... and

I use router with IP and connected my new laptop to Internet trough LAN cable. After setting up Comodo firewall to custom mode Comodo pops up after every new start that svchost.exe is trying to receive connections from Internet. If I create rules and logs there is something about the router address… see the screenshots attached.

Is this connection OK or should I block it? Does the router try to connect the laptop and why?

[attachment deleted by admin]

Hi cska133,

This is Universal Plug and Play traffic, do you have this setup on your router + software like torrent or something that needs incoming traffic?

well, I think I have it enabled in my router settings.
The problem is this is/this was not my computer, so I dont know what kind of programms are running. Of course I looked throu the installed applications but I can not recognize if someone needs incoming trafic.

How can I check this?
Maybe I can send you a list with running applications? But where to find the appropriate list with all the running programms?

You could try to use this tool to identify the cause;

well I can not recognize what processes are trying to connect.
When I start the system without LAn Cable TCPView shows the first screenshot. When I then plug in the LAn cable there is a lot of movement in TCPView. Dont know how can I know that causes the Comodo firewall popup?
After some time TCPView shows the second screenshot

[attachment deleted by admin]

I would assume normally an application on your system will ask the router to open-up ports for it.
The response could cause a trigger here.

Better ways to trace this are process monitor or Microsoft Network Monitor both will show the application that causes the outgoing network traffic.

so do I need both process monitor or Microsoft Network ?

No I would try one of them to see if that brings any clue’s to this.

Just to add to the reply from Ronny. These inbound connections, form what appears to be your router, are standard UPnP/SSDP event notifications. If you have UPnP and SSDP services running under Windows - they are by default - you will see this communication. Basically, it’s one UPnP enabled device letting another UPnP enabled device know about it’s status.

Here’s part of a capture showing what happens:

Transmission Control Protocol, Src Port: 19294 (19294), Dst Port: icslap (2869), Seq: 1, Ack: 1, Len: 717
    Source port: 19294 (19294)
    Destination port: icslap (2869)
    [Stream index: 63]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 718    (relative sequence number)]
    Acknowledgement number: 1    (relative ack number)
    Header length: 32 bytes
    Flags: 0x18 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgement: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 2920
    [Calculated window size: 5840]
    [Window size scaling factor: 2]
    Checksum: 0x3d29 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (12 bytes)
        No-Operation (NOP)
        No-Operation (NOP)
        Timestamps: TSval 13830859, TSecr 48804
            Kind: Timestamp (8)
            Length: 10
            Timestamp value: 13830859
            Timestamp echo reply: 48804
    [SEQ/ACK analysis]
        [Bytes in flight: 718]
Hypertext Transfer Protocol
    NOTIFY /upnp/eventing/djlmyxppgj HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): NOTIFY /upnp/eventing/djlmyxppgj HTTP/1.1\r\n]
            [Message: NOTIFY /upnp/eventing/djlmyxppgj HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: NOTIFY
        Request URI: /upnp/eventing/djlmyxppgj
        Request Version: HTTP/1.1
    Content-Type: text/xml\r\n
    Content-Length: 463\r\n
        [Content length: 463]
    NT: upnp:event\r\n
    NTS: upnp:propchange\r\n
    SID: uuid:b24654fa-fec2-4242-815f-515056699869\r\n
    SEQ: 0\r\n
    Connection: close\r\n
    Cache-Control: no-cache\r\n
    [Full request URI:]
eXtensible Markup Language