If you want to save and post the wireshark capture (zip it up first) here, I’ll take a look…
Are you running any kind of bandwidth monitoring software? Also, can you take a look at router logs and see if the packets are just being dropped?
Running NetPerSec from Ziff-Davis for more than 10 years on all my PCs. Can’t believe it has anything to do with the problem in question. Was there before it occurred. I actually saw the traffic through it first, then checked Comodo firewall logs to see what’s on!
Router logs nothing specific, actually nothing in regard to p. 5100 and the traffic associated. Either it considers it as “normal” (??) or totally discards it? What I can tell for sure is that there is no further traffic from the router on to the Internet, no blinking internet traffic light at all. Here’s the log from the router since last night:
Thu, 2011-03-24 00:00:01 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. v1sm4006506eeh.20
Thu, 2011-03-24 01:00:00 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. x54sm4034405eeh.19
Thu, 2011-03-24 02:00:00 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. w59sm4058662eeh.10
Thu, 2011-03-24 03:00:01 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. y7sm2586765eeh.21
Thu, 2011-03-24 04:00:00 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. b52sm4106383eei.15
Thu, 2011-03-24 04:33:42 - TCP Packet - Source:217.110.97.196,80 Destination:79.103.207.147,2309 - [FS3 rule match]
Thu, 2011-03-24 04:34:29 - TCP Packet - Source:80.93.23.42,80 Destination:79.103.207.147,2310 - [FS3 rule match]
Thu, 2011-03-24 04:38:24 - TCP Packet - Source:217.110.97.196,80 Destination:79.103.207.147,2309 - [FS3 rule match]
Thu, 2011-03-24 04:49:31 - TCP Packet - Source:80.93.23.42,80 Destination:79.103.207.147,2310 - [FS3 rule match]
Thu, 2011-03-24 05:00:01 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. v60sm51866eeh.16
Thu, 2011-03-24 06:00:00 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. q53sm4151593eeh.11
Thu, 2011-03-24 07:00:01 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. b52sm4175665eei.15
Thu, 2011-03-24 08:00:01 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. v1sm4201707eeh.20
Thu, 2011-03-24 09:00:00 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. q53sm4232116eeh.11
Thu, 2011-03-24 10:00:01 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. b52sm4269778eei.8
Thu, 2011-03-24 10:58:55 - TCP Packet - Source:217.110.97.200,80 Destination:79.103.207.147,2373 - [FS3 rule match]
Thu, 2011-03-24 11:00:01 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. q53sm4310706eeh.4
Thu, 2011-03-24 12:00:00 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. p5sm4236892wbg.11
Thu, 2011-03-24 13:00:00 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. b52sm4401266eei.22
Thu, 2011-03-24 13:59:08 - TCP Packet - Source:62.215.216.130,48442 Destination:79.103.207.147,5900 - [vnc rule match]
Thu, 2011-03-24 14:00:01 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. v1sm4444236eeh.6
Thu, 2011-03-24 15:00:00 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. q53sm4487901eeh.25
Thu, 2011-03-24 16:00:01 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. y7sm3032591eeh
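A small triage script for the router log above, added here as an example (it is not code from anyone in the thread). It separates the two kinds of entries the log contains: the hourly `530 5.7.0 Must issue a STARTTLS command first` lines, which are the mail server refusing the router's own notification e-mail because it was sent without STARTTLS, and the `[... rule match]` lines, which are the router's firewall matching inbound packets. It then checks whether port 5100 appears anywhere in the rule matches (it does not, which is the point made in the post). The sample lines are a subset of the posted log; the classification rules and the helper names are mine.

```python
"""Triage a NETGEAR-style router log: split the router's failed e-mail
notifications from firewall rule matches, and check whether a port of
interest (5100 here) shows up at all.

Added example, not code from the thread.  SAMPLE_LOG is a subset of the
lines posted above; the parsing and classification rules are assumptions.
"""
import re
import statistics
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
Thu, 2011-03-24 00:00:01 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. v1sm4006506eeh.20
Thu, 2011-03-24 01:00:00 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. x54sm4034405eeh.19
Thu, 2011-03-24 02:00:00 - unexpected reply: 530 5.7.0 Must issue a STARTTLS command first. w59sm4058662eeh.10
Thu, 2011-03-24 04:33:42 - TCP Packet - Source:217.110.97.196,80 Destination:79.103.207.147,2309 - [FS3 rule match]
Thu, 2011-03-24 04:34:29 - TCP Packet - Source:80.93.23.42,80 Destination:79.103.207.147,2310 - [FS3 rule match]
Thu, 2011-03-24 13:59:08 - TCP Packet - Source:62.215.216.130,48442 Destination:79.103.207.147,5900 - [vnc rule match]
"""

# "Thu, 2011-03-24 00:00:01 - <message>"
LINE_RE = re.compile(r"^\w{3}, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<msg>.+)$")
# "TCP Packet - Source:A,sport Destination:B,dport - [NAME rule match]"
RULE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) Packet - Source:(?P<src>[\d.]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+) - \[(?P<rule>.+) rule match\]$"
)
# "unexpected reply: 530 5.7.0 <text>"  (SMTP reply code + enhanced status code)
SMTP_RE = re.compile(r"^unexpected reply: (?P<code>\d{3}) (?P<enhanced>\d\.\d\.\d) (?P<text>.+)$")


def parse_line(line):
    """Turn one log line into an event dict, or None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    msg = m["msg"]
    r = RULE_RE.match(msg)
    if r:
        return {"ts": ts, "kind": "firewall_rule_match", "proto": r["proto"],
                "src": r["src"], "sport": int(r["sport"]),
                "dst": r["dst"], "dport": int(r["dport"]), "rule": r["rule"]}
    s = SMTP_RE.match(msg)
    if s:
        # A 5xx reply means the mail server refused the router's notification mail.
        return {"ts": ts, "kind": "smtp_notify_error", "code": int(s["code"]),
                "enhanced": s["enhanced"], "text": s["text"]}
    return {"ts": ts, "kind": "other", "text": msg}


def parse_router_log(lines):
    return [e for e in (parse_line(line) for line in lines) if e]


def summarize(events, port_of_interest=5100):
    """Counts per event kind, rule hits per destination port, and whether
    port_of_interest appears as source or destination of any rule match."""
    by_kind = Counter(e["kind"] for e in events)
    rule_hits = Counter(e["dport"] for e in events if e["kind"] == "firewall_rule_match")
    mentions = any(e["kind"] == "firewall_rule_match"
                   and port_of_interest in (e["sport"], e["dport"]) for e in events)
    return {"by_kind": dict(by_kind), "rule_hits_by_dport": dict(rule_hits),
            "mentions_port": mentions}


def smtp_failure_period_minutes(events):
    """Typical gap between SMTP failures; about 60 means a scheduled hourly
    report that keeps being refused, i.e. a notifier misconfiguration, not traffic."""
    ts = sorted(e["ts"] for e in events if e["kind"] == "smtp_notify_error")
    if len(ts) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return round(statistics.median(gaps) / 60)


if __name__ == "__main__":
    evs = parse_router_log(SAMPLE_LOG.splitlines())
    print(summarize(evs))
    print("SMTP failures every ~%s min" % smtp_failure_period_minutes(evs))
```

Run over the full log from the post, the summary shows only inbound rule matches on ports 2309, 2310, 2373 and 5900 and no entry involving 5100, which is consistent with the router never seeing that traffic on its WAN side; the SMTP lines recur at a fixed hourly interval and are a reporting problem rather than evidence about the traffic.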
It’s quite odd! The vast majority of the packets consist of your computer establishing a connection with the router:
Connection establisher
Request SYN
Acknowledged SYN+ACK
FIN
RST
That’s it!
However, there are a couple of odd packets that consist of a UPnP request from the PC to the router, which are tied in with what appears to be Firefox 4?
The router logs suggest you’ve got a problem with the email notification settings. It might be worth turning those off temporarily.
Guess you mean the router’s email notifications for alerts, logs etc? OK turned it off (it never worked actually, though I thought I had entered gmail’s smtp correctly). So… what about those odd packets (affirm it’s FF v4 here), should I worry about them… maybe dig a bit more?
Apart from the packets I mentioned, there’s nothing useful happening in the capture. I’ll take another look at those today.
I’m thinking now about getting you to run Process Monitor. Maybe it will tell us more about internal requests.
Not sure where to go with this one now. Ronny had a look at the WS capture and pretty much said what I said to you. One suggestion offered, disable the BITS service and see if this has any impact.
I installed the NetPerSec application to see if that produced a result on my XP test system, alas, nothing was forthcoming. Procmon didn’t tell us anything. You’ve scanned with just about everything and nothing has shown up.
At this point my thoughts are:
- There is an unknown application/service on your PC that’s using svchost to produce these connection attempts.
- There is a ‘bug’ or conflict perhaps being caused by an incorrect/failed installation
- There is some configuration option in the router causing these connections
- There is a piece of malware that is ‘undetectable’ :-\
In terms of options:
- Reinstall CIS making sure you have correctly removed all other security packages you may have previously installed, first. Use the appropriate removal tools found at Uninstallers (removal tools) for common antivirus software (Thanks EricJH for the link)
- Uninstall applications one-by-one and see if the problem stops
- Reinstall XP
Doubt it’s a router’s problem… doesn’t happen with my linux or my other xp pc that are directly (ethernet) connected to the router… (even connected them with their wifi only, just to check). Will do as you say, fully uninstall all security apps (checking if the problem stops after each uninstallation), then Comodo, then reinstall. I’d drop XP reinstallation (I’d rather move to Win 7). Thanx pal, will keep you informed!
I missed this from a previous post (it’s nested in another quote). An answer to Rad’s straw clutch.
TCP/UDP 5100 is mainly used for sending and receiving webcam feeds to/from other users. UDP isn’t actually used, but it usually needs to be enabled for the service to work.
So, un-plug the webcam & disable any associated software for it and see if that quietens 5100.
@kail: Yeah did that yesterday (had a pvt msg with Radaghast about it) uninstalling my Logitech cam (usb cable+drv+app) after first disabling it and uninstalling it from device manager… After rebooting, the problem persisted. Anyway the cam is here (and on previous system) for more than 7 years, but the p.5100 problem started only recently. I have a paranoid idea that all this has somehow to do with openvpn! Will try some troubleshooting and repost. Think that the last time this problem reoccurred (and is present since a few days) I was enabling a vpn connection…
What it does is walk over and over again on these UPnP queries.
<m:GetStatusInfo xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1"/>
<m:GetTotalBytesSent xmlns:m="urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1"/>
<m:GetTotalBytesReceived xmlns:m="urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1"/>
<m:GetTotalPacketsSent xmlns:m="urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1"/>
<m:GetTotalPacketsReceived xmlns:m="urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1"/>
<m:GetCommonLinkProperties xmlns:m="urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1"/>
And that every second. So it looks like it’s querying for available BW real-time.
Here is a similar issue, seems like some form of corruption somewhere…
http://forums.techguy.org/networking/902977-solved-constantly-up-downloading-traffic.html
After a little more analysis, I’ve found the following:
Each connection consists of ten frames. Eight of those are standard TCP set-up (SYN, SYN/ACK, FIN, RST etc.) Two frames are TCP PSH (Push) frames, one from the PC to the router:
POST /ctl/CmnIfCfg HTTP/1.1
Content-Type:text/xml; charset="utf-8"
SOAP Action: "urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1#GetTotalBytesSent"
User-Agent: Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)
Host: 192.168.0.1:5100
Content-Length: 309
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<m:GetTotalBytesSent xmlns:m="urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1"/>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
and the other, which is a response, from the router to the PC:
HTTP/1.1 200 OK
Content-Type: text/xml
Connection: close
Content-Length: 353
Server: Netgear/1.0 UPnP/1.0 miniupnpd/1.0
<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:GetTotalBytesSentResponse xmlns:u="urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1">
<NewTotalBytesSent>2916278884</NewTotalBytesSent>
</u:GetTotalBytesSentResponse>
</s:Body>
</s:Envelope>
Based on the above:
- Is your router connected directly to the Internet, or is there a modem in-between?
- Are you using a games console on your LAN? (PS3/XBOX)
- Are you using any p2p clients with upnp port forwarding?
- Which firefox extensions are you using?
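To make the exchange above concrete, here is an added example (not code from the thread or from the router vendor) that parses the two PSH frames as a defender would when checking what a poller on port 5100 is actually asking for, and then computes what such a poller gets out of the answer. It parses the control request (SOAPACTION header plus the SOAP body, checking that the two agree), parses the router's response and pulls out `NewTotalBytesSent`, and turns successive counter readings into a bytes-per-second rate. The counters in WANCommonInterfaceConfig:1 are ui4 state variables, so the rate calculation handles the wrap at 2^32; that matters here because the value in the capture, 2916278884, is already past two thirds of that range. The request and response texts are constructed to mirror the capture (the capture shows the header as `SOAP Action`; the code normalises header names so that spelling and the specified `SOAPACTION` both work), and the counter samples are made up.

```python
"""Parse the UPnP WANCommonInterfaceConfig SOAP exchange seen on router
port 5100 and derive what a polling client computes from it.

Added example; not code from the thread.  The request/response texts are
constructed to mirror the posted capture; the counter samples are invented.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANCIC = "urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1"
UI4_MODULUS = 2 ** 32  # TotalBytesSent etc. are ui4 state variables and wrap


def build_request(action="GetTotalBytesSent", soapaction_header="SOAPAction"):
    """Control request like the one the PC sent to the router (constructed)."""
    body = (
        '<?xml version="1.0"?>\r\n'
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}"\r\n'
        ' SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">\r\n'
        "<SOAP-ENV:Body>\r\n"
        f'<m:{action} xmlns:m="{WANCIC}"/>\r\n'
        "</SOAP-ENV:Body>\r\n"
        "</SOAP-ENV:Envelope>\r\n"
    )
    headers = [
        "POST /ctl/CmnIfCfg HTTP/1.1",
        'Content-Type: text/xml; charset="utf-8"',
        f'{soapaction_header}: "{WANCIC}#{action}"',
        "User-Agent: Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)",
        "Host: 192.168.0.1:5100",
        f"Content-Length: {len(body.encode())}",
        "Connection: Keep-Alive",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


# Router reply as shown in the capture (constructed to match it).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/xml\r\n"
    "Connection: close\r\n"
    "Server: Netgear/1.0 UPnP/1.0 miniupnpd/1.0\r\n"
    "\r\n"
    '<?xml version="1.0"?>\r\n'
    f'<s:Envelope xmlns:s="{SOAP_NS}"\r\n'
    ' s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">\r\n'
    "<s:Body>\r\n"
    f'<u:GetTotalBytesSentResponse xmlns:u="{WANCIC}">\r\n'
    "<NewTotalBytesSent>2916278884</NewTotalBytesSent>\r\n"
    "</u:GetTotalBytesSentResponse>\r\n"
    "</s:Body>\r\n"
    "</s:Envelope>\r\n"
)


def _split_http(raw):
    """Split an HTTP message into (start line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    if not body:
        head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Header names are case-insensitive; also accept the "SOAP Action"
        # spelling the capture printed alongside the specified SOAPACTION.
        headers[name.replace(" ", "").strip().lower()] = value.strip()
    return lines[0], headers, body


def _local(tag):
    """Split an ElementTree '{ns}name' tag into (ns, name)."""
    if tag.startswith("{"):
        ns, _, name = tag[1:].partition("}")
        return ns, name
    return "", tag


def _soap_body_child(xml_text):
    env = ET.fromstring(xml_text)
    body = env.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("no SOAP Body element")
    return body[0]


def parse_soap_request(raw):
    start, headers, body = _split_http(raw)
    method, path, _ = start.split(" ", 2)
    elem = _soap_body_child(body)
    service, action = _local(elem.tag)
    declared = headers.get("soapaction", "").strip('"')
    if declared != f"{service}#{action}":  # header and body must name the same action
        raise ValueError(f"SOAPACTION {declared!r} does not match body {service}#{action}")
    return {"method": method, "path": path, "host": headers.get("host"),
            "service": service, "action": action,
            "args": {_local(c.tag)[1]: c.text for c in elem}}


def parse_soap_response(raw):
    start, headers, body = _split_http(raw)
    status = int(start.split(" ", 2)[1])
    elem = _soap_body_child(body)
    service, name = _local(elem.tag)
    if not name.endswith("Response"):
        raise ValueError(f"unexpected body element {name}")
    args = {}
    for child in elem:
        text = (child.text or "").strip()
        args[_local(child.tag)[1]] = int(text) if text.isdigit() else text
    return {"status": status, "server": headers.get("server"), "service": service,
            "action": name[: -len("Response")], "args": args}


def bytes_per_second(samples):
    """Rates between consecutive (seconds, counter) samples, handling ui4 wrap."""
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("samples must be strictly increasing in time")
        delta = (c1 - c0) % UI4_MODULUS  # a wrapped counter still gives a positive delta
        rates.append(delta / (t1 - t0))
    return rates


if __name__ == "__main__":
    print(parse_soap_request(build_request()))
    print(parse_soap_response(SAMPLE_RESPONSE))
    print(bytes_per_second([(0, 2916278884), (1, 2916291172)]))  # 12288 B/s
```

Read together with the six actions listed earlier in the thread, this is exactly what a bandwidth meter needs: two counters per direction plus `GetCommonLinkProperties` for the link's nominal rate and `GetStatusInfo` for the WAN connection state, sampled once a second. The exchange is LAN-only (the `Host` header names the router's private address) and unauthenticated, which is why it shows up in the local firewall log but never in the router's WAN-side log.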
- Directly connected
- PS3 (wifi) but I’m neither forwarding p. 5100 to it, nor is the PS3 ON at any point (not even my wifi, which I mostly keep off for security reasons)
- Rarely utorrent (but it’s not a running process and its port is different)
- See attached jpgs
You might want to know the weird behavior has stopped all by its own (imagine that!)… Three reboots from Friday and it has not occurred again! Didn’t uninstall anything yet, didn’t kill anything. Same system boot doesn’t produce the result it was delivering for several days before! I tend to believe I’m gonna see it again though…
Any thoughts on 1,2,3,4??
[attachment deleted by admin]
With regard to 1 to 4, I’m really just covering bases. All of those were potential candidates for generating UPnP packets.
I’m not familiar with a couple of those firefox addons, so I’ll have a look at those, not that I believe any of them are the cause.
Interesting it’s stopped again, what’s changed since Friday?
I’m beginning to suspect this is something on the router, are you using custom firmware?
Didn’t change anything except from uninstalling the cam!!
I disabled, uninstalled the device and all its drivers+software, unplugged usb, but to no avail (ie the problem was still there after @least 2 reboots and with the cam unplugged and its s/w-drv out of the system) then reinstalled again with the problem STILL there (even after rebooting several times). Dunno if all this had to do with “corrupted” software/drivers installation or not.
It’s so weird, this behavior had appeared (again), right from boot to reboot for almost 9+ days. Suddenly after a reboot, it redisappeared. Remember the other time, it stopped after disabling telephony and remote desktop administration access and did NOT come up, after re-enabling them as “on-demand” and having them being running. I wasn’t able to tell what triggered it again after a few days, I just thought it was a vpn connection (which wasn’t). BEFORE it re-disappeared, I tampered with killing those services again, to see if I actually could stop the problem. To my surprise I couldn’t!! Disabled them for next boot, rebooted with them inactive, still there. Re-enabled them as “on-demand” problem still there (with them started or not after reboot). And after several boots (for other reasons) the problem stopped… all by its own. No lights blinking on the router, no traffic in Netpersec or comodo logs no tries from the PC to router’s p. 5100.
No changes on registry’s \currentversion\run\ , no changes in start of msconfig, and I reverted back the changes I did to services.msc
The only one I can think of is the camera - which btw was working “properly”. Then again, the way it twice stopped and restarted is so peculiar, especially the fact that it persisted after reinstalling the cam and rebooting.
Router’s firmware is from NETGEAR, wouldn’t easily mess with custom ones unless I had something serious to gain