When I start up, Comodo Network Defence tells me svchost.exe is making a UDP connection from address
0.0.0.0:68 to 255.255.255.255:67.
I know ports 67 & 68 are for Bootstrap Protocol, but this is not a disk-less workstation (are there any of these any more?)
Why would svchost.exe be using address 0.0.0.0 and this port? Or is this a trojan?
Since I found an answer to my query elsewhere, I thought I'd post the answer in case someone else is worrying about this:
"Typically this traffic is related to normal DHCP operation and is not an attack on your network. DHCP (Dynamic Host Configuration Protocol) is how your computer gets its unique IP address. When a system starts up on a network it must first request an IP address (assume it is not using a static IP address), and it does this by broadcasting a request to the DHCP server:
UDP 0.0.0.0:68 → 255.255.255.255:67
Since the requesting system doesn’t have an IP address (why it is asking) it uses 0.0.0.0, and since it's new to the network it doesn’t know where the DHCP server is, so it broadcasts the request to the entire network (255.255.255.255)."
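As an added illustration that is not part of the original thread: the address and port pair alone does not prove a packet is DHCP, so a defender who has captured the UDP payload can confirm it is a well-formed client message. The function names and the sample packet (made-up transaction ID and MAC) are constructed for this example.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131: marks the start of DHCP options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload: bytes) -> dict:
    """Parse a BOOTP/DHCP UDP payload; raise ValueError if it is malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short or no magic cookie)")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    if hlen > 16:
        raise ValueError("hardware address length exceeds chaddr field")
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:  # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        options[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    mtype = options.get(53, b"")  # option 53 = DHCP message type
    return {
        "op": op,  # 1 = request from client, 2 = reply from server
        "xid": xid,
        "ciaddr": socket.inet_ntoa(payload[12:16]),
        "mac": payload[28:28 + hlen].hex(":"),
        "type": MSG_TYPES.get(mtype[0]) if len(mtype) == 1 else None,
    }

def is_normal_client_broadcast(src, dst, payload) -> bool:
    """True when addresses, ports and payload all match a client DHCP broadcast."""
    if src != ("0.0.0.0", 68) or dst != ("255.255.255.255", 67):
        return False
    try:
        msg = parse_dhcp(payload)
    except ValueError:
        return False
    return msg["op"] == 1 and msg["type"] in ("DISCOVER", "REQUEST")

def build_sample_discover() -> bytes:
    """Constructed sample DHCPDISCOVER (made-up xid and MAC), not a real capture."""
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, 0x8000)
    fixed += bytes(16)                                   # ciaddr, yiaddr, siaddr, giaddr
    fixed += bytes.fromhex("020000000001") + bytes(10)   # chaddr padded to 16 bytes
    fixed += bytes(192)                                  # sname + file, unused here
    return fixed + MAGIC_COOKIE + b"\x35\x01\x01\xff"    # option 53 = DISCOVER, end
```

A payload on these ports that fails the check (no magic cookie, or a truncated option) is the case worth a closer look.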
How would this apply to a LAN that has no internet connection but still uses DHCP for IP address allocation???
AFAIK, DHCP is purely an internal operation, where LAN workstations will contact a DHCP server on the interior of the LAN.
Port 1900 is generally used for UPnP discovery and is unrelated to DHCP.
After the DHCP request has been resolved, there very well may be other traffic (maybe even the traffic you’ve described), but this subsequent traffic is absolutely unrelated to the DHCP discovery and resolution.
Let’s not complicate things by introducing unrelated info.
Thanks for the replies.
Now that I have the experts here, could someone tell me why Comodo’s Active Connections differs from what you get using NETSTAT?