So interesting thing..... I was wiresharking my network to try to capture some particular data when I noticed something very strange...

There's UDP broadcasts coming from only one laptop, I know this because of the 255.255.255.255 destination used, however I'm very new to the networking world and to Wireshark.

So.. the source is always the same, which is the IP address of the laptop (Which happens to be our COO's, lol), except the port changes, whatever's happening it seems to increment the port by 1 on each broadcast. In the "info" section of wireshark, the destination port is always the same, 34447. The source port however, changes to wierd things like "myblast", "minilock", "ibm-mgr", etc.

I remotely connected to his registry and checked some very basic general stuff, and checked his system32 folder for any newly modified or obviously bogus files. Came up with nada.

Is this traffic normal? His laptop is the only one doing it. How can I get to the root of this?

Those Broadcasts will never leave your network, so your safe in that respect, however this is not normal behaviour. I would run a full virus scan, spyware scan and rootkit scan.

Starting with rootkit revealer since anything potentially malicious should have been picked up by your AV and shouldnt have made it as far as the NIC.
See what that comes up with and let us know
Cheers

Hmmmm, I'll have to get with the Sr. Sys Admin and figure out the best way about getting that done politely lol. I'll update what we find.

Honestly, there's been several occasions where Trend Micro OfficeScan doesn't pick up something, I've gotten tired of sending them samples(aka doing their job for them).
---BUT----
It may not even be installed on this laptop; it's his personal(Don't blast me, I already know what a bad idea that is.. ).

That's the most important info. What servers are listening on port 34447? The laptop is probably trying to find a printer or something. If the destination port was incrementing, it would likely be a scanner. 34447 is a non standard port so it's probably not malware trying to infect other pcs.

Oh yeah I definitely know it's not trying to infect other PCs; I've seen what that looks like in action with the Mario Forever virus *sigh*.

So to recap...

The source port increments by 1... so this wouldn't be a port scanner right? Wouldn't it be a port scanner if the destination port was incrementing?

As for it trying to find a printer... maybe but.... this is what I don't get...

*UPDATE*

Just had a talk with my system admin and have a much better understanding.

So something is trying to contact anything that will speak with it on port 34447. THe wierd names are just related to the port table in wireshark, and since it's incrementing by 1, thats why the name changes; I can label the port numbers whatever I want. I didn't know this; I thought it was something that was being read in the packet.

I don't think it's looking for a printer as it's a non-standard port and maybe because it's using UDP broadcasts which is fire-and-forget, but then again I'm not sure what normal activity looks like. We have a print server and I think I would see the destination as the IP address of that print server instead of these broadcasts, but, as said earlier, I'm no networking expert.

Possible things that use that port:

rFactor
http://portforward.com/english/routers/por...eed/rFactor.htm
http://en.wikipedia.org/wiki/RFactor

F1 Challenge
http://www.portforward.com/english/applica..._99-02index.htm

I can only find these racing games that use that port.