Non-existing IP found from "Process Monitor"

  • Question

  • Dear Support, 

    In a “Process Monitor” log captured on our DC, there are some abnormal SMB attempts to a non-existing IP, 172.16.1.1. 
    Do you have any idea what these non-existing IPs are?

    Log “Process Monitor”:
    "11:08:38.7169055 AM","System","4","TCP Reconnect","DC1.CONTOSO.LOCAL:53376 -> 172.16.1.1:microsoft-ds","SUCCESS","Length: 0, seqnum: 0, connid: 0"

    "10:21:12.5756273 AM","System","4","TCP Reconnect","DC1.CONTOSO.LOCAL:59862 -> 172.21.163.17:microsoft-ds","SUCCESS","Length: 0, seqnum: 0, connid: 0"

    "10:21:12.5756311 AM","System","4","TCP Reconnect","DC1.CONTOSO.LOCAL:59861 -> 172.23.144.1:microsoft-ds","SUCCESS","Length: 0, seqnum: 0, connid: 0"

    Reference:

    TCP and UDP ports used by Apple software products
    https://support.apple.com/en-us/HT202944
    445 TCP Microsoft SMB Domain Server microsoft-ds

    Port 445 is opened on a Windows Server when using the Windows Event Collector
    https://support.symantec.com/en_US/article.TECH88796.html
    According to Microsoft port 445 is the microsoft-ds (NetBios helper) port and also used for
    SMB Fax Service 
    SMB Print Spooler 
    SMB Server 
    SMB Remote Procedure Call Locator 
    SMB Distributed File System 
    SMB Net Logon

    Process Monitor v3.50
    https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

    Thanks!

    Best Regards, 
    Daniel 



    • Edited by Daniel Chiu Tuesday, December 25, 2018 3:11 PM
    Friday, December 21, 2018 9:54 AM
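
One way to triage an export like the one quoted in the question, as an added example that is not part of the original post: it parses Process Monitor CSV rows, counts outbound TCP events whose destination port is microsoft-ds (445), and lists destination IPs that fall outside the subnets you expect. The `KNOWN_SUBNETS` value and the function names are assumptions made for illustration; the sample rows are the three from the post.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample: the three rows quoted in the post, in Procmon's CSV
# column order (Time of Day, Process Name, PID, Operation, Path, Result, Detail).
SAMPLE = '''"11:08:38.7169055 AM","System","4","TCP Reconnect","DC1.CONTOSO.LOCAL:53376 -> 172.16.1.1:microsoft-ds","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:21:12.5756273 AM","System","4","TCP Reconnect","DC1.CONTOSO.LOCAL:59862 -> 172.21.163.17:microsoft-ds","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:21:12.5756311 AM","System","4","TCP Reconnect","DC1.CONTOSO.LOCAL:59861 -> 172.23.144.1:microsoft-ds","SUCCESS","Length: 0, seqnum: 0, connid: 0"
'''

# Assumption (constructed value): subnets your site really routes. Replace it.
KNOWN_SUBNETS = [ipaddress.ip_network("172.21.0.0/16")]

# Procmon shows the service name unless address/port resolution is disabled.
SMB_PORTS = {"microsoft-ds", "445"}


def smb_destinations(csv_text):
    """Count TCP events per (process, pid, destination host) on the SMB port."""
    counts = Counter()
    for row in csv.reader(io.StringIO(csv_text)):
        # Skip blank lines, a header row, and non-network operations.
        if len(row) < 5 or not row[3].startswith("TCP") or " -> " not in row[4]:
            continue
        _, dst = row[4].split(" -> ", 1)
        # Split on the last colon so IPv6 destinations keep their address.
        host, _, port = dst.strip().rpartition(":")
        if port in SMB_PORTS:
            counts[(row[1], row[2], host)] += 1
    return counts


def unexpected(counts, known=KNOWN_SUBNETS):
    """Return (ip, process, pid, events) for raw IPs outside the known subnets."""
    flagged = []
    for (proc, pid, host), n in counts.items():
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # Procmon resolved this one to a hostname; not a raw IP.
        if not any(addr in net for net in known):
            flagged.append((host, proc, pid, n))
    return sorted(flagged)


if __name__ == "__main__":
    for ip, proc, pid, n in unexpected(smb_destinations(SAMPLE)):
        print(f"{ip}\t{proc} (PID {pid})\t{n} event(s)")
```

Run it against the full CSV saved from Process Monitor rather than the three sample rows to see how often each destination recurs.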