Why is MS listening

on 15.07.2007 17:36:23 by nospam

Dear Group,

I am wondering about several lines in the return to a
netstat -a
command on my pc!

They show that microsoft is listening. Is this legitimate and which
program is served by these connections?

TCP x-xxxxxxxxxxx:microsoft-ds g-xxxxxxxxxxx:0 LISTENING
UDP x-xxxxxxxxxxx:microsoft-ds *:*

There are two more lines which I do not know what they could refer to
UDP x-almjf4iscdqrx:isakmp *:*
UDP x-almjf4iscdqrx::4500 *:*

What do they refer to?

I don't know whether it is worth it, but I changed my PC name to all xs.

Is there a document which explains the meaning of these lines?

Thanks for any helpful replies.

GR.

Re: Why is MS listening

on 15.07.2007 19:35:13 by John Mason Jr

NoSpam wrote:
> Dear Group,
>
> I am wondering about several lines in the return to a
> netstat -a
> command on my pc!
>
> They show that microsoft is listening. Is this legitimate and which
> program is served by these connections?
>
> TCP x-xxxxxxxxxxx:microsoft-ds g-xxxxxxxxxxx:0 LISTENING
> UDP x-xxxxxxxxxxx:microsoft-ds *:*
>
> There are two more lines which I do not know what they could refer to
> UDP x-almjf4iscdqrx:isakmp *:*
> UDP x-almjf4iscdqrx::4500 *:*
>
> What do they refer to?
>
> I dont know whether it is worth is, but I changed by PC name to all xs.
>
> Is there a document which explains the meaning of these lines?
>
> Thanks for any helpful replies.
>
> GR.
>
>
>




You might find tcpview useful, a GUI with the same info




John

Re: Why is MS listening

on 15.07.2007 19:40:56 by Burkhard Ott

On Sun, 15 Jul 2007 15:36:23 +0000, NoSpam wrote:

> TCP x-xxxxxxxxxxx:microsoft-ds g-xxxxxxxxxxx:0 LISTENING
> UDP x-xxxxxxxxxxx:microsoft-ds *:*

Microsoft shares via NetBIOS (see network environment on your desktop),
the printer stuff is afaik a standard share, the same is $C if I remember
correctly.

> There are two more lines which I do not know what they could refer to
> UDP x-almjf4iscdqrx:isakmp *:*
> UDP x-almjf4iscdqrx::4500 *:*
>

M$ IPSec implementation, port 500 is IPSec without NAT traversal, 4500 is
(mostly) behind a firewall (NAT).

> I dont know whether it is worth is, but I changed by PC name to all xs.

It doesn't matter.

> Is there a document which explains the meaning of these lines?

google.com look for ipsec windows and microsoft data shares or similar

Re: Why is MS listening

on 15.07.2007 20:35:43 by Ansgar -59cobalt- Wiechers

Burkhard Ott wrote:
> On Sun, 15 Jul 2007 15:36:23 +0000, NoSpam wrote:
>> TCP x-xxxxxxxxxxx:microsoft-ds g-xxxxxxxxxxx:0 LISTENING
>> UDP x-xxxxxxxxxxx:microsoft-ds *:*
>
> Microsoft shares via Nebios

Nope. microsoft-ds is short for Microsoft DirectSMB (port 445), which is
an alternative method to access shares. NetBIOS uses different ports:

135/tcp RPC portmapper
137/udp NetBIOS name service
138/udp netbios datagram service
139/tcp NetBIOS session service

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
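
The netstat lines asked about in this thread, parsed and annotated with the ports and roles given in the replies (an added example, not code from any poster). The service names in `NAME_TO_PORT` are the ones the Windows `services` file uses; the `ESTABLISHED` line in the sample is constructed.

```python
from typing import List, NamedTuple, Optional

# Names netstat prints (from the Windows "services" file) and their ports.
NAME_TO_PORT = {"epmap": 135, "netbios-ns": 137, "netbios-dgm": 138,
                "netbios-ssn": 139, "microsoft-ds": 445, "isakmp": 500}
# Roles as given in the replies in this thread.
ROLE = {135: "RPC portmapper", 137: "NetBIOS name service",
        138: "NetBIOS datagram service", 139: "NetBIOS session service",
        445: "Direct SMB (file and printer shares)",
        500: "ISAKMP/IKE key exchange for IPsec",
        4500: "IPsec NAT traversal (UDP-encapsulated ESP)"}

class Endpoint(NamedTuple):
    proto: str
    host: str
    port: Optional[int]   # None when the service name is not in the table
    state: str            # empty for UDP, which has no connection state
    role: str

def parse_line(line: str) -> Optional[Endpoint]:
    fields = line.split()
    if len(fields) < 3 or fields[0].upper() not in ("TCP", "UDP"):
        return None                       # banner, column header, blank line
    host, _, svc = fields[1].rpartition(":")
    host = host.rstrip(":")               # tolerates the "host::4500" form
    port = int(svc) if svc.isdigit() else NAME_TO_PORT.get(svc.lower())
    state = fields[3] if len(fields) > 3 else ""
    return Endpoint(fields[0].upper(), host, port, state,
                    ROLE.get(port, "not covered in this thread"))

def listeners(text: str) -> List[Endpoint]:
    """Sockets that accept unsolicited traffic: TCP LISTENING or any bound UDP."""
    eps = (parse_line(l) for l in text.splitlines())
    return [e for e in eps
            if e and (e.proto == "UDP" or e.state == "LISTENING")]

# Constructed sample: the four lines quoted in the thread plus one outbound
# connection (hypothetical) that must not be reported as a listener.
SAMPLE = """\
  Proto  Local Address              Foreign Address        State
  TCP    x-xxxxxxxxxxx:microsoft-ds g-xxxxxxxxxxx:0        LISTENING
  TCP    x-xxxxxxxxxxx:1045         192.0.2.10:http        ESTABLISHED
  UDP    x-xxxxxxxxxxx:microsoft-ds *:*
  UDP    x-almjf4iscdqrx:isakmp     *:*
  UDP    x-almjf4iscdqrx::4500      *:*
"""

if __name__ == "__main__":
    for e in listeners(SAMPLE):
        print(f"{e.proto} {str(e.port):>5}  {e.role}")
```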

Re: Why is MS listening

on 15.07.2007 20:41:14 by nospam

John,

Thanks for your reply and the links.

As far as the links are concerned:

I had looked at TCPView for Windows v2.4 in link
http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx
but found no location for a download of the program. Where can I find one?

Unfortunately many of the useful features of netstat are not accessible to
me because they are available only in WinXP and in Winserver 2003. My system
is Win2000.

I still don't know why and what MS is listening to.

Thank you
GR.


"John Mason Jr" wrote in message
news:139kmmhjg4idaf2@news.supernews.com...
> NoSpam wrote:
> > Dear Group,
> >
> > I am wondering about several lines in the return to a
> > netstat -a
> > command on my pc!
> >
> > They show that microsoft is listening. Is this legitimate and which
> > program is served by these connections?
> >
> > TCP x-xxxxxxxxxxx:microsoft-ds g-xxxxxxxxxxx:0 LISTENING
> > UDP x-xxxxxxxxxxx:microsoft-ds *:*
> >
> > There are two more lines which I do not know what they could refer to
> > UDP x-almjf4iscdqrx:isakmp *:*
> > UDP x-almjf4iscdqrx::4500 *:*
> >
> > What do they refer to?
> >
> > I dont know whether it is worth is, but I changed by PC name to all xs.
> >
> > Is there a document which explains the meaning of these lines?
> >
> > Thanks for any helpful replies.
> >
> > GR.
> >
> >
> >
>
>
-us/netstat.mspx?mfr=true>
>
>
> You might find tcpview useful a GUI with same info
>
>
>
>
> John

Re: Why is MS listening

on 15.07.2007 21:20:20 by John Mason Jr

NoSpam wrote:
> John,
>
> Thanks for your reply and the links.
>
> As far as the links are concerned:
>
> I had looked at TCPView for Windows v2.4 in link
> http://www.microsoft.com/technet/sysinternals/Networking/Tcp View.mspx
> but found no location for a download of the program. Where can I find one?
>
> Unfortunately many of the useful features of netstat are not accessible to
> me
> because they are available only in WinXP and in Winserver 2003. My system
> in Win2000.
>
> I still dont know why and what MS is listening to.
>
> Thank you
> GR.



You can download the entire suite

It isn't "Microsoft" listening; it is your computer listening on port 445.

You might want to put your followup after the relevant section, as
"topposting" makes it harder for folks to follow the thread if they miss
a part or have done a search via google.

John



>
>
> "John Mason Jr" wrote in message
> news:139kmmhjg4idaf2@news.supernews.com...
>> NoSpam wrote:
>>> Dear Group,
>>>
>>> I am wondering about several lines in the return to a
>>> netstat -a
>>> command on my pc!
>>>
>>> They show that microsoft is listening. Is this legitimate and which
>>> program is served by these connections?
>>>
>>> TCP x-xxxxxxxxxxx:microsoft-ds g-xxxxxxxxxxx:0 LISTENING
>>> UDP x-xxxxxxxxxxx:microsoft-ds *:*
>>>
>>> There are two more lines which I do not know what they could refer to
>>> UDP x-almjf4iscdqrx:isakmp *:*
>>> UDP x-almjf4iscdqrx::4500 *:*
>>>
>>> What do they refer to?
>>>
>>> I dont know whether it is worth is, but I changed by PC name to all xs.
>>>
>>> Is there a document which explains the meaning of these lines?
>>>
>>> Thanks for any helpful replies.
>>>
>>> GR.
>>>
>>>
>>>
>>
>>
> > -us/netstat.mspx?mfr=true>
>>
>>
>> You might find tcpview useful a GUI with same info
>>
>>
>>
>>
>> John
>
>

Re: Why is MS listening

on 15.07.2007 21:44:11 by Sebastian Gottschalk

Ansgar -59cobalt- Wiechers wrote:


> Nope. microsoft-ds is short for Microsoft DirectSMB (port 445), which is
> an alternative method to access shares. NetBIOS uses different ports:
>
> 135/tcp RPC portmapper


NetBIOS doesn't use DCE-RPC at all.

> 137/udp NetBIOS name service
> 138/udp netbios datagram service
> 139/tcp NetBIOS session service


137/tcp and 139/udp might be used as well.

Re: Why is MS listening

on 16.07.2007 00:26:07 by nospam

Dear Helpers,

Thank you all for your help. Some of it is above my head and some
is very helpful.

There is one additional question which came up in the meantime.
When I do a
netstat -e 10
I get a large amount of bytes transferred each ten seconds for received
and sent. This number keeps increasing even though I lock the firewall
and there can't be any in- or outflow of data. Same happens when I pull
the phone plug. Any explanation???

Thanks
GR.

Re: Why is MS listening

on 16.07.2007 01:50:58 by MR. Arnold

"NoSpam" wrote in message
news:3axmi.4543$BI5.3759@trnddc07...
> Dear Helpers,
>
> Thank you all for your help. Some of it is above my head and some
> is very helpful.
>
> There is one additonal question which came up in the meantime.
> When I do a
> netstat -e 10
> I get a large amount of bytes tarnsferred each ten seconds for received
> and sent. This number keeps increasing even though I lock the firewall
> and there can't be any in- or ourflow of data. Same happens when I pull
> the phone plug. Any explanation???
>

The FW/packet filter running locally on the machine stops traffic between
machines or programs running on the machine like a host program running
locally on the machine that's communicating with its client program running
on a remote machine or a client program running locally on the machine with
its communications to its host program running on a remote machine, whether
that be the LAN or WAN.

IE browser program the client machine in communications with the Web server
program the server on the WAN.

A Remote Desktop client program in communications and controlling the remote
host/server program running on the remote machine on the LAN.

That's traffic that's going to be stopped by the FW/packet filter running
locally on the machine.

Re: Why is MS listening

on 16.07.2007 14:17:12 by Ansgar -59cobalt- Wiechers

NoSpam wrote:
> There is one additonal question which came up in the meantime.
> When I do a
> netstat -e 10
> I get a large amount of bytes tarnsferred each ten seconds for received
> and sent.

Ummm... "netstat -e 10" shows you network statistics every ten seconds.
It should not generate traffic by itself. At least AFAICS.

Anyway, if you want to know what that traffic is, netstat is not the
appropriate tool. You need a protocol analyzer (e.g. Wireshark [1]) and
some understanding of network protocols for that.

[1] http://www.wireshark.org/

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Why is MS listening

on 16.07.2007 18:02:08 by Burkhard Ott

On Sun, 15 Jul 2007 20:35:43 +0200, Ansgar -59cobalt- Wiechers wrote:

> Nope. microsoft-ds is short for Microsoft DirectSMB (port 445), which is
> an alternative method to access shares. NetBIOS uses different ports:
>
> 135/tcp RPC portmapper
> 137/udp NetBIOS name service
> 138/udp netbios datagram service
> 139/tcp NetBIOS session service

Yes I know what you mean, M$ calls that microsoft data share (AFAIK).

Re: Why is MS listening

on 16.07.2007 18:45:46 by Ansgar -59cobalt- Wiechers

Burkhard Ott wrote:
> On Sun, 15 Jul 2007 20:35:43 +0200, Ansgar -59cobalt- Wiechers wrote:
>> Nope. microsoft-ds is short for Microsoft DirectSMB (port 445), which is
                                             ^^^^^^^^^
>> an alternative method to access shares. NetBIOS uses different ports:
>>
>> 135/tcp RPC portmapper
>> 137/udp NetBIOS name service
>> 138/udp netbios datagram service
>> 139/tcp NetBIOS session service
>
> Yes I know what you mean, M$ calls that microsoft data share (AFAIK).

Read again.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Why is MS listening

on 16.07.2007 20:16:43 by Burkhard Ott

On Mon, 16 Jul 2007 18:45:46 +0200, Ansgar -59cobalt- Wiechers wrote:

> Burkhard Ott wrote:
>> On Sun, 15 Jul 2007 20:35:43 +0200, Ansgar -59cobalt- Wiechers wrote:
>>> Nope. microsoft-ds is short for Microsoft DirectSMB (port 445), which is
>                                             ^^^^^^^^^
>>> an alternative method to access shares. NetBIOS uses different ports:
>>>
>>> 135/tcp RPC portmapper
>>> 137/udp NetBIOS name service
>>> 138/udp netbios datagram service
>>> 139/tcp NetBIOS session service
>>
>> Yes I know what you mean, M$ calls that microsoft data share (AFAIK).
>
> Read again.
>
> cu
> 59cobalt

yup, I've found it on Microsoft's sites, I was pretty sure it's called
data-share, but you're right.

Re: Why is MS listening

on 23.07.2007 05:11:41 by Intuitive

Microsoft is not spying on you.

Nice observation; but they have better things to do with their time
....honestly, they do.

"microsoft-ds" is the recent(ish) name given to the new rendition of the
old Server Message Blocks (SMB), which is Common Internet File System
(CIFS).

What runs on UDP port 4500? I have no idea.

What runs on UDP port 500(isakmp)? Well, it's the ISAKMP service which
is run by IPSec on your Windows machine.



NoSpam wrote:
> Dear Group,
>
> I am wondering about several lines in the return to a
> netstat -a
> command on my pc!
>
> They show that microsoft is listening. Is this legitimate and which
> program is served by these connections?
>
> TCP x-xxxxxxxxxxx:microsoft-ds g-xxxxxxxxxxx:0 LISTENING
> UDP x-xxxxxxxxxxx:microsoft-ds *:*
>
> There are two more lines which I do not know what they could refer to
> UDP x-almjf4iscdqrx:isakmp *:*
> UDP x-almjf4iscdqrx::4500 *:*
>
> What do they refer to?
>
> I dont know whether it is worth is, but I changed by PC name to all xs.
>
> Is there a document which explains the meaning of these lines?
>
> Thanks for any helpful replies.
>
> GR.
>
>
>

Re: Why is MS listening

on 29.07.2007 08:54:06 by Christophe Vandeplas

Intuitive wrote:
> Microsoft is not spying on you.
>
> Nice observation; but they have better things to do with their time
> ...honestly, they do.
>
> "microsoft-ds" is the recent(ish) name given to the new rendition of the
> old Server Message Blocks (SMB), which is Common Internet File System
> (CIFS).
>
> What runs on UDP port 4500? I have no idea.

That's also for IPsec. Port 4500/udp is used for passing through NAT devices.
The data packets will not be encapsulated in ESP but in UDP packets over
that port.

More info in:
RFC 3715 IPsec-Network Address Translation (NAT) Compatibility Requirements
RFC 3947 Negotiation of NAT-Traversal in IKE
RFC 3948 UDP Encapsulation of IPsec ESP Packets

> What runs on UDP port 500(isakmp)? Well, it's the ISAKMP service which
> is run by IPSec on your Windows machine.
>
>
>
> NoSpam wrote:
>> Dear Group,
>>
>> I am wondering about several lines in the return to a
>> netstat -a
>> command on my pc!
>>
>> They show that microsoft is listening. Is this legitimate and which
>> program is served by these connections?
>>
>> TCP x-xxxxxxxxxxx:microsoft-ds g-xxxxxxxxxxx:0 LISTENING
>> UDP x-xxxxxxxxxxx:microsoft-ds *:*
>>
>> There are two more lines which I do not know what they could refer to
>> UDP x-almjf4iscdqrx:isakmp *:*
>> UDP x-almjf4iscdqrx::4500 *:*
>>
>> What do they refer to?
>>
>> I dont know whether it is worth is, but I changed by PC name to all xs.
>>
>> Is there a document which explains the meaning of these lines?
>>
>> Thanks for any helpful replies.
>>
>> GR.
>>
>>
>>


--
mailto:christophe@vandeplas.com
http://christophe.vandeplas.com
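
What a socket bound to UDP 4500 receives under the RFC 3948 encapsulation mentioned above, as an added example that is not part of the thread: a one-byte 0xFF NAT keepalive, IKE prefixed by the four-zero-byte non-ESP marker, or ESP starting with a non-zero SPI. The function name and the sample datagrams are constructed for illustration.

```python
import struct
from typing import Dict, Tuple

NON_ESP_MARKER = b"\x00\x00\x00\x00"        # four zero bytes precede IKE on port 4500
IKE_HEADER = struct.Struct("!8s8sBBBBII")   # ISAKMP header: cookies, next payload,
                                            # version, exchange type, flags, msg id, length

def classify_4500(payload: bytes) -> Tuple[str, Dict]:
    """Classify the UDP payload of a datagram sent to or from port 4500."""
    if payload == b"\xff":
        return "nat-keepalive", {}          # keeps the NAT mapping alive, carries no data
    if payload[:4] == NON_ESP_MARKER:
        body = payload[4:]
        if len(body) < IKE_HEADER.size:
            return "malformed", {}
        _, _, _, ver, xchg, _, _, length = IKE_HEADER.unpack_from(body)
        return "ike", {"version": f"{ver >> 4}.{ver & 0xF}",
                       "exchange_type": xchg, "length": length}
    if len(payload) >= 8:
        # An ESP SPI is never zero, which is what makes the marker unambiguous.
        spi, seq = struct.unpack_from("!II", payload)
        return "esp", {"spi": spi, "seq": seq}
    return "malformed", {}

# Constructed sample datagrams (not captured traffic).
SAMPLE_KEEPALIVE = b"\xff"
SAMPLE_IKE = NON_ESP_MARKER + IKE_HEADER.pack(
    b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, 28)
SAMPLE_ESP = struct.pack("!II", 0x1234ABCD, 7) + b"\x00" * 16

if __name__ == "__main__":
    for name, pkt in [("keepalive", SAMPLE_KEEPALIVE),
                      ("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP)]:
        print(name, classify_4500(pkt))
```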