
StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

Help: trls32.net and TCP port 61899

For some time now my router/firewall has been blocking connection attempts to

174.137.42.75 (trls32.net), TCP port 61899

This does not seem to be from malware but appears to correspond to browser activity.

Unfortunately I can find nothing meaningful (except for WhoIs below) about trls32.net

OrgName: RagingWire Enterprise Solutions, Inc.
OrgId: RES-35
Address: PO BOX 348060
City: Sacramento
StateProv: CA
PostalCode: 95834
Country: US
RegDate: 2006-12-27
Updated: 2012-07-16
Ref: »whois.arin.net/rest/org/RES-35

or TCP port 61899.

I'm hoping someone has an idea.
--
Don't feed trolls--it only makes them grow!

psloss
Premium
join:2002-02-24
Lebanon, KS

Not sure it definitively identifies the activity, but there is an A record for www.wireshark.org that points to 174.137.42.75.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

reply to StuartMW

I found that there's a product called Cascade Pilot

Riverbed® Cascade® Pilot software is a robust packet analysis console that enables users to quickly analyze multi-terabyte packet recordings on remote Cascade Shark appliances, Cascade Shark Virtual Edition, and Steelhead® WAN optimization products without having to transfer large packet captures files across the network.

that uses TCP port 61899.

I understand that Cascade Pilot Personal Edition has a client/server architecture but that these two parts must reside on the same system. Which port(s) does the client use and which port(s) does the server use?

The client is not bound to a specific port. The Server uses ports 61898 and 61899, but you can change them to whatever you prefer.

I've never heard of Cascade Pilot but maybe someone (Bob?) is trying to monitor my traffic. It's being blocked but I'd like to identify what is generating it.

BTW I do have and use Wireshark but my logs of attempts to trls32.net don't correspond with its usage. That said I have Wireshark running now to capture anything sent to TCP port 61899.
--
Don't feed trolls--it only makes them grow!


norwegian
Premium
join:2005-02-15
Outback

Riverbed products are a hardware compression box for helping transmission of user data. We use steelheads on our network.

I can check with our admin on this protocol?

--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to StuartMW

»cnet.robtex.com/174.137.42.html

Wireshark....
Pilot 61898/tcp Pilot Probe default control port
SEE BOTTOM PAGE 22
»www.cacetech.com/documents/Filte···2010.pdf

"Bob to Pilot.."

"I'm here Boss.."

"Head over to Galt's Gulch with the two finger probe and see if anyone is bending over today.."

"Roger that.."

"this is Bob not Roger.."

"Roger that Bob..surely you jest.."
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



norwegian
Premium
join:2005-02-15
Outback
reply to StuartMW

Also this seems pertinent to that site:

TRLS32.NET - Domain Information
Domain: TRLS32.NET
Registrar: LIME LABS, LLC
Registrar URL: »www.limedomains.com
Whois server: whois.limedomains.com
Created: 14-Sep-2011
Updated: 23-Oct-2012
Expires: 14-Sep-2012
Time Left: 0 days 0 hours 0 minutes
Status: redemptionPeriod
DNS servers: NS1.GOTONAMES.COM 64.92.114.5
             NS2.GOTONAMES.COM 64.90.182.175

Limedomains.com is GotoNames, a free domain host site.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

Well I already posted a WhoIs on trls32.net . Doesn't tell me a lot.

The requests go out, from a PC, between 1 and three times per day but during the time I'm using the machine. Yes that box has Wireshark on it but it has not been running at the time. I don't see any Wireshark related services running.

I do have Wireshark running today to see if I can capture packets directed to TCP port 61899.

FYI I see no port 61898 inbound or outbound stuff (both would be blocked) in my logs.
--
Don't feed trolls--it only makes them grow!



norwegian
Premium
join:2005-02-15
Outback

I doubt a Riverbed steelhead would have local access to a computer unless you were administering the console for it from that box. However you hint at not being aware of a Steelhead on your network.

The only other item for that port initially seems to be:
Xsan is Apple Inc.'s storage area network (SAN) or clustered file system for Mac OS X

Guess Wireshark will at least give you a little more info.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke


redwolfe_98
Premium
join:2001-06-11
kudos:1
reply to StuartMW

i am seeing the same thing that "name game" is seeing:

174.137.42.75 = www.wireshark.org

»ip.robtex.com/174.137.42.75.html



norwegian
Premium
join:2005-02-15
Outback


As psloss pointed out, it is a record for Wireshark. Just type the IP in the address field of your browser: without a DNS lookup, it is a direct link to Wireshark's home page.

I almost thought of Wireshark doing a lookup for updates, but using the home page address seems unusual to say the least.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to norwegian

said by norwegian:

However you hint at not being aware of a Steelhead on your network.

This is my home network. I know everything on it and there's no "Steelhead".

Seems like no-one can find anything other than that I've found myself.

Wireshark hasn't captured anything yet. Guess I'll leave it running...
--
Don't feed trolls--it only makes them grow!


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to norwegian

said by norwegian:

I almost thought of Wireshark doing a lookup for updates, but using the home page address seems unusual to say the least.

Well something would have to be running to look for updates. I keep saying, over and over again, Wireshark has not been running during these connection attempts nor can I find any service etc related to Wireshark.
--
Don't feed trolls--it only makes them grow!


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

reply to StuartMW

Ahh ha! Wireshark just captured stuff!

Hmmm, don't like the look of this

d3hmp0045zy3cs.cloudfront.net (port 80)
collector.webtuna.com (port 80)
ipv4.wireshark.org (port 80)
www.wireshark.org (port 61899)



norwegian
Premium
join:2005-02-15
Outback


You don't have the cloud plug-in installed?

I remember a year or so back somewhere there was discussion on this feature - I've not been playing with the product as much lately to be up to date with the software.

It seems the Riverbed steelhead compression hardware we run at work also has big ties to Wireshark - something I've only learnt from your questions in this topic, even though it is plastered all over the main page of Wireshark.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



ashrc4
Premium
join:2009-02-06
australia

reply to StuartMW

Do you have the HTTPS Everywhere add-on?

- s3.amazonaws.com/janrain.quilt/
+ - Equivalent to d3hmp0045zy3cs.cloudfront.net

Been looking at quilts lately?? WTf

»gitweb.torproject.org/https-ever···242ca8f2

WEBTUNA infers https look-ups also.
»www.webtuna.com/faqs/68-when-and···ata-sent

Which are delayed and sent back when available.
--
Paradigm Shift beta test pilot. "Dying to defend one's small piece of suburb...Give me something global...STAT!



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

reply to norwegian

said by norwegian:

You don't have the cloud plug-in installed?

Nope.
said by ashrc4:

Do you have the HTTPS Everywhere add-on?

Nope.

Haven't been looking at Quilts either.

I do have the Google Sharing add-on and have the HTTPS option selected.
--
Don't feed trolls--it only makes them grow!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

reply to StuartMW

All looks normal to me..what's not to like about it ?
What version/build of wireshark do you have?



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2


said by Name Game:

All looks normal to me..what's not to like about it ?

I don't like the d3hmp0045zy3cs.cloudfront.net name. Most people use a human readable name for hosts. "d3hmp0045zy3cs" looks iffy to me.

collector.webtuna.com looks like it's benign but "collector" of what?
said by Name Game:

What version/build of wireshark do you have?

The latest (1.8.3). The 61899 requests only seem (have to confirm) to originate from my Win7 x64 box although the 32-bit version of Wireshark 1.8.3 is on my WinXP box.

It would seem, from all the info in this thread, that Wireshark 1.8.3 x64 is "phoning home". I haven't heard of that before but will check into it. It's being blocked anyway.

Seems everyone wants to know your stuff these days
--
Don't feed trolls--it only makes them grow!



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to StuartMW

The collector...

Website Performance Monitoring - WebTuna provides real user passive website monitoring as a service. Find out what the real end users are doing on your site, and the level of service that your web application is performing to.

»www.webstatsdomain.com/domains/w···una.com/
When and Where is the WebTuna data sent?

Several metrics are collected from the DOM (Document Object Model) of the user's browser when the window.onload event fires. This is after the page has already loaded so it will not slow down the speed of the page load. A few bytes of information is sent asynchronously back via an HTTP(S) GET request to collector.webtuna.com where the data is processed and stored securely.

»www.webtuna.com/faqs/68-when-and···ata-sent
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



norwegian
Premium
join:2005-02-15
Outback

said by Name Game:

Several metrics are collected from the DOM (Document Object Model) of the user's browser when the window.onload event fires.

I remember being told to turn DOM storage off in browsers. I wonder if that would suggest any change in behavior? At least for IE and/or the default browser too as 2 tests?


norwegian
Premium
join:2005-02-15
Outback
reply to StuartMW

I'm not seeing the traffic off a newly downloaded x64 bit version.

I am seeing my bob2 broadcast all over the place and Google Chrome do the same.....I do not see the communications you see.

I have not rebooted nor allowed the option to "start at bootup" either, maybe a reboot and the startup option allowed may see traffic; I have my doubts it would make any difference though.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by norwegian:

I do not see the communications you see.

The traffic is not constant. Only happens 1-3 times per day.
quote:
The requests go out, from a PC, between 1 and three times per day but during the time I'm using the machine.

»Re: Help: trls32.net and TCP port 61899
--
Don't feed trolls--it only makes them grow!


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2


reply to StuartMW

SOLVED!

It's Javascript on the Wireshark homepage!

<script>
var EPISODES = EPISODES || {};
EPISODES.q = [];
EPISODES.marks = {};
EPISODES.newcookieVal = "3cf73358";
EPISODES.oldcookieVal = "e9d6ef01";
EPISODES.beaconUrl = "http://www.wireshark.org:61899/beacon/1x1.gif";
EPISODES.mark = function(mn, mt) { EPISODES.marks[mn] = mt || new Date().getTime() };
EPISODES.measure = function(en, st, en) { EPISODES.q.push(["measure", en, st, en || new Date().getTime()]); };
EPISODES.mark("firstbyte");
EPISODES.domContentLoaded = function(e) { EPISODES.mark("domcontentloaded"); };
if ("undefined" != typeof(window.attachEvent)) {
    window.attachEvent("onDOMContentLoaded", EPISODES.domContentLoaded);
} else if (window.addEventListener) {
    window.addEventListener("DOMContentLoaded", EPISODES.domContentLoaded, false);
}
(function() {
    var epjs = document.createElement("script");
    epjs.type = "text/javascript";
    epjs.async = true;
    epjs.src = "http://dmru24w46caus.cloudfront.net/episodes.v0.32.min.js";
    var s = document.getElementsByTagName("script")[0];
    s.parentNode.insertBefore(epjs, s);
})();
</script>

»www.wireshark.org:61899/beacon/1x1.gif

--
Don't feed trolls--it only makes them grow!
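The find above, together with Name Game's WebTuna note earlier in the thread, comes down to one check a defender can automate: pull every URL a page's inline and external scripts point at, flag any on a non-standard port, and match those destinations against the router's block log. The script below does that. It is an added example, not code from this thread or from Wireshark; the HTML fragment, the firewall log format and the name-to-address table are all constructed for the example (only the wireshark.org beacon URL and the 174.137.42.75 address come from the thread).

```python
"""Scan a page's scripts for beacon destinations and match them to firewall log lines.

Added example with constructed data; the log line format is hypothetical.
"""
import re
from urllib.parse import urlsplit

# Constructed page fragment: an inline Episodes-style snippet like the one found
# in the thread, plus one ordinary external script so both forms are exercised.
SAMPLE_HTML = """<html><head>
<script> var EPISODES = EPISODES || {};
EPISODES.beaconUrl = "http://www.wireshark.org:61899/beacon/1x1.gif";
(function() { var epjs = document.createElement("script");
epjs.src = "http://dmru24w46caus.cloudfront.net/episodes.v0.32.min.js"; })();</script>
<script src="https://cdn.example.net/app.js"></script>
</head><body>hello</body></html>"""

# Constructed firewall log lines in a hypothetical "ACTION PROTO src -> dst" format.
SAMPLE_LOG = """2012-11-02 09:14:03 BLOCK TCP 192.168.1.10:51234 -> 174.137.42.75:61899
2012-11-02 09:14:05 ALLOW TCP 192.168.1.10:51235 -> 174.137.42.75:80
2012-11-02 13:40:11 BLOCK TCP 192.168.1.10:52001 -> 174.137.42.75:61899
"""

# Constructed name-to-address table so the example runs offline; in practice
# use real DNS answers (the thread found this A record via robtex).
RESOLVED = {"www.wireshark.org": "174.137.42.75"}

SCRIPT_BODY_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc=[\"']([^\"']+)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
LOG_RE = re.compile(
    r"^(\S+ \S+) (BLOCK|ALLOW) TCP \S+ -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$"
)


def extract_script_urls(html):
    """Return URLs literal inside inline <script> bodies plus external script src values."""
    urls = []
    for m in SCRIPT_BODY_RE.finditer(html):
        urls.extend(URL_RE.findall(m.group(1)))
    urls.extend(SCRIPT_SRC_RE.findall(html))
    return urls


def classify(url):
    """Split a URL into host/port/path and flag ports other than 80 and 443."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return {"host": parts.hostname, "port": port, "path": parts.path,
            "nonstandard_port": port not in (80, 443)}


def nonstandard_port_urls(html):
    """The URLs worth a second look: script targets on unusual ports."""
    return [u for u in extract_script_urls(html) if classify(u)["nonstandard_port"]]


def correlate(html, log, resolved):
    """Match firewall log destinations (ip, port) against the page's script targets."""
    targets = {}
    for url in extract_script_urls(html):
        c = classify(url)
        targets[(resolved.get(c["host"], c["host"]), c["port"])] = url
    hits = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        key = (m.group(3), int(m.group(4)))
        if key in targets:
            hits.append({"time": m.group(1), "action": m.group(2),
                         "dst": f"{key[0]}:{key[1]}", "url": targets[key]})
    return hits


if __name__ == "__main__":
    for u in extract_script_urls(SAMPLE_HTML):
        print(u, classify(u))
    for h in correlate(SAMPLE_HTML, SAMPLE_LOG, RESOLVED):
        print(h)
```

Run against a saved copy of the page and an exported block log, the two 61899 entries line up with the beacon URL while the port 80 entry does not, which is exactly the evidence that closed this thread. The regexes deliberately only look at string literals; a beacon URL assembled at runtime would need the script to be executed, not scanned.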


norwegian
Premium
join:2005-02-15
Outback

Looks like you owe Name Game a beer then.



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to StuartMW

Tarnations Bullwinkle ! That Rocky Java Episode is so big I am sure it's where Mr Pee "Bobby" pulls a rabbit out of a hat.

»www.youtube.com/watch?NR=1&v=kRW7pITY5Cg&



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2


reply to norwegian

I do? Well, I don't mind buying him a virtual beer. In fact, free beers all round. It's past 5pm somewhere in the world!

Just made a firewall rule to drop that crap so my email box doesn't fill with warnings.

(Yes I have my router tell me when suspicious stuff happens)
--
Don't feed trolls--it only makes them grow!



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

The web bug beacon...1x1

»serverfault.com/questions/57747/···le-serve



norwegian
Premium
join:2005-02-15
Outback
reply to StuartMW

The info on "The collector and DOM", it's a new story with Obama and the CIA.
Pssstt: this isn't Twitter is it?

-----

Seriously though.
Glad you got it sorted.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to StuartMW

said by StuartMW:

I do? Well, I don't mind buying him a virtual beer. In fact, free beers all round. It's past 5pm somewhere in the world!

Just made a firewall rule to drop that crap so my email box doesn't fill with warnings.

(Yes I have my router tell me when suspicious stuff happens)

Illegitimi non carborundum
--
Gladiator Security Forum
»www.gladiator-antivirus.com/