StuartMW (Who Is John Galt?), Premium, join: 2000-08-06, Galt's Gulch, kudos: 2

Help: trls32.net and TCP port 61899

For some time now my router/firewall has been blocking connection attempts to
174.137.42.75 (trls32.net), TCP port 61899
This does not seem to be from malware but appears to correspond to browser activity.
Unfortunately I can find nothing meaningful (except for the WhoIs below) about trls32.net
OrgName: RagingWire Enterprise Solutions, Inc.
OrgId: RES-35
Address: PO BOX 348060
City: Sacramento
StateProv: CA
PostalCode: 95834
Country: US
RegDate: 2006-12-27
Updated: 2012-07-16
Ref: »whois.arin.net/rest/org/RES-35
or TCP port 61899.
I'm hoping someone has an idea.
-- Don't feed trolls--it only makes them grow!
psloss, Premium, join: 2002-02-24, Alpharetta, GA

Not sure it definitively identifies the activity, but there is an A record for www.wireshark.org that points to 174.137.42.75.
StuartMW (Who Is John Galt?), Premium, join: 2000-08-06, Galt's Gulch, kudos: 2

reply to StuartMW
I found that there's a product called Cascade Pilot

Riverbed® Cascade® Pilot software is a robust packet analysis console that enables users to quickly analyze multi-terabyte packet recordings on remote Cascade Shark appliances, Cascade Shark Virtual Edition, and Steelhead® WAN optimization products without having to transfer large packet capture files across the network.

that uses TCP port 61899.

I understand that Cascade Pilot Personal Edition has a client/server architecture but that these two parts must reside on the same system. Which port(s) does the client use and which port(s) does the server use?

The client is not bound to a specific port. The Server uses ports 61898 and 61899, but you can change them to whatever you prefer.

I've never heard of Cascade Pilot but maybe someone (Bob?) is trying to monitor my traffic. It's being blocked but I'd like to identify what is generating it.
BTW I do have and use Wireshark but my logs of attempts to trls32.net don't correspond with its usage. That said I have Wireshark running now to capture anything sent to TCP port 61899.
-- Don't feed trolls--it only makes them grow!
norwegian (WestNet Broadband)

Riverbed products are a hardware compression box for helping transmission of user data. We use Steelheads on our network.
I can check with our admin on this protocol?
-- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
Name Game, Premium, join: 2002-07-07, North Myrtle Beach, SC, kudos: 7

reply to StuartMW
»cnet.robtex.com/174.137.42.html
Wireshark.... Pilot 61898/tcp Pilot Probe default control port SEE BOTTOM PAGE 22 »www.cacetech.com/documents/Filte···2010.pdf
"Bob to Pilot.."
"I'm here Boss.."
"Head over to Galt's Gulch with the two finger probe and see if anyone is bending over today.."
"Roger that.."
"this is Bob not Roger.."
"Roger that Bob..surely you jest.."
-- Gladiator Security Forum »www.gladiator-antivirus.com/
norwegian (WestNet Broadband)

reply to StuartMW
Also this seems pertinent to that site:
TRLS32.NET - Domain Information
Domain: TRLS32.NET
Registrar: LIME LABS, LLC
Registrar URL: »www.limedomains.com
Whois server: whois.limedomains.com
Created: 14-Sep-2011
Updated: 23-Oct-2012
Expires: 14-Sep-2012
Time Left: 0 days 0 hours 0 minutes
Status: redemptionPeriod
DNS servers: NS1.GOTONAMES.COM 64.92.114.5, NS2.GOTONAMES.COM 64.90.182.175
TRLS32.NET - Whois Information
Limedomains.com is GotoNames, a free domain host site.
-- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
StuartMW (Who Is John Galt?), Premium, join: 2000-08-06, Galt's Gulch, kudos: 2

Well I already posted a WhoIs on trls32.net. Doesn't tell me a lot.
The requests go out, from a PC, between one and three times per day but during the time I'm using the machine. Yes that box has Wireshark on it but it has not been running at the time. I don't see any Wireshark related services running.
I do have Wireshark running today to see if I can capture packets directed to TCP port 61899.
FYI I see no port 61898 inbound or outbound stuff (both would be blocked) in my logs.
-- Don't feed trolls--it only makes them grow!
norwegian (WestNet Broadband)

I doubt a Riverbed Steelhead would have local access to a computer unless you were administering the console for it from that box. However you hint at not being aware of a Steelhead on your network.
The only other item for that port initially seems to be: Xsan is Apple Inc.'s storage area network (SAN) or clustered file system for Mac OS X
Guess Wireshark will at least give you a little more info.
-- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
reply to StuartMW
I am seeing the same thing that "name game" is seeing:
174.137.42.75 = www.wireshark.org
»ip.robtex.com/174.137.42.75.html
norwegian (WestNet Broadband)

As psloss pointed out it is a record for Wireshark. Just type the IP in the address field of your browser, without a DNS lookup, it is a direct link to Wireshark's home page.
I almost thought of Wireshark doing a lookup for updates, but using the home page address seems unusual to say the least.
-- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
StuartMW (Who Is John Galt?), Premium, join: 2000-08-06, Galt's Gulch, kudos: 2

reply to norwegian
said by norwegian: However you hint at not being aware of a Steelhead on your network.
This is my home network. I know everything on it and there's no "Steelhead".
Seems like no-one can find anything other than what I've found myself.
Wireshark hasn't captured anything yet. Guess I'll leave it running...
-- Don't feed trolls--it only makes them grow!
StuartMW (Who Is John Galt?), Premium, join: 2000-08-06, Galt's Gulch, kudos: 2

reply to norwegian
said by norwegian: I almost thought of Wireshark doing a lookup for updates, but using the home page address seems unusual to say the least.
Well something would have to be running to look for updates. I keep saying, over and over again, Wireshark has not been running during these connection attempts nor can I find any service etc. related to Wireshark.
-- Don't feed trolls--it only makes them grow!
StuartMW (Who Is John Galt?), Premium, join: 2000-08-06, Galt's Gulch, kudos: 2

reply to StuartMW
Ahh ha! Wireshark just captured stuff!
Hmmm, don't like the look of this
d3hmp0045zy3cs.cloudfront.net (port 80)
collector.webtuna.com (port 80)
ipv4.wireshark.org (port 80)
www.wireshark.org (port 61899)
norwegian (WestNet Broadband)

You don't have the cloud plug-in installed?
I remember a year or so back somewhere there was discussion on this feature - I've not been playing with the product as much lately to be up to date with the software.
It seems the Riverbed Steelhead compression hardware we run at work also has big ties to Wireshark - something I've only learnt from your questions in this topic, even though it is plastered all over the main page of Wireshark.
-- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
ashrc4, Premium, join: 2009-02-06, Australia

reply to StuartMW
Do you have the HTTPS Everywhere add-on?
s3.amazonaws.com/janrain.quilt/ - equivalent to d3hmp0045zy3cs.cloudfront.net
Been looking at quilts lately?? WTF
»gitweb.torproject.org/https-ever···242ca8f2
WebTuna infers https look-ups also. »www.webtuna.com/faqs/68-when-and···ata-sent
Which are delayed and sent back when available.
-- Paradigm Shift beta test pilot. "Dying to defend one's small piece of suburb...Give me something global...STAT!
StuartMW (Who Is John Galt?), Premium, join: 2000-08-06, Galt's Gulch, kudos: 2

reply to norwegian
said by norwegian: You don't have the cloud plug-in installed?
Nope.
said by ashrc4: Do you have the HTTPS Everywhere add-on?
Nope.
Haven't been looking at quilts either.
I do have the Google Sharing add-on and have the HTTPS option selected.
-- Don't feed trolls--it only makes them grow!
Name Game, Premium, join: 2002-07-07, North Myrtle Beach, SC, kudos: 7

reply to StuartMW
All looks normal to me..what's not to like about it? What version/build of Wireshark do you have?
StuartMW (Who Is John Galt?), Premium, join: 2000-08-06, Galt's Gulch, kudos: 2

said by Name Game: All looks normal to me..what's not to like about it?
I don't like the d3hmp0045zy3cs.cloudfront.net name. Most people use a human readable name for hosts. "d3hmp0045zy3cs" looks iffy to me.
collector.webtuna.com looks like it's benign but "collector" of what?
said by Name Game: What version/build of Wireshark do you have?
The latest (1.8.3). The 61899 requests only seem (have to confirm) to originate from my Win7 x64 box although the 32-bit version of Wireshark 1.8.3 is on my WinXP box.
It would seem, from all the info in this thread, that Wireshark 1.8.3 x64 is "phoning home". I haven't heard of that before but will check into it. It's being blocked anyway.
Seems everyone wants to know your stuff these days
-- Don't feed trolls--it only makes them grow!
Name Game, Premium, join: 2002-07-07, North Myrtle Beach, SC, kudos: 7

reply to StuartMW
The collector...
Website Performance Monitoring - WebTuna provides real user passive website monitoring as a service. Find out what the real end users are doing on your site, and the level of service that your web application is performing to. »www.webstatsdomain.com/domains/w···una.com/
When and Where is the WebTuna data sent? Several metrics are collected from the DOM (Document Object Model) of the user's browser when the window.onload event fires. This is after the page has already loaded so it will not slow down the speed of the page load. A few bytes of information is sent asynchronously back to via an HTTP(S) GET request to collector.webtuna.com where the data is processed and stored securely. »www.webtuna.com/faqs/68-when-and···ata-sent
-- Gladiator Security Forum »www.gladiator-antivirus.com/
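As an added example (not from the thread or any of its posters), here is a small Python triage script that does what StuartMW did by hand across the thread: it parses constructed firewall log lines in a hypothetical syslog-like format, resolves the destination through a constructed name cache that stands in for the DNS/robtex lookups above, classifies the destination port against the IANA ranges (61899 sits in the dynamic/private range, which is why no registered service lists it), and reports attempts per day and the hours seen so they can be compared with when the machine was in use. The log format, addresses and cache contents are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log lines in a hypothetical syslog-like router format; the
# destination and port mirror the thread (174.137.42.75, TCP 61899).
FIREWALL_LOG = """\
2012-11-05 09:14:02 DROP OUT TCP 192.168.1.10:52113 -> 174.137.42.75:61899
2012-11-05 09:14:05 DROP OUT TCP 192.168.1.10:52114 -> 174.137.42.75:61899
2012-11-05 14:30:44 DROP OUT TCP 192.168.1.10:52201 -> 174.137.42.75:61899
2012-11-06 10:02:17 DROP OUT TCP 192.168.1.10:53007 -> 174.137.42.75:61899
2012-11-06 10:02:20 ALLOW OUT TCP 192.168.1.10:53010 -> 174.137.42.75:80
"""
# Constructed resolver cache standing in for the DNS/robtex lookups in the thread.
PTR_CACHE = {"174.137.42.75": "www.wireshark.org"}

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<action>DROP|ALLOW) OUT (?P<proto>TCP|UDP) "
                     r"[\d.]+:\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_log(text):
    """Yield (timestamp, action, dst ip, dst port) for each line in the constructed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["action"], m["dst"], int(m["dport"]))

def port_class(port):
    """IANA ranges: 0-1023 well-known, 1024-49151 registered, 49152-65535 dynamic/private."""
    if port < 1024:
        return "well-known"
    return "registered" if port < 49152 else "dynamic/private"

def triage(text, ptr_cache=PTR_CACHE):
    """Summarise blocked destinations: resolved name, port class, attempts per day, hours seen."""
    per_dest = defaultdict(lambda: {"days": Counter(), "hours": set()})
    for ts, action, dst, dport in parse_log(text):
        if action != "DROP":
            continue  # only the blocked attempts are of interest here
        entry = per_dest[(dst, dport)]
        entry["days"][ts.date().isoformat()] += 1
        entry["hours"].add(ts.hour)
    return {(ip, port): {"name": ptr_cache.get(ip, "unresolved"),
                         "port_class": port_class(port),
                         "total": sum(e["days"].values()),
                         "max_per_day": max(e["days"].values()),
                         "hours": sorted(e["hours"])}
            for (ip, port), e in per_dest.items()}
```

Calling `triage(FIREWALL_LOG)` on the constructed lines returns one entry for 174.137.42.75:61899, resolved to www.wireshark.org, classed dynamic/private, with at most three attempts on a single day during working hours.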