Q: annoying http requests originating from my system to default gateway (No Answer, 5 Comments)
Question  
Subject: annoying http requests originating from my system to default gateway
Category: Computers
Asked by: yakker-ga
List Price: $10.00
Posted: 12 Aug 2003 17:12 PDT
Expires: 11 Sep 2003 17:12 PDT
Question ID: 244018

my windows xp home system is perennially making http connections to its
default router (which happens to be a netgear wireless router with an
embedded http server: "Server: Embedded HTTPD v1.00, 1999(c) Delta
Networks Inc.").  many connections per minute are made and it's
very annoying to know this unneeded traffic is being generated.  using
tcpview from sysinternals shows that it is process id 0 which is
firing off these http requests.  what service or component is causing
this and how do i disable it?

Request for Question Clarification by joseleon-ga on 12 Aug 2003 22:58 PDT
Hello:
   Could you post a bit (headers and payload) of that traffic here?

Regards.

Clarification of Question by yakker-ga on 12 Aug 2003 23:52 PDT
according to my ethereal capture, generally the router sends a fin and
my system acks the fin.  same sequence number is repeated over and
over for the connection.  there are many such connections.  here is a
little bit of one such connection captured with ethereal:

Frame 35 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Aug 13, 2003 01:37:48.942310000
    Time delta from previous packet: 0.016310000 seconds
    Time relative to first packet: 0.016310000 seconds
    Frame Number: 35
    Packet Length: 60 bytes
    Capture Length: 60 bytes
Ethernet II, Src: 00:09:5b:35:2f:32, Dst: 00:02:2d:67:5d:b3
    Destination: 00:02:2d:67:5d:b3 (Agere_67:5d:b3)
    Source: 00:09:5b:35:2f:32 (Netgear_35:2f:32)
    Type: IP (0x0800)
    Trailer: 502F312E310D
Internet Protocol, Src Addr: 192.168.0.1 (192.168.0.1), Dst Addr:
192.168.0.4 (192.168.0.4)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN:
0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x2723 (10019)
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 254
    Protocol: TCP (0x06)
    Header checksum: 0x1457 (correct)
    Source: 192.168.0.1 (192.168.0.1)
    Destination: 192.168.0.4 (192.168.0.4)
Transmission Control Protocol, Src Port: http (80), Dst Port: 48611
(48611), Seq: 358, Ack: 1992190720, Len: 0
    Source port: http (80)
    Destination port: 48611 (48611)
    Sequence number: 358
    Acknowledgement number: 1992190720
    Header length: 20 bytes
    Flags: 0x0011 (FIN, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...1 = Fin: Set
    Window size: 2048
    Checksum: 0x8525 (correct)

0000  00 02 2d 67 5d b3 00 09 5b 35 2f 32 08 00 45 00  
..-g]...[5/2..E.
0010  00 28 27 23 00 00 fe 06 14 57 c0 a8 00 01 c0 a8  
.('#.....W......
0020  00 04 00 50 bd e3 00 00 01 66 76 be 6b 00 50 11  
...P.....fv.k.P.
0030  08 00 85 25 00 00 50 2f 31 2e 31 0d               ...%..P/1.1.

Frame 36 (54 bytes on wire, 54 bytes captured)
    Arrival Time: Aug 13, 2003 01:37:48.942339000
    Time delta from previous packet: 0.000029000 seconds
    Time relative to first packet: 0.016339000 seconds
    Frame Number: 36
    Packet Length: 54 bytes
    Capture Length: 54 bytes
Ethernet II, Src: 00:02:2d:67:5d:b3, Dst: 00:09:5b:35:2f:32
    Destination: 00:09:5b:35:2f:32 (Netgear_35:2f:32)
    Source: 00:02:2d:67:5d:b3 (Agere_67:5d:b3)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.0.4 (192.168.0.4), Dst Addr:
192.168.0.1 (192.168.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN:
0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0xe052 (57426)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x9927 (correct)
    Source: 192.168.0.4 (192.168.0.4)
    Destination: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: 48611 (48611), Dst Port: http
(80), Seq: 1992190721, Ack: 359, Len: 0
    Source port: 48611 (48611)
    Destination port: http (80)
    Sequence number: 1992190721
    Acknowledgement number: 359
    Header length: 20 bytes
    Flags: 0x0010 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 16443
    Checksum: 0x4ce9 (correct)

0000  00 09 5b 35 2f 32 00 02 2d 67 5d b3 08 00 45 00  
..[5/2..-g]...E.
0010  00 28 e0 52 40 00 80 06 99 27 c0 a8 00 04 c0 a8  
.(.R@....'......
0020  00 01 bd e3 00 50 76 be 6b 01 00 00 01 67 50 10  
.....Pv.k....gP.
0030  40 3b 4c e9 00 00                                 @;L...

Frame 93 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Aug 13, 2003 01:37:49.044383000
    Time delta from previous packet: 0.102044000 seconds
    Time relative to first packet: 0.118383000 seconds
    Frame Number: 93
    Packet Length: 60 bytes
    Capture Length: 60 bytes
Ethernet II, Src: 00:09:5b:35:2f:32, Dst: 00:02:2d:67:5d:b3
    Destination: 00:02:2d:67:5d:b3 (Agere_67:5d:b3)
    Source: 00:09:5b:35:2f:32 (Netgear_35:2f:32)
    Type: IP (0x0800)
    Trailer: 485454502F31
Internet Protocol, Src Addr: 192.168.0.1 (192.168.0.1), Dst Addr:
192.168.0.4 (192.168.0.4)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN:
0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x2743 (10051)
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 254
    Protocol: TCP (0x06)
    Header checksum: 0x1437 (correct)
    Source: 192.168.0.1 (192.168.0.1)
    Destination: 192.168.0.4 (192.168.0.4)
Transmission Control Protocol, Src Port: http (80), Dst Port: 48611
(48611), Seq: 358, Ack: 1992190720, Len: 0
    Source port: http (80)
    Destination port: 48611 (48611)
    Sequence number: 358
    Acknowledgement number: 1992190720
    Header length: 20 bytes
    Flags: 0x0011 (FIN, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...1 = Fin: Set
    Window size: 2048
    Checksum: 0x8525 (correct)

0000  00 02 2d 67 5d b3 00 09 5b 35 2f 32 08 00 45 00  
..-g]...[5/2..E.
0010  00 28 27 43 00 00 fe 06 14 37 c0 a8 00 01 c0 a8  
.('C.....7......
0020  00 04 00 50 bd e3 00 00 01 66 76 be 6b 00 50 11  
...P.....fv.k.P.
0030  08 00 85 25 00 00 48 54 54 50 2f 31               ...%..HTTP/1

Frame 94 (54 bytes on wire, 54 bytes captured)
    Arrival Time: Aug 13, 2003 01:37:49.044392000
    Time delta from previous packet: 0.000009000 seconds
    Time relative to first packet: 0.118392000 seconds
    Frame Number: 94
    Packet Length: 54 bytes
    Capture Length: 54 bytes
Ethernet II, Src: 00:02:2d:67:5d:b3, Dst: 00:09:5b:35:2f:32
    Destination: 00:09:5b:35:2f:32 (Netgear_35:2f:32)
    Source: 00:02:2d:67:5d:b3 (Agere_67:5d:b3)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.0.4 (192.168.0.4), Dst Addr:
192.168.0.1 (192.168.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN:
0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0xe06f (57455)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x990a (correct)
    Source: 192.168.0.4 (192.168.0.4)
    Destination: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: 48611 (48611), Dst Port: http
(80), Seq: 1992190721, Ack: 359, Len: 0
    Source port: 48611 (48611)
    Destination port: http (80)
    Sequence number: 1992190721
    Acknowledgement number: 359
    Header length: 20 bytes
    Flags: 0x0010 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 16443
    Checksum: 0x4ce9 (correct)

0000  00 09 5b 35 2f 32 00 02 2d 67 5d b3 08 00 45 00  
..[5/2..-g]...E.
0010  00 28 e0 6f 40 00 80 06 99 0a c0 a8 00 04 c0 a8  
.(.o@...........
0020  00 01 bd e3 00 50 76 be 6b 01 00 00 01 67 50 10  
.....Pv.k....gP.
0030  40 3b 4c e9 00 00                                 @;L...

Frame 157 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Aug 13, 2003 01:37:49.151983000
    Time delta from previous packet: 0.107591000 seconds
    Time relative to first packet: 0.225983000 seconds
    Frame Number: 157
    Packet Length: 60 bytes
    Capture Length: 60 bytes
Ethernet II, Src: 00:09:5b:35:2f:32, Dst: 00:02:2d:67:5d:b3
    Destination: 00:02:2d:67:5d:b3 (Agere_67:5d:b3)
    Source: 00:09:5b:35:2f:32 (Netgear_35:2f:32)
    Type: IP (0x0800)
    Trailer: 000000000000
Internet Protocol, Src Addr: 192.168.0.1 (192.168.0.1), Dst Addr:
192.168.0.4 (192.168.0.4)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN:
0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x2764 (10084)
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 254
    Protocol: TCP (0x06)
    Header checksum: 0x1416 (correct)
    Source: 192.168.0.1 (192.168.0.1)
    Destination: 192.168.0.4 (192.168.0.4)
Transmission Control Protocol, Src Port: http (80), Dst Port: 48611
(48611), Seq: 358, Ack: 1992190720, Len: 0
    Source port: http (80)
    Destination port: 48611 (48611)
    Sequence number: 358
    Acknowledgement number: 1992190720
    Header length: 20 bytes
    Flags: 0x0011 (FIN, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...1 = Fin: Set
    Window size: 2048
    Checksum: 0x8525 (correct)

0000  00 02 2d 67 5d b3 00 09 5b 35 2f 32 08 00 45 00  
..-g]...[5/2..E.
0010  00 28 27 64 00 00 fe 06 14 16 c0 a8 00 01 c0 a8  
.('d............
0020  00 04 00 50 bd e3 00 00 01 66 76 be 6b 00 50 11  
...P.....fv.k.P.
0030  08 00 85 25 00 00 00 00 00 00 00 00               ...%........

Frame 158 (54 bytes on wire, 54 bytes captured)
    Arrival Time: Aug 13, 2003 01:37:49.151992000
    Time delta from previous packet: 0.000009000 seconds
    Time relative to first packet: 0.225992000 seconds
    Frame Number: 158
    Packet Length: 54 bytes
    Capture Length: 54 bytes
Ethernet II, Src: 00:02:2d:67:5d:b3, Dst: 00:09:5b:35:2f:32
    Destination: 00:09:5b:35:2f:32 (Netgear_35:2f:32)
    Source: 00:02:2d:67:5d:b3 (Agere_67:5d:b3)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.0.4 (192.168.0.4), Dst Addr:
192.168.0.1 (192.168.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN:
0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0xe08f (57487)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x98ea (correct)
    Source: 192.168.0.4 (192.168.0.4)
    Destination: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: 48611 (48611), Dst Port: http
(80), Seq: 1992190721, Ack: 359, Len: 0
    Source port: 48611 (48611)
    Destination port: http (80)
    Sequence number: 1992190721
    Acknowledgement number: 359
    Header length: 20 bytes
    Flags: 0x0010 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 16443
    Checksum: 0x4ce9 (correct)

0000  00 09 5b 35 2f 32 00 02 2d 67 5d b3 08 00 45 00  
..[5/2..-g]...E.
0010  00 28 e0 8f 40 00 80 06 98 ea c0 a8 00 04 c0 a8  
.(..@...........
0020  00 01 bd e3 00 50 76 be 6b 01 00 00 01 67 50 10  
.....Pv.k....gP.
0030  40 3b 4c e9 00 00                                 @;L...
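
Added example, not part of the original thread: a small Python parser run over frames 35, 36, 93 and 94 from the capture above. It shows that these four frames are one FIN/ACK resent with the same sequence number and a zero-length payload, each answered by an identical ACK; the function names are this example's own.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

# Frames 35, 36, 93 and 94, copied from the hex dumps in the capture above.
FRAMES = [bytes.fromhex(h) for h in (
    "00022d675db300095b352f3208004500002827230000fe061457c0a80001c0a8"
    "00040050bde30000016676be6b005011080085250000502f312e310d",
    "00095b352f3200022d675db3080045000028e052400080069927c0a80004c0a8"
    "0001bde3005076be6b01000001675010403b4ce90000",
    "00022d675db300095b352f3208004500002827430000fe061437c0a80001c0a8"
    "00040050bde30000016676be6b005011080085250000485454502f31",
    "00095b352f3200022d675db3080045000028e06f40008006990ac0a80004c0a8"
    "0001bde3005076be6b01000001675010403b4ce90000",
)]

FIN = 0x01  # TCP FIN flag bit

def parse_tcp(frame):
    """Decode an Ethernet II / IPv4 / TCP frame into the fields that identify a segment."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None                                   # not IPv4
    ihl = (frame[14] & 0x0F) * 4                      # IP header length in bytes
    total_len, = struct.unpack_from("!H", frame, 16)
    if frame[23] != 6:
        return None                                   # not TCP
    src, dst = IPv4Address(frame[26:30]), IPv4Address(frame[30:34])
    sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", frame, 14 + ihl)
    data_off = (off_flags >> 12) * 4                  # TCP header length in bytes
    return {
        "flow": (str(src), sport, str(dst), dport),
        "seq": seq, "ack": ack, "flags": off_flags & 0x3F,
        # Payload length comes from the IP total length, so the Ethernet
        # padding that Ethereal labels "Trailer" is not counted as data.
        "payload_len": total_len - ihl - data_off,
    }

def repeated_segments(frames):
    """Return {segment key: count} for segments that appear more than once."""
    seen = Counter()
    for f in frames:
        s = parse_tcp(f)
        if s:
            seen[(s["flow"], s["seq"], s["ack"], s["flags"], s["payload_len"])] += 1
    return {k: n for k, n in seen.items() if n > 1}

def fin_retransmissions(frames):
    """Flows whose FIN is being resent with an unchanged sequence number."""
    return sorted({k[0] for k in repeated_segments(frames) if k[3] & FIN})

if __name__ == "__main__":
    for key, n in repeated_segments(FRAMES).items():
        print(n, key)
    print("FIN resent on:", fin_retransmissions(FRAMES))
```
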

Clarification of Question by yakker-ga on 13 Aug 2003 10:04 PDT
i tried capturing on system startup and the symptom doesn't appear to
be there at the beginning.  now that i'm not swimming in a flood of
capture data, i can see that in the first 5 minute interval, my system
makes http requests of the following nature:

(1) SUBSCRIBE /WANIPConnection HTTP/1.1
server responds with a SID attribute and identifies itself as
"Nucleus/1.13.20 UPnP/1.0 MR814/4.11" and in this interval, i can see
the server send the packet with seq=1 four times.  this particular
request does not go to port 80 on the gateway which is where the
symptom normally occurs.

(2) GET /upnp/igdrootdesc.xml HTTP/1.1 (a few instances of this
request)
port 80.

(3) POST /WANIPConnection HTTP/1.1 (several)
port 80.

(4) GET /upnp/Layer3Forwarding.xml HTTP/1.0
port 80.

(5) GET /upnp/WANCmmonIFConfig.xml HTTP/1.0
port 80.

so, i still haven't been able to give you a problem connection from
the beginning.  perhaps i should just leave my system unattended for a
while with ethereal on.

Answer
There is no answer at this time.

Comments  
Subject: Re: annoying http requests originating from my system to default gateway
From: jefffromgreen-ga on 12 Aug 2003 20:53 PDT
 
If this just started in the last 24 hours it could be the
W32.Blaster.Worm (LovSan) virus.  Look for msblast.exe on your C
drive.

Subject: Re: annoying http requests originating from my system to default gateway
From: yakker-ga on 12 Aug 2003 21:55 PDT
 
no, this has been happening for a long time.  thanks.

Subject: Re: annoying http requests originating from my system to default gateway
From: rickt-ga on 13 Aug 2003 21:09 PDT
 
Universal plug'n'play I think. Does
http://www.hometoys.com/htinews/aug03/articles/flickinger/upnp.htm
describe the traffic?

Subject: Re: annoying http requests originating from my system to default gateway
From: yakker-ga on 14 Aug 2003 12:41 PDT
 
i'm sure it is, but i'm particularly looking for a response in regards
to how/if i should disable it: how do i disable it and if i can, will
i be adversely affected by disabling it..

Subject: Re: annoying http requests originating from my system to default gateway
From: djrisk-ga on 15 Aug 2003 23:25 PDT
 
> how do i disable it and if i can, will i be adversely affected by
> disabling it..

Have you tried turning off the Universal Plug n Play service?

* Right-click on "My Computer" and go to "Manage".

* Click on "Services and Applications"

* Double-click on "Services" (in the window on the right)

* Scroll down to "Universal Plug and Play Device Host" and right-click

* If it's on, the option in the right-click menu that says "Stop"
will be black; if it's not on, "Start" will be black.

Try turning this off and doing your normal business. If everything
works out, right-click this again, go to "Properties". In the "Startup
type" drop-down, select "Manual" or "Disabled".

Hope that helps.
