What's all this TR064 stuff
30-04-2017 9:09 AM
A couple of days ago, I started seeing stuff in my PlusNet Hub One firewall logfile which I've never seen before. As you can see from the following logfile extract, it repeats itself approximately every 30 seconds:
08:51:02, 30 Apr. (1385562.210000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
08:50:27, 30 Apr. (1385527.580000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
08:49:47, 30 Apr. (1385487.580000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
08:49:14, 30 Apr. (1385454.800000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
08:48:33, 30 Apr. (1385413.620000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
08:47:53, 30 Apr. (1385373.350000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
08:47:16, 30 Apr. (1385336.430000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
08:46:38, 30 Apr. (1385297.970000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
08:46:03, 30 Apr. (1385263.190000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
Anyone know what's going on here?
Re: What's all this TR064 stuff
30-04-2017 9:56 AM
@MartyPop, are you or anyone else in the house running games consoles or similar? This TR064 protocol is LAN sided so these entries are coming from inside your network (specifically 192.168.1.65), so to start with, what device has this address?
Re: What's all this TR064 stuff
30-04-2017 12:45 PM - edited 30-04-2017 12:47 PM
Nope, no games consoles or similar here.
The device with that IP is my Win7 PC.
However, a strange thing happened within 10 minutes of posting my original post --> the TR064 stuff stopped!?
Re: What's all this TR064 stuff
30-04-2017 12:58 PM
That's weird, best to keep an eye on the logs to see if it returns, it might give you an idea as to what or why it is being done.
Re: What's all this TR064 stuff
01-05-2017 9:57 AM
The last thing I did before switching off my Win7 PC yesterday was to check my Hub One firewall logfile and it definitely hadn't started again. The first thing I did after booting my Win7 PC this morning was to have a look at the Hub One firewall logfile and there it was again. All this went on for just over an hour and then stopped but the last entry in the logfile was slightly different to all the others:
09:26:09, 01 May. (1474067.640000) Port forwarding rule deleted via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
Whatever it is that's trying to create a port forwarding rule is then trying to delete the rule but as this is all in the firewall logfile, it shows that the firewall is doing its job. All I need to do now is to figure out what's attempting to create the port forwarding rule but how I do that eludes me at the moment. For starters, I ran a full AV scan yesterday afternoon which found nothing.
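Added example, not part of the original posts: a small Python parser for the Hub One log lines quoted in this thread. It groups UPnP/TR064 events by internal client and port, measures how often the rule is re-added, and reports whether the last event was a delete. It assumes the number in parentheses is a seconds counter (its differences match the wall-clock times); the function and field names are illustrative.

```python
import re
from collections import defaultdict
from statistics import median

# Four lines copied from the posts above (Hub One firewall log, newest first).
SAMPLE_LOG = """\
09:26:09, 01 May. (1474067.640000) Port forwarding rule deleted via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
08:51:02, 30 Apr. (1385562.210000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
08:50:27, 30 Apr. (1385527.580000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
08:49:47, 30 Apr. (1385487.580000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
"""

LINE_RE = re.compile(
    r"\((?P<ticks>\d+\.\d+)\) Port forwarding rule (?P<action>added|deleted) "
    r"via UPnP/TR064\. Protocol: (?P<proto>\w+), external ports: \S+->(?P<ext>\d+), "
    r"internal ports: (?P<int>\d+), internal client: (?P<client>[\d.]+)"
)

def summarise(log_text):
    """Group UPnP/TR064 mapping events by (client, protocol, external port)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            key = (m["client"], m["proto"], int(m["ext"]))
            # Assumption: the parenthesised value is a seconds counter.
            events[key].append((float(m["ticks"]), m["action"]))
    report = {}
    for key, evs in events.items():
        evs.sort()  # oldest first, regardless of the order in the log
        adds = [t for t, action in evs if action == "added"]
        gaps = [later - earlier for earlier, later in zip(adds, adds[1:])]
        report[key] = {
            "adds": len(adds),
            "median_gap_s": round(median(gaps), 1) if gaps else None,
            "last_action": evs[-1][1],
        }
    return report

if __name__ == "__main__":
    for key, info in summarise(SAMPLE_LOG).items():
        print(key, info)
```

Run over a full log export, a single internal client re-adding one port at a steady interval and ending with a delete shows up as one row, which makes any other client or port requesting a mapping easy to spot.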
Re: What's all this TR064 stuff
01-05-2017 10:56 AM - edited 01-05-2017 10:58 AM
@MartyPop - One option is to run netstat on the Windows machine. Start by running the Task Manager, then open a DOS command prompt and execute:
netstat -ano | more
This should give you the PID of the application making the request, but you may need to run it several times to capture what you need.
Or you can use CurrPorts from NirSoft; this may be easier to use as it has a GUI and due to the timed nature of the requests. Once you know the PID or you have the name of the application making these requests, you'll be able to decide as to what the next step should be.
Re: What's all this TR064 stuff
01-05-2017 11:08 AM
I find the Resource Monitor/Network useful as well as netstat for looking at dubious stuff in Windows.
Re: What's all this TR064 stuff
01-05-2017 1:47 PM
Having just rebooted the Win7 PC and then looking in the Resource Monitor/Network, it's svchost.exe(netsvcs) that's doing it. Not sure what that actually does?
Re: What's all this TR064 stuff
01-05-2017 2:01 PM
Well at least you know it's not malicious which is always a good thing.
Re: What's all this TR064 stuff
01-05-2017 2:02 PM
Very possibly it's Teredo, https://answers.microsoft.com/en-us/windows/forum/windows_8-networking/teredo-and-upnp/5657f953-b493...
Although why it would stop after an hour I'm not sure ...
Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.