I have an unknown AppDetectService using my port 8000 and I am not able to figure out how to close it down or kill any process that seems to be running it. Its being run by System process on PID 4(found that by netstat and searching through task manager). Trying to search for the file running it on task manager leads to ntoskrnl.exe. Also task manager shows it may slightly be using GPU. So my guess is either a system process is holding the port or more probably something is using some kind of system available servers to host a service. Hitting it on the browser shows up this page:
Netstat results:
task manager screenshot showing GPU may also be firing:
Please help me kill this abomination once and for all.
I have used Process Explorer to find out what service was using this port. Since it was impossible to find it even like this, I started to shut down service by service until port 8000 wasn't occupied any more.
In my case, port 8000 was taken over by drivers for Sound BlasterX AE-5 sound card. Process Creative.AudPosService located in C:\Program Files (x86)\Creative\Connection Service has been using this port.
Luckily, it is possible to change this port. Open Creative.AudPosService.exe.config and change line where port number is located <add baseAddress="http://localhost:8000/"/> to <add baseAddress="http://localhost:9999/"/> or anything else that don't interfere with your work. Restart windows and it should be fine.
My problem is that I have two computers in different networks which can "communicate" only over a common file share mounted on both systems (typically Windows SMB server on third-party host). All other ports are blocked! I would like to use this file share for a direct communication between these two machines. I'm root on both machines, it's possible to use Windows or Linux on them. There is also no need to use SSH for the communication, 'netcat' or other command-line oriented tools are available.
What has been done so far to solve it: I started a (long ;-) discussion about tunneling SSH, which is on hold now, SSH: TCP-over-File?, but includes many valuable information (especially from Ch. Duffy et al.). I have understood that SSH is not suitable for that, but the question, if this Windows tunneling tool could by useful, is still open: https://labs.mwrinfosecurity.com/tools/tcp-over-file-tunnel/
How to establish a communication using common tools coming with the operating systems (Ubuntu or Windows 7) in this case?
Your requirement of common tools excludes any possible Windows solutions.
netcat is a great tool, if you have direct TCP/IP connectivity, which is not the case here.
File redirection is not a concern, since you can redirect locally and pickup on remote; I will assume you are looking for a more elegant terminal as your definition of communication.
You are on the right track using tail -f, but attempting to emulate a network connection would require rewriting SSH to use a file for communication.
My improvement to your code as described in "SSH: TCP-over-file" is to simulate an actual terminal. Run the following code on the local machine in single window:
tail -f /mnt/fileshare/my_ssh_out >>/dev/`ps eax | grep $$ |cut -d ' ' -f 2 | tail -n 1` &
cat >> /mnt/fileshare/my_ssh_in
The line: /dev/ps eax | grep $$ |cut -d ' ' -f 2 | tail -n 1 & gets the current terminal, so the output can be redirected there.
Note: you cannot redirect the output locally.
So, if you're root on both machines, I'm assuming there's an intermediate firewall you do not control? Between that and the very vague requirement of "communications", I see a few options that aren't terribly fast but could work.
Create 2 folders, one for each machine to drop 'message' files into. Each node would run an app listening for new files (from the other computer) being queued up, download and process new ones, and delete processed messages.
Have one machine running a server (you said they were networked, so I am assuming internet here) with web sockets, and have the other connect to it as a client. You can then pass messages and trigger actions over the web.
Neither of these will be fast or perfectly reliable, and probably wouldn't provide full control over the other computer. You may be limited to pre-defined actions triggered by specific keywords, or you might be crazy enough to pull in arbitrary commands from the messages and blindly execute them under your user permissions.
If the only segmentation between the computers is IP subnets, for example: no VLANs or physical separation. Try to connect using IPv6 by pinging the link-local addresses.
Use the following Windows command in a cmd window:
ipconfig /all
Look for the "FE80:"... address on the physical adapter.
On the other computer:
ping -6 fe80:...
If this works you may use that IP address to communicate between computers. Each of the VMs will have a different address. In Linux use ifconfig to find the addresses.
If that does not work, you can always use two cheap USB wired ethernet adapters and a crossover cable.
If You have ssh connection from your workstation to both servers - just use putty for tunneling or something like that.
I am trying to reverse engineer a third-party TCP client / server Windows XP, SP 3 app for which I have no source available. My main line of attack is to use WireShark to capture TCP traffic.
When I issue a certain GUI command on the client side, the client creates a TCP connection to the server, sends some data, and tears down the connection. The server port is 1234, and the client port is assigned by the OS and therefore varies.
WireShark is showing that the message corresponding to the GUI command I issued gets sent twice. The two messages bear a different source port, but they have the same destination port (1234, as mentioned previosuly).
The client side actually consists of several processes, and I would like to determine which processes are sending these messages. These processes are long-lived, so their PIDs are stable and known. However, the TCP connections involved are transient, lasting only a few milliseconds or so. Though I've captured the client-side port numbers in WireShark and though I know all of the PIDs involved, the fact the connections are transient makes it difficult to determine which PID opened the port. (If the connections were long-lived, I could use netstat to map port numbers to PIDs.) Does anybody have any suggestions on how I can determine which processes are creating these transient connections?
I can think of two things:
Try sysinternals' tcpview program. It gives a detailed listing of all tcp connections opened by all the processes in the system. If a process creates connections, you will be able to see them flash (both connect and disconnect are flashed) in tcpview and you will know which processes to start looking into.
Try running the binary under a debugger. Windbg supports multi-process debugging (so does visual studio I think). You may have only export symbols to work with but that should still work for calls made to system dlls. Try breaking on any suspected windows APIs you know will be called by the process to create the connections. MSDN should have the relevant dlls for most system APIs documented.
Start here... post a follow-up if you get stuck again.
I ended up creating a batch file that runs netstat in a tight loop and appends its output to a text file. I ran this batch file while running the system, and by combing through all of the netstat dumps, I was able to find a dump that contained the PIDs associated with the ports.
What firewall settings must be used on the remote machine for a remote kernel connection to work?
In particular I'm interested in connecting from Windows (front end) to a Linux machine (kernel).
I don't know the exact ports, but this is a generic way to solve most such firewall issues: (at least with connections using TCP)
Try to use the 'netstat -n' command and see which remote ports do the connections that are being blocked by the firewall use. They should be in the SYN_SENT state or something similar. Then on the remote machine open those ports and try to repeat this process until it works.
I often run into problems where I can't get something to connect to something else. I usually forget to check something obvious. Can you help with:
A tip/technique for diagnosing a connection issue
The name of a tool or application that can help (and the situation in which it's useful)
I know the question is a little non-specific, but hopefully the answers can form a useful starting point for anybody who's stuck trying to get computers/programs talking to each other.
Please can you give one answer per answer so the best ones can be voted up.
Simple checks to run when debugging network problems:
Has each machine got an IP address, Go to command prompt and run ipconfig. Key things to check here are the interfaces and ensuring the appropriate ones have IP addresses.
Check both machines IP addresses are in the same range and subnet if you are running it on an internal or Virtual network.
Try pinging each machine from the other to see if they can communicate with each other. Note that some firewalls will block ping requests.
If Pinging fails then check to see if firewalls are active. If the communication is within a 'safe' internal network then try disabling the firewalls and re-pinging.
If the connections are over a wireless network then check signal strength.
If pinging fails and you are connecting through several networks then try running a tracert to see at which will may show you where on the network the connection is failing.
If you are able to ping but not connect then check firewall settings and network connection settings. Windows 2000+ has the capability of setting port an ip access on a connection properties.
Try drawing a network diagram of the connections to help in visualising the problem.
If you are connecting through routers, firewalls and loadbalancers then check that all devices are not tied to any specific ip addresses and that the IP address redirection (if in place) is correct. Also check any NAT logs to see if connections are being received and properly re-directed.
Wireshark
Latest versions of ProcMon
netstat
Wireshark www.wireshark.org
Wireshark is a network protocol analyzer for Unix and Windows.
Features:
Deep inspection of hundreds of protocols, with more being added all the time
Live capture and offline analysis
Standard three-pane packet browser
Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
The most powerful display filters in the industry
Rich VoIP analysis
Read/write many different capture file formats: tcpdump (libpcap), Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
Capture files compressed with gzip can be decompressed on the fly
Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platfrom)
Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
Coloring rules can be applied to the packet list for quick, intuitive analysis
Output can be exported to XML, PostScript®, CSV, or plain text.
work the OSI model from the bottom up
Physical (Do you have a network adapter/connection)
Link layer (arp, ethernet port blocked by network team (I've seen this where locked down environments see two MAC addresses coming from one workstation port and shut down the port)
Network layer (ipconfig, tracert, ping,)
Do you have a network address (DHCP, fixed)
Are you on a proper subnet/have routing between subnets
Is something in the middle blocking you
firewalls, routing tables
When in doubt, check to see if the windows firewall is messing with your communications. 8 times out of 10, it's at fault.
Using tracert is a good start to see how far along the chain you are getting.
For virtual machines it's usally a good idea to make sure you have the loopback adapter set correctly in the Host os.
Most frequently used tool is the ping. It can be used both to test your connection and the availability of a target
Second tool is the tracert if you want to see where the packets get lost.
For more advanced debugging I use the following tools: nmap, wireshark, etc.
Windows has a netstat utility which is pretty similar to the Unix netstat and can do a number of different things that might help you solve network issues.
Random example:
netstat -r displays routing information
netstat /? for usage information
Since you said you're using 2 virtual machines I would hazard a guess that both machines are setup in a NAT configuration (rather than a unique network device) -- In the NAT configuration, neither machine would (typically) be able to ping the other.
If you're familiar with the command line, you can try the "netstat" command.
You can also try "arp -a" to list all the IP/MAC addresses known to your PC.
The "tracert [ip address]" command will show you how many gateways/routers your packets jump through on their way to their destination. (This is probably not helpful if both machines are on the same network, though.)
And don't forget to check your Windows firewall settings.
Otherwise, if you want to get down and dirty, you can try the packet sniffer known as Wireshark: http://www.wireshark.org/ (aka. Ethereal)
Pull the network cable out
If you can get some communications to a device (eg a ping), but can't get your program to talk to a service on the computer. Then, try pulling the network cable out and see if the ping stops. This will verify you're communicating with the computer you really think you are.
On windows i user PortQueryUI : http://www.microsoft.com/en-us/download/details.aspx?id=24009
DNS activity: Portable DNS Cache and Firewall;
General network activity: Wireshark, Network Monitor;
Windows utilities: ping, netstat, nslookup.
You need to be use the process of elimination, for example if you can ping the ip address but not the hostname then there's DNS issues. If you can ping the system but not connect to a share etc.
DNS out of sync
If you're using a virtual machine and you perform a roll-back on it, then it could become out of sync with the DNS (Domain name server). Try to remove and re-add the machine to the domain, or if you've got access to the DNS machine, then get it to flush its cache.