What's up with port 445?

Published: 2009-03-05
Last Updated: 2009-03-06 23:06:49 UTC
by Mark Hofman (Version: 1)
5 comment(s)

Looking at the DSHIELD data for port 445 shows an interesting little trend. Reports showing 445 as the target port are down, something that is also observed by some readers in their various darknets.

Reports showing 445 as the source port, however, are way up. If you are seeing this or have some packets, please send them through. For the packets, I'm especially interested in the source port 445 traffic.

Mark H

Update

Quite a number of people have reported a similar drop in their stats for 445 as the target port, but no real explanations just yet. Likely to be Conficker-related, but that's speculation at the moment.


 

Keywords: 445 tcp

Comments

Hello World!

TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system.


Useful Links:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

http://download.sysinternals.com/Files/TcpView.zip

Looks like the same rise in port 445 sources happened almost exactly a year ago. I'd check for previous years, but I don't want to taunt the poor little app.

Not seeing the same thing last year, but willing to be wrong. Which dates did you use?

Hmm.. All I did was change the start year to 2008, and hit submit (start/end dates become Feb 5 2008 - Mar 7 2009). It shows a similar ramp-up and sudden drop.

Looking at it again, and playing around with the dates a bit more, the ramp disappears. Probably an artifact of the sample rate. Sorry for the false alarm.

My #1 destination port across all my firewalls (multiple class C's) is by FAR tcp 445. I have yet to capture some of the traffic, but the sources appear to be coming from all over. I have been waiting for someone else to see this spike. :)
