[ANSWERED] How to find process sending SNMP packets? - Solution: print spooler polling non-present network printers
Hi all, I post to the Security forum - maybe Vista Networking might have been better? Anyway - here's the issue: I see a Vista machine sending SNMP requests (udp/161) with a default community "public" regularly to two (2) IP addresses that do not belong to any known network. I would like to find out what process sends these requests. The computer has never been a member of a domain, and the SNMP feature is not installed. I have used Sysinternals' TCPView and netstat but I was unable to find any application sending udp/161 traffic. Yet on the wire I clearly see the traffic: 18:37:28.718784 PortC, IN: IP 192.168.1.70.57210 > 192.168.0.3.161: GetRequest(63) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2[|snmp] Any ideas? Suggestions appreciated. Best Maurice
July 13th, 2011 7:39pm

Hi, Thanks for posting in Microsoft TechNet forums. SNMP provides security by using community names and SNMP authentication traps. An SNMP trap is an event notification message sent by the SNMP Trap service running on an SNMP host. The SNMP trap is sent to other SNMP hosts or to an SNMP management system, which are known as trap destinations. Please refer to http://technet.microsoft.com/en-us/library/cc754924.aspx Best Regards Magon Liu TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tnmff@microsoft.com Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 14th, 2011 4:45am

Hello Magon Liu, Thanks for reading and answering. According to the TechNet article you referenced the system would need to be configured to send a trap. But the SNMP feature is not installed on this Vista machine, and on the wire I don't see a trap but an SNMP GetRequest. So I assume it's not Windows sending the traffic. Do you have any other suggestion on how to find the sending application? /Maurice
July 14th, 2011 8:32am

Hi Maurice, you said.. and the SNMP feature is not installed. I'd suggest double-check in 'Turn Windows features on or off' from Programs and Features - perhaps you've been toying with a Mail program or similar and the feature has been turned on without you realizing. I don't really know that much about it as yet though, sorry.. Regards, pkn2011
July 15th, 2011 1:59am

Hello I just verified Windows Features and SNMP is still unchecked ... /Maurice
July 15th, 2011 4:20am

Hi Again, is it to do somehow with the conversion ip4 to ip6 - I've snmp.exe process running. and can see Local Port - snmp using UDP on same PID (2688) as Local Port 161 using UDPv6 -- (in TCPview); No idea what it means tho.. pkn2011
July 15th, 2011 5:24am

Hi, Please listen to port 161; if it is open, that means your router has an SNMP service built in and set to enabled. Regards, Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 15th, 2011 8:45am

Hi, Is there any update? Regards, Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 18th, 2011 11:16pm

Magon - I cannot see how the router comes into the picture. I see the Vista computer sending SNMP packets, and I can capture them on the wire. When running netstat with different arguments I cannot see any process listening on udp/161, and TCPView does not show any process listening/sending on UDP 161 either. /Maurice
July 19th, 2011 10:34am

Hi Maurice, you said.. 18:37:28.718784 PortC, IN: IP 192.168.1.70.57210 > 192.168.0.3.161: GetRequest(63) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2[|snmp] I'd also suspect it's the router as the IP 192. I've seen in other threads when people are referring to their routers. Wait a sec - see if I can find a relevant comment.. yes here.. " and reset the router to factory defaults. Now I'm using the 192.168.1.1 net" also you said: "and the SNMP feature is not installed." Check services too; perhaps the service is running - but it's not showing up in Programs and features? Just trying to be helpful, Regards. pkn2011
July 20th, 2011 4:25am

Hi everybody, in my opinion Maurice is talking about the "Print Spooler" service of windows that sends these snmp packages. Just try the following Maurice: - Stop "Print Spooler" service in Microsoft Management mmc. You will see that no more snmp packages are being sent. Cheers, Chris
August 6th, 2011 11:58am

C_hris: great suggestion. I will try this just over the weekend, thanks for following up!

You're welcome. :) I hope I could help you out!
August 10th, 2011 3:05pm

Hi, Good to see you've resolved it. :) Regards, pknWiki Discussion forum: http://social.technet.microsoft.com/Forums/en-US/tnwiki/threads
September 4th, 2011 10:57pm

C_hris: you were right on the spot and put me on the right track. (Due to vacation the computer owner was away, so it took me a while to get access again.) It turns out the system was once set up with wireless printers, and these were polled regularly with SNMP. Mystery solved. As a last resort, I might have installed Network Monitor and checked how I can record what EXE is sending the traffic. Thanks everybody for their time and suggestions!
September 5th, 2011 12:16am

Maurice, I've had this exact problem on a desktop computer for well over a year and my interim solution had been to disable the print spooler service until I needed it. Not much of a solution, I know. Mine, also, was sending SNMP GET requests to an IP address not on my network, and it was not the router as previously suggested here. Seeing your post here made me dig a little deeper just now and I discovered the problem. The machine has (now had) a printer installed which was part of the other network, and was where the desktop resided in another life. I think Windows was trying to get the status of the device to determine whether it was online or something similar. Upon looking at the printer properties there was a "port" installed for the mystery IP address. I couldn't remove it ('in use'), but by deleting the non-existent printer the SNMP noise stopped immediately. I think activating the LPT port and then removing the network address might have achieved a similar end if I wanted the printer still installed. Colin
April 8th, 2012 1:56pm

I had the same problem and indeed the source seemed to be a printer using the IP address on another network. However there is no need to uninstall the printer; at least on my system I found I just needed to go to the printer properties page, then the Ports tab, and then press Configure Port... and untick "SNMP Status Enabled"! Hope this helps for next time. Willie
April 21st, 2012 6:08pm
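The printer-port check that Colin and Willie describe, as an added PowerShell example that is not from this thread: it lists the Standard TCP/IP printer ports the Print Spooler will poll for status (the OID in Maurice's capture, .1.3.6.1.2.1.25.3.2.1.5, is hrDeviceStatus, which is that status poll), flags ports whose host sits outside every local IPv4 subnet and matches a destination seen on the wire, and with -Disable applies Willie's "SNMP Status Enabled" fix through WMI instead of the GUI. It assumes the Win32_TCPIPPrinterPort WMI class is present and writable on the machine, and that 192.168.0.3 (from the capture in this thread) is the observed destination; run it elevated.

```powershell
# Added example (not from the thread): find printer ports that make spoolsv.exe send SNMP GetRequests.
param(
    [string[]]$ObservedTargets = @('192.168.0.3'),   # destinations seen in the packet capture
    [switch]$Disable                                  # also untick "SNMP Status Enabled" on stale ports
)

$ipv4 = '^\d{1,3}(\.\d{1,3}){3}$'

# True when $Ip falls inside the subnet given by $LocalIp/$Mask (dotted-quad netmask).
function Test-SameSubnet([string]$Ip, [string]$LocalIp, [string]$Mask) {
    $a = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $b = [System.Net.IPAddress]::Parse($LocalIp).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        if (($a[$i] -band $m[$i]) -ne ($b[$i] -band $m[$i])) { return $false }
    }
    return $true
}

# Collect the local IPv4 address/mask pairs; IPAddress and IPSubnet are parallel arrays.
$localNets = @()
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    for ($i = 0; $i -lt $_.IPAddress.Count; $i++) {
        if ($_.IPAddress[$i] -match $ipv4) {
            $localNets += @{ Ip = $_.IPAddress[$i]; Mask = $_.IPSubnet[$i] }
        }
    }
}

# One row per Standard TCP/IP printer port. SNMPEnabled is the "SNMP Status Enabled" checkbox
# in Printer Properties > Ports > Configure Port; SNMPCommunity is usually the default "public".
Get-WmiObject Win32_TCPIPPrinterPort | ForEach-Object {
    $port = $_
    $onLocal = $false
    if ($port.HostAddress -match $ipv4) {
        foreach ($n in $localNets) {
            if (Test-SameSubnet $port.HostAddress $n.Ip $n.Mask) { $onLocal = $true }
        }
    }
    $stale = $port.SNMPEnabled -and -not $onLocal
    if ($Disable -and $stale) {
        # Scripted equivalent of unticking "SNMP Status Enabled"; the spooler stops polling this host.
        $port.SNMPEnabled = $false
        $port.Put() | Out-Null
    }
    New-Object PSObject -Property @{
        Port          = $port.Name
        Host          = $port.HostAddress
        SNMPEnabled   = $port.SNMPEnabled
        Community     = $port.SNMPCommunity
        OnLocalSubnet = $onLocal
        SeenInCapture = ($ObservedTargets -contains $port.HostAddress)
        Stale         = $stale
    }
} | Format-Table Port, Host, SNMPEnabled, Community, OnLocalSubnet, SeenInCapture, Stale -AutoSize
```

A port with SeenInCapture and Stale both true is the one behind the unexplained udp/161 traffic; re-run the capture after -Disable (or after deleting the printer, as Colin did) to confirm the requests have stopped.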
