Hi.

On Thu, Feb 21, 2019 at 11:42:58AM +0100, Hans wrote:
> On Thursday, 21 February 2019, 11:19:08 CET, Reco wrote:
> Hi Reco (and all others),
>
> sure, I attached the wireshark pcap. There is nothing secret in it.

That's interesting. Aforementioned pcap does not contain udp:69, but it
does contain broadcast udp:161 (src: 192.168.2.117 dst: 255.255.255.255),
requesting three OIDs via SNMP v2c:

$ snmptranslate -mALL .1.3.6.1.2.1.1.1.0
RFC1213-MIB::sysDescr.0
$ snmptranslate -mALL .1.3.6.1.2.1.1.2.0
RFC1213-MIB::sysObjectID.0
$ snmptranslate -mALL .1.3.6.1.2.1.2.2.1.6.1
RFC1213-MIB::ifPhysAddress.1

A hint. One should not (ab)use SNMP this way. Even if you're doing
device discovery - you're doing it wrong by sending SNMP to broadcast.
Explains why your other hosts see this though.

> However, I know, what the ports are for, but it is not understandable for me,
> why networking protocols are started, when I just put a stick into
> the required slot. And these devices are still not mounted! There is no sense
> IMO, why the computer is scanning the network at all.

There can be an explanation, though, but Wireshark/tcpdump is not
suitable to get it.

Install auditd.
Invoke "auditctl -a always,exit -S connect".
Insert any usb stick.
Invoke "auditctl -D" to clear the rules.

All the answers should wait one at /var/log/audit/audit.log

Reco
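
An added example, not part of the original message: once the connect rule above has logged events, this Python code pairs each SYSCALL record in audit.log with its SOCKADDR record and decodes the hex saddr field to show which executable connected to which address and port. The sample records and executable names are constructed, and a little-endian host (x86-64) is assumed.

```python
import re
import socket
import struct

# Constructed sample of /var/log/audit/audit.log records (not from the thread);
# the executable names are placeholders.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1550746000.101:811): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffc0 a2=10 a3=0 items=0 ppid=1 pid=2301 auid=1000 uid=1000 comm="example-probe" exe="/usr/bin/example-probe" key=(null)
type=SOCKADDR msg=audit(1550746000.101:811): saddr=020000A1FFFFFFFF0000000000000000
type=SYSCALL msg=audit(1550746000.250:812): arch=c000003e syscall=42 success=yes exit=0 a0=7 a1=7ffc1 a2=6e a3=0 items=1 ppid=1 pid=2310 auid=1000 uid=1000 comm="example-helper" exe="/usr/lib/example-helper" key=(null)
type=SOCKADDR msg=audit(1550746000.250:812): saddr=01002F72756E2F646275732F73797374656D5F6275735F736F636B657400
"""

MSG_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")

def decode_saddr(hexstr):
    """Decode a SOCKADDR record's hex saddr into (family, address, port)."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack_from("<H", raw)[0]  # sa_family, little-endian host assumed
    if family == 2:    # AF_INET on Linux: port and address in network byte order
        return "inet", socket.inet_ntoa(raw[4:8]), struct.unpack_from("!H", raw, 2)[0]
    if family == 10:   # AF_INET6 on Linux: port, flowinfo, 16-byte address
        return "inet6", socket.inet_ntop(socket.AF_INET6, raw[8:24]), struct.unpack_from("!H", raw, 2)[0]
    if family == 1:    # AF_UNIX: NUL-terminated filesystem path
        return "unix", raw[2:].split(b"\0")[0].decode(errors="replace"), None
    return "family-%d" % family, hexstr, None

def network_connects(log_text):
    """Merge SYSCALL and SOCKADDR records sharing an event id and return
    (exe, pid, address, port) for IPv4/IPv6 destinations only."""
    events = {}
    for line in log_text.splitlines():
        m = MSG_ID.search(line)
        if not m:
            continue
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
        events.setdefault(m.group(1), {}).update(fields)
    results = []
    for ev in events.values():
        if "saddr" not in ev or "exe" not in ev:
            continue  # incomplete event: one of the two records is missing
        family, addr, port = decode_saddr(ev["saddr"])
        if family in ("inet", "inet6"):
            results.append((ev["exe"].strip('"'), int(ev["pid"]), addr, port))
    return results
```

Local AF_UNIX connects are filtered out so only network destinations remain. Sockets that send with sendto() without ever calling connect() do not appear under this rule.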