MajorGeeks Support Forums

Go Back   MajorGeeks Support Forums > ----------= PC, Desktop and Laptop Support =---------- > Software
Register FAQ Members List Calendar Mark Forums Read

Software Software such as operating systems like Windows XP, Windows Vista, Windows 7 etc., or specific programs.

Closed Thread
Thread Tools Display Modes
Old 10-22-08, 12:16
Unbanable Unbanable is offline
Join Date: Jun 2005
Posts: 341
Thanks: 3
Thanked 16 Times in 16 Posts
Default icslap

Trying to find info on icslap... Wikipedia has nothing, google has rumors. Anyone know what this is used for? I saw some ICSLAP communication on my local network. I can't seem to find the communication on my computer anywhere(I was using monitoring software, but I can't seem to find the communication saved anywhere), so I can't see what was in them anymore, but from what I remember, I couldn't tell much from the packets. Anyone know anything about it?
Sponsored links
Old 10-22-08, 13:35
DavidGP's Avatar
DavidGP DavidGP is offline
MajorGeeks Forum Administrator - Grand Pooh-Bah
Join Date: Jan 2002
Location: UK
Posts: 40,021
Thanks: 3,528
Thanked 3,325 Times in 3,022 Posts
Default Re: icslap


Did this monitoring software tell you also what port this was coming from as iirc this is off port 2869 SSDP and guessing could be from Internet Connection Sharing, Windows Firewall or Local Network Sharing as SSDP is what detects network clients (PCs)

What software you using to monitor this? Read that Esets Firewall pops up with this too.

What Windows version and SP?

List of Services and what they do, maybe of use to you;en-us;832017
Old 10-22-08, 21:20
Unbanable Unbanable is offline
Join Date: Jun 2005
Posts: 341
Thanks: 3
Thanked 16 Times in 16 Posts
Default Re: icslap

Thanks, I don't know why I didn't give more info...

I was using Wireshark(I was actually trying to diagnose something else at the time, I believe, but noticed some other things that raised questions).

Vista Home Premium (32 bit) SP1

Ummm port number.. port number.. Well, I think it was 2869, but I can't be sure unless I find the saved log somewhere.

Looking through some more google results, I came across this:
"About 2869 (which is IANA registered as MS ICSLAP), Microsoft says starting with Windows XP SP2, SSDP event notification service will rely on TCP port 2869. Currently this is only a speculative risk."

Anyway, I don't use ICS so I don't see why that would be doing anything, and I don't use Windows Firewall so I don't know why that would be doing anything, but I suppose it could be something related to SSDP. I see a LOT of SSDP traffic on my network. Actually, I wish I new a good way to reduce it. But, when I see SSDP traffic, it usually shows the protocol as SSDP, so I wonder why those particular packets showed as ICSLAP. I'm almost certain that it showed icslap in the protocol column, but I guess it's possible I could just be going crazy. Going through lots of long logs that, instead of answering your questions, produce more can get to you after a while. I wish I could find the stupid log but apparently I didn't save it. Thanks for the help though. I guess I'll just assume that it was something related to SSDP.

Now that I think about it, I think when I looked in the packets, there seemed to be information regarding the two computers communicating, so that makes it sound even more like SSDP. I wish I knew of a way to reduce the huge amounts of SSDP traffic. Most of it seems to be coming from the router.

Before posting this post, I decided to run wireshark again.. After waiting a while, ICSLAP did turn up again. It was not listed in the protocol column like I thought it was before, but showed up in the info section. It was the destination port (2869) on a packet from my computer to another computer on the network. Interestingly, it's the first that seems to be using that port(so I'd assume it's the first packet for that particular communication) but it has the RST and ACK flags set. Why would the RST flag be set if it's the first communication, wouldn't that flag only be used for a current communication? How can you reset something that hasn't yet been established, or hasn't even been attempted to establish? I wish I knew what to look for and how to understand what I'm looking at. Oh well. I'm sure I'll learn eventually so long as I keep learning and researching
Old 10-22-08, 21:31
Unbanable Unbanable is offline
Join Date: Jun 2005
Posts: 341
Thanks: 3
Thanked 16 Times in 16 Posts
Default Re: icslap

Can't edit after 10 minutes... Well... It showed up some more in some traffic between my computer & router.

And what did I tell you? Looking through the logs for answers produces more questions. Now I'm trying to figure out what these https connections to severs with no reverse dns were for... reverse dns isn't working.. pisses me off.

Edit: One was to Microsoft.. understandable, I suppose. Another, to a google server??? Not sure why on that one..

Last edited by Unbanable; 10-22-08 at 21:37..
Old 10-23-08, 18:56
plodr's Avatar
plodr plodr is offline
Major Geek Extraordinaire
Join Date: Sep 2007
Location: at my computer
Posts: 15,432
Thanks: 227
Thanked 2,886 Times in 2,670 Posts
Default Re: icslap

If you ever downloaded google chrome to try out the browser, it is set to automatically check google for updates.
7" ASUS eeepc LXLE Desktop
Aspire V5 7 HomePremium
Sponsored links
Old 01-20-12, 19:59
RememberThis RememberThis is offline
Private E-2
Join Date: Jul 2008
Location: Denver
Posts: 5
Thanks: 0
Thanked 1 Time in 1 Post
Default Re: icslap

Evenin' friends
I just noticed this particular little item you are talking about pop up on me suddenly in the middle of watching a DVD

It was enough to freeze up the Vid just enough to raise my curiosity

System 4.... icslap...I was unable to query properties or kill it.
I did not get the same port number(s) as the OP....but I am running Outpost Firewall and it likes assigning the higher port numbers.

I do believe it is a service that is built into WMP

Is It Nefarious? Im not closed the exact same moment I closed WMP.
Im working a little hunch here, as I have never seen icslap before and I do not have ICS on. This IS monitoring in some fashion as it attempted to send packets.
If my hunch is correct and I can ferret this out, I am under the impression this has something to do with viewing a particular companys webpage concerning a recent nuclear disaster.

Im running WIN7 Pro
Caught it using TcpView and PrcView
Closed Thread

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

All times are GMT -5. The time now is 19:32.

MajorGeeks.Com Menu

MajorGeeks.Com \ All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ NEW! PC Games \ System Tools \ Macintosh \ Demonews.Com \ Top Downloads

MajorGeeks.Com \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds

All content Copyright source code Powered by vBulletin® Version 3.8.4
Copyright © 2009 vBulletin Solutions, Inc. All rights reserved.
Ad Management by RedTyger