MajorGeeks Support Forums

  #1  
Old 10-22-08, 12:16
Unbanable Unbanable is offline
Specialist
 
Join Date: Jun 2005
Posts: 341
Thanks: 3
Thanked 16 Times in 16 Posts
Default icslap

Trying to find info on icslap... Wikipedia has nothing, Google has rumors. Anyone know what this is used for? I saw some ICSLAP communication on my local network. I can't seem to find the communication on my computer anywhere (I was using monitoring software, but I can't seem to find the communication saved anywhere), so I can't see what was in them anymore, but from what I remember, I couldn't tell much from the packets. Anyone know anything about it?
  #2  
Old 10-22-08, 13:35
DavidGP DavidGP is offline
MajorGeeks Forum Administrator - Grand Pooh-Bah
 
Join Date: Jan 2002
Location: UK
Posts: 38,263
Thanks: 2,628
Thanked 2,934 Times in 2,677 Posts
Default Re: icslap

Hi

Did this monitoring software also tell you what port this was coming from? IIRC this is off port 2869 (SSDP), and I'm guessing it could be from Internet Connection Sharing, Windows Firewall or Local Network Sharing, as SSDP is what detects network clients (PCs).

What software are you using to monitor this? I read that ESET's firewall pops up with this too.

What Windows version and SP?


List of services and what they do, may be of use to you: http://support.microsoft.com/default...b;en-us;832017
__________________
Microsoft® MVP - Windows Expert ~ Consumer
  #3  
Old 10-22-08, 21:20
Unbanable Unbanable is offline
Specialist
 
Join Date: Jun 2005
Posts: 341
Thanks: 3
Thanked 16 Times in 16 Posts
Default Re: icslap

Thanks, I don't know why I didn't give more info...

I was using Wireshark (I was actually trying to diagnose something else at the time, I believe, but noticed some other things that raised questions).

Vista Home Premium (32 bit) SP1

Ummm port number.. port number.. Well, I think it was 2869, but I can't be sure unless I find the saved log somewhere.


Looking through some more Google results, I came across this:
"About 2869 (which is IANA registered as MS ICSLAP), Microsoft says starting with Windows XP SP2, SSDP event notification service will rely on TCP port 2869. Currently this is only a speculative risk."

Anyway, I don't use ICS so I don't see why that would be doing anything, and I don't use Windows Firewall so I don't know why that would be doing anything, but I suppose it could be something related to SSDP. I see a LOT of SSDP traffic on my network. Actually, I wish I knew a good way to reduce it. But, when I see SSDP traffic, it usually shows the protocol as SSDP, so I wonder why those particular packets showed as ICSLAP. I'm almost certain that it showed icslap in the protocol column, but I guess it's possible I could just be going crazy. Going through lots of long logs that, instead of answering your questions, produce more can get to you after a while. I wish I could find the stupid log but apparently I didn't save it. Thanks for the help though. I guess I'll just assume that it was something related to SSDP.

Now that I think about it, I think when I looked in the packets, there seemed to be information regarding the two computers communicating, so that makes it sound even more like SSDP. I wish I knew of a way to reduce the huge amounts of SSDP traffic. Most of it seems to be coming from the router.


Before posting this post, I decided to run Wireshark again. After waiting a while, ICSLAP did turn up again. It was not listed in the protocol column like I thought it was before, but showed up in the info section. It was the destination port (2869) on a packet from my computer to another computer on the network. Interestingly, it's the first that seems to be using that port (so I'd assume it's the first packet for that particular communication) but it has the RST and ACK flags set. Why would the RST flag be set if it's the first communication, wouldn't that flag only be used for a current communication? How can you reset something that hasn't yet been established, or hasn't even been attempted to establish? I wish I knew what to look for and how to understand what I'm looking at. Oh well. I'm sure I'll learn eventually so long as I keep learning and researching.
  #4  
Old 10-22-08, 21:31
Unbanable Unbanable is offline
Specialist
 
Join Date: Jun 2005
Posts: 341
Thanks: 3
Thanked 16 Times in 16 Posts
Default Re: icslap

Can't edit after 10 minutes... Well... It showed up some more in some traffic between my computer & router.

And what did I tell you? Looking through the logs for answers produces more questions. Now I'm trying to figure out what these HTTPS connections to servers with no reverse DNS were for... reverse DNS isn't working.. pisses me off.

Edit: One was to Microsoft.. understandable, I suppose. Another, to a Google server??? Not sure why on that one..

Last edited by Unbanable; 10-22-08 at 21:37..
  #5  
Old 10-23-08, 18:56
plodr plodr is offline
Major Geek Extraordinaire
 
Join Date: Sep 2007
Location: at my computer
Posts: 13,823
Thanks: 179
Thanked 2,471 Times in 2,292 Posts
Default Re: icslap

If you ever downloaded Google Chrome to try out the browser, it is set to automatically check Google for updates.
__________________
7" ASUS eeepc with linux
Aspire V5 7 HomePremium
  #6  
Old 01-20-12, 18:59
RememberThis RememberThis is offline
Private E-2
 
Join Date: Jul 2008
Location: Denver
Posts: 5
Thanks: 0
Thanked 1 Time in 1 Post
Default Re: icslap

Evenin' friends
I just noticed this particular little item you are talking about pop up on me suddenly in the middle of watching a DVD.

It was enough to freeze up the vid just enough to raise my curiosity.

System 4.... icslap... I was unable to query properties or kill it.
I did not get the same port number(s) as the OP... but I am running Outpost Firewall and it likes assigning the higher port numbers.

I do believe it is a service that is built into WMP.

Is it nefarious? I'm not sure... it closed the exact same moment I closed WMP.
I'm working a little hunch here, as I have never seen icslap before and I do not have ICS on. This IS monitoring in some fashion as it attempted to send packets.
If my hunch is correct and I can ferret this out, I am under the impression this has something to do with viewing a particular company's webpage concerning a recent nuclear disaster.

Im running WIN7 Pro
Caught it using TcpView and PrcView
Reply With Quote
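
Added example, not part of any post in this thread: a triage of `netstat -ano` output for the port discussed above. It labels TCP 2869 (IANA name icslap) rows by role and flags any peer outside local address space, since SSDP/UPnP is a local-network mechanism. The sample lines are constructed (PID 4 mirrors the "System 4" reported in post #6), and the function names and the LAN range list are assumptions of this example.

```python
import ipaddress

ICSLAP_PORT = 2869  # IANA name "icslap"; SSDP event notification per the thread
# Address ranges treated as "on the LAN" (assumption of this example).
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed sample in Windows `netstat -ano` layout (not from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING       4
  TCP    [::]:2869              [::]:0                 LISTENING       4
  TCP    192.168.1.20:2869      192.168.1.1:51812      ESTABLISHED     4
  TCP    192.168.1.20:49712     203.0.113.7:2869       SYN_SENT        1234
  TCP    192.168.1.20:49713     192.168.1.1:443        ESTABLISHED     1234
  UDP    0.0.0.0:1900           *:*                                    1096
"""

def split_endpoint(text):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = text.rpartition(":")
    return addr.strip("[]"), int(port)

def is_local_peer(addr):
    """True for the unspecified address and anything inside LAN_NETS."""
    ip = ipaddress.ip_address(addr)
    return ip.is_unspecified or any(ip in net for net in LAN_NETS)

def triage(netstat_text):
    """Return one record per TCP row that involves port 2869."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # header, blank lines, UDP rows (no state column)
        (_, lport), (raddr, rport) = map(split_endpoint, fields[1:3])
        if ICSLAP_PORT not in (lport, rport):
            continue
        if fields[3] == "LISTENING":
            role = "listener"
        else:  # local port 2869 means the peer connected to us
            role = "inbound" if lport == ICSLAP_PORT else "outbound"
        findings.append({"pid": int(fields[4]), "role": role, "peer": raddr,
                         "state": fields[3], "off_lan": not is_local_peer(raddr)})
    return findings

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

On a real host, pass the text of `netstat -ano` to `triage()` and look up the reported PIDs in a process viewer.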