
What's all this TR064 stuff

MartyPop
Rising Star
Posts: 137
Thanks: 13
Registered: 01-10-2014

What's all this TR064 stuff

A couple of days ago, I started seeing stuff in my PlusNet Hub One firewall logfile which I've never seen before. As you can see from the following logfile extract, it repeats itself approximately every 30 seconds:

08:51:02, 30 Apr.	(1385562.210000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
08:50:27, 30 Apr.	(1385527.580000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
08:49:47, 30 Apr.	(1385487.580000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
08:49:14, 30 Apr.	(1385454.800000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
08:48:33, 30 Apr.	(1385413.620000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
08:47:53, 30 Apr.	(1385373.350000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
08:47:16, 30 Apr.	(1385336.430000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
08:46:38, 30 Apr.	(1385297.970000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65
08:46:03, 30 Apr.	(1385263.190000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65

Anyone know what's going on here?

 

9 REPLIES
Community Veteran
Posts: 4,769
Thanks: 1,052
Fixes: 27
Registered: 16-10-2014

Re: What's all this TR064 stuff

@MartyPop, are you or anyone else in the house running games consoles or similar? This TR064 protocol is LAN-sided, so these entries are coming from inside your network (specifically 192.168.1.65), so to start with, what device has this address?

MartyPop
Rising Star
Posts: 137
Thanks: 13
Registered: 01-10-2014

Re: What's all this TR064 stuff

Nope, no games consoles or similar here.

The device with that IP is my Win7 PC.

However, a strange thing happened within 10 minutes of posting my original post --> the TR064 stuff stopped!?

 

Community Veteran
Posts: 4,769
Thanks: 1,052
Fixes: 27
Registered: 16-10-2014

Re: What's all this TR064 stuff

That's weird. Best to keep an eye on the logs to see if it returns; it might give you an idea as to what or why it is being done.

MartyPop
Rising Star
Posts: 137
Thanks: 13
Registered: 01-10-2014

Re: What's all this TR064 stuff

The last thing I did before switching off my Win7 PC yesterday was to check my Hub One firewall logfile and it definitely hadn't started again. The first thing I did after booting my Win7 PC this morning was to have a look at the Hub One firewall logfile and there it was again. All this went on for just over an hour and then stopped but the last entry in the logfile was slightly different to all the others:

09:26:09, 01 May.	(1474067.640000) Port forwarding rule deleted via UPnP/TR064. Protocol: UDP, external ports: any->64208, internal ports: 64208, internal client: 192.168.1.65

Whatever it is that's trying to create a port forwarding rule is then trying to delete the rule but as this is all in the firewall logfile, it shows that the firewall is doing its job. All I need to do now is to figure out what's attempting to create the port forwarding rule but how I do that eludes me at the moment. For starters, I ran a full AV scan yesterday afternoon which found nothing.
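Added example (not part of the original posts): one way to summarise the Hub One log lines quoted in this thread, grouping UPnP/TR064 events per mapping, measuring how often a rule is re-added, and flagging mappings whose last event is an add. It assumes the number in parentheses is router uptime in seconds; the sample uses four lines from the thread plus one constructed line for a hypothetical client 192.168.1.80.

```python
import re
from collections import defaultdict

# Log format as quoted in the thread. "\u200b?" tolerates the zero-width
# space that web copies of the log can carry inside "any->".
LINE_RE = re.compile(
    r"\((?P<uptime>\d+\.\d+)\) Port forwarding rule (?P<action>added|deleted) "
    r"via UPnP/TR064\. Protocol: (?P<proto>\w+), external ports: any-\u200b?>(?P<ext>\d+), "
    r"internal ports: (?P<int>\d+), internal client: (?P<client>[\d.]+)"
)

TAIL = ", internal ports: 64208, internal client: 192.168.1.65"
# Four lines from the thread, newest first, plus one constructed TCP line.
SAMPLE_LOG = "\n".join([
    "09:26:09, 01 May.\t(1474067.640000) Port forwarding rule deleted via UPnP/TR064. Protocol: UDP, external ports: any->64208" + TAIL,
    "08:51:02, 30 Apr.\t(1385562.210000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208" + TAIL,
    "08:50:27, 30 Apr.\t(1385527.580000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208" + TAIL,
    "08:49:47, 30 Apr.\t(1385487.580000) Port forwarding rule added via UPnP/TR064. Protocol: UDP, external ports: any->64208" + TAIL,
    # Constructed line: a second client whose mapping is never deleted.
    "08:50:00, 30 Apr.\t(1385500.000000) Port forwarding rule added via UPnP/TR064. Protocol: TCP, external ports: any->8080, internal ports: 8080, internal client: 192.168.1.80",
])

def summarise(log_text):
    """Return {(proto, external_port, client): stats} for UPnP/TR064 events."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # lines in any other format are ignored
            key = (m["proto"], int(m["ext"]), m["client"])
            events[key].append((float(m["uptime"]), m["action"]))
    report = {}
    for key, evs in events.items():
        evs.sort()  # oldest first, by the assumed uptime counter
        adds = [t for t, action in evs if action == "added"]
        gaps = [later - earlier for earlier, later in zip(adds, adds[1:])]
        report[key] = {
            "adds": len(adds),
            "mean_readd_s": round(sum(gaps) / len(gaps), 1) if gaps else None,
            # Last event is an add: the forward is presumably still in place.
            "still_open": evs[-1][1] == "added",
        }
    return report

if __name__ == "__main__":
    for mapping, stats in summarise(SAMPLE_LOG).items():
        print(mapping, stats)
```

A mapping that is re-added every 30 to 40 seconds and then deleted points to a lease being refreshed by a running service; one left with still_open set is worth checking against the router's current UPnP table.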

Community Veteran
Posts: 4,769
Thanks: 1,052
Fixes: 27
Registered: 16-10-2014

Re: What's all this TR064 stuff

@MartyPop - One option is to run netstat on the Windows machine. Start by running the Task Manager, then open a DOS command prompt and execute:

netstat -ano | more

This should give you the PID of the application making the request, but you may need to run it several times to capture what you need.

Or you can use CurrPorts from NirSoft; this may be easier to use as it has a GUI and due to the timed nature of the requests. Once you know the PID or you have the name of the application making these requests, you'll be able to decide as to what the next step should be.

Community Veteran
Posts: 2,211
Thanks: 95
Fixes: 4
Registered: 18-02-2013

Re: What's all this TR064 stuff

I find the Resource Monitor/Network useful as well as netstat for looking at dubious stuff in Windows.

MartyPop
Rising Star
Posts: 137
Thanks: 13
Registered: 01-10-2014

Re: What's all this TR064 stuff

Having just rebooted the Win7 PC and then looking in the Resource Monitor/Network, it's svchost.exe (netsvcs) that's doing it. Not sure what that actually does?

Community Veteran
Posts: 4,769
Thanks: 1,052
Fixes: 27
Registered: 16-10-2014

Re: What's all this TR064 stuff

Well at least you know it's not malicious which is always a good thing.

Community Veteran
Posts: 6,286
Thanks: 446
Fixes: 40
Registered: 30-07-2007

Re: What's all this TR064 stuff

Very possibly it's Teredo, https://answers.microsoft.com/en-us/windows/forum/windows_8-networking/teredo-and-upnp/5657f953-b493...

Although why it would stop after an hour I'm not sure ...