11-07-2012 18:10 - edited 11-07-2012 18:23
I just spent about a half hour researching why some hosts on my network were sending packets to a private address that is near, but not within, a subnet that is live for hosts.
The site's hosts are: 192.168.99.0/24, 192.168.100.0/24, and 192.168.101.0/24.
I see traffic from several hosts on 192.168.100.0/24 sending traffic from a port which Skype has opened on those hosts to the same address on 192.168.98.0/24. In fact, it is always 192.168.98.5.
The port is the same port that Skype is assigned to use for incoming connections. Note that there is no host at 192.168.98.5, and I see no packets from that IP anywhere on my network.
I'm aware that Skype randomly chooses a port to establish incoming connections with upon first run, and this is the port in question in my instance.
It is worth noting that I block outgoing connections on this port (most ports) and UPnP on my network, so I'm curious what Skype is trying to do. I'm used to it tunneling over http and https.
This is inexplicable to me. Does anyone have any idea what Skype is doing?
11-07-2012 18:17 - edited 11-07-2012 18:21
I have "Accept Skype browser cookies" enabled.
I have disabled this, cleared the Skype browser cookies, and restarted Skype.
skype.exe still binds to the port in question.
Why do you believe this is relevant?
In fact, when I restart, I see the packets again, destined for that address.
11-07-2012 18:31 - edited 11-07-2012 18:43
I already did this, and it seems that the packet contents are encrypted. I am solely concerned with why it's hitting a random local address. That, in itself, is what has me interested.
I was able to redirect the traffic from the random port to 80 and 443 by setting the following registry keys (manually on a test machine).
I currently see that the activity on the port is limited to a local host who I was communicating with previously:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Skype\Phone REG_DWORD ListenPort=1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Skype\Phone REG_DWORD ListenHTTPPorts=0
This will force Skype clients to not use a randomized port for communication, but only tunnel over 80 and 443.
I still see some TCP connections to the mystery host (192.168.98.5), but now limited to three TCP packets and on another random port, not the multiple UDP packets that I saw before I implemented those policies.
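An added example, not part of the original thread: one way to surface this pattern from flow records is to flag destinations that fall in RFC 1918 space but outside the site's live subnets, then list which hosts contact each one. The record format, the sample flows and port 51234 are constructed for illustration; only the subnets and 192.168.98.5 come from the posts above.

```python
import ipaddress
from collections import Counter

# Live subnets as listed in the original post.
LIVE_SUBNETS = [ipaddress.ip_network(n) for n in
                ("192.168.99.0/24", "192.168.100.0/24", "192.168.101.0/24")]
# RFC 1918 ranges, spelled out because ipaddress's is_private covers more.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: "proto src_ip src_port dst_ip dst_port".
# Port 51234 is an assumed stand-in for the Skype listen port.
SAMPLE_FLOWS = """\
udp 192.168.100.21 51234 192.168.98.5 51234
udp 192.168.100.21 51234 192.168.98.5 51234
udp 192.168.100.37 51234 192.168.98.5 51234
tcp 192.168.100.21 49822 192.168.101.10 445
tcp 192.168.100.37 49901 203.0.113.80 443
tcp 192.168.99.14 50012 192.168.98.5 40110
bad line
"""

def is_stray_private(dst):
    """True if dst is RFC 1918 space but outside every live subnet."""
    return (any(dst in net for net in RFC1918)
            and not any(dst in net for net in LIVE_SUBNETS))

def find_stray_flows(text):
    """Count flows per (src, dst, proto, dst_port) aimed at stray private IPs."""
    hits = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed record
        proto, src, _sport, dst, dport = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            continue  # unparsable address or port
        if is_stray_private(dst_ip):
            hits[(str(src_ip), str(dst_ip), proto, dport)] += 1
    return hits

def sources_per_target(hits):
    """Map each stray destination to the sorted list of hosts contacting it."""
    targets = {}
    for src, dst, _proto, _dport in hits:
        targets.setdefault(dst, set()).add(src)
    return {dst: sorted(srcs) for dst, srcs in targets.items()}
```

Calling `sources_per_target(find_stray_flows(SAMPLE_FLOWS))` groups the flagged flows by destination, so several unrelated hosts converging on one unused private address stands out at a glance.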