Ports 3978 and 2222

Matt.Follett

I opened up Microsoft Word X recently and was playing around on the
console trying to get a program I was writing to work. While I was
playing around I ran `lsof -i` and found some odd output:
Microsoft 362 user 25u IPv4 0x0274c538 0t0 TCP *:3978 (LISTEN)
Microsoft 362 user 26u IPv4 0x01f22150 0t0 UDP *:rockwell-csp2
I never noticed this before. Does anyone know if it is normal for
Microsoft Word to open up two ports, 3978 and 2222? If it isn't
supposed to do that then why is it doing it and how do I make it stop?

thanks a lot,
Matt
 
claudel

I opened up Microsoft Word X recently and was playing around on the
console trying to get a program I was writing to work. While I was
playing around I ran `lsof -i` and found some odd output:
Microsoft 362 user 25u IPv4 0x0274c538 0t0 TCP *:3978 (LISTEN)
Microsoft 362 user 26u IPv4 0x01f22150 0t0 UDP *:rockwell-csp2
I never noticed this before. Does anyone know if it is normal for
Microsoft Word to open up two ports, 3978 and 2222? If it isn't
supposed to do that then why is it doing it and how do I make it stop?

thanks a lot,
Matt

I wouldn't necessarily call it "normal" but it is by design.

I believe that Word broadcasts an internal ID every 10 minutes or so
on 2222 and listens for these broadcasts on a different port. I'm uncertain
if it always listens on 3978, but it may. If an identical ID is received then
all the copies on the localnet will pop a message and shut down...

I block port 2222 via the default deny rule on my firewall and
the Office X suite programs all seem to function without any problems
that I can trace to the denial of that traffic.


Claude
 
Corentin Cras-Méneur

claudel said:
I wouldn't necessarily call it "normal" but it is by design.

I believe that Word broadcasts an internal ID every 10 minutes or so
on 2222 and listens for these broadcasts on a different port. I'm uncertain
if it always listens on 3978, but it may. If an identical ID is received then
all the copies on the localnet will pop a message and shut down...

I block port 2222 via the default deny rule on my firewall and
the Office X suite programs all seem to function without any problems
that I can trace to the denial of that traffic.

I think I remember that with one of the updates, it started using a
range of ports instead of just 2222.

Corentin
 
claudel

I think I remember that with one of the updates, it started using a
range of ports instead of just 2222.

Office 2004, maybe?

Both Word and Excel X send to 255.255.255.255:2222 on my machine
when they are running and I have the latest X update. I was wrong
about the 10 minute interval. The broadcasts are at startup and
seem to be at random intervals. A year or so ago I captured one
of the broadcasts with Ethereal, but I don't remember noticing
anything that I thought was significant at the time.


Claude
 
claudel

Office 2004, maybe?

Both Word and Excel X send to 255.255.255.255:2222 on my machine
when they are running and I have the latest X update. I was wrong
about the 10 minute interval. The broadcasts are at startup and
seem to be at random intervals. A year or so ago I captured one
of the broadcasts with Ethereal, but I don't remember noticing
anything that I thought was significant at the time.


Claude

Following up myself...

I just started Entourage and it sends *from* my IP on an escalating range of
ports around 492xx *to* 255.255.255.255:2222...

Word, Excel, and PowerPoint also send a similar broadcast.

grep 2222 /var/log/system.log

Apr 22 11:14:57 kernel: ipfw: 3200 Deny UDP 192.168.1.101:49285 255.255.255.255:2222 out via en1
Apr 22 11:15:08 kernel: ipfw: 3200 Deny UDP 192.168.1.101:49286 255.255.255.255:2222 out via en1
Apr 22 14:23:21 kernel: ipfw: 3200 Deny UDP 192.168.1.101:49290 255.255.255.255:2222 out via en1
Apr 22 14:23:57 kernel: ipfw: 3200 Deny UDP 192.168.1.101:49292 255.255.255.255:2222 out via en1
Apr 22 14:35:21 kernel: ipfw: 3200 Deny UDP 192.168.1.101:49293 255.255.255.255:2222 out via en1
Apr 22 14:46:59 kernel: ipfw: 3200 Deny UDP 192.168.1.101:49294 255.255.255.255:2222 out via en1
Apr 22 14:47:06 kernel: ipfw: 3200 Deny UDP 192.168.1.101:49295 255.255.255.255:2222 out via en1
Apr 22 14:49:22 kernel: ipfw: 3200 Deny UDP 192.168.1.101:49296 255.255.255.255:2222 out via en1
Apr 22 14:49:54 kernel: ipfw: 3200 Deny UDP 192.168.1.101:49297 255.255.255.255:2222 out via en1
Apr 22 14:50:41 kernel: ipfw: 3200 Deny UDP 192.168.1.101:49298 255.255.255.255:2222 out via en1
Apr 22 14:50:49 kernel: ipfw: 3200 Deny UDP 192.168.1.101:49299 255.255.255.255:2222 out via en1
Apr 22 14:51:13 kernel: ipfw: 3200 Deny UDP 192.168.1.101:49300 255.255.255.255:2222 out via en1



Claude
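
An added example, not part of the original thread: a stricter alternative to `grep 2222` that parses ipfw log lines in the format quoted above, keeps only UDP sends to 255.255.255.255:2222, and reports source ports and gaps between broadcasts per host. The sample log is constructed (three lines copy the thread's format, the TCP line is invented to show a substring false positive), and the function names and placeholder year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample; the last line is a decoy that plain "grep 2222" would also match.
SAMPLE_LOG = """\
Apr 22 11:14:57 kernel: ipfw: 3200 Deny UDP 192.168.1.101:49285 255.255.255.255:2222 out via en1
Apr 22 11:15:08 kernel: ipfw: 3200 Deny UDP 192.168.1.101:49286 255.255.255.255:2222 out via en1
Apr 22 14:23:21 kernel: ipfw: 3200 Deny UDP 192.168.1.101:49290 255.255.255.255:2222 out via en1
Apr 22 14:30:00 kernel: ipfw: 3200 Deny TCP 192.168.1.101:49291 10.0.0.5:22222 out via en1
"""

# ".*?" before "ipfw:" tolerates an optional hostname field between timestamp and "kernel:".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?ipfw: (?P<rule>\d+) (?P<action>\w+) "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def office_broadcasts(log_text, port=2222):
    """Return {source_ip: [(datetime, source_port), ...]} for UDP
    packets addressed to the limited broadcast address on `port`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Compare parsed fields, not substrings, so 22222 or a source port 2222x is ignored.
        if (m["proto"], m["dst"], int(m["dport"])) != ("UDP", "255.255.255.255", port):
            continue
        # syslog omits the year; a placeholder year (assumption) is enough for interval math.
        when = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        hits[m["src"]].append((when, int(m["sport"])))
    return dict(hits)

def intervals_seconds(events):
    """Seconds between consecutive broadcasts from one host."""
    times = sorted(t for t, _ in events)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    for src, events in office_broadcasts(SAMPLE_LOG).items():
        print(src, [p for _, p in events], intervals_seconds(events))
```
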