Remote Access?
Posted by John Gregory on December 29th, 2003


I added a new machine to my home network last month; a Pentium 4 running
Windows XP Home Edition. It ties in with a Pentium 2 running WIN98SE and a
486 machine running WIN95. All are plugged into a switch which plugs to a
router that connects to a cable modem.

My most used WIN98SE machine (which has a Norton Personal Firewall) has
begun reporting activity attempting to reach that machine. The remote
address is given as 0.0.0.0,bootpc (followed by a #) and the local address as
255.255.255.255,bootp (followed by a number).

The report considers the threat High Risk so I continually block it. I've
never experienced such a warning and I don't know how to identify the source
to determine if - perhaps - it's my new machine trying to do something on
the local network. There's only me using these three machines.

One thought that makes me suspect this may be an outside attempt is the fact
that the new machine has been connected for about a month. The messages just
began occurring last week. I suppose there is a chance that I may have
inadvertently triggered these by making some adjustment to a setting on the
new machine that I didn't fully understand.

If anyone can point me in the right direction, I'd be very appreciative.


Posted by Lawrence D'Oliveiro on December 31st, 2003


In article <8H%Hb.37641$ms2.34822@fe2.columbus.rr.com>,
"John Gregory" <jaygreg90@hotmail.com> wrote:

Just a guess, could this be a machine somewhere else in the same subnet
as you, trying to boot itself via BOOTP? 255.255.255.255 would be the
broadcast address on the local subnet.

Does this happen continually, or does it only happen every now and then
for a few seconds? If the latter, that could mean that another machine
answered the BOOTP request. You're probably not even supposed to be
seeing this communication happening.

Posted by John Gregory on December 31st, 2003


For the first three weeks with the new machine on the network it never
occurred. Now it occurs occasionally. The message appears, I click the box
to block the action, the message goes away and everything seems OK. I'd just
like to understand where the damn thing is coming from.


"Lawrence D'Oliveiro" <ldo@geek-central.gen.new_zealand> wrote in message
news:ldo-479451.00002601012004@news.wave.co.nz...


Posted by N1POP on December 31st, 2003


"John Gregory" <jaygreg90@hotmail.com> wrote in message news:<8H%Hb.37641$ms2.34822@fe2.columbus.rr.com>...

The activity is from a computer that does not yet have an IP address,
and it's using bootp to get one assigned.

If your 98 box does not assign addresses (primary domain controller),
then you are right to block the attempts.

It's my guess that your new machine is the culprit. You can try
disconnecting the net for a few hours and see if the events still
arrive (all machines should be powered up). If the events still
appear, then power down the other two machines one at a time (XP
first) for a few hours and see if the events stop.

Posted by Nick on January 2nd, 2004


N1POP wrote:
Another suggestion is to download Ethereal or another network sniffer
and record traffic until you see the error. Then you can view the
capture file and determine the MAC address of the offending PC.
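
What to pull out of such a capture, as an added example that is not part of the original thread: a parser for the UDP payload of a BOOTP/DHCP packet (the 0.0.0.0:bootpc to 255.255.255.255:bootps broadcast described above) that reports the client hardware (MAC) address and, when the sender included them, the DHCP message type and host name. The sample packet, its MAC address and the host name NEWPC are constructed for illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options (RFC 2131)
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 8: "INFORM"}

def parse_bootp(payload: bytes) -> dict:
    """Parse the UDP payload of a BOOTP/DHCP packet (ports 67/68)."""
    if len(payload) < 236:
        raise ValueError("too short for the fixed BOOTP header")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    if hlen > 16:
        raise ValueError("hardware address length exceeds the chaddr field")
    info = {
        "op": {1: "request", 2: "reply"}.get(op, f"unknown({op})"),
        "xid": xid,
        # chaddr sits at offset 28; only the first hlen bytes are the address
        "client_mac": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),
        "hostname": None, "dhcp_type": None,
    }
    opts = payload[236:]
    if opts[:4] != MAGIC_COOKIE:
        return info  # plain BOOTP, no DHCP options present
    i = 4
    while i < len(opts) and opts[i] != 255:   # 255 = end option
        if opts[i] == 0:                      # 0 = pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or i + 2 + opts[i + 1] > len(opts):
            break                             # truncated option, stop parsing
        code, length = opts[i], opts[i + 1]
        data = opts[i + 2:i + 2 + length]
        if code == 12:                        # host name sent by the client
            info["hostname"] = data.decode("ascii", "replace")
        elif code == 53 and length == 1:      # DHCP message type
            info["dhcp_type"] = DHCP_TYPES.get(data[0], f"unknown({data[0]})")
        i += 2 + length
    return info

def build_sample() -> bytes:
    """Constructed DHCPDISCOVER payload (made-up MAC and host name)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x12345678, 0, 0x8000)
    hdr += bytes(16)                                          # ciaddr..giaddr = 0.0.0.0
    hdr += bytes.fromhex("020000aabbcc").ljust(16, b"\x00")   # chaddr
    hdr += bytes(64 + 128)                                    # sname and file, unused
    return hdr + MAGIC_COOKIE + b"\x35\x01\x01" + b"\x0c\x05NEWPC" + b"\xff"

if __name__ == "__main__":
    print(parse_bootp(build_sample()))
```

Comparing the reported `client_mac` with the adapter address of each machine on the network identifies which one is sending the requests.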

