[Dshield] Any ideas?

Mark Rowlands mark.rowlands at minmail.net
Mon May 27 13:52:31 GMT 2002


On Friday 24 May 2002 5:25 pm, van Niekerk Niel wrote:
> Hi,
>
> Here's the rub: I am seeing a fair amount of UDP broadcast traffic directed
> to port 1900 (SSDP). These originate from many different hosts on our LAN
> (see the packet capture below), and all the references I can obtain for SSDP or
> port 1900 point to either WinXP or MSN Messenger.
>

I ran a capture for about an hour on a Win2k workstation segment, with
Messenger on most machines, without a trace of one of these packets; got lots
of directed packets... to 1900 on the local gateway, which responds with an
ICMP destination unreachable.

Stopping the "plug and pray" service silenced these packets.


Maybe if you do a less specific capture and see if you can see what prompts
the traffic or responds to it...


>
>
> ---------PACKET CAPTURE--------------- (ww.xx.yy.zz = Local LAN ip of WIN2K
> host)
>     Packet Length: 60 bytes
>     Capture Length: 60 bytes
> Ethernet II
>     Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
>     Source: 00:50:8b:6a:0a:1b (00:50:8b:6a:0a:1b)
>     Type: IP (0x0800)
>     Trailer: 0000000000000000000000000000
> Internet Protocol, Src Addr: ww.xx.yy.zz (ww.xx.yy.zz), Dst Addr:
> 255.255.255.255 (255.255.255.255)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 32
>     Identification: 0xaaa2
>     Flags: 0x00
>         .0.. = Don't fragment: Not set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 128
>     Protocol: UDP (0x11)
>     Header checksum: 0x8027 (correct)
>     Source: ww.xx.yy.zz (ww.xx.yy.zz)
>     Destination: 255.255.255.255 (255.255.255.255)
> User Datagram Protocol, Src Port: 1030 (1030), Dst Port: 1900 (1900)
>     Source port: 1030 (1030)
>     Destination port: 1900 (1900)
>     Length: 12
>     Checksum: 0x3483 (correct)
> Hypertext Transfer Protocol
>     Data (4 bytes)
>
> 0000  ff ff ff ff ff ff 00 50 8b 6a 0a 1b 08 00 45 00   .......P.j....E.
> 0010  00 20 aa a2 00 00 80 11 80 27 ww xx yy zz ff ff   . .......'......
> 0020  ff ff 04 06 07 6c 00 0c 34 83 49 6e 66 6f 00 00   .....l..4..Info..
> 0030  00 00 00 00 00 00 00 00 00 00 00 00               ............
>
> ----------------------------------------------------------------------
>
>
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
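As an added illustration (not part of either list message), the following Python decodes the quoted hex dump and checks what both posters are looking at: a broadcast UDP datagram to 1900 whose 4-byte payload "Info" is not an SSDP (HTTP-over-UDP) request at all, even though the sniffer labelled it "Hypertext Transfer Protocol" purely on the port number. The masked source address (ww xx yy zz) is replaced with the constructed documentation address 192.0.2.10, so the IP header checksum in the dump no longer matches and is deliberately not verified.

```python
import struct

# Hex dump copied from the quoted capture; the masked source address bytes
# (ww xx yy zz) are replaced with the constructed address 192.0.2.10 (c0 00 02 0a).
CAPTURE_HEX = """
0000  ff ff ff ff ff ff 00 50 8b 6a 0a 1b 08 00 45 00
0010  00 20 aa a2 00 00 80 11 80 27 c0 00 02 0a ff ff
0020  ff ff 04 06 07 6c 00 0c 34 83 49 6e 66 6f 00 00
0030  00 00 00 00 00 00 00 00 00 00 00 00
"""

SSDP_PORT = 1900
# Start lines a genuine SSDP message carries (M-SEARCH/NOTIFY requests, HTTP responses).
SSDP_START_LINES = (b"M-SEARCH ", b"NOTIFY ", b"HTTP/1.1 ")

def hexdump_to_bytes(dump):
    """Turn an offset-prefixed hex dump into the raw frame bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out.extend(int(b, 16) for b in line.split()[1:])  # skip the offset column
    return bytes(out)

def decode_frame(frame):
    """Decode Ethernet II / IPv4 / UDP headers and return the fields worth checking."""
    dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ttl, proto = ip[8], ip[9]
    if proto != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]  # total_len bounds the datagram; the rest is Ethernet padding
    src_port, dst_port, udp_len, _cksum = struct.unpack("!HHHH", udp[:8])
    return {
        "broadcast_mac": dst_mac == b"\xff" * 6,
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "ttl": ttl, "src_port": src_port, "dst_port": dst_port,
        "payload": udp[8:udp_len],
        "trailer_len": len(frame) - 14 - total_len,  # the 14 pad bytes shown as "Trailer"
    }

def classify(fields):
    """Flag datagrams on 1900/udp whose payload does not start like an SSDP message."""
    if fields["dst_port"] != SSDP_PORT:
        return "not-ssdp-port"
    if fields["payload"].startswith(SSDP_START_LINES):
        return "ssdp"
    return "non-ssdp-payload-on-1900"
```

Running `classify(decode_frame(hexdump_to_bytes(CAPTURE_HEX)))` on the quoted frame yields `non-ssdp-payload-on-1900`, which is the observation worth chasing with the broader capture Mark suggests.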



