[Dshield] RE: Strange SNMP probes suddenly appearing

Graeme Fowler graeme.fowler at hosteurope.com
Thu Dec 11 13:59:58 GMT 2003


On 03 December 2003 02:23, Jeff Kell wrote:
> After finally getting an ethereal trace of traffic from the faulty
> address (a machine using an Apple Airport) I found the following:
> Almost immediately afterward is a UDP packet from that machine to the
> router on port udp/192.  It contains 4 bytes of text, 0x08 0x01 0x03
> 0x10. 
> So, "something" is amiss here.  I'm just not sure I understand it all.
> But we have the symptoms nailed down, we'll have to see about the
> cure. Does this ring any bells with anyone that is AirPort
> knowledgeable? Since these were "rogue installs" by the department,
> they look like they would be great clay pigeons for skeet shooting,
> but perhaps they can be more productive.

A quick scout of Apple's tech info library gave up the following

"This document lists TCP and UDP ports used by Apple software products
UDP Port  Service
192       AirPort Base Station PPP status or discovery (certain

Interesting. So the Airport Base Station can toddle off and do some sort
of discovery - in my experience (with other discovery devices), it'll
start with its default router to see what it can find and will then
poll the local LAN, or follow up anything interesting it might find via
the initial probe. Presumably, in these cases, the AirPort base station
is configured to get an IP address via DHCP and then do local NAT for
wireless devices which connect through it.

Describes how to turn off SNMP on the "WAN" port of a dual ethernet base
station. I'd surmise that the use of the word "WAN" here means "Wired
LAN" :)

...and then I go a-googling, and find:

describing the discovery modes of the base station itself using port

Having read around the subject over the last half hour or so, I'd say
that the base stations in their default, plug'n'go state, are trying to
discover a management station from which they can download their
configuration. The AirPort management software does its magic via SNMP
(so it seems!) so it wouldn't surprise me, with Apple's move towards
automagic configuration of desktops and servers from the OSX Server
environment, that this is not nefarious activity - it's by design, and
(like many other scenarios) it's default behaviour which should be
switched off before plugging the devices into a LAN.

Hope that helps, at least a little.


Graeme Fowler
Technical Services
Host Europe PLC
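The thread pins the symptom down to one observable: a UDP packet to the default router on port 192 carrying the four bytes 0x08 0x01 0x03 0x10. Below is an added example, not code from the list posts or from Apple, showing how a network admin could scan raw IPv4/UDP packets for exactly that pattern and tally which hosts are emitting it, which is how rogue base stations with discovery still enabled would be found. The packet builder, the sample addresses (10.0.0.x) and the sample frames are all constructed for this illustration; only the port number and payload bytes come from the thread. The payload meaning is not decoded because the thread does not document it.

```python
import struct
from collections import Counter

AIRPORT_DISCOVERY_PORT = 192                         # udp/192, per Apple's port list quoted in the thread
OBSERVED_PAYLOAD = bytes([0x08, 0x01, 0x03, 0x10])   # the 4 bytes seen in the ethereal trace


def parse_ipv4_udp(frame):
    """Parse a raw IPv4 packet (no Ethernet header) into a dict of the
    fields we care about. Returns None for non-IPv4, non-UDP or truncated input."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ihl < 20 or len(frame) < ihl:
        return None
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 17:                               # protocol 17 = UDP
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    udp = frame[ihl:total_len]
    if len(udp) < 8:
        return None
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": udp[8:ulen]}


def is_airport_probe(pkt, strict=True):
    """True for a UDP datagram to port 192; with strict=True the payload must
    also be the exact 4-byte sequence reported in the thread."""
    if pkt is None or pkt["dport"] != AIRPORT_DISCOVERY_PORT:
        return False
    return pkt["payload"] == OBSERVED_PAYLOAD if strict else True


def probe_sources(frames, strict=True):
    """Count matching probes per source address; each entry is a candidate
    base station still running its default discovery."""
    return Counter(p["src"] for p in map(parse_ipv4_udp, frames)
                   if is_airport_probe(p, strict))


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Constructed test-packet builder (checksums left at zero; the parser
    above does not verify them)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + udp


# Constructed sample capture: two probes from one host, one unrelated DNS
# query, and one udp/192 datagram with a different payload.
SAMPLE_FRAMES = [
    build_ipv4_udp("10.0.0.50", "10.0.0.1", 49152, 192, OBSERVED_PAYLOAD),
    build_ipv4_udp("10.0.0.50", "10.0.0.1", 49153, 192, OBSERVED_PAYLOAD),
    build_ipv4_udp("10.0.0.7", "10.0.0.1", 53000, 53, b"\x00\x01"),
    build_ipv4_udp("10.0.0.9", "10.0.0.1", 40000, 192, b"\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    for src, n in probe_sources(SAMPLE_FRAMES).items():
        print(f"{src}: {n} AirPort-style discovery probe(s) to udp/{AIRPORT_DISCOVERY_PORT}")
```

On a live capture the same check can be pre-filtered at the sniffer with the tcpdump/ethereal capture filter `udp port 192`, and the non-strict mode is useful when you want every udp/192 talker listed, not just those matching the exact payload from Jeff's trace.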
