[Dshield] Multicast traffic on my Linksys router
lsaplai at telus.net
Mon Jun 16 08:17:56 GMT 2003
I am turning to the Dshield common knowledge to try to shed some light on a
problem I am meeting:
I have noticed some traffic going on on my local network (192.168.1.x) that simply
shouldn't be there.
My network is behind a Linksys BEFSR41 that I have recently upgraded to the latest
firmware (Dec 2002).
Basically, what I am seeing is TCP packets (HTTP1.1) going from the Linksys
internal adapter (192.168.1.1) to the multicast address: 126.96.36.199:1900. The
type of packet is SSDP.
(I can post packets to the list if you want)
This traffic only appears with a packet sniffer (ethereal). It does not appear in the
It goes by bunch of 10 packets or so, then stops for a short while (30s?) and does it
There is no one participating in a multicast on my network.
Upon reading a bit around, it seems it could be related to the UPnP fantasy from
Microsoft, but I am not using that facility.
My systems are a mix of Win 98SE, ME and 2000 workstations with (almost) up-to-date
patches + the occasional Linux (Mandrake 9.1). No WinXP.
The only thing on my network that mentions UPnP is the Linksys itself.
More strangely, I have just seen exactly the same traffic on a friend's network who
only runs Win2K.
Do you guys have any explanation? Do you know how to stop this useless traffic?
By the way, is SQL Slammer using a multicast address to propagate? I got real
strange traffic the other day (I blocked it at my firewall but it brought down my ISP!)
and Snort claimed it was SQLSlammer. I will try to get the logs and post more details
Thanks in advance for your input.
Sacha Guitry (1895 - 1957)
Single, you get bored. Married, you get troubles.