Re: Strange network activity after updates

To: Paul Zimmerman <aiwanar@yahoo.com>
Cc: "debian-user@lists.debian.org" <debian-user@lists.debian.org>
Subject: Re: Strange network activity after updates
From: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Sat, 4 Aug 2012 17:47:30 -0300
Message-id: <[🔎] 20120804204730.GB13433@khazad-dum.debian.net>
In-reply-to: <[🔎] 1344107703.59978.YahooMailNeo@web126101.mail.ne1.yahoo.com>
References: <[🔎] 1344107703.59978.YahooMailNeo@web126101.mail.ne1.yahoo.com>

On Sat, 04 Aug 2012, Paul Zimmerman wrote:
> JulHer <julher@escomposlinux.org> writes:
> 
> >239.255.255.250 maybe is SSDP >http://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol >The other stuff I don't know, 
> That's a possibility, I guess. But it's not an intermittent 
> or occasional thing. And it doesn't run for a bit and then 
> stop. This is a constant 10-14k stream of data coming from 
> somewhere. What I don't understand is why the multicast IP 
> address would be the source, and the router IP would be the
> destination, and yet it shows up streaming into MY computer. 
> (I don't control the AP.) Why would data streaming from an
> abstract address TO the router/AP be incoming to my system?
> 
> If I boot Windows XP on the same machine (it's dual boot) 
> and connect to the same AP I don't see this. And before these
> latest updates I didn't see it in Linux either. So WHAT
> changed in those updates? And why does it make the AP send
> this continuous stream at me?

Install package wireshark.  Add to it a filter "host 239.255.255.250" and
capture ~5s worth of traffic to a file.  Gzip it, and send it attached.  You
may send it to the debian-security list [WARNING: debian-security IS a
public list] instead of debian-user.  If you send it to debian-security,
please send it attached to a email where you summarize this thread, so that
people there will know what you're talking about.

Alternatively you may use 'tcpdump' instead of wireshark.  Run "tcpdump -s
1600 -i any -w /tmp/output.tcpdump.bin host 239.255.255.250", and stop it
with ^C after 5-10s.  It will save the packet dump to
/tmp/output.tcpdump.bin, which you should gzip or xz'ip before attaching.

While you're doing the capture, just in case, DO NOT engage in any other
activities, do not have your browser, mail user agent, or any other programs
open that could send credentials over the wire (such as email logins, etc)
just in case the wireshark filter is not correct and it ends up capturing
packets with data you'd rather keep private.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to:

References:
- Re: Strange network activity after updates
  - From: Paul Zimmerman <aiwanar@yahoo.com>

Prev by Date: Re: Strange network activity after updates
Next by Date: Re: Help with KVM/libvirt/win2008r2. Guest loosing time.
Previous by thread: Re: Strange network activity after updates
Next by thread: Re: Strange network activity after updates
Index(es):
- Date
- Thread