Hi all, thank you for the reply on the IGMP and NBNS question. Indeed it is an amazing experience to look through real-time network traffic. The reason I am looking through the traffic is that my computers are suffering from severe trojan attacks... :( Recently I realised that the settings of my router had been changed... for example, the UPnP setting had been enabled, from the default (disabled). Then, in the Wireshark traffic analysis:

source: 192.168.2.1
destination: 239.255.255.250
protocol: SSDP
Info: NOTIFY * HTTP/1.1

Host: 239.255.255.250
NT: urn:schemas-wifialliance-org:service:WFAWLANConfig:1
NTS: ssdp:alive
Location: http://192.168.2.1:80/igd.xml
USN: uuid:00000000-0000-0001-1000-9444529c85c4::urn:schemas-wifialliance-org:service:WFWAWLANConfigg:1
Server: F7D1401-v1/1.0 UPnP/1.0
Cache-control: max-age=60

I disabled UPnP in the router interface, and the next traffic capture from Wireshark contained only HTTP packets. During both the SSDP and the HTTP/TCP captures I only opened Internet Explorer... nothing else. Does that mean that someone is attacking my router somehow? Any advice?

asked 16 Feb '11, 12:52 Stefi
One Answer:
SSDP (Simple Service Discovery Protocol) is a part of UPnP (Universal Plug and Play). It is normal traffic for all UPnP-enabled devices in your LAN. Each device will send out a group of NOTIFY packets every 15 minutes or so while UPnP is enabled. Many devices will also periodically send out M-SEARCH packets, which are usually followed by response HTTP packets. If you want to see them in Wireshark, the best filter I have found to see just SSDP is this:
The hex is looking for the strings "ST:" and "NT:" at the beginning of a line.
-jesse

answered 11 Feb '14, 13:21 JesseChisholm, edited 11 Feb '14, 13:22