This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSDP traffic

0

Hi all

Thank you for the reply on the IGMP and NBNS question.

Indeed it is an amazing experience to look through real-time network traffic. The reason I am looking through the traffic is that my computers are suffering from severe trojan attacks… :(

Recently I realised that the settings of my router have been changed … for example, the UPnP setting, from the default (disabled), was enabled. Then, in the Wireshark traffic analysis:

    Source: 192.168.2.1
    Destination: 239.255.255.250
    Protocol: SSDP
    Info: NOTIFY * HTTP/1.1

    Host: 239.255.255.250\r\n
    NT:urn:schemas-wifialliance-org:service:WFAWLANConfig:1\r\n
    NTS:ssdp:alive\r\n
    Location:http://192.168.2.1:80/igd.xml\r\n
    USN:uuid:00000000-0000-0001-1000-9444529c85c4::urn:schemas-wifialliance-org:service:WFWAWLANConfigg:1\r\n
    Server:F7D1401-v1/1.0 UPnP/1.0\r\n
    Cache-control:max-age=60\r\n
    \r\n

I disabled UPnP at the router interface, and the next traffic capture from Wireshark contained only HTTP packets. During both the SSDP and the HTTP/TCP captures I only opened Internet Explorer... nothing else.

Does that mean that someone is attacking my router somehow? Any advice?

asked 16 Feb '11, 12:52


Stefi
1222
accept rate: 0%


One Answer:

0

SSDP (Simple Service Discovery Protocol) is a part of UPnP (Universal Plug and Play).

It is normal traffic for all UPnP enabled devices in your LAN.

Each device will send out a group of NOTIFY packets every 15 minutes or so while UPnP is enabled.

Many devices will also periodically send out M-SEARCH packets, which are usually followed by response HTTP packets.

If you want to see them in Wireshark, the best filter I have found to see just SSDP is this:

(udp contains "HTTP/1.1") and ((udp contains 0a:53:54:3a) or (udp contains 0a:4e:54:3a))

The hex is looking for the strings "ST:" and "NT:" at the beginning of a line.

-jesse

answered 11 Feb '14, 13:21


JesseChisholm
112
accept rate: 0%

edited 11 Feb '14, 13:22
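
The filter logic from the answer above, reproduced next to a header-aware SSDP parser, as an added example that is not part of the original post. The function names are hypothetical, the NOTIFY sample is rebuilt from the capture in the question (USN line omitted), the M-SEARCH sample is constructed, and the check that the Location host equals the sender is an added heuristic, not something the answer proposes. It shows that the filter's case-sensitive byte match skips a datagram whose header names are lowercase, while a parser that treats header names case-insensitively still picks it up.

```python
# Added example; the sample datagrams below are constructed for illustration.
from urllib.parse import urlsplit

def matches_byte_filter(payload: bytes) -> bool:
    """The display filter's logic: 'HTTP/1.1' plus a line starting ST: or NT:."""
    return b"HTTP/1.1" in payload and (b"\nST:" in payload or b"\nNT:" in payload)

def parse_ssdp(payload: bytes):
    """Return (start_line, headers) for an SSDP datagram, else None."""
    lines = payload.decode("ascii", errors="replace").split("\r\n")
    start = lines[0].strip()
    if not start.startswith(("NOTIFY * ", "M-SEARCH * ", "HTTP/1.1 200")):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    if "NT" not in headers and "ST" not in headers:
        return None
    return start, headers

def summarize(src_ip: str, payload: bytes):
    """Summarize one datagram; flags a LOCATION host that differs from the sender."""
    parsed = parse_ssdp(payload)
    if parsed is None:
        return None
    start, h = parsed
    loc = h.get("LOCATION")
    return {
        "kind": start.split()[0],
        "target": h.get("NT") or h.get("ST"),
        "state": h.get("NTS"),
        "server": h.get("SERVER"),
        "location": loc,
        "location_is_sender": None if loc is None else urlsplit(loc).hostname == src_ip,
    }

NOTIFY = (b"NOTIFY * HTTP/1.1\r\nHost: 239.255.255.250\r\n"
          b"NT:urn:schemas-wifialliance-org:service:WFAWLANConfig:1\r\n"
          b"NTS:ssdp:alive\r\nLocation:http://192.168.2.1:80/igd.xml\r\n"
          b"Server:F7D1401-v1/1.0 UPnP/1.0\r\nCache-control:max-age=60\r\n\r\n")
MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nhost: 239.255.255.250:1900\r\n"
           b'man: "ssdp:discover"\r\nmx: 3\r\nst: ssdp:all\r\n\r\n')

if __name__ == "__main__":
    for src, pkt in (("192.168.2.1", NOTIFY), ("192.168.2.50", MSEARCH)):
        print(matches_byte_filter(pkt), summarize(src, pkt))
```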