This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why am I getting AppleTalk Packets (Zone Information Protocol) in my scan

0

Hello, I am on a LAN that has no Apple equipment. I ran a 15 min. baseline scan on my LAN and found some ZIP (AppleTalk) stuff. There are no Apple devices on my network, so why am I getting this protocol on my network?

asked 12 Sep '14, 11:24

Beldum


One Answer:

2

Those frames usually originate from print servers, mostly embedded devices that are part of networked printers these days. You should check all printers to see if they have AppleTalk enabled and disable it.

answered 12 Sep '14, 11:26

Jasper ♦♦

Thanks Jasper, how did you know those kinds of messages are usually associated with and originate from print servers? I think you are right though. Thanks once again!

(12 Sep '14, 11:36) Beldum
1

Well, nobody is using AppleTalk anymore, and those printers are always the reason why that protocol shows up every once in a while. So it wasn't from your screenshot but from 10 years of experience in network analysis that I diagnosed (well, guessed) that cause.

BTW if my answer helped, you might want to accept it with the check mark button on the left ;-)

(12 Sep '14, 11:40) Jasper ♦♦

Jasper, I'm a noob to this forum, I thumbed up your answer, but I have no idea how to mark it as the correct answer.

(12 Sep '14, 11:54) Beldum

Jasper, just a quick question, is port 1900 safe? It seems that I am getting SSDP traffic on my LAN.

(12 Sep '14, 12:00) Beldum
1

No worries, it's not a problem, and we were all noobs at one point in time ;-)

Port 1900 is often used by service discovery protocols to see what kind of services a node offers. This is also often seen with print servers.

(12 Sep '14, 12:06) Jasper ♦♦

Thank you Jasper, you are very understanding lol. Based on my LAN baseline scan, with the ZIP and SSDP protocol messages coming from my print server, does that mean my network is at risk? I know that the source IP address 192.168.10.1 is sending a multicast message to 239.255.255.250. That is the SSDP protocol on port 1900. Is that something I should be worried about?

(12 Sep '14, 12:14) Beldum

Normally not, no, since that is a private LAN and not accessible from the outside. Plus, there should be a firewall protecting the network from external access.

(12 Sep '14, 14:46) Jasper ♦♦
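Added example, not part of the original thread: to find which device to check for AppleTalk, as the answer suggests, group the AppleTalk ZIP and SSDP frames in a capture by source MAC address. The frames and MAC addresses below are constructed, and the sketch assumes EtherTalk Phase 2 framing (802.3 length field plus LLC/SNAP) and IPv4 for SSDP.

```python
import struct
from collections import defaultdict

SNAP_APPLE = bytes.fromhex("aaaa03080007809b")   # LLC/SNAP header, EtherTalk Phase 2
DDP_ZIP = 6                                      # DDP type: Zone Information Protocol

def classify(frame):
    """Return (source MAC, label) for AppleTalk or SSDP frames, else None."""
    if len(frame) < 14:
        return None
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    etype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    # EtherTalk Phase 2: 802.3 length, 8-byte LLC/SNAP, 13-byte long DDP header.
    if etype <= 1500 and payload[:8] == SNAP_APPLE and len(payload) >= 21:
        # The last byte of the long DDP header is the DDP type.
        return src, "AppleTalk ZIP" if payload[20] == DDP_ZIP else "AppleTalk (other)"
    if etype == 0x0800 and len(payload) >= 20 and payload[9] == 17:  # IPv4, UDP
        udp = payload[(payload[0] & 0x0F) * 4:][:8]
        if len(udp) == 8 and struct.unpack("!H", udp[2:4])[0] == 1900:
            return src, "SSDP"
    return None

def talkers(frames):
    """Map each label to the sorted source MACs that sent it."""
    found = defaultdict(set)
    for frame in frames:
        hit = classify(frame)
        if hit:
            found[hit[1]].add(hit[0])
    return {label: sorted(macs) for label, macs in found.items()}

# Constructed sample frames (not taken from the poster's capture).
PRINTER, ROUTER = "020000000001", "020000000002"   # made-up source MACs
ZIP_FRAME = (bytes.fromhex("090007ffffff" + PRINTER) + struct.pack("!H", 21)
             + SNAP_APPLE + bytes(12) + bytes([DDP_ZIP]))
SSDP_FRAME = (bytes.fromhex("01005e7ffffa" + ROUTER + "0800")
              + bytes([0x45, 0]) + struct.pack("!HHHBBH", 28, 0, 0, 1, 17, 0)
              + bytes([192, 168, 10, 1, 239, 255, 255, 250])
              + struct.pack("!HHHH", 50000, 1900, 8, 0))
ARP_FRAME = bytes.fromhex("ffffffffffff" + ROUTER + "0806") + bytes(28)

if __name__ == "__main__":
    for label, macs in talkers([ZIP_FRAME, SSDP_FRAME, ARP_FRAME]).items():
        print(label, macs)
```

The vendor prefix of each reported MAC address then points to the device whose AppleTalk setting should be checked.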