This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

UDP Broadcasts to ports 2007 and 2008


One client on my network is continually broadcasting to UDP ports 2007 and 2008. I have not seen the computer yet. I think it's a MacBook.

1   2016-01-25 11:08:54.238890  10.23.10.108    255.255.255.255 UDP 71  54419 → 2008  Len=29
2   2016-01-25 11:08:54.240109  10.23.10.108    255.255.255.255 UDP 71  54419 → 2007  Len=29

Any ideas what this might be?

asked 25 Jan '16, 11:34

Choate

edited 25 Jan '16, 12:06

grahamb ♦


One Answer:


I'll answer my own question. This behavior is caused by an Apple app called Remote Mouse (http://www.remotemouse.net/). When installed on a Mac, it apparently announces itself dozens of times per second by sending UDP broadcasts with a destination port of 2007 and 2008. Not very nice! There is a companion app for the iPad or iPhone that finds this "server" and allows you to use your iPhone/iPad as a remote mouse for your computer. I didn't see any bad behavior from the iPhone/iPad app, just the app that sits on the MacBook. I see there is a Windows version of this software too, but I didn't bother testing it. I would guess it behaves the same way because it needs to announce itself to the mobile device.

answered 26 Jan '16, 07:57

Choate


Very well, now the last point is to press the checkmark icon next to the "thumbs up" and "thumbs down" for the answer, to mark the answer as the correct one for the other folks here. This makes the number of answers for the question appear on a green background in the question list, highlighting the question as usefully answered.

Just in case you have switched it off by mistake, you may switch on MAC address vendor resolution in Edit -> Preferences -> Appearance -> Name Resolution -> Resolve MAC addresses. With this setting, Wireshark shows you the beginning of the vendor name for all MAC addresses (except locally administered ones marked as such), so you can see at once that the MAC address is an Apple one.

(26 Jan '16, 11:11) sindy

According to the FAQ they (now?) use port 1978 (UDP and TCP). But I just ran into the very same situation as Choate: Saw about 10 packets per second for minutes on wifi with UDP destination port 2008 and the name of a MacBook in cleartext inside the payload. These packets clearly stuck out of all the other traffic even just by looking at the list of packets.

(06 Apr '17, 05:38) XTaran
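
Added example, not part of the original thread: a small Python script that reads packet-list text in the column layout shown in the question and reports every source sending UDP to 255.255.255.255 above a packet rate, which is how an announcer like the one described stands out. The thresholds, the function names and all hosts in the sample other than the row layout from the question are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the text packet-list rows shown in the question:
# No.  time  source  destination  UDP  length  sport → dport  Len=n
ROW = re.compile(r"^\s*\d+\s+(\S+ \S+)\s+(\S+)\s+(\S+)\s+UDP\s+\d+\s+\d+\s+→\s+(\d+)")

def chatty_broadcasters(text, min_rate=5.0, min_packets=4):
    """Return {(source, dst_port): packets/s} for UDP flows sent to the
    limited broadcast address at min_rate packets per second or more."""
    stamps = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(3) == "255.255.255.255":
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            stamps[(m.group(2), int(m.group(4)))].append(ts)
    flagged = {}
    for flow, seen in stamps.items():
        span = (max(seen) - min(seen)).total_seconds()
        if len(seen) >= min_packets and span > 0:
            rate = (len(seen) - 1) / span  # intervals per second
            if rate >= min_rate:
                flagged[flow] = round(rate, 1)
    return flagged

def constructed_sample():
    """Constructed capture text: a noisy announcer, a quiet broadcaster
    and a busy unicast flow that must not be flagged."""
    start = datetime(2016, 1, 25, 11, 8, 54)
    rows = []
    def add(offset_ms, src, dst, sport, dport):
        ts = (start + timedelta(milliseconds=offset_ms)).strftime("%Y-%m-%d %H:%M:%S.%f")
        rows.append(f"{len(rows) + 1}   {ts}  {src}    {dst} UDP 71  {sport} → {dport}  Len=29")
    for i in range(11):  # one packet per flow every 100 ms
        add(100 * i, "10.23.10.108", "255.255.255.255", 54419, 2008)
        add(100 * i + 1, "10.23.10.108", "255.255.255.255", 54419, 2007)
        add(100 * i + 2, "10.23.10.20", "10.23.10.1", 40000, 53)
    for i in range(4):   # one broadcast every 2 s
        add(2000 * i, "10.23.10.50", "255.255.255.255", 137, 137)
    return "\n".join(rows)

if __name__ == "__main__":
    for (src, port), rate in sorted(chatty_broadcasters(constructed_sample()).items()):
        print(f"{src} -> 255.255.255.255:{port}  {rate} packets/s")
```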