This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can someone help me interpret these SSDP packets?

0

Hi all,

I use a VPN so a lot of what Wireshark shows me on my network is encrypted.

I'm a total n00b to network analysis and Wireshark but was hoping someone could explain what's happening with SSDP Packets?

The SSDP packets are not encrypted (I can clearly read the text contained in the packet along the right-hand side of the 'Packet Bytes' window). They mention my Router's MAC address and another MAC address of unknown origin.

Since the packets aren't encrypted and this communication is occurring with a MAC not on my network, should I be suspicious? Does this represent remote Router Configuration access (i.e. hacking or remote manipulation)?

Essentially, what's the explanation for this? Can I disable this functionality without compromising internet usability?

Thanks a ton for all this help! I'll start helping others as soon as I'm up-to-speed with the program!

asked 03 Dec '16, 08:22

Arianax

edited 03 Dec '16, 08:23


One Answer:

1

There is a description of SSDP on the Wireshark wiki: https://wiki.wireshark.org/SSDP

That "other unknown MAC address" is likely the multicast address (see also the picture linked above). If your host is part of a multicast group, then it will receive this traffic.

SSDP is normally used for device discovery in the network (think of media devices to which you can stream data). If you do not need this functionality (I do not), then you could just disable it without any bad side-effects.

answered 03 Dec '16, 14:09

Lekensteyn
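
The check described in the answer above, as an added example that is not part of the original post: it tests whether a destination MAC is the Ethernet multicast address for the SSDP group and parses an SSDP datagram. The group address 239.255.255.250 (UDP port 1900) is the well-known SSDP address rather than a value from this page, and the sample message is constructed.

```python
import ipaddress

SSDP_GROUP = "239.255.255.250"  # well-known SSDP IPv4 multicast group (UDP port 1900)

def multicast_ip_to_mac(ip: str) -> str:
    """Map an IPv4 multicast group to its Ethernet MAC (RFC 1112):
    fixed prefix 01:00:5e followed by the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    octets = [0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF]
    return ":".join(f"{o:02x}" for o in octets)

def classify_mac(mac: str) -> str:
    """Say what kind of destination a MAC address seen in a capture is."""
    mac = mac.lower().replace("-", ":")
    if mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if mac == multicast_ip_to_mac(SSDP_GROUP):
        return "ssdp-multicast"
    # The least significant bit of the first octet is the group (multicast) bit.
    if int(mac.split(":")[0], 16) & 0x01:
        return "multicast"
    return "unicast"

def parse_ssdp(payload: bytes) -> dict:
    """Split an SSDP datagram (HTTP-like text over UDP) into start line and headers."""
    lines = payload.decode("ascii", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return {"start_line": lines[0], "headers": headers}

# Constructed sample: a discovery request as a client would multicast it.
SAMPLE = (b"M-SEARCH * HTTP/1.1\r\n"
          b"HOST: 239.255.255.250:1900\r\n"
          b'MAN: "ssdp:discover"\r\n'
          b"MX: 2\r\n"
          b"ST: ssdp:all\r\n\r\n")

if __name__ == "__main__":
    print(classify_mac("01:00:5E:7F:FF:FA"))
    msg = parse_ssdp(SAMPLE)
    print(msg["start_line"], "->", msg["headers"]["ST"])
```

A destination MAC that classifies as `ssdp-multicast` is a group address, not another device's hardware address.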