Avast WEBforum

Other => General Topics => Topic started by: polonus on July 02, 2006, 05:46:02 PM

Title: Why packets to 239.255.255.250: 1900
Post by: polonus on July 02, 2006, 05:46:02 PM
Hi malware fighters,

If sniffing my traffic I see packets sent to 239.255.255.250:
SSDP Method = M-SEARCH
SSDP Uniform Resource Identifier = '
SSDP HTTP Prot Version = HTTP/1.1
SSDP Host = 239.255.255.250:1900 UDP
SSDP Search Target = urn:schemas-upnp-org:device:Internet-GatewaysDevice
SSDP Maximum wait = 3
Is this going to IANA reserved? ProtoWall from Bluetack protects you, and also the Blocklist Manager from here:
http://www.bluetack.co.uk/modules.php?name=Content&pa=showpage&pid=14

Why this excessive traffic for UPnP? Is this a leech service with svchost to track people's illegal downloads, or just like MS says because it has no other way to establish the device?

Who knows more, and who has it blocked? We know svchost is an essential part of the system & without it your computer won't run? svchost in other places than it should be is malware, but does the normal svchost also "legally" misbehave, that is "spy on ye"? "What one does not know, does not hurt one, is the policy of to-day!"

polonus
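
The fields listed in the post above are those of an SSDP M-SEARCH discovery request sent to the multicast group on UDP port 1900. As an added example (not part of the original thread), the Python below parses such a payload from a capture and checks it against that expected shape; the sample payload, function names and verdict labels are constructed for illustration.

```python
SSDP_GROUP = "239.255.255.250:1900"   # multicast address and port from the post
IGD_URN = "urn:schemas-upnp-org:device:internetgatewaydevice"

# Constructed sample payload (not taken from the thread's capture).
SAMPLE = (b"M-SEARCH * HTTP/1.1\r\n"
          b"HOST: 239.255.255.250:1900\r\n"
          b'MAN: "ssdp:discover"\r\n'
          b"MX: 3\r\n"
          b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n")

def parse_msearch(payload):
    """Return the request's headers (upper-cased names); ValueError if not M-SEARCH."""
    head = payload.decode("ascii", errors="replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if lines[0].split(" ") != ["M-SEARCH", "*", "HTTP/1.1"]:
        raise ValueError("not an SSDP M-SEARCH request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().upper()] = value.strip()
    return headers

def triage(payload):
    """Classify a UDP/1900 payload; returns (verdict, list of anomalies)."""
    try:
        h = parse_msearch(payload)
    except ValueError as exc:
        return "not-ssdp-search", [str(exc)]
    notes = []
    if h.get("HOST") != SSDP_GROUP:
        notes.append("HOST is not the SSDP multicast group")
    if h.get("MAN", "").strip('"') != "ssdp:discover":
        notes.append("MAN is not ssdp:discover")
    if not h.get("MX", "").isdigit() or int(h["MX"]) < 1:
        notes.append("MX is not a positive integer")
    st = h.get("ST", "")
    if not st:
        notes.append("ST (search target) missing")
    # An InternetGatewayDevice search target means the host is looking for a UPnP router.
    verdict = "igd-discovery" if st.lower().startswith(IGD_URN) else "other-discovery"
    return verdict, notes

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An empty anomaly list with the `igd-discovery` verdict corresponds to the ordinary gateway search described in this thread.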

Title: Re: Why packets to 239.255.255.250: 1900
Post by: DavidR on July 02, 2006, 06:32:12 PM
Windows Messenger Broadcast port 1900, see this http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/RegistryTips/Network/DisableWindowsMessengerbroadcastsonUDPport1900.html
Quote
In XP, the Simple Service Discovery Protocol (SSDP) discovery service searches for Universal Plug and Play devices on your home network. SSDP searches for upstream Internet gateways using UDP port 1900 - a potential security risk many organizations will want to block. OK, you decide to block SSDP services but to your surprise, your firewall and network sniffers continue to see the UDP port 1900 packets. You have disabled XP's SSDP and even Universal Plug and Play Device Host. What's going on? This is Universal Plug and Play Network Address Translation (NAT) traversal discovery used by Messenger. If you run a sniffer trace, the following information is displayed in the data section of the packet:

For the average user you don't need the UPnP service enabled unless you intend to share devices over a network/internet; it has nothing to do with the standard PnP (Plug & Play) function.

Title: Re: Why packets to 239.255.255.250: 1900
Post by: polonus on July 02, 2006, 08:17:11 PM
Hi David,

Thank you for the response. As everything is stealth, I think I'll leave it as it is.
I think the requests are in connection to a four port external plug & play hub.

polonus

Title: Re: Why packets to 239.255.255.250: 1900
Post by: rdsu on July 02, 2006, 09:58:57 PM
You can always know what a port is for, here: http://www.grc.com/port_1900.htm ;)