Hi all

thank you for the reply on the IGMP and NBNS question.

Indeed it is an amazing experience to look through real time network traffic. the reason i am looking through the traffic is that my computers are suffering from sever trojan attacks…:(

recently i realised that the setting of my router have been changed … for example the UPnP setting form the default (disabled) was enabled. then..., at the wireshark traffic analysis:

source: destination: protocol: SSDP Info: NOTIFY* HTTP/1.1 Host: NT:urn:schemas-wifialliance-org:service:WFAWLANConfig:1rn NTS:ssdp:alivern Location: USN:uuid:00000000-0000-0001-1000-9444529c85c4::urn:schemas-wifialliance-org:service:WFWAWLANConfigg:1rn Server:F7D1401-v1/1.0 UPnP/1.0rn Cache-control:max-age=60rn rn

I disabled the UPnP at the router interface, and the next traffic capture from the wireshark was only with http packets. During both of the SSDP and http - TCP captures I only opened the internet explorer...nothing else

Does that mean that someone is attacking my router somehow? any advice?

asked 16 Feb '11, 12:52

Stefi's gravatar image

accept rate: 0%

SSDP (Simple Service Discovery protocol) is a part of UPnP (Universal Plug and Play).

It is normal traffic for all UPnP enabled devices in your LAN.

Each device will send out a group of NOTIFY packets every 15 minutes or so while UPnP is enabled.

Many devices will also periodically send out M-SEARCH packets, which are usually followed by response HTTP packets.

If you want to see them in WireShark, the best filter I have found to see just SSDP is this:

(udp contains "HTTP/1.1") and ((udp contains 0a:53:54:3a) or (udp contains 0a:59:54:3a))

The hex is looking for the strings "ST:" and "NT:" at the beginning of a line.



answered 11 Feb '14, 13:21

JesseChisholm's gravatar image

accept rate: 0%

edited 11 Feb '14, 13:22

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: 16 Feb '11, 12:52

Seen: 15,747 times

Last updated: 11 Feb '14, 13:22

p​o​w​e​r​e​d by O​S​Q​A