thank you for the reply on the IGMP and NBNS question.
Indeed it is an amazing experience to look through real time network traffic. the reason i am looking through the traffic is that my computers are suffering from sever trojan attacks…:(
recently i realised that the setting of my router have been changed … for example the UPnP setting form the default (disabled) was enabled. then..., at the wireshark traffic analysis:
source: 192.168.2.1 destination: 220.127.116.11 protocol: SSDP Info: NOTIFY* HTTP/1.1 Host: 18.104.22.168rn NT:urn:schemas-wifialliance-org:service:WFAWLANConfig:1rn NTS:ssdp:alivern Location:http://192.168.2.1:80/igd.xmlrn USN:uuid:00000000-0000-0001-1000-9444529c85c4::urn:schemas-wifialliance-org:service:WFWAWLANConfigg:1rn Server:F7D1401-v1/1.0 UPnP/1.0rn Cache-control:max-age=60rn rn
I disabled the UPnP at the router interface, and the next traffic capture from the wireshark was only with http packets. During both of the SSDP and http - TCP captures I only opened the internet explorer...nothing else
Does that mean that someone is attacking my router somehow? any advice?
asked 16 Feb '11, 12:52
SSDP (Simple Service Discovery protocol) is a part of UPnP (Universal Plug and Play).
It is normal traffic for all UPnP enabled devices in your LAN.
Each device will send out a group of NOTIFY packets every 15 minutes or so while UPnP is enabled.
Many devices will also periodically send out M-SEARCH packets, which are usually followed by response HTTP packets.
If you want to see them in WireShark, the best filter I have found to see just SSDP is this:
The hex is looking for the strings "ST:" and "NT:" at the beginning of a line.