
Strange Upnp Traffic



#1 stlolth


Posted 30 August 2008 - 06:20 AM

I've been getting strange UPnP traffic between my computer and the router when the computer is idle. The computer initiates it and then it goes on for a while. I've launched a packet monitor and it's apparent it's some sort of UPnP requests. When I turn off UPnP support in the router the traffic stops.

Here's a screenshot
Posted Image

and here's the content of a few packages

3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31  <?xml version="1
2E 30 22 3F 3E 0D 0A 3C 65 3A 70 72 6F 70 65 72  .0"?>..<e:proper
74 79 73 65 74 20 78 6D 6C 6E 73 3A 65 3D 22 75  tyset xmlns:e="u
72 6E 3A 73 63 68 65 6D 61 73 2D 75 70 6E 70 2D  rn:schemas-upnp-
6F 72 67 3A 65 76 65 6E 74 2D 31 2D 30 22 20 78  org:event-1-0" x
6D 6C 6E 73 3A 73 3D 22 75 72 6E 3A 73 63 68 65  mlns:s="urn:sche
6D 61 73 2D 75 70 6E 70 2D 6F 72 67 3A 73 65 72  mas-upnp-org:ser
76 69 63 65 3A 57 41 4E 50 50 50 43 6F 6E 6E 65  vice:WANPPPConne
63 74 69 6F 6E 3A 31 22 3E 0D 0A 20 3C 65 3A 70  ction:1">.. <e:p
72 6F 70 65 72 74 79 3E 3C 73 3A 50 6F 73 73 69  roperty><s:Possi
62 6C 65 43 6F 6E 6E 65 63 74 69 6F 6E 54 79 70  bleConnectionTyp
65 73 3E 49 50 5F 52 6F 75 74 65 64 3C 2F 73 3A  es>IP_Routed</s:
50 6F 73 73 69 62 6C 65 43 6F 6E 6E 65 63 74 69  PossibleConnecti
6F 6E 54 79 70 65 73 3E 3C 2F 65 3A 70 72 6F 70  onTypes></e:prop
65 72 74 79 3E 0D 0A 20 3C 65 3A 70 72 6F 70 65  erty>.. <e:prope
72 74 79 3E 3C 73 3A 43 6F 6E 6E 65 63 74 69 6F  rty><s:Connectio
6E 53 74 61 74 75 73 3E 43 6F 6E 6E 65 63 74 65  nStatus>Connecte
64 3C 2F 73 3A 43 6F 6E 6E 65 63 74 69 6F 6E 53  d</s:ConnectionS
74 61 74 75 73 3E 3C 2F 65 3A 70 72 6F 70 65 72  tatus></e:proper
74 79 3E 0D 0A 20 3C 65 3A 70 72 6F 70 65 72 74  ty>.. <e:propert
79 3E 3C 73 3A 45 78 74 65 72 6E 61 6C 49 50 41  y><s:ExternalIPA
64 64 72 65 73 73 3E 38 39 2E 31 36 34 2E 33 32  ddress>89.164.32
2E 38 36 3C 2F 73 3A 45 78 74 65 72 6E 61 6C 49  .86</s:ExternalI
50 41 64 64 72 65 73 73 3E 3C 2F 65 3A 70 72 6F  PAddress></e:pro
70 65 72 74 79 3E 0D 0A 20 3C 65 3A 70 72 6F 70  perty>.. <e:prop
65 72 74 79 3E 3C 73 3A 50 6F 72 74 4D 61 70 70  erty><s:PortMapp
69 6E 67 4E 75 6D 62 65 72 4F 66 45 6E 74 72 69  ingNumberOfEntri
65 73 3E 31 39 38 36 33 35 38 39 30 30 3C 2F 73  es>1986358900</s
3A 50 6F 72 74 4D 61 70 70 69 6E 67 4E 75 6D 62  :PortMappingNumb
65 72 4F 66 45 6E 74 72 69 65 73 3E 3C 2F 65 3A  erOfEntries></e:
70 72 6F 70 65 72 74 79 3E 0D 0A 3C 2F 65 3A 70  property>..</e:p
72 6F 70 65 72 74 79 73 65 74 3E 0D 0A 0D 0A     ropertyset>....

4E 4F 54 49 46 59 20 2F 75 70 6E 70 2F 65 76 65  NOTIFY /upnp/eve
6E 74 69 6E 67 2F 6A 69 6E 66 64 74 6E 79 63 64  nting/jinfdtnycd
20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A   HTTP/1.1..Host:
20 31 39 32 2E 31 36 38 2E 31 2E 32 3A 32 38 36   192.168.1.2:286
39 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A  9..Content-Type:
20 74 65 78 74 2F 78 6D 6C 0D 0A 43 6F 6E 74 65   text/xml..Conte
6E 74 2D 4C 65 6E 67 74 68 3A 20 32 35 39 0D 0A  nt-Length: 259..
4E 54 3A 20 75 70 6E 70 3A 65 76 65 6E 74 0D 0A  NT: upnp:event..
4E 54 53 3A 20 75 70 6E 70 3A 70 72 6F 70 63 68  NTS: upnp:propch
61 6E 67 65 0D 0A 53 49 44 3A 20 75 75 69 64 3A  ange..SID: uuid:
30 37 37 64 31 66 30 30 2D 30 64 32 34 2D 31 30  077d1f00-0d24-10
30 30 2D 38 32 33 66 2D 30 30 31 64 36 38 62 38  00-823f-001d68b8
31 36 61 37 0D 0A 53 45 51 3A 20 31 0D 0A 43 6F  16a7..SEQ: 1..Co
6E 6E 65 63 74 69 6F 6E 3A 20 43 6C 6F 73 65 0D  nnection: Close.
0A 50 72 61 67 6D 61 3A 20 6E 6F 2D 63 61 63 68  .Pragma: no-cach
65 0D 0A 0D 0A                                   e....

3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31  <?xml version="1
2E 30 22 3F 3E 0D 0A 3C 65 3A 70 72 6F 70 65 72  .0"?>..<e:proper
74 79 73 65 74 20 78 6D 6C 6E 73 3A 65 3D 22 75  tyset xmlns:e="u
72 6E 3A 73 63 68 65 6D 61 73 2D 75 70 6E 70 2D  rn:schemas-upnp-
6F 72 67 3A 65 76 65 6E 74 2D 31 2D 30 22 20 78  org:event-1-0" x
6D 6C 6E 73 3A 73 3D 22 75 72 6E 3A 73 63 68 65  mlns:s="urn:sche
6D 61 73 2D 75 70 6E 70 2D 6F 72 67 3A 73 65 72  mas-upnp-org:ser
76 69 63 65 3A 57 41 4E 50 50 50 43 6F 6E 6E 65  vice:WANPPPConne
63 74 69 6F 6E 3A 31 22 3E 0D 0A 20 3C 65 3A 70  ction:1">.. <e:p
72 6F 70 65 72 74 79 3E 3C 73 3A 50 6F 72 74 4D  roperty><s:PortM
61 70 70 69 6E 67 4E 75 6D 62 65 72 4F 66 45 6E  appingNumberOfEn
74 72 69 65 73 3E 2D 32 31 33 37 37 31 34 34 30  tries>-213771440
38 3C 2F 73 3A 50 6F 72 74 4D 61 70 70 69 6E 67  8</s:PortMapping
4E 75 6D 62 65 72 4F 66 45 6E 74 72 69 65 73 3E  NumberOfEntries>
3C 2F 65 3A 70 72 6F 70 65 72 74 79 3E 0D 0A 3C  </e:property>..<
2F 65 3A 70 72 6F 70 65 72 74 79 73 65 74 3E 0D  /e:propertyset>.
0A 0D 0A                                         ...


Anyone know what's going on?

Edited by stlolth, 30 August 2008 - 06:27 AM.
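
Added example, not part of the original posts: the second and third dumps above read as one UPnP event NOTIFY (the third dump is 259 bytes, matching the Content-Length of 259 in the second), and this Python sketch parses that message into headers and evented variables. The `parse_notify` name and the choice to flag values outside the ui2 range (0 to 65535) that the UPnP WAN connection service definition gives for PortMappingNumberOfEntries are assumptions of this example.

```python
import xml.etree.ElementTree as ET

EVENT_NS = "urn:schemas-upnp-org:event-1-0"
UI2_VARS = {"PortMappingNumberOfEntries"}  # ui2 (0..65535) in the UPnP service spec

# Constructed from the post: second dump (headers) followed by third dump (body).
SAMPLE = (
    b"NOTIFY /upnp/eventing/jinfdtnycd HTTP/1.1\r\n"
    b"Host: 192.168.1.2:2869\r\n"
    b"Content-Type: text/xml\r\n"
    b"Content-Length: 259\r\n"
    b"NT: upnp:event\r\n"
    b"NTS: upnp:propchange\r\n"
    b"SID: uuid:077d1f00-0d24-1000-823f-001d68b816a7\r\n"
    b"SEQ: 1\r\n"
    b"Connection: Close\r\n"
    b"Pragma: no-cache\r\n\r\n"
    b'<?xml version="1.0"?>\r\n'
    b'<e:propertyset xmlns:e="urn:schemas-upnp-org:event-1-0" '
    b'xmlns:s="urn:schemas-upnp-org:service:WANPPPConnection:1">\r\n'
    b" <e:property><s:PortMappingNumberOfEntries>-2137714408"
    b"</s:PortMappingNumberOfEntries></e:property>\r\n"
    b"</e:propertyset>\r\n\r\n"
)


def parse_notify(raw: bytes) -> dict:
    """Split a UPnP event NOTIFY into headers and variables, and flag oddities."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {k.strip().upper(): v.strip()
               for k, _, v in (line.partition(":") for line in header_lines)}
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise ValueError("DTD in event body; refusing to parse")
    props = {}
    for prop in ET.fromstring(body).findall(f"{{{EVENT_NS}}}property"):
        for var in prop:  # one state variable per <e:property>
            props[var.tag.rpartition("}")[2]] = (var.text or "").strip()
    anomalies = []
    for name in sorted(UI2_VARS & props.keys()):
        try:
            in_range = 0 <= int(props[name]) <= 0xFFFF
        except ValueError:
            in_range = False
        if not in_range:
            anomalies.append(f"{name}={props[name]} is outside ui2")
    return {"method": request_line.split(" ", 1)[0], "headers": headers,
            "props": props, "anomalies": anomalies,
            "length_ok": headers.get("CONTENT-LENGTH") == str(len(body))}
```
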




#2 usasma


Posted 30 August 2008 - 06:32 AM

It's likely to be the Universal Plug & Play service (based on the info that you've posted and the ports that it's using).

Link here: http://www.theeldergeek.com/ssdp_discovery_service.htm

Try disabling that service on your system to see if the traffic stops.
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#3 stlolth


Posted 30 August 2008 - 07:52 AM

You were totally right. I stopped the service and the traffic stopped. I think I'll disable it altogether because I don't have any UPnP devices on my network. Thanks!

#4 usasma


Posted 30 August 2008 - 07:59 AM

Thanks for letting us know. Glad that you fixed it!

#5 hamluis


Posted 30 August 2008 - 12:30 PM

FWIW: http://www.updatexp.com/upnp.html

I guess that I've never really understood what UPnP was supposed to be, only remember when it was declared to be a security risk, http://www.updatexp.com/upnp_security.html

These links may help others like me.

Louis



