Laptop to router traffic?

[Geezer]

Curious, i am on my laptop and the connection is busy even though i'm not doing anything. I fire up ethereal and see multiple similar packets going back and forth to my router. I look at port explorer and nothing seems to be going through? I have attached one for you to check out, i've not seen this before so any pointers would be great.

[Tiger Shark]

It looks like a SOAP stream but we'd need to see w ahole lot more packets to conform that and see whats going on. Specifically the initial packets after startup that make the connection and the first request, (this is an ACK/PSH packet meaing it is somewhere in the middle of the stream).

Can you dump some more and does your firewall advertize SOAP as a feature?

[thehorse13]

Looking at this traffic I'm almost willing to bet you have a D-Link router. They support this type of SOAP traffic. Specifically, it has to do with Universal Plug-n-Play setup on the firewall. Once UPnP is enabled, the router becomes an IGD and sends discovery
messages to control points on the network. Control points use the information supplied during the description phase to invoke actions on services using the Simple Object Access Protocol (SOAP).The traffic you posted is just that.


For more on this, see here: http://www.alliedtelesyn.co.nz/docum...1/pdf/upnp.pdf

--TH13

[Geezer]

I disabled the connection then enabled and ethereal picked up from the word go.
This is just a few seconds worth, obviously i'd like to disable this.

edit- Yep bang on, UPnP is enabled but i don't have that traffic on anything else on the network, it is a new router and this is a wireless laptop. I'll read up on this a bit more cheers.

[Tiger Shark]

Yep. From the rest of the capture it looks like Hoss has it. There, is a TI DSL router out there somewhere that seems to be being reported back.

I think the solution will be found in the configuration of the router.

[sec_ware]

Hi

I consider such communcation extracts just beautiful
After making myself clear about what is happening, I give
a suggestion for a reconfiguration of the laptop, which (also)
might solve the problem at hand.


Summary - nothing new, Soap2.txt

Your laptop (.1.4) sends a discovery request (Frame 4) at multicast
(239.255.255.250), which is specified by the UPnP architecture[1].
Your router nicely answers at Frame 5, announcing itself as IGD and
saying, hey, if you want to know more, get my xml-description at
Port 52869, file gatedesc.xml. Your laptop of course thinks, that's a
great idea, so it initiates a TCP-handshake Frame 12-14, ending with the
request of the xml file at Frame 15. etc.etc. After having the description,
control messages can be send. These are expressed in XML using the SOAP -
and we are back at soap.txt.


a suggestion

Of course, as suggested, you should disable UPnP on your router. Furthermore,
make sure to disable the "UPnP Device Host" and the "SSDP Discovery Service"
services on your Laptop (use "services.msc", assuming some Windows XP,2k).

You also can check

Code:

->Add/Remove Software -> Windows Components -> Networking Services ->

and uncheck the boxes there (if some are checked).


Would be great if you could update us about this issue.

Cheers.


[1] http://www.upnp.org/download/UPnPDA10_20000613.htm