Educause Security Discussion mailing list archives
Macs sending udp/80 traffic to the reverse of their gateways
From: Michael Costello <costellm () LAFAYETTE EDU>
Date: Mon, 5 Apr 2010 12:01:21 -0400
There are a number of Macs on campus sending udp/80 traffic to the reverse of their gateways. For example, host 10.11.12.13 with gateway 10.11.12.1 sends these packets to 1.12.11.10 once every five seconds:

    foo:~ admin$ sudo tcpdump -i en1 -s1500 udp dst port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on en1, link-type EN10MB (Ethernet), capture size 1500 bytes
    11:16:17.709184 IP 10.11.12.13.49997 > 1.12.11.10.http: UDP, length 1
    11:16:22.708738 IP 10.11.12.13.49999 > 1.12.11.10.http: UDP, length 1
    11:16:27.701156 IP 10.11.12.13.50001 > 1.12.11.10.http: UDP, length 1
    11:16:32.704173 IP 10.11.12.13.50003 > 1.12.11.10.http: UDP, length 1
    11:16:37.705295 IP 10.11.12.13.50005 > 1.12.11.10.http: UDP, length 1

My familiarity with Apple's implementation of BSD utilities is definitely a hindrance in tracking down the process (no sockstat). Google isn't turning up anything. I've started killing network-related processes (Kerberos, mDNS, etc.), but I haven't yet hit the right one.

Does anyone know what is sending these packets?

-Michael
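The pattern described in the post above can be searched for across saved tcpdump output. The following is an added example, not part of the original post: it flags UDP/80 packets whose destination is the sender's gateway with its octets reversed. The function names, the /24 prefix and the lines marked "constructed" are assumptions made for the illustration.

```python
import ipaddress
import re

# tcpdump one-line UDP format as in the post; the port is a number with -n, else a service name.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>[\w-]+): UDP, length (?P<len>\d+)"
)

def reverse_octets(addr):
    """Return the IPv4 address with its four octets reversed (a 32-bit byte swap)."""
    return ipaddress.IPv4Address(ipaddress.IPv4Address(addr).packed[::-1])

def find_reversed_gateway_traffic(lines, gateways):
    """Return UDP/80 packets whose destination is the sender's gateway, octets reversed.

    gateways maps a subnet in CIDR form to that subnet's gateway address.
    """
    nets = [(ipaddress.ip_network(n), reverse_octets(g), g) for n, g in gateways.items()]
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dport"] not in ("80", "http"):
            continue
        src, dst = ipaddress.IPv4Address(m["src"]), ipaddress.IPv4Address(m["dst"])
        for net, reversed_gw, gw in nets:
            if src in net and dst == reversed_gw:
                hits.append({"ts": m["ts"], "src": str(src), "gateway": gw,
                             "dst": str(dst), "length": int(m["len"])})
    return hits

# Assumption: the post gives only host and gateway; the /24 prefix is made up for the example.
GATEWAYS = {"10.11.12.0/24": "10.11.12.1"}

SAMPLE = [
    "11:16:17.709184 IP 10.11.12.13.49997 > 1.12.11.10.http: UDP, length 1",   # from the post
    "11:16:22.708738 IP 10.11.12.13.49999 > 1.12.11.10.http: UDP, length 1",   # from the post
    "11:16:23.100000 IP 10.11.12.14.50010 > 1.12.11.10.80: UDP, length 1",     # constructed
    "11:16:24.200000 IP 10.11.12.13.50020 > 192.0.2.7.http: UDP, length 12",   # constructed
    "11:16:25.300000 IP 10.11.12.13.50030 > 1.12.11.10.9999: UDP, length 30",  # constructed
    "tcpdump: verbose output suppressed, use -v or -vv for full protocol decode",
]

if __name__ == "__main__":
    for hit in find_reversed_gateway_traffic(SAMPLE, GATEWAYS):
        print("{ts} {src} -> {dst} (gateway {gateway} reversed), length {length}".format(**hit))
```

With one entry per subnet in the gateway map, the same function can be run over captures taken at a border or span port to list every affected host.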