Educause Security Discussion mailing list archives

Re: Macs sending udp/80 traffic to the reverse of their gateways


From: "Gutholm, James" <gutholmj () EVERGREEN EDU>
Date: Tue, 6 Apr 2010 05:53:43 -0700

I saw that you already found your immediate answer so perhaps only for
the benefit of the archives:

sudo lsof -Pni UDP

-James

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael Costello
Sent: Monday, April 05, 2010 9:01 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Macs sending udp/80 traffic to the reverse of their gateways

There are a number of Macs on campus sending udp/80 traffic to the 
reverse of their gateways.  For example, host 10.11.12.13 with gateway 
10.11.12.1 sends these packets to 1.12.11.10 once every five seconds:

foo:~ admin$ sudo tcpdump -i en1 -s1500 udp dst port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 1500 bytes
11:16:17.709184 IP 10.11.12.13.49997 > 1.12.11.10.http: UDP, length 1
11:16:22.708738 IP 10.11.12.13.49999 > 1.12.11.10.http: UDP, length 1
11:16:27.701156 IP 10.11.12.13.50001 > 1.12.11.10.http: UDP, length 1
11:16:32.704173 IP 10.11.12.13.50003 > 1.12.11.10.http: UDP, length 1
11:16:37.705295 IP 10.11.12.13.50005 > 1.12.11.10.http: UDP, length 1

My familiarity with Apple's implementation of BSD utilities is 
definitely a hindrance in tracking down the process (no sockstat). 
Google isn't turning up anything.  I've started killing network-related 
processes (Kerberos, mDNS, etc), but I haven't yet hit the right one.

Does anyone know what is sending these packets?

-Michael
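For anyone checking their own captures for the pattern Michael describes (UDP to port 80, one-byte payload, destination equal to the octet-reversed gateway, roughly every five seconds), here is a small added Python check written for the archive; it is not code from either poster. It parses tcpdump lines in the exact format quoted above; the sample input is the thread's own five lines plus one constructed DNS packet as a negative case, and the service-name map is an assumption covering only the port names tcpdump prints here.

```python
import re
from datetime import datetime
# Constructed sample: the tcpdump lines quoted in the thread, plus one
# unrelated UDP flow (DNS to the real gateway) that must not be flagged.
SAMPLE_LINES = [
    "11:16:17.709184 IP 10.11.12.13.49997 > 1.12.11.10.http: UDP, length 1",
    "11:16:22.708738 IP 10.11.12.13.49999 > 1.12.11.10.http: UDP, length 1",
    "11:16:27.701156 IP 10.11.12.13.50001 > 1.12.11.10.http: UDP, length 1",
    "11:16:32.704173 IP 10.11.12.13.50003 > 1.12.11.10.http: UDP, length 1",
    "11:16:37.705295 IP 10.11.12.13.50005 > 1.12.11.10.http: UDP, length 1",
    "11:16:40.000000 IP 10.11.12.13.50100 > 10.11.12.1.domain: UDP, length 48",
]

# Assumption: tcpdump names well-known ports unless run with -nn; map the ones seen.
SERVICE_PORTS = {"http": 80, "domain": 53}

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): UDP, length (?P<len>\d+)$"
)

def reverse_ip(ip):
    """Octet-reverse a dotted quad: 10.11.12.1 -> 1.12.11.10."""
    return ".".join(reversed(ip.split(".")))

def port_number(token):
    """Resolve a tcpdump port token (name or number) to an int, -1 if unknown."""
    return SERVICE_PORTS.get(token, int(token) if token.isdigit() else -1)

def parse_udp_line(line):
    """Parse one 'IP a.b.c.d.port > w.x.y.z.port: UDP, length N' line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.strptime(d["ts"], "%H:%M:%S.%f"),
            "src": d["src"], "dst": d["dst"], "len": int(d["len"]),
            "sport": port_number(d["sport"]), "dport": port_number(d["dport"])}

def find_reversed_gateway_beacons(lines, gateway, port=80):
    """Return (hits, intervals): packets whose destination is the octet-reversed
    gateway on `port`, and the seconds between consecutive hits."""
    target = reverse_ip(gateway)
    hits = [p for p in map(parse_udp_line, lines)
            if p and p["dst"] == target and p["dport"] == port]
    intervals = [round((b["ts"] - a["ts"]).total_seconds(), 1)
                 for a, b in zip(hits, hits[1:])]
    return hits, intervals
```

Feed it the output of `tcpdump -i en1 -s1500 udp dst port 80` line by line together with the host's gateway address; a steady run of one-byte hits at about five-second intervals matches the traffic in the thread, and the source port of each hit is what to look up with `lsof -Pni UDP`.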
