Educause Security Discussion mailing list archives
Re: Macs sending udp/80 traffic to the reverse of their gateways
From: "Gutholm, James" <gutholmj () EVERGREEN EDU>
Date: Tue, 6 Apr 2010 05:53:43 -0700
I saw that you already found your immediate answer so perhaps only for the benefit of the archives:

sudo lsof -Pni UDP

-James

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael Costello
Sent: Monday, April 05, 2010 9:01 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Macs sending udp/80 traffic to the reverse of their gateways

There are a number of Macs on campus sending udp/80 traffic to the reverse of their gateways. For example, host 10.11.12.13 with gateway 10.11.12.1 sends these packets to 1.12.11.10 once every five seconds:

foo:~ admin$ sudo tcpdump -i en1 -s1500 udp dst port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 1500 bytes
11:16:17.709184 IP 10.11.12.13.49997 > 1.12.11.10.http: UDP, length 1
11:16:22.708738 IP 10.11.12.13.49999 > 1.12.11.10.http: UDP, length 1
11:16:27.701156 IP 10.11.12.13.50001 > 1.12.11.10.http: UDP, length 1
11:16:32.704173 IP 10.11.12.13.50003 > 1.12.11.10.http: UDP, length 1
11:16:37.705295 IP 10.11.12.13.50005 > 1.12.11.10.http: UDP, length 1

My familiarity with Apple's implementation of BSD utilities is definitely a hindrance in tracking down the process (no sockstat). Google isn't turning up anything. I've started killing network-related processes (Kerberos, mDNS, etc.), but I haven't yet hit the right one.

Does anyone know what is sending these packets?

-Michael
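The pattern Michael describes (one-byte UDP datagrams to port 80 at the octet-reversed gateway address, every five seconds) is easy to check for across a whole capture rather than by eye. The script below is an added example written for this archive page, not code from either poster: it computes the reversed-octet address for a given gateway, parses the text summary lines tcpdump prints (service names such as "http" appear because the capture was run without -n), and reports how many packets went to that address, from which hosts, and at what average interval. The sample capture is constructed from the lines quoted in the thread plus one ordinary DNS packet to show that unrelated traffic is ignored.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample capture: the five lines quoted in the thread plus one
# unrelated DNS datagram to the real gateway. Not a real capture.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 1500 bytes
11:16:17.709184 IP 10.11.12.13.49997 > 1.12.11.10.http: UDP, length 1
11:16:22.708738 IP 10.11.12.13.49999 > 1.12.11.10.http: UDP, length 1
11:16:25.100000 IP 10.11.12.13.50000 > 10.11.12.1.domain: UDP, length 40
11:16:27.701156 IP 10.11.12.13.50001 > 1.12.11.10.http: UDP, length 1
11:16:32.704173 IP 10.11.12.13.50003 > 1.12.11.10.http: UDP, length 1
11:16:37.705295 IP 10.11.12.13.50005 > 1.12.11.10.http: UDP, length 1
"""

# tcpdump run without -n prints well-known ports as service names; map the ones
# this check cares about back to numbers.
SERVICE_PORTS = {"http": 80, "domain": 53}

# One UDP summary line as tcpdump prints it: "HH:MM:SS.usec IP a.b.c.d.port > e.f.g.h.port: UDP, length N"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): UDP, length (?P<len>\d+)$"
)


def reversed_octets(ip: str) -> str:
    """Return the dotted quad with its octets in reverse order, e.g. 10.11.12.1 -> 1.12.11.10."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 dotted quad: {ip!r}")
    return ".".join(reversed(octets))


def port_number(token: str) -> int:
    """Accept either a numeric port or one of the service names tcpdump substitutes."""
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token, -1)


def parse_capture(text: str) -> List[Dict]:
    """Turn tcpdump's text output into a list of UDP packet records; banner lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        packets.append({
            "ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
            "src": m["src"], "sport": port_number(m["sport"]),
            "dst": m["dst"], "dport": port_number(m["dport"]),
            "length": int(m["len"]),
        })
    return packets


def find_reversed_gateway_traffic(text: str, gateway: str, port: int = 80) -> Dict:
    """Summarise packets sent to the octet-reversed gateway on the given port.

    Reports the target address, packet count, distinct source hosts and the mean
    gap between consecutive packets (the thread reports roughly five seconds).
    """
    target = reversed_octets(gateway)
    hits = [p for p in parse_capture(text) if p["dst"] == target and p["dport"] == port]
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
    return {
        "target": target,
        "count": len(hits),
        "sources": sorted({p["src"] for p in hits}),
        "mean_interval_s": round(sum(gaps) / len(gaps), 2) if gaps else None,
    }


if __name__ == "__main__":
    print(find_reversed_gateway_traffic(SAMPLE_CAPTURE, "10.11.12.1"))
```

Feed it the saved output of the tcpdump command from the thread and the subnet's gateway; the source ports it reports are what you then look for in the output of James's `sudo lsof -Pni UDP` to name the process that owns the socket.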
Current thread:
- Macs sending udp/80 traffic to the reverse of their gateways Michael Costello (Apr 05)
- <Possible follow-ups>
- Re: Macs sending udp/80 traffic to the reverse of their gateways Michael Costello (Apr 05)
- Re: Macs sending udp/80 traffic to the reverse of their gateways Drews, Adam (Apr 05)
- Re: Macs sending udp/80 traffic to the reverse of their gateways Gutholm, James (Apr 06)