Recently I turned on UPnP (Universal Plug and Play) on my router to play with it a bit and instantly noticed that something had opened ports on the router and forwarded them to my machine. So of course I wanted to know what was going on in my network. First idea: Wireshark. But that only tells you which host and port the UPnP traffic comes from; it does not tell you which application sent the packets. For the curious, here is the display filter you can use (replace 192.168.1.100 with the address of the host you want to watch):
udp.dstport == 1900 && http && ip.addr == 192.168.1.100
UPnP discovery uses SSDP, and SSDP traffic matches the http display filter because SSDP is HTTP carried over UDP (HTTPU, yes, HTTPU): the same request line, headers and blank line, sent as a datagram to port 1900 instead of over a TCP connection.
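To make the HTTPU point concrete, here is an added example (my code, not from the original post) that builds the SSDP M-SEARCH request a UPnP client multicasts to 239.255.255.250:1900 and parses the HTTPU reply a device sends back. The reply embedded in the block is constructed for the example; the 192.168.1.1 address, the igd.xml path and the all-zero UUID are placeholders, not real devices. The is_gateway check flags replies from an Internet Gateway Device, which is the device type whose port-mapping actions open ports on a router.

```python
"""Build an SSDP M-SEARCH and parse HTTPU datagrams.

Added example, not code from the original post. SSDP is HTTP carried
over UDP (HTTPU): a request line, headers and a blank line, sent as one
datagram to 239.255.255.250:1900, which is why Wireshark's http filter
matches it. SAMPLE_RESPONSE below is constructed, not captured from a
real device.
"""
import socket

SSDP_GROUP = ("239.255.255.250", 1900)


def build_msearch(st="ssdp:all", mx=2):
    """Return the M-SEARCH datagram that asks every device to announce itself."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        "HOST: 239.255.255.250:1900",
        'MAN: "ssdp:discover"',
        "MX: %d" % mx,
        "ST: %s" % st,
        "",  # end of headers
        "",  # HTTPU: no body, the message ends with the empty line
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_httpu(datagram):
    """Split an HTTPU datagram into (start line, {HEADER: value})."""
    text = datagram.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        if ":" not in line:
            continue  # malformed header line; SSDP senders are sloppy
        name, value = line.split(":", 1)
        headers[name.strip().upper()] = value.strip()
    return start, headers


def is_gateway(headers):
    """True if the sender claims to be an Internet Gateway Device (the
    device type whose AddPortMapping action opens router ports)."""
    kind = headers.get("ST") or headers.get("NT") or ""
    return "device:InternetGatewayDevice" in kind


def discover(timeout=2.0):
    """Multicast an M-SEARCH and collect replies (needs a network, not run offline)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_GROUP)
    found = []
    try:
        while True:
            data, peer = sock.recvfrom(65535)
            start, headers = parse_httpu(data)
            found.append((peer[0], start, headers))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample reply (placeholder address, path and UUID).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 example/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for peer, start, headers in discover():
        tag = "IGD" if is_gateway(headers) else "   "
        print(tag, peer, headers.get("ST") or headers.get("NT"), headers.get("LOCATION"))
```

Run it on a LAN and every UPnP device answers with a LOCATION URL for its description XML; an entry tagged IGD is the router that will honour port-mapping requests, and the Wireshark filter above shows the same exchange on the wire.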
[Screenshot: the router's port-forwarding table showing UDP ports 4500 and 5353 forwarded to my Mac]
So UDP ports 4500 and 5353 are forwarded to my Mac, but which software is behind this? Strangely,
$ lsof -i :4500
$ lsof -i :5353
both show nothing, but with a small trick we get around this. In a second terminal we use the ncat command (which you can install with Homebrew) to send a UDP datagram to the port:
$ ncat -u localhost 4500
and when we now run lsof again we can see a socket on that port:
$ lsof -i :4500
COMMAND   PID    USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ncat    57954 hashier    5u  IPv6 0x9fa0d8326998071f      0t0  UDP localhost:49850->localhost:ipsec-msft
$ lsof -i :5353
COMMAND   PID    USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ncat    57960 hashier    5u  IPv6 0x9fa0d8326998071f      0t0  UDP localhost:49851->localhost:mdns
We can see ncat's own UDP socket connected to localhost, and lsof prints the names of the ports it is talking to: ipsec-msft (4500, IPsec NAT traversal) and mdns (5353, multicast DNS). Note that these are the service names from /etc/services, not the programs answering; the line lsof shows belongs to ncat (the part after "->" is the remote end), so it identifies the port, not its owner. To see the process that actually holds the listening socket, lsof has to run as root (sudo lsof -i UDP:5353), because without privileges it only lists your own processes. This raised an eyebrow because I hadn't done anything with VPN or IPsec, so I started googling and found a nice Apple page which explained which services use those ports, and apparently it's just "Back to My Mac" and some "Bonjour" stuff.
Update:
– Removed a typo: of course I don't want ncat to listen, so I removed the -l flag.
– Why do we do this with ncat anyway? Sometimes the service is not started until a packet arrives on the given port, so we send a UDP packet to that port and the service gets started. If we don't do this, we just won't see anything running in lsof.
– Typo
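The procedure above (probe the port, then ask lsof who is on it) in one script, as an added example that is not the original post's code: it runs lsof -nP -iUDP:&lt;port&gt; (-n and -P keep addresses and ports numeric instead of names like ipsec-msft), then separates sockets that are bound on the port, i.e. the owner, from sockets that merely talk to it, such as the ncat probe. It assumes lsof is installed and, to see system services, that you run it with sudo, since lsof only lists processes you own otherwise. The SAMPLE output embedded for offline use is constructed: the ncat line mirrors the post, and "exampled" is a hypothetical owner process, not anything macOS ships.

```python
"""Attribute a UDP port to the process that owns it, using lsof.

Added example, not code from the original post. Runs
`lsof -nP -iUDP:<port>` and tells bound sockets (the owner) apart
from client sockets that are only connected to the port (such as
our own ncat probe). lsof lists only your own processes unless it
runs as root, so use sudo to see system services.
"""
import socket
import subprocess
import sys


def service_name(port, proto="udp"):
    """/etc/services name for a port (what lsof prints without -P)."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "unknown"


def parse_lsof(text):
    """Parse `lsof -nP -i` output into rows of command/pid/user/name."""
    lines = text.strip().splitlines()
    if not lines:
        return []
    if lines[0].split()[:2] != ["COMMAND", "PID"]:
        raise ValueError("unexpected lsof output: %r" % lines[0])
    rows = []
    for line in lines[1:]:
        parts = line.split()
        if len(parts) < 9:
            continue  # truncated or unrelated line
        rows.append({"command": parts[0], "pid": int(parts[1]),
                     "user": parts[2], "name": " ".join(parts[8:])})
    return rows


def port_of(endpoint):
    """Port number of 'addr:port'; handles '*:5353' and '[::1]:49850'.
    Returns None for a service name (lsof output without -P)."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def who_owns(port, rows):
    """Split rows into sockets bound on `port` and clients connected to it."""
    owners, clients = [], []
    for row in rows:
        local, _, remote = row["name"].partition("->")
        if not remote and port_of(local) == port:
            owners.append(row)
        elif remote and port_of(remote) == port:
            clients.append(row)
    return owners, clients


def query(port):
    """Run lsof for one UDP port; lsof exits 1 when nothing matches."""
    out = subprocess.run(["lsof", "-nP", "-iUDP:%d" % port],
                         capture_output=True, text=True, check=False)
    return parse_lsof(out.stdout)


# Constructed sample in `lsof -nP` format (not a real capture): the ncat
# probe from the post next to a hypothetical owner process "exampled".
SAMPLE = """\
COMMAND     PID    USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ncat      57954 hashier    5u  IPv6 0x9fa0d8326998071f      0t0  UDP [::1]:49850->[::1]:4500
exampled    123    root    7u  IPv4 0x9fa0d83269980abc      0t0  UDP *:4500
"""

if __name__ == "__main__":
    ports = [int(p) for p in sys.argv[1:]] or [4500, 5353]
    for port in ports:
        owners, clients = who_owns(port, query(port))
        print("udp/%d (%s)" % (port, service_name(port)))
        for r in owners:
            print("  bound:  %s pid %d (%s) %s" % (r["command"], r["pid"], r["user"], r["name"]))
        for r in clients:
            print("  client: %s pid %d (%s) %s" % (r["command"], r["pid"], r["user"], r["name"]))
        if not owners:
            print("  no owner visible: retry with sudo, or probe the port with ncat first")
```

Run as sudo python3 portowner.py 4500 5353 (file name assumed). The "bound" line is the one to check against what you expect, for example by looking at the binary path of that PID with lsof -p, which is how you would tell the real service apart from something else squatting on the port.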
how about: grep 5353 /etc/services? :)
Good point. I probably didn't think about that because it was running above 1024, so I thought it was an application opening a port, like Skype, and you won't find Skype in /etc/services. But yes, of course, a valid shortcut (:
UDP ports 4500 and 5353 are for Back to My Mac use; please refer to http://support.apple.com/kb/ht4907
Yes, it's exactly what the article says, it's "Back to My Mac" (: But instead of just relying on an Apple support document, you can find out with the described method which application/binary is actually opening the port, and whether it is the "real" "Back to My Mac" software opening the port or maybe malware.