Who opens my UPnP ports?

Recently I turned on UPnP (Universal Plug and Play) to play a bit with it and instantly noticed that someone/something opened some ports in my router and forwarded them to my machine. So of course I wanted to know what’s going on on my network. First idea “wireshark” but this only gives you information from which port these UPnP stuff goes, it doesn’t tell you the application that initiated these packages. For the curious here is the filter you can use:

udp.dstport == 1900 && http && ip.addr ==

UPnP uses the SSDP protocol which isn’t implemented by wireshark but you can simply use the http protocol because SSDP is based on HTTPU (yes, HTTPU).

<Imagine a picture that shows you that port 4500 and 5353 are open>

So port 4500 and 5353 (both UDP) are forwarded to my Mac but which software is behind this? Strangely

$ lsof -i :4500
$ lsof -i :5353

Booth show nothing but with a small trick we get around this. In a different terminal we use the ncat command (which you can install with homebrew) with

$ ncat -u 4500

and when we now call again the lsof command we can see which program is causing it

$ lsof -i :4500
ncat    57954 hashier    5u  IPv6 0x9fa0d8326998071f      0t0  UDP localhost:49850->localhost:ipsec-msft

$ lsof -i :5353
ncat    57960 hashier    5u  IPv6 0x9fa0d8326998071f      0t0  UDP localhost:49851->localhost:mdns$

We cann see that ncat is making a connections on UDP to localhost and the programs which are “answering” those requests are: ipsec-msft and mdns. This raised an eye brow because I didn’t do anything with vpn or IPsec so I started googling and found this nice apple page which explained to me which services forward those ports and apparently it’s just “Back to My Mac” and some “Bonjour” stuff.

– Removed a typo, of course I don’t want ncat to listen, so I removed the -l flag
– Why do we do this with ncat anyway? Sometimes the service is not started until a package arrives on the given port number and we create a udp package to that port number and then the service get’s started. If we don’t do this we just won’t see anything running in lsof.
– Typo

This entry was posted in computer and tagged , , , , , , , , , , , , , , . Bookmark the permalink.

4 Responses to Who opens my UPnP ports?

  1. fruitdealer says:

    how about: grep 5353 /etc/services? :)

    • hashier says:

      Good point. I probably didn’t think about that because it was running over 1024 so I thought it’s an application opening a port like skype and you won’t find skype in /services but yes of course valid shortcut (:

  2. stanwu says:

    udp port 4500 and 5353 are for Back to My Mac use
    please refer http://support.apple.com/kb/ht4907

    • hashier says:

      Yes, it’s exactly what the article says, it’s “Back to my Mac” (: But instead of just relaying on a apple support document, you can find out with the described method with application/binary actually is opening the port and find out if the “real” “Back to my Mac” software is opening the port or maybe malware.

Leave a Reply

Your email address will not be published. Required fields are marked *