RE: Strange SNMP probes suddenly appearing

From: Graeme Fowler (
Date: 12/11/03

    Date: Thu, 11 Dec 2003 13:59:58 -0000
    To: "Jeff Kell" <>


    On 03 December 2003 02:23, Jeff Kell wrote:
    > After finally getting an ethereal trace of traffic from the faulty
    > address (a machine using an Apple Airport) I found the following:
    > Almost immediately afterward is a UDP packet from that machine to the
    > router on port udp/192. It contains 4 bytes of text, 0x08 0x01 0x03
    > 0x10.
    > So, "something" is amiss here. I'm just not sure I understand it all.
    > But we have the symptoms nailed down, we'll have to see about the
    > cure. Does this ring any bells with anyone that is AirPort
    > knowledgeable? Since these were "rogue installs" by the department,
    > they look like they would be great clay pigeons for skeet shooting,
    > but perhaps they can be more productive.

    A quick scout of Apple's tech info library gave up the following
    "This document lists TCP and UDP ports used by Apple software products
    UDP Port Service
    192 AirPort Base Station PPP status or discovery (certain

    Interesting. So the Airport Base Station can toddle off and do some sort
    of discovery - in my experience (with other discovery devices), it'll
    start with its default router to see what it can find and will then
    poll the local LAN, or follow up anything interesting it might find via
    the initial probe. Presumably, in these cases, the AirPort base station
    is configured to get an IP address via DHCP and then do local NAT for
    wireless devices which connect through it.
    Describes how to turn off SNMP on the "WAN" port of a dual ethernet base
    station. I'd surmise that the use of the word "WAN" here means "Wired
    LAN" :)

    ...and then I go a-googling, and find:
    describing the discovery modes of the base station itself using port

    Having read around the subject over the last half hour or so, I'd say
    that the base stations in their default, plug'n'go state, are trying to
    discover a management station from which they can download their
    configuration. The AirPort management software does its magic via SNMP
    (so it seems!) so it wouldn't surprise me, with Apple's move towards
    automagic configuration of desktops and servers from the OSX Server
    environment, that this is not nefarious activity - it's by design, and
    (like many other scenarios) it's default behaviour which should be
    switched off before plugging the devices into a LAN.

    Hope that helps, at least a little.


    Graeme Fowler

    Technical Services
    Host Europe PLC
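
One way to sweep a packet capture for other devices showing the pattern described in this thread, as an added example that is not part of the original messages: it flags sources that send the reported 4-byte payload to udp/192 and notes any SNMP (udp/161) traffic from the same source. The function names, the correlation rule and the sample packets (documentation addresses) are assumptions constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

AIRPORT_PORT = 192                          # udp/192, from the Apple port list quoted above
AIRPORT_PAYLOAD = bytes([0x08, 0x01, 0x03, 0x10])  # the 4 bytes reported in the trace
SNMP_PORT = 161                             # standard SNMP agent port

def parse_ipv4_udp(pkt):
    """Return (src, dst, dport, payload) for an unfragmented IPv4/UDP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if ihl < 20 or frag_offset or len(pkt) < ihl + 8:
        return None
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if ulen < 8:
        return None
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return src, dst, dport, pkt[ihl + 8:ihl + ulen]

def find_base_stations(packets):
    """Map source IP -> reasons. SNMP alone is ordinary management traffic, so only
    sources that also sent the udp/192 payload are reported (assumed heuristic)."""
    seen = defaultdict(set)
    for pkt in packets:
        parsed = parse_ipv4_udp(pkt)
        if parsed is None:
            continue
        src, _dst, dport, payload = parsed
        if dport == AIRPORT_PORT and payload == AIRPORT_PAYLOAD:
            seen[src].add("udp/192 discovery")
        elif dport == SNMP_PORT:
            seen[src].add("snmp traffic")
    return {ip: sorted(r) for ip, r in seen.items() if "udp/192 discovery" in r}

def build_packet(src, dst, dport, payload, sport=49152):
    """Constructed sample data: minimal IPv4/UDP packet, checksums left at zero."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp

SAMPLE = [  # constructed packets, documentation addresses (192.0.2.0/24)
    build_packet("192.0.2.50", "192.0.2.1", 161, b"constructed"),
    build_packet("192.0.2.50", "192.0.2.1", 192, AIRPORT_PAYLOAD),
    build_packet("192.0.2.77", "192.0.2.1", 161, b"constructed"),   # SNMP only
    build_packet("192.0.2.88", "192.0.2.1", 192, b"\x00\x00\x00\x00"),  # other payload
]
```

Calling `find_base_stations(SAMPLE)` reports only 192.0.2.50; feed it the IP-layer bytes of real frames (link-layer header stripped) to check a capture.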
