Solved

what does port 2313 do?

Posted on 2004-08-15
Last Modified: 2007-12-19
we handle support for 30+ hotels' broadband connections.  we have installed the hardware for accessing the internet for those hotels either wired or wirelessly.  a little over 1/2 of the hotels are hooked up wireless using multiple access points, mostly 3com access points (8000 or 8200).  they all show minor traffic on 10.0.0.255 using port 2313, which i think is some sort of cross talk between the aps, kind of like handshaking.

recently, we had a hardware failure in one hotel and replaced the 2 APs in use there.  since just before replacing them and after replacing them we are getting much more traffic than normal on that port from both APs.  i am concerned it is signifying something still wrong there but we are not getting complaints about access so i am not sure of my guess.

i recently sent this excerpt from our server's DAT log showing some traffic this a.m.  it lists over 20 calls to the ports all in a brief period.  i have seen as many as a couple hundred all together at other times.  none of the other APs come close to this many entries all at once.

any ideas what may be going on?  should i be concerned?

(540) 10.0.0.124/1207 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1334 ---> 10.0.0.255/2313 UDP MAPPED to=1671
(541) 10.0.0.124/1208 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1335 ---> 10.0.0.255/2313 UDP MAPPED to=1667
(542) 10.0.0.124/1209 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1336 ---> 10.0.0.255/2313 UDP MAPPED to=1654
(543) 10.0.0.73/3509 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1337 ---> 10.0.0.255/2313 UDP MAPPED to=1650
(544) 10.0.0.124/1210 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1338 ---> 10.0.0.255/2313 UDP MAPPED to=1648
(545) 10.0.0.73/3510 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1339 ---> 10.0.0.255/2313 UDP MAPPED to=1618
(546) 10.0.0.124/1211 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1340 ---> 10.0.0.255/2313 UDP MAPPED to=1610
(547) 10.0.0.73/3511 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1341 ---> 10.0.0.255/2313 UDP MAPPED to=1604
(548) 10.0.0.124/1212 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1342 ---> 10.0.0.255/2313 UDP MAPPED to=1599
(549) 10.0.0.124/1213 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1343 ---> 10.0.0.255/2313 UDP MAPPED to=1599
(550) 10.0.0.73/3512 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1344 ---> 10.0.0.255/2313 UDP MAPPED to=1552
(551) 10.0.0.124/1214 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1345 ---> 10.0.0.255/2313 UDP MAPPED to=1549
(552) 10.0.0.73/3513 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1346 ---> 10.0.0.255/2313 UDP MAPPED to=1527
(553) 10.0.0.124/1215 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1348 ---> 10.0.0.255/2313 UDP MAPPED to=1526
(554) 10.0.0.23/9370 (00:0f:66:2f:1e:c0) <-> xxx.yyy.zzz.131/1349 ---> 193.64.205.202/370 UDP MAPPED to=1489
(555) 10.0.0.73/3514 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1350 ---> 10.0.0.255/2313 UDP MAPPED to=1396
(556) 10.0.0.124/1216 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1351 ---> 10.0.0.255/2313 UDP MAPPED to=1392
(557) 10.0.0.73/3515 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1352 ---> 10.0.0.255/2313 UDP MAPPED to=1379
(558) 10.0.0.124/1217 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1353 ---> 10.0.0.255/2313 UDP MAPPED to=1373
(559) 10.0.0.73/3516 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1354 ---> 10.0.0.255/2313 UDP MAPPED to=1371
(560) 10.0.0.124/1218 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1355 ---> 10.0.0.255/2313 UDP MAPPED to=1342
(561) 10.0.0.73/3517 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1356 ---> 10.0.0.255/2313 UDP MAPPED to=1334
(562) 10.0.0.124/1219 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1357 ---> 10.0.0.255/2313 UDP MAPPED to=1331
(563) 10.0.0.73/3518 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1358 ---> 10.0.0.255/2313 UDP MAPPED to=1321
(564) 10.0.0.124/1220 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1359 ---> 10.0.0.255/2313 UDP MAPPED to=1304
(565) 10.0.0.73/3519 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1360 ---> 10.0.0.255/2313 UDP MAPPED to=1296
(566) 10.0.0.124/1221 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1361 ---> 10.0.0.255/2313 UDP MAPPED to=1295
(567) 10.0.0.73/3520 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1362 ---> 10.0.0.255/2313 UDP MAPPED to=1291
(568) 10.0.0.124/1222 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1363 ---> 10.0.0.255/2313 UDP MAPPED to=1290
(569) 10.0.0.73/3521 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1364 ---> 10.0.0.255/2313 UDP MAPPED to=1279
(570) 10.0.0.73/3522 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1365 ---> 10.0.0.255/2313 UDP MAPPED to=1277
(571) 10.0.0.124/1223 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1366 ---> 10.0.0.255/2313 UDP MAPPED to=1269
(572) 10.0.0.124/1224 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1367 ---> 10.0.0.255/2313 UDP MAPPED to=1267
(573) 10.0.0.124/1225 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1368 ---> 10.0.0.255/2313 UDP MAPPED to=1254
(574) 10.0.0.73/3523 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1369 ---> 10.0.0.255/2313 UDP MAPPED to=1217
(575) 10.0.0.124/1226 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1370 ---> 10.0.0.255/2313 UDP MAPPED to=1203
(576) 10.0.0.73/3524 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1371 ---> 10.0.0.255/2313 UDP MAPPED to=1201
(577) 10.0.0.124/1227 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1372 ---> 10.0.0.255/2313 UDP MAPPED to=1196
(578) 10.0.0.73/3525 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1373 ---> 10.0.0.255/2313 UDP MAPPED to=1176
(579) 10.0.0.124/1228 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1374 ---> 10.0.0.255/2313 UDP MAPPED to=1158
(580) 10.0.0.124/1229 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1375 ---> 10.0.0.255/2313 UDP MAPPED to=1157

thanks.

jim

Question by:jsturtz
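
Added example, not part of the original thread: a Python tally of the mapping-log excerpt above that counts entries per source IP/MAC sent to 10.0.0.255/2313, so one site's excerpt can be compared with another's. The field layout is inferred from the excerpt; the function names and the `baseline` threshold are assumptions.

```python
import re
from collections import defaultdict

# Lines copied from the excerpt above (public address already masked there).
SAMPLE = """\
(540) 10.0.0.124/1207 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1334 ---> 10.0.0.255/2313 UDP MAPPED to=1671
(541) 10.0.0.124/1208 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1335 ---> 10.0.0.255/2313 UDP MAPPED to=1667
(542) 10.0.0.124/1209 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1336 ---> 10.0.0.255/2313 UDP MAPPED to=1654
(543) 10.0.0.73/3509 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1337 ---> 10.0.0.255/2313 UDP MAPPED to=1650
(544) 10.0.0.124/1210 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1338 ---> 10.0.0.255/2313 UDP MAPPED to=1648
(545) 10.0.0.73/3510 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1339 ---> 10.0.0.255/2313 UDP MAPPED to=1618
(554) 10.0.0.23/9370 (00:0f:66:2f:1e:c0) <-> xxx.yyy.zzz.131/1349 ---> 193.64.205.202/370 UDP MAPPED to=1489
(555) 10.0.0.73/3514 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1350 ---> 10.0.0.255/2313 UDP MAPPED to=1396
"""

# Inferred layout: (index) src/port (mac) <-> nat/port ---> dst/port proto MAPPED to=n
ENTRY = re.compile(
    r"^\((?P<idx>\d+)\)\s+(?P<src>[\d.]+)/(?P<sport>\d+)\s+"
    r"\((?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\)\s+<->\s+\S+/\d+\s+--->\s+"
    r"(?P<dst>[\d.]+)/(?P<dport>\d+)\s+(?P<proto>\w+)\s+MAPPED\s+to=\d+$",
    re.IGNORECASE,
)

def tally(text, dst="10.0.0.255", dport=2313, proto="UDP"):
    """Return ({(src_ip, mac): [src ports]}, [other parsed entries]) for one excerpt."""
    hits, other = defaultdict(list), []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m is None:
            continue  # blank or unrecognised line
        if (m["dst"], int(m["dport"]), m["proto"].upper()) == (dst, dport, proto):
            hits[(m["src"], m["mac"].lower())].append(int(m["sport"]))
        else:
            other.append((m["src"], m["dst"], int(m["dport"])))
    return dict(hits), other

def noisy_sources(hits, baseline):
    """Sources with more entries than `baseline` (a per-site figure you choose)."""
    return sorted((k for k, p in hits.items() if len(p) > baseline),
                  key=lambda k: -len(hits[k]))

if __name__ == "__main__":
    hits, other = tally(SAMPLE)
    for (ip, mac), ports in hits.items():
        print(f"{ip} {mac}: {len(ports)} entries, source ports {min(ports)}-{max(ports)}")
    print("over baseline:", noisy_sources(hits, baseline=3))
    print("other traffic:", other)
```

Running it over an excerpt of the same length from a quieter site gives the baseline to compare against. In the excerpt every entry uses a fresh source port, so each broadcast shows up as its own mapping entry.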
14 Comments
 
LVL 10

Accepted Solution

by:
Nukfror earned 500 total points
ID: 11804005
0
 
LVL 2

Expert Comment

by:kpmas
ID: 11804015
This is broadcast traffic so it appears that the access points (presuming those source IPs are access points) are looking for something network wide that they do not know how to find.

As long as this traffic isn't leaking it's probably not a big deal, however from a security perspective I'd look at getting rid of it if possible.  Depends on your view of security as it would take some considerable work to exploit but if these are management packets for a centralized access point system (just for example) then it's a perfect way to hijack a wireless LAN....

Do you have a management system that can talk to all APs at the same time?  What kind of security/firewalling do you use internally?

Can you take a packet capture of this stuff so we can see the contents of these packets?  That's probably the fastest way to answer your question...

Thanks,

Paul
0
 
LVL 2

Expert Comment

by:kpmas
ID: 11804032
Sorry.. let's try this again...

IAPP (Inter Access Point Protocol) is port 2313/UDP

Wish I had read your entire posting before making the last comments...heheehe...

IAPP allows for roaming between access points without the client losing their connection.  So, if you have clients moving around your hotel they will continue to have a connection even though they are possibly changing access points.

A lot of this is "cutting edge" and if you want a reference take a look at IEEE 802.11F standards...

Paul
0
 
LVL 1

Author Comment

by:jsturtz
ID: 11805801
so you think this is related to someone walking around with a wireless link?  i suppose it is possible, might be a tad unusual.  but i am not even close to the hotel to check.

but it definitely isn't any kind of diagnostic or 'check-in' type traffic the access points themselves are using that is suddenly spurting lots of stuff.  that is what i was concerned about.

thanks.

jim
0
 
LVL 2

Expert Comment

by:kpmas
ID: 11806043
It could be "roaming" or it could be someone at the hotel who is picking up more than one access point and "flip-flopping" back and forth.  You could pose this question to 3com support and/or look at the configurations to see what kind of IAPP support they have.

Perhaps on newer APs, they have something turned on by default?  Don't know the 3com APs very well to be honest...

Do you see any other weird traffic on the network that stands out?  A sniff of these packets would tell you more possibly...

Take care,

Paul
0
 
LVL 1

Author Comment

by:jsturtz
ID: 11808706
nope, nothing else suspicious.  each hotel's net pretty much has problems keeping viruses off it.  primarily this affects only that user.  however, the hotel-wide bandwidth suffers some so we watch and kill those users off, till they run a scan and clean up.  the other offensive behaviour is filesharing software which can slow things up a lot.  they too get stopped and asked to quit using it while at the hotel.

the other hotels show some activity of the 10.0.0.255/2313 traffic but nowhere near as much or often as the one particular hotel we are looking at here.  which is why i was concerned.

jim
0
 
LVL 2

Expert Comment

by:kpmas
ID: 11808793
I'm honestly not 100% sure on this one... however because it's a registered port to IAPP I would think it's legit... that doesn't answer your question as to why more traffic in this particular case.

My best educated guess is that because these were recently replaced, perhaps they have either an option turned on that the rest don't... a configuration that's slightly different, or different firmware that may behave slightly different.

Paul
0
 
LVL 1

Author Comment

by:jsturtz
ID: 11809526
will try a little harder getting info from 3com i guess.  so far they haven't replied to questions too well.  NOT
0
 
LVL 2

Assisted Solution

by:kpmas
kpmas earned 500 total points
ID: 11809624
Yeh, their support sucks... sorry to be blunt but we used to use (well, still have one) their RAS gear for providing dial-up internet access.  Best support we could get was from 3rd parties at a price....

Paul
0
 
LVL 10

Expert Comment

by:Nukfror
ID: 12370066
Ummm ... split plez
0

Question has a verified solution.
