what does port 2313 do?

We handle support for 30+ hotels' broadband connections. We have installed the hardware for accessing the internet for those hotels, either wired or wireless. A little over 1/2 of the hotels are hooked up wirelessly using multiple access points, mostly 3Com access points (8000 or 8200). They all show minor traffic to 10.0.0.255 using port 2313, which I think is some sort of cross-talk between the APs, kind of like handshaking.

Recently, we had a hardware failure in one hotel and replaced the 2 APs in use there. Since just before replacing them, and after replacing them, we are getting much more traffic than normal on that port from both APs. I am concerned it is signifying something still wrong there, but we are not getting complaints about access, so I am not sure of my guess.

I recently sent this excerpt from our server's DAT log showing some traffic this a.m. It lists over 20 calls to the port, all in a brief period. I have seen as many as a couple hundred all together at other times. None of the other APs come close to this many entries all at once.

Any ideas what may be going on? Should I be concerned?

(540) 10.0.0.124/1207 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1334 ---> 10.0.0.255/2313 UDP MAPPED to=1671
(541) 10.0.0.124/1208 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1335 ---> 10.0.0.255/2313 UDP MAPPED to=1667
(542) 10.0.0.124/1209 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1336 ---> 10.0.0.255/2313 UDP MAPPED to=1654
(543) 10.0.0.73/3509 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1337 ---> 10.0.0.255/2313 UDP MAPPED to=1650
(544) 10.0.0.124/1210 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1338 ---> 10.0.0.255/2313 UDP MAPPED to=1648
(545) 10.0.0.73/3510 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1339 ---> 10.0.0.255/2313 UDP MAPPED to=1618
(546) 10.0.0.124/1211 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1340 ---> 10.0.0.255/2313 UDP MAPPED to=1610
(547) 10.0.0.73/3511 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1341 ---> 10.0.0.255/2313 UDP MAPPED to=1604
(548) 10.0.0.124/1212 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1342 ---> 10.0.0.255/2313 UDP MAPPED to=1599
(549) 10.0.0.124/1213 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1343 ---> 10.0.0.255/2313 UDP MAPPED to=1599
(550) 10.0.0.73/3512 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1344 ---> 10.0.0.255/2313 UDP MAPPED to=1552
(551) 10.0.0.124/1214 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1345 ---> 10.0.0.255/2313 UDP MAPPED to=1549
(552) 10.0.0.73/3513 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1346 ---> 10.0.0.255/2313 UDP MAPPED to=1527
(553) 10.0.0.124/1215 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1348 ---> 10.0.0.255/2313 UDP MAPPED to=1526
(554) 10.0.0.23/9370 (00:0f:66:2f:1e:c0) <-> xxx.yyy.zzz.131/1349 ---> 193.64.205.202/370 UDP MAPPED to=1489
(555) 10.0.0.73/3514 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1350 ---> 10.0.0.255/2313 UDP MAPPED to=1396
(556) 10.0.0.124/1216 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1351 ---> 10.0.0.255/2313 UDP MAPPED to=1392
(557) 10.0.0.73/3515 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1352 ---> 10.0.0.255/2313 UDP MAPPED to=1379
(558) 10.0.0.124/1217 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1353 ---> 10.0.0.255/2313 UDP MAPPED to=1373
(559) 10.0.0.73/3516 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1354 ---> 10.0.0.255/2313 UDP MAPPED to=1371
(560) 10.0.0.124/1218 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1355 ---> 10.0.0.255/2313 UDP MAPPED to=1342
(561) 10.0.0.73/3517 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1356 ---> 10.0.0.255/2313 UDP MAPPED to=1334
(562) 10.0.0.124/1219 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1357 ---> 10.0.0.255/2313 UDP MAPPED to=1331
(563) 10.0.0.73/3518 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1358 ---> 10.0.0.255/2313 UDP MAPPED to=1321
(564) 10.0.0.124/1220 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1359 ---> 10.0.0.255/2313 UDP MAPPED to=1304
(565) 10.0.0.73/3519 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1360 ---> 10.0.0.255/2313 UDP MAPPED to=1296
(566) 10.0.0.124/1221 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1361 ---> 10.0.0.255/2313 UDP MAPPED to=1295
(567) 10.0.0.73/3520 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1362 ---> 10.0.0.255/2313 UDP MAPPED to=1291
(568) 10.0.0.124/1222 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1363 ---> 10.0.0.255/2313 UDP MAPPED to=1290
(569) 10.0.0.73/3521 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1364 ---> 10.0.0.255/2313 UDP MAPPED to=1279
(570) 10.0.0.73/3522 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1365 ---> 10.0.0.255/2313 UDP MAPPED to=1277
(571) 10.0.0.124/1223 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1366 ---> 10.0.0.255/2313 UDP MAPPED to=1269
(572) 10.0.0.124/1224 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1367 ---> 10.0.0.255/2313 UDP MAPPED to=1267
(573) 10.0.0.124/1225 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1368 ---> 10.0.0.255/2313 UDP MAPPED to=1254
(574) 10.0.0.73/3523 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1369 ---> 10.0.0.255/2313 UDP MAPPED to=1217
(575) 10.0.0.124/1226 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1370 ---> 10.0.0.255/2313 UDP MAPPED to=1203
(576) 10.0.0.73/3524 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1371 ---> 10.0.0.255/2313 UDP MAPPED to=1201
(577) 10.0.0.124/1227 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1372 ---> 10.0.0.255/2313 UDP MAPPED to=1196
(578) 10.0.0.73/3525 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1373 ---> 10.0.0.255/2313 UDP MAPPED to=1176
(579) 10.0.0.124/1228 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1374 ---> 10.0.0.255/2313 UDP MAPPED to=1158
(580) 10.0.0.124/1229 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1375 ---> 10.0.0.255/2313 UDP MAPPED to=1157

Thanks.

Jim

jsturtz Asked:

kpmas Commented:
This is broadcast traffic, so it appears that the access points (presuming those source IPs are access points) are looking for something network-wide that they do not know how to find.

As long as this traffic isn't leaking, it's probably not a big deal; however, from a security perspective I'd look at getting rid of it if possible. Depends on your view of security, as it would take some considerable work to exploit, but if these are management packets for a centralized access point system (just for example) then it's a perfect way to hijack a wireless LAN....

Do you have a management system that can talk to all APs at the same time? What kind of security/firewalling do you use internally?

Can you take a packet capture of this stuff so we can see the contents of these packets?  That's probably the fastest way to answer your question...

Thanks,

Paul
kpmas Commented:
Sorry.. let's try this again...

IAPP (Inter Access Point Protocol) is port 2313/UDP

Wish I had read your entire posting before making the last comments... hehehe...

IAPP allows for roaming between access points without the client losing their connection. So, if you have clients moving around your hotel, they will continue to have a connection even though they are possibly changing access points.

A lot of this is "cutting edge" and if you want a reference take a look at IEEE 802.11F standards...

Paul
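Added example (not part of the thread, and not 3Com's or the log server's own code): a small Python script that parses DAT log lines in the format quoted in the question, counts broadcast-destined entries per source AP and destination port, labels UDP/2313 as IAPP as Paul identifies above, and flags a source whose entries cluster into a burst of consecutive log records. It lets you compare per-AP counts across hotels rather than eyeballing the log. The regex is inferred from the quoted lines, the sample lines are copied from the question, and the burst window and threshold are assumptions chosen for this sample; the meaning of the `to=` value is not stated on the page, so it is parsed but otherwise ignored.

```python
import re
from collections import Counter, defaultdict

# Port names relevant to this thread; 2313/UDP is IAPP (IEEE 802.11F).
PORT_NAMES = {2313: "IAPP (Inter-Access Point Protocol, IEEE 802.11F)"}

# Format inferred from the lines quoted in the question:
# "(seq) src_ip/src_port (src_mac) <-> nat_ip/nat_port ---> dst_ip/dst_port PROTO MAPPED to=N"
LOG_RE = re.compile(
    r"^\((?P<seq>\d+)\)\s+"
    r"(?P<src_ip>\S+)/(?P<src_port>\d+)\s+"
    r"\((?P<src_mac>[0-9a-f:]{17})\)\s+<->\s+"
    r"(?P<nat_ip>\S+)/(?P<nat_port>\d+)\s+--->\s+"
    r"(?P<dst_ip>\S+)/(?P<dst_port>\d+)\s+"
    r"(?P<proto>\w+)\s+MAPPED\s+to=(?P<mapped_to>\d+)\s*$"
)

# Sample input copied from the question (seq 540-554); the 193.64.205.202 line
# is included as a non-broadcast control record.
SAMPLE_LINES = [
    "(540) 10.0.0.124/1207 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1334 ---> 10.0.0.255/2313 UDP MAPPED to=1671",
    "(541) 10.0.0.124/1208 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1335 ---> 10.0.0.255/2313 UDP MAPPED to=1667",
    "(542) 10.0.0.124/1209 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1336 ---> 10.0.0.255/2313 UDP MAPPED to=1654",
    "(543) 10.0.0.73/3509 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1337 ---> 10.0.0.255/2313 UDP MAPPED to=1650",
    "(544) 10.0.0.124/1210 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1338 ---> 10.0.0.255/2313 UDP MAPPED to=1648",
    "(545) 10.0.0.73/3510 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1339 ---> 10.0.0.255/2313 UDP MAPPED to=1618",
    "(546) 10.0.0.124/1211 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1340 ---> 10.0.0.255/2313 UDP MAPPED to=1610",
    "(547) 10.0.0.73/3511 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1341 ---> 10.0.0.255/2313 UDP MAPPED to=1604",
    "(548) 10.0.0.124/1212 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1342 ---> 10.0.0.255/2313 UDP MAPPED to=1599",
    "(549) 10.0.0.124/1213 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1343 ---> 10.0.0.255/2313 UDP MAPPED to=1599",
    "(550) 10.0.0.73/3512 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1344 ---> 10.0.0.255/2313 UDP MAPPED to=1552",
    "(551) 10.0.0.124/1214 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1345 ---> 10.0.0.255/2313 UDP MAPPED to=1549",
    "(552) 10.0.0.73/3513 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1346 ---> 10.0.0.255/2313 UDP MAPPED to=1527",
    "(553) 10.0.0.124/1215 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1348 ---> 10.0.0.255/2313 UDP MAPPED to=1526",
    "(554) 10.0.0.23/9370 (00:0f:66:2f:1e:c0) <-> xxx.yyy.zzz.131/1349 ---> 193.64.205.202/370 UDP MAPPED to=1489",
]


def parse_line(line):
    """Parse one DAT mapping line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("seq", "src_port", "nat_port", "dst_port", "mapped_to"):
        rec[key] = int(rec[key])
    return rec


def is_broadcast(ip):
    """Treat the limited broadcast and any x.x.x.255 address as broadcast (assumes /24 subnets)."""
    return ip == "255.255.255.255" or ip.endswith(".255")


def describe_port(port):
    """Human-readable name for a UDP port, or 'unregistered/unknown'."""
    return PORT_NAMES.get(port, "unregistered/unknown")


def summarize(lines):
    """Count broadcast-destined records per (source IP, source MAC, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_broadcast(rec["dst_ip"]):
            continue
        counts[(rec["src_ip"], rec["src_mac"], rec["dst_port"])] += 1
    return counts


def flag_bursts(lines, window=20, threshold=8):
    """Return sources whose broadcast records reach `threshold` entries within any
    run of `window` consecutive log sequence numbers (window/threshold are assumed values)."""
    seqs = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_broadcast(rec["dst_ip"]):
            continue
        seqs[(rec["src_ip"], rec["src_mac"], rec["dst_port"])].append(rec["seq"])
    flagged = {}
    for src, s in seqs.items():
        s.sort()
        best, i = 0, 0
        for j in range(len(s)):          # sliding window over sorted sequence numbers
            while s[j] - s[i] >= window:
                i += 1
            best = max(best, j - i + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for (ip, mac, port), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{ip} ({mac}) -> broadcast/{port} [{describe_port(port)}]: {n} records")
    for (ip, mac, port), n in flag_bursts(SAMPLE_LINES).items():
        print(f"BURST: {ip} ({mac}) sent {n} broadcast/{port} records within 20 log entries")
```

Run the same script over a DAT excerpt from a hotel that behaves normally and compare the per-AP counts; a site-to-site difference, like the one Jim describes, is easier to argue with 3Com support as a number than as an impression. Of the two APs in the sample, only 10.0.0.124 crosses the assumed threshold.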
jsturtz (Author) Commented:
So you think this is related to someone walking around with a wireless link? I suppose it is possible; might be a tad unusual. But I am not even close to the hotel to check.

But it definitely isn't any kind of diagnostic or 'check-in' type traffic the access points themselves are using that is suddenly spurting lots of stuff. That is what I was concerned about.

Thanks.

Jim
kpmas Commented:
It could be "roaming", or it could be someone at the hotel who is picking up more than one access point and "flip-flopping" back and forth. You could pose this question to 3Com support and/or look at the configurations to see what kind of IAPP support they have.

Perhaps on newer APs, they have something turned on by default? Don't know the 3Com APs very well, to be honest...

Do you see any other weird traffic on the network that stands out? A sniff of these packets would possibly tell you more...

Take care,

Paul
jsturtz (Author) Commented:
Nope, nothing else suspicious. Each hotel's net pretty much has problems keeping viruses off it. Primarily this affects only that user. However, the hotel-wide bandwidth suffers some, so we watch and kill those users off till they run a scan and clean up. The other offensive behaviour is file-sharing software, which can slow things up a lot. They too get stopped and asked to quit using it while at the hotel.

The other hotels show some activity of the 10.0.0.255/2313 traffic, but nowhere near as much or as often as the one particular hotel we are looking at here, which is why I was concerned.

Jim
kpmas Commented:
I'm honestly not 100% sure on this one... however, because it's a registered port for IAPP, I would think it's legit... that doesn't answer your question as to why there is more traffic in this particular case.

My best educated guess is that because these were recently replaced, perhaps they have either an option turned on that the rest don't, a configuration that's slightly different, or different firmware that may behave slightly differently.

Paul
jsturtz (Author) Commented:
Will try a little harder getting info from 3Com, I guess. So far they haven't replied to questions too well. NOT
kpmas Commented:
Yeah, their support sucks... sorry to be blunt, but we used to use (well, still have one) their RAS gear for providing dial-up internet access. Best support we could get was from 3rd parties, at a price....

Paul
Nukfror Commented:
Ummm ... split plez
Question has a verified solution.