Solved

what does port 2313 do?

Posted on 2004-08-15
14
543 Views
Last Modified: 2007-12-19
we handle support for 30+ hotels' broadband connections.  we have installed the hardware for accessing the internet for those hotels, either wired or wireless.  a little over 1/2 of the hotels are hooked up wirelessly using multiple access points, mostly 3Com access points (8000 or 8200).  they all show minor traffic to 10.0.0.255 on port 2313, which I think is some sort of cross-talk between the APs, kind of like handshaking.

recently, we had a hardware failure in one hotel and replaced the 2 APs in use there.  since just before replacing them, and after replacing them, we are getting much more traffic than normal on that port from both APs.  I am concerned it is signifying something still wrong there, but we are not getting complaints about access, so I am not sure of my guess.

below is an excerpt from our server's DAT log showing some traffic this a.m.  it lists over 20 calls to the port, all in a brief period.  I have seen as many as a couple hundred all together at other times.  none of the other APs come close to this many entries all at once.

any ideas what may be going on?  should I be concerned?

(540) 10.0.0.124/1207 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1334 ---> 10.0.0.255/2313 UDP MAPPED to=1671
(541) 10.0.0.124/1208 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1335 ---> 10.0.0.255/2313 UDP MAPPED to=1667
(542) 10.0.0.124/1209 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1336 ---> 10.0.0.255/2313 UDP MAPPED to=1654
(543) 10.0.0.73/3509 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1337 ---> 10.0.0.255/2313 UDP MAPPED to=1650
(544) 10.0.0.124/1210 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1338 ---> 10.0.0.255/2313 UDP MAPPED to=1648
(545) 10.0.0.73/3510 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1339 ---> 10.0.0.255/2313 UDP MAPPED to=1618
(546) 10.0.0.124/1211 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1340 ---> 10.0.0.255/2313 UDP MAPPED to=1610
(547) 10.0.0.73/3511 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1341 ---> 10.0.0.255/2313 UDP MAPPED to=1604
(548) 10.0.0.124/1212 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1342 ---> 10.0.0.255/2313 UDP MAPPED to=1599
(549) 10.0.0.124/1213 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1343 ---> 10.0.0.255/2313 UDP MAPPED to=1599
(550) 10.0.0.73/3512 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1344 ---> 10.0.0.255/2313 UDP MAPPED to=1552
(551) 10.0.0.124/1214 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1345 ---> 10.0.0.255/2313 UDP MAPPED to=1549
(552) 10.0.0.73/3513 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1346 ---> 10.0.0.255/2313 UDP MAPPED to=1527
(553) 10.0.0.124/1215 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1348 ---> 10.0.0.255/2313 UDP MAPPED to=1526
(554) 10.0.0.23/9370 (00:0f:66:2f:1e:c0) <-> xxx.yyy.zzz.131/1349 ---> 193.64.205.202/370 UDP MAPPED to=1489
(555) 10.0.0.73/3514 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1350 ---> 10.0.0.255/2313 UDP MAPPED to=1396
(556) 10.0.0.124/1216 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1351 ---> 10.0.0.255/2313 UDP MAPPED to=1392
(557) 10.0.0.73/3515 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1352 ---> 10.0.0.255/2313 UDP MAPPED to=1379
(558) 10.0.0.124/1217 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1353 ---> 10.0.0.255/2313 UDP MAPPED to=1373
(559) 10.0.0.73/3516 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1354 ---> 10.0.0.255/2313 UDP MAPPED to=1371
(560) 10.0.0.124/1218 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1355 ---> 10.0.0.255/2313 UDP MAPPED to=1342
(561) 10.0.0.73/3517 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1356 ---> 10.0.0.255/2313 UDP MAPPED to=1334
(562) 10.0.0.124/1219 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1357 ---> 10.0.0.255/2313 UDP MAPPED to=1331
(563) 10.0.0.73/3518 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1358 ---> 10.0.0.255/2313 UDP MAPPED to=1321
(564) 10.0.0.124/1220 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1359 ---> 10.0.0.255/2313 UDP MAPPED to=1304
(565) 10.0.0.73/3519 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1360 ---> 10.0.0.255/2313 UDP MAPPED to=1296
(566) 10.0.0.124/1221 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1361 ---> 10.0.0.255/2313 UDP MAPPED to=1295
(567) 10.0.0.73/3520 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1362 ---> 10.0.0.255/2313 UDP MAPPED to=1291
(568) 10.0.0.124/1222 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1363 ---> 10.0.0.255/2313 UDP MAPPED to=1290
(569) 10.0.0.73/3521 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1364 ---> 10.0.0.255/2313 UDP MAPPED to=1279
(570) 10.0.0.73/3522 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1365 ---> 10.0.0.255/2313 UDP MAPPED to=1277
(571) 10.0.0.124/1223 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1366 ---> 10.0.0.255/2313 UDP MAPPED to=1269
(572) 10.0.0.124/1224 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1367 ---> 10.0.0.255/2313 UDP MAPPED to=1267
(573) 10.0.0.124/1225 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1368 ---> 10.0.0.255/2313 UDP MAPPED to=1254
(574) 10.0.0.73/3523 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1369 ---> 10.0.0.255/2313 UDP MAPPED to=1217
(575) 10.0.0.124/1226 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1370 ---> 10.0.0.255/2313 UDP MAPPED to=1203
(576) 10.0.0.73/3524 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1371 ---> 10.0.0.255/2313 UDP MAPPED to=1201
(577) 10.0.0.124/1227 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1372 ---> 10.0.0.255/2313 UDP MAPPED to=1196
(578) 10.0.0.73/3525 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1373 ---> 10.0.0.255/2313 UDP MAPPED to=1176
(579) 10.0.0.124/1228 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1374 ---> 10.0.0.255/2313 UDP MAPPED to=1158
(580) 10.0.0.124/1229 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1375 ---> 10.0.0.255/2313 UDP MAPPED to=1157

thanks.

jim

Question by:jsturtz
14 Comments
 
LVL 10

Accepted Solution

by:
Nukfror earned 125 total points
ID: 11804005
0
 
LVL 2

Expert Comment

by:kpmas
ID: 11804015
This is broadcast traffic, so it appears that the access points (presuming those source IPs are access points) are looking for something network-wide that they do not know how to find.

As long as this traffic isn't leaking it's probably not a big deal; however, from a security perspective I'd look at getting rid of it if possible.  It depends on your view of security, as it would take some considerable work to exploit, but if these are management packets for a centralized access point system (just for example) then it's a perfect way to hijack a wireless LAN....

Do you have a management system that can talk to all APs at the same time?  What kind of security/firewalling do you use internally?

Can you take a packet capture of this stuff so we can see the contents of these packets?  That's probably the fastest way to answer your question...

Thanks,

Paul
0
 
LVL 2

Expert Comment

by:kpmas
ID: 11804032
Sorry.. let's try this again...

IAPP (Inter Access Point Protocol) is port 2313/UDP

Wish I had read your entire posting before making the last comments...heheehe...

IAPP allows for roaming between access points without the client losing their connection.  So, if you have clients moving around your hotel, they will continue to have a connection even though they are possibly changing access points.

A lot of this is "cutting edge" and if you want a reference take a look at IEEE 802.11F standards...

Paul
0
 
LVL 1

Author Comment

by:jsturtz
ID: 11805801
so you think this is related to someone walking around with a wireless link?  I suppose it is possible; it might be a tad unusual.  but I am not even close to the hotel to check.

but it definitely isn't any kind of diagnostic or 'check-in' type traffic the access points themselves are using that is suddenly spurting lots of stuff?  that is what I was concerned about.

thanks.

jim
0
 
LVL 2

Expert Comment

by:kpmas
ID: 11806043
It could be "roaming" or it could be someone at the hotel who is picking up more than one access point and "flip-flopping" back and forth.  You could pose this question to 3Com support and/or look at the configurations to see what kind of IAPP support they have.

Perhaps on newer APs they have something turned on by default?  Don't know the 3Com APs very well, to be honest...

Do you see any other weird traffic on the network that stands out?  A sniff of these packets would tell you more possibly...

Take care,

Paul
0
 
LVL 1

Author Comment

by:jsturtz
ID: 11808706
nope, nothing else suspicious.  each hotel's net pretty much has problems keeping viruses off it.  primarily this affects only that user; however, the hotel-wide bandwidth suffers some, so we watch and kill those users off till they run a scan and clean up.  the other offensive behaviour is file-sharing software, which can slow things up a lot.  they too get stopped and asked to quit using it while at the hotel.

the other hotels show some activity of the 10.0.0.255/2313 traffic, but nowhere near as much or as often as the one particular hotel we are looking at here.  which is why I was concerned.

jim
0
 
LVL 2

Expert Comment

by:kpmas
ID: 11808793
I'm honestly not 100% sure on this one... however, because it's a registered port for IAPP I would think it's legit... that doesn't answer your question as to why there is more traffic in this particular case.

My best educated guess is that because these were recently replaced, perhaps they have either an option turned on that the rest don't... a configuration that's slightly different, or different firmware that may behave slightly differently.

Paul
0
 
LVL 1

Author Comment

by:jsturtz
ID: 11809526
will try a little harder getting info from 3Com I guess.  so far they haven't replied to questions too well.  NOT
0
 
LVL 2

Assisted Solution

by:kpmas
kpmas earned 125 total points
ID: 11809624
Yeh, their support sucks... sorry to be blunt, but we used to use (well, still have one) their RAS gear for providing dial-up internet access.  Best support we could get was from 3rd parties, at a price....

Paul
0
 
LVL 10

Expert Comment

by:Nukfror
ID: 12370066
Ummm ... split please
0