what does port 2313 do?

Posted on 2004-08-15
Last Modified: 2007-12-19
We handle support for 30+ hotels' broadband connections. We have installed the hardware for accessing the internet at those hotels, either wired or wireless. A little over half of the hotels are hooked up wirelessly using multiple access points, mostly 3com access points (8000 or 8200). They all show minor traffic to 10.0.0.255 on port 2313, which I think is some sort of cross-talk between the APs, kind of like handshaking.

Recently, we had a hardware failure in one hotel and replaced the 2 APs in use there. Since just before replacing them, and after replacing them, we have been getting much more traffic than normal on that port from both APs. I am concerned it is signifying something still wrong there, but we are not getting complaints about access, so I am not sure of my guess.

I recently sent this excerpt from our server's DAT log showing some traffic this a.m. It lists over 20 calls to the port, all in a brief period. I have seen as many as a couple hundred all together at other times. None of the other APs come close to this many entries all at once.

Any ideas what may be going on? Should I be concerned?

(540) 10.0.0.124/1207 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1334 ---> 10.0.0.255/2313 UDP MAPPED to=1671
(541) 10.0.0.124/1208 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1335 ---> 10.0.0.255/2313 UDP MAPPED to=1667
(542) 10.0.0.124/1209 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1336 ---> 10.0.0.255/2313 UDP MAPPED to=1654
(543) 10.0.0.73/3509 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1337 ---> 10.0.0.255/2313 UDP MAPPED to=1650
(544) 10.0.0.124/1210 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1338 ---> 10.0.0.255/2313 UDP MAPPED to=1648
(545) 10.0.0.73/3510 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1339 ---> 10.0.0.255/2313 UDP MAPPED to=1618
(546) 10.0.0.124/1211 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1340 ---> 10.0.0.255/2313 UDP MAPPED to=1610
(547) 10.0.0.73/3511 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1341 ---> 10.0.0.255/2313 UDP MAPPED to=1604
(548) 10.0.0.124/1212 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1342 ---> 10.0.0.255/2313 UDP MAPPED to=1599
(549) 10.0.0.124/1213 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1343 ---> 10.0.0.255/2313 UDP MAPPED to=1599
(550) 10.0.0.73/3512 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1344 ---> 10.0.0.255/2313 UDP MAPPED to=1552
(551) 10.0.0.124/1214 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1345 ---> 10.0.0.255/2313 UDP MAPPED to=1549
(552) 10.0.0.73/3513 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1346 ---> 10.0.0.255/2313 UDP MAPPED to=1527
(553) 10.0.0.124/1215 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1348 ---> 10.0.0.255/2313 UDP MAPPED to=1526
(554) 10.0.0.23/9370 (00:0f:66:2f:1e:c0) <-> xxx.yyy.zzz.131/1349 ---> 193.64.205.202/370 UDP MAPPED to=1489
(555) 10.0.0.73/3514 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1350 ---> 10.0.0.255/2313 UDP MAPPED to=1396
(556) 10.0.0.124/1216 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1351 ---> 10.0.0.255/2313 UDP MAPPED to=1392
(557) 10.0.0.73/3515 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1352 ---> 10.0.0.255/2313 UDP MAPPED to=1379
(558) 10.0.0.124/1217 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1353 ---> 10.0.0.255/2313 UDP MAPPED to=1373
(559) 10.0.0.73/3516 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1354 ---> 10.0.0.255/2313 UDP MAPPED to=1371
(560) 10.0.0.124/1218 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1355 ---> 10.0.0.255/2313 UDP MAPPED to=1342
(561) 10.0.0.73/3517 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1356 ---> 10.0.0.255/2313 UDP MAPPED to=1334
(562) 10.0.0.124/1219 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1357 ---> 10.0.0.255/2313 UDP MAPPED to=1331
(563) 10.0.0.73/3518 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1358 ---> 10.0.0.255/2313 UDP MAPPED to=1321
(564) 10.0.0.124/1220 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1359 ---> 10.0.0.255/2313 UDP MAPPED to=1304
(565) 10.0.0.73/3519 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1360 ---> 10.0.0.255/2313 UDP MAPPED to=1296
(566) 10.0.0.124/1221 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1361 ---> 10.0.0.255/2313 UDP MAPPED to=1295
(567) 10.0.0.73/3520 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1362 ---> 10.0.0.255/2313 UDP MAPPED to=1291
(568) 10.0.0.124/1222 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1363 ---> 10.0.0.255/2313 UDP MAPPED to=1290
(569) 10.0.0.73/3521 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1364 ---> 10.0.0.255/2313 UDP MAPPED to=1279
(570) 10.0.0.73/3522 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1365 ---> 10.0.0.255/2313 UDP MAPPED to=1277
(571) 10.0.0.124/1223 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1366 ---> 10.0.0.255/2313 UDP MAPPED to=1269
(572) 10.0.0.124/1224 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1367 ---> 10.0.0.255/2313 UDP MAPPED to=1267
(573) 10.0.0.124/1225 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1368 ---> 10.0.0.255/2313 UDP MAPPED to=1254
(574) 10.0.0.73/3523 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1369 ---> 10.0.0.255/2313 UDP MAPPED to=1217
(575) 10.0.0.124/1226 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1370 ---> 10.0.0.255/2313 UDP MAPPED to=1203
(576) 10.0.0.73/3524 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1371 ---> 10.0.0.255/2313 UDP MAPPED to=1201
(577) 10.0.0.124/1227 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1372 ---> 10.0.0.255/2313 UDP MAPPED to=1196
(578) 10.0.0.73/3525 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1373 ---> 10.0.0.255/2313 UDP MAPPED to=1176
(579) 10.0.0.124/1228 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1374 ---> 10.0.0.255/2313 UDP MAPPED to=1158
(580) 10.0.0.124/1229 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1375 ---> 10.0.0.255/2313 UDP MAPPED to=1157

thanks.

jim

Question by:jsturtz
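As an added example (not part of the original thread, and not 3com's or the firewall vendor's tooling), here is a small Python parser for the "MAPPED" log format shown in the post. It tallies UDP datagrams to the LAN broadcast address on port 2313 per source IP and MAC, so a burst like the one above can be compared against a threshold, and it separately lists records whose destination lies outside the LAN, which is the check to run when asking whether the 2313 traffic stays local. Assumptions: the LAN is 10.0.0.0/24 (inferred from the 10.0.0.255 broadcast address in the log, not stated in the post), the threshold value is arbitrary, and the embedded sample is a subset of the excerpt above with the poster's own redaction (xxx.yyy.zzz.131) left in place.

```python
import ipaddress
import re
from collections import Counter

# Subset of the firewall "MAPPED" lines from the post above (not a full copy);
# xxx.yyy.zzz.131 is the NAT address as redacted by the poster.
SAMPLE_LOG = """\
(540) 10.0.0.124/1207 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1334 ---> 10.0.0.255/2313 UDP MAPPED to=1671
(541) 10.0.0.124/1208 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1335 ---> 10.0.0.255/2313 UDP MAPPED to=1667
(543) 10.0.0.73/3509 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1337 ---> 10.0.0.255/2313 UDP MAPPED to=1650
(544) 10.0.0.124/1210 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1338 ---> 10.0.0.255/2313 UDP MAPPED to=1648
(545) 10.0.0.73/3510 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1339 ---> 10.0.0.255/2313 UDP MAPPED to=1618
(554) 10.0.0.23/9370 (00:0f:66:2f:1e:c0) <-> xxx.yyy.zzz.131/1349 ---> 193.64.205.202/370 UDP MAPPED to=1489
(555) 10.0.0.73/3514 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1350 ---> 10.0.0.255/2313 UDP MAPPED to=1396
(556) 10.0.0.124/1216 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1351 ---> 10.0.0.255/2313 UDP MAPPED to=1392
"""

# One line:  (seq) inside_ip/port (mac) <-> nat_ip/port ---> dst_ip/port PROTO MAPPED to=N
LOG_RE = re.compile(
    r"^\((?P<seq>\d+)\)\s+"
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)/(?P<src_port>\d+)\s+"
    r"\((?P<src_mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\)\s+<->\s+"
    r"(?P<nat_ip>\S+)/(?P<nat_port>\d+)\s+--->\s+"
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)/(?P<dst_port>\d+)\s+"
    r"(?P<proto>[A-Z]+)\s+MAPPED\s+to=(?P<mapped>\d+)$"
)

IAPP_PORT = 2313  # UDP/2313, the IAPP port identified in the thread


def parse_line(line):
    """Parse one MAPPED line into a dict; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("seq", "src_port", "nat_port", "dst_port", "mapped"):
        rec[key] = int(rec[key])
    return rec


def is_iapp_broadcast(rec, network):
    """UDP datagram to port 2313 at the LAN broadcast address (10.0.0.255 for a /24)."""
    return (rec["proto"] == "UDP"
            and rec["dst_port"] == IAPP_PORT
            and ipaddress.ip_address(rec["dst_ip"]) == network.broadcast_address)


def count_iapp_by_source(log_text, network="10.0.0.0/24"):
    """Tally IAPP broadcasts per (src_ip, src_mac); also return every other parsed record.

    The /24 is an assumption taken from the 10.0.0.255 broadcast address in the log.
    """
    net = ipaddress.ip_network(network)
    counts = Counter()
    other = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # blank line, header, or a line in a different format
        if is_iapp_broadcast(rec, net):
            counts[(rec["src_ip"], rec["src_mac"])] += 1
        else:
            other.append(rec)
    return counts, other


def flag_bursts(counts, threshold):
    """Sources with more than `threshold` IAPP broadcasts in the window, busiest first.

    The threshold is site-specific: the poster's baseline is what the other hotels'
    APs normally show, so derive it from their logs rather than from this excerpt.
    """
    return sorted(((src, n) for src, n in counts.items() if n > threshold),
                  key=lambda item: (-item[1], item[0]))


def off_lan_destinations(records, network="10.0.0.0/24"):
    """Records whose destination is outside the LAN: the 'is it leaking?' check."""
    net = ipaddress.ip_network(network)
    return [r for r in records if ipaddress.ip_address(r["dst_ip"]) not in net]


if __name__ == "__main__":
    counts, other = count_iapp_by_source(SAMPLE_LOG)
    for (ip, mac), n in counts.most_common():
        print(f"{ip} ({mac}): {n} IAPP broadcasts")
    for src, n in flag_bursts(counts, threshold=3):
        print("burst:", src, n)
    for r in off_lan_destinations(other):
        print("off-LAN:", r["src_ip"], "->", f'{r["dst_ip"]}/{r["dst_port"]}')
```

Run against a full day's log rather than the excerpt to get a meaningful per-AP rate, and run the same script over another hotel's log to set the threshold; a burst only means something relative to that baseline.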
14 Comments

Accepted Solution

by:
Nukfror earned 125 total points
ID: 11804005

Expert Comment

by:kpmas
ID: 11804015
This is broadcast traffic, so it appears that the access points (presuming those source IPs are access points) are looking for something network-wide that they do not know how to find.

As long as this traffic isn't leaking it's probably not a big deal; however, from a security perspective I'd look at getting rid of it if possible.  Depends on your view of security, as it would take some considerable work to exploit, but if these are management packets for a centralized access point system (just for example) then it's a perfect way to hijack a wireless LAN....

Do you have a management system that can talk to all APs at the same time?  What kind of security/firewalling do you use internally?

Can you take a packet capture of this stuff so we can see the contents of these packets?  That's probably the fastest way to answer your question...

Thanks,

Paul

Expert Comment

by:kpmas
ID: 11804032
Sorry.. let's try this again...

IAPP (Inter Access Point Protocol) is port 2313/UDP

Wish I had read your entire posting before making the last comments... heheehe...

IAPP allows for roaming between access points without the client losing their connection.  So, if you have clients moving around your hotel they will continue to have a connection even though they are possibly changing access points.

A lot of this is "cutting edge" and if you want a reference take a look at IEEE 802.11F standards...

Paul

Author Comment

by:jsturtz
ID: 11805801
So you think this is related to someone walking around with a wireless link?  I suppose it is possible, might be a tad unusual.  But I am not even close to the hotel to check.

But it definitely isn't any kind of diagnostic or 'check-in' type traffic the access points themselves are using that is suddenly spurting lots of stuff.  That is what I was concerned about.

thanks.

jim

Expert Comment

by:kpmas
ID: 11806043
It could be "roaming" or it could be someone at the hotel who is picking up more than one access point and "flip-flopping" back and forth.  You could pose this question to 3com support and/or look at the configurations to see what kind of IAPP support they have.

Perhaps on newer APs they have something turned on by default?  Don't know the 3com APs very well, to be honest...

Do you see any other weird traffic on the network that stands out?  A sniff of these packets would tell you more possibly...

Take care,

Paul

Author Comment

by:jsturtz
ID: 11808706
Nope, nothing else suspicious.  Each hotel's net pretty much has problems keeping viruses off it.  Primarily this affects only that user; however, the hotel-wide bandwidth suffers some, so we watch and kill those users off till they run a scan and clean up.  The other offensive behaviour is file-sharing software, which can slow things up a lot.  They too get stopped and asked to quit using it while at the hotel.

The other hotels show some activity of the 10.0.0.255/2313 traffic, but nowhere near as much or as often as the one particular hotel we are looking at here.  Which is why I was concerned.

jim

Expert Comment

by:kpmas
ID: 11808793
I'm honestly not 100% sure on this one... however because it's a registered port to IAPP I would think it's legit... that doesn't answer your question as to why more traffic in this particular case.

My best educated guess is that because these were recently replaced, perhaps they have either an option turned on that the rest don't... a configuration that's slightly different, or different firmware that may behave slightly different.

Paul

Author Comment

by:jsturtz
ID: 11809526
Will try a little harder getting info from 3com, I guess.  So far they haven't replied to questions too well.  NOT

Assisted Solution

by:kpmas
kpmas earned 125 total points
ID: 11809624
Yeh, their support sucks... sorry to be blunt but we used to use (well, still have one) their RAS gear for providing dial-up internet access.  Best support we could get was from 3rd parties at a price....

Paul

Expert Comment

by:Nukfror
ID: 12370066
Ummm ... split plez