what does port 2313 do?

Posted on 2004-08-15
Last Modified: 2007-12-19
We handle support for 30+ hotels' broadband connections. We have installed the hardware for accessing the internet for those hotels, either wired or wireless. A little over half of the hotels are hooked up wirelessly using multiple access points, mostly 3Com access points (8000 or 8200). They all show minor traffic on 10.0.0.255 using port 2313, which I think is some sort of cross-talk between the APs, kind of like handshaking.

Recently, we had a hardware failure in one hotel and replaced the 2 APs in use there. Since just before replacing them, and after replacing them, we are getting much more traffic than normal on that port from both APs. I am concerned it is signifying something still wrong there, but we are not getting complaints about access, so I am not sure of my guess.

I recently sent this excerpt from our server's DAT log showing some traffic this a.m. It lists over 20 calls to the port, all in a brief period. I have seen as many as a couple of hundred all together at other times. None of the other APs come close to this many entries all at once.

Any ideas what may be going on? Should I be concerned?

(540) 10.0.0.124/1207 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1334 ---> 10.0.0.255/2313 UDP MAPPED to=1671
(541) 10.0.0.124/1208 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1335 ---> 10.0.0.255/2313 UDP MAPPED to=1667
(542) 10.0.0.124/1209 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1336 ---> 10.0.0.255/2313 UDP MAPPED to=1654
(543) 10.0.0.73/3509 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1337 ---> 10.0.0.255/2313 UDP MAPPED to=1650
(544) 10.0.0.124/1210 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1338 ---> 10.0.0.255/2313 UDP MAPPED to=1648
(545) 10.0.0.73/3510 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1339 ---> 10.0.0.255/2313 UDP MAPPED to=1618
(546) 10.0.0.124/1211 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1340 ---> 10.0.0.255/2313 UDP MAPPED to=1610
(547) 10.0.0.73/3511 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1341 ---> 10.0.0.255/2313 UDP MAPPED to=1604
(548) 10.0.0.124/1212 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1342 ---> 10.0.0.255/2313 UDP MAPPED to=1599
(549) 10.0.0.124/1213 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1343 ---> 10.0.0.255/2313 UDP MAPPED to=1599
(550) 10.0.0.73/3512 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1344 ---> 10.0.0.255/2313 UDP MAPPED to=1552
(551) 10.0.0.124/1214 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1345 ---> 10.0.0.255/2313 UDP MAPPED to=1549
(552) 10.0.0.73/3513 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1346 ---> 10.0.0.255/2313 UDP MAPPED to=1527
(553) 10.0.0.124/1215 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1348 ---> 10.0.0.255/2313 UDP MAPPED to=1526
(554) 10.0.0.23/9370 (00:0f:66:2f:1e:c0) <-> xxx.yyy.zzz.131/1349 ---> 193.64.205.202/370 UDP MAPPED to=1489
(555) 10.0.0.73/3514 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1350 ---> 10.0.0.255/2313 UDP MAPPED to=1396
(556) 10.0.0.124/1216 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1351 ---> 10.0.0.255/2313 UDP MAPPED to=1392
(557) 10.0.0.73/3515 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1352 ---> 10.0.0.255/2313 UDP MAPPED to=1379
(558) 10.0.0.124/1217 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1353 ---> 10.0.0.255/2313 UDP MAPPED to=1373
(559) 10.0.0.73/3516 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1354 ---> 10.0.0.255/2313 UDP MAPPED to=1371
(560) 10.0.0.124/1218 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1355 ---> 10.0.0.255/2313 UDP MAPPED to=1342
(561) 10.0.0.73/3517 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1356 ---> 10.0.0.255/2313 UDP MAPPED to=1334
(562) 10.0.0.124/1219 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1357 ---> 10.0.0.255/2313 UDP MAPPED to=1331
(563) 10.0.0.73/3518 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1358 ---> 10.0.0.255/2313 UDP MAPPED to=1321
(564) 10.0.0.124/1220 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1359 ---> 10.0.0.255/2313 UDP MAPPED to=1304
(565) 10.0.0.73/3519 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1360 ---> 10.0.0.255/2313 UDP MAPPED to=1296
(566) 10.0.0.124/1221 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1361 ---> 10.0.0.255/2313 UDP MAPPED to=1295
(567) 10.0.0.73/3520 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1362 ---> 10.0.0.255/2313 UDP MAPPED to=1291
(568) 10.0.0.124/1222 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1363 ---> 10.0.0.255/2313 UDP MAPPED to=1290
(569) 10.0.0.73/3521 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1364 ---> 10.0.0.255/2313 UDP MAPPED to=1279
(570) 10.0.0.73/3522 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1365 ---> 10.0.0.255/2313 UDP MAPPED to=1277
(571) 10.0.0.124/1223 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1366 ---> 10.0.0.255/2313 UDP MAPPED to=1269
(572) 10.0.0.124/1224 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1367 ---> 10.0.0.255/2313 UDP MAPPED to=1267
(573) 10.0.0.124/1225 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1368 ---> 10.0.0.255/2313 UDP MAPPED to=1254
(574) 10.0.0.73/3523 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1369 ---> 10.0.0.255/2313 UDP MAPPED to=1217
(575) 10.0.0.124/1226 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1370 ---> 10.0.0.255/2313 UDP MAPPED to=1203
(576) 10.0.0.73/3524 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1371 ---> 10.0.0.255/2313 UDP MAPPED to=1201
(577) 10.0.0.124/1227 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1372 ---> 10.0.0.255/2313 UDP MAPPED to=1196
(578) 10.0.0.73/3525 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1373 ---> 10.0.0.255/2313 UDP MAPPED to=1176
(579) 10.0.0.124/1228 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1374 ---> 10.0.0.255/2313 UDP MAPPED to=1158
(580) 10.0.0.124/1229 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1375 ---> 10.0.0.255/2313 UDP MAPPED to=1157

thanks.

jim

Question by: jsturtz
14 Comments
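The question is really "is this many 2313 broadcasts from two APs normal?", and that is easier to answer with numbers per sender than by eyeballing the excerpt. The following is an added example, not part of the original post or any 3Com tooling: it parses the DAT-log format shown above (the field layout is inferred from the excerpt itself; the trailing MAPPED to= value is captured but not interpreted, since the page does not say what it means), keeps only UDP datagrams to 10.0.0.255/2313, and counts them per source IP and MAC. The sample lines are copied from the excerpt, with the one non-2313 entry left in so the filter has something to reject; the burst threshold is an assumption you would tune per site.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the DAT-log excerpt in the
# question (xxx.yyy.zzz.131 is the poster's own redaction of the public
# address), plus the one entry that is not a 2313 broadcast.
SAMPLE_LOG = """\
(540) 10.0.0.124/1207 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1334 ---> 10.0.0.255/2313 UDP MAPPED to=1671
(541) 10.0.0.124/1208 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1335 ---> 10.0.0.255/2313 UDP MAPPED to=1667
(542) 10.0.0.124/1209 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1336 ---> 10.0.0.255/2313 UDP MAPPED to=1654
(543) 10.0.0.73/3509 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1337 ---> 10.0.0.255/2313 UDP MAPPED to=1650
(544) 10.0.0.124/1210 (00:0e:6a:cd:82:77) <-> xxx.yyy.zzz.131/1338 ---> 10.0.0.255/2313 UDP MAPPED to=1648
(545) 10.0.0.73/3510 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1339 ---> 10.0.0.255/2313 UDP MAPPED to=1618
(554) 10.0.0.23/9370 (00:0f:66:2f:1e:c0) <-> xxx.yyy.zzz.131/1349 ---> 193.64.205.202/370 UDP MAPPED to=1489
(555) 10.0.0.73/3514 (00:0e:6a:cd:81:e1) <-> xxx.yyy.zzz.131/1350 ---> 10.0.0.255/2313 UDP MAPPED to=1396
"""

# One line: "(seq) src/port (mac) <-> natip/natport ---> dst/port PROTO MAPPED to=N"
LINE_RE = re.compile(
    r"^\((?P<seq>\d+)\)\s+"
    r"(?P<src_ip>[\w.]+)/(?P<src_port>\d+)\s+"
    r"\((?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\)\s+<->\s+"
    r"(?P<nat_ip>[\w.]+)/(?P<nat_port>\d+)\s+--->\s+"
    r"(?P<dst_ip>[\w.]+)/(?P<dst_port>\d+)\s+"
    r"(?P<proto>[A-Z]+)\s+MAPPED to=(?P<mapped>\d+)$"
)


@dataclass(frozen=True)
class Entry:
    seq: int
    src_ip: str
    src_port: int
    mac: str
    dst_ip: str
    dst_port: int
    proto: str


def parse_line(line):
    """Return an Entry for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Entry(int(m["seq"]), m["src_ip"], int(m["src_port"]), m["mac"],
                 m["dst_ip"], int(m["dst_port"]), m["proto"])


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def iapp_broadcasts(entries, dst_ip="10.0.0.255", dst_port=2313):
    """Keep only UDP datagrams to the subnet broadcast on the IAPP port."""
    return [e for e in entries
            if e.proto == "UDP" and e.dst_ip == dst_ip and e.dst_port == dst_port]


def per_sender(entries):
    """Group by (src_ip, mac): how many datagrams, and whether the source
    ports walk up by exactly one (a fresh ephemeral socket per datagram)."""
    stats = {}
    for e in sorted(entries, key=lambda e: e.seq):
        s = stats.setdefault((e.src_ip, e.mac), {"count": 0, "ports": []})
        s["count"] += 1
        s["ports"].append(e.src_port)
    for s in stats.values():
        p = s["ports"]
        s["sequential_ports"] = all(b - a == 1 for a, b in zip(p, p[1:]))
    return stats


def flag_chatty(stats, threshold):
    """Senders with at least `threshold` broadcasts in the excerpt.
    The threshold is a site-specific assumption, not something the log defines."""
    return sorted(k for k, s in stats.items() if s["count"] >= threshold)


if __name__ == "__main__":
    stats = per_sender(iapp_broadcasts(parse_log(SAMPLE_LOG)))
    for (ip, mac), s in stats.items():
        print(f"{ip} ({mac}): {s['count']} broadcasts, ports {s['ports']}, "
              f"sequential={s['sequential_ports']}")
    print("chatty:", flag_chatty(stats, 4))
```

Run over a day's log rather than the excerpt, the per-sender counts give you a baseline from the other hotels' APs to compare the two replaced units against. One thing worth checking while you are at it: every one of these broadcasts shows up with a NAT mapping on the gateway, so confirm the gateway is not actually forwarding them off the subnet.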
 
Accepted Solution

by:
Nukfror earned 125 total points
ID: 11804005
Expert Comment

by:kpmas
ID: 11804015
This is broadcast traffic, so it appears that the access points (presuming those source IPs are access points) are looking for something network-wide that they do not know how to find.

As long as this traffic isn't leaking, it's probably not a big deal; however, from a security perspective I'd look at getting rid of it if possible. It depends on your view of security, as it would take some considerable work to exploit, but if these are management packets for a centralized access point system (just for example), then it's a perfect way to hijack a wireless LAN....

Do you have a management system that can talk to all APs at the same time? What kind of security/firewalling do you use internally?

Can you take a packet capture of this stuff so we can see the contents of these packets?  That's probably the fastest way to answer your question...

Thanks,

Paul
Expert Comment

by:kpmas
ID: 11804032
Sorry... let's try this again...

IAPP (Inter Access Point Protocol) is port 2313/UDP.

Wish I had read your entire posting before making the last comments... heh heh...

IAPP allows for roaming between access points without the client losing their connection. So, if you have clients moving around your hotel, they will continue to have a connection even though they are possibly changing access points.

A lot of this is "cutting edge", and if you want a reference, take a look at the IEEE 802.11F standard...

Paul
0
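The IAPP message an AP sends to the other APs on its subnet when a station associates is the ADD-notify, which is consistent with the UDP datagrams to 10.0.0.255/2313 in the log. The packet capture suggested earlier would show which station MACs are being announced, and that is what separates "many guests associating" from "one client bouncing between the two new APs". The following is an added example, not from the original thread or from 3Com: it builds and decodes ADD-notify packets using the 802.11F layout (the same one hostapd's iapp.c implements): a 6-byte header of version 0, command, identifier and total length, followed by a 10-byte body of address length, reserved byte, station MAC and 802.11 sequence number. The AP addresses are the two from the log; the station MACs, packet sequence and the non-IAPP datagram are constructed.

```python
import struct

IAPP_UDP_PORT = 2313            # IANA-registered "iapp"; the port in the posted log
IAPP_VERSION = 0
IAPP_COMMANDS = {0: "ADD-notify", 1: "MOVE-notify", 2: "MOVE-response",
                 3: "Send-Security-Block", 4: "ACK-Security-Block",
                 5: "CACHE-notify", 6: "CACHE-response"}

# 802.11F IAPP header: version, command, identifier, length. The length
# covers the whole packet including this header. Network byte order.
HDR = struct.Struct("!BBHH")
# ADD-notify body: address length (6), reserved, station MAC, 802.11 seq num.
ADD = struct.Struct("!BB6sH")


def build_add_notify(identifier, station_mac, seq_num):
    """Encode an ADD-notify as an AP would broadcast it on UDP 2313."""
    body = ADD.pack(6, 0, bytes.fromhex(station_mac.replace(":", "")), seq_num)
    return HDR.pack(IAPP_VERSION, 0, identifier, HDR.size + len(body)) + body


def decode_iapp(datagram):
    """Decode one datagram; None if it is not a well-formed IAPP v0 packet.
    Only the ADD-notify body is parsed; other commands are named only."""
    if len(datagram) < HDR.size:
        return None
    version, command, identifier, length = HDR.unpack_from(datagram)
    if version != IAPP_VERSION or length != len(datagram):
        return None
    pkt = {"command": IAPP_COMMANDS.get(command, f"unknown({command})"),
           "identifier": identifier}
    if command == 0:
        if length != HDR.size + ADD.size:
            return None
        addr_len, _reserved, mac, seq_num = ADD.unpack_from(datagram, HDR.size)
        if addr_len != 6:
            return None
        pkt["station"] = ":".join(f"{b:02x}" for b in mac)
        pkt["seq_num"] = seq_num
    return pkt


def summarise(capture):
    """capture: list of (sender_ip, datagram). Returns per-station stats
    and how many datagrams were discarded as not being IAPP."""
    stations, discarded = {}, 0
    for sender, datagram in capture:
        pkt = decode_iapp(datagram)
        if pkt is None:
            discarded += 1
            continue
        if pkt["command"] != "ADD-notify":
            continue
        s = stations.setdefault(pkt["station"], {"notifies": 0, "aps": set()})
        s["notifies"] += 1
        s["aps"].add(sender)
    return stations, discarded


def roamers(stations):
    """Stations announced by more than one AP: roaming, or flip-flopping."""
    return sorted(mac for mac, s in stations.items() if len(s["aps"]) > 1)


# Constructed capture (not from the question): the two AP addresses from the
# posted log, two made-up station MACs, and one datagram that is not IAPP.
STA_A, STA_B = "00:40:96:aa:bb:cc", "00:40:96:dd:ee:ff"
CAPTURE = [
    ("10.0.0.124", build_add_notify(1, STA_A, 10)),
    ("10.0.0.73",  build_add_notify(1, STA_A, 11)),
    ("10.0.0.124", build_add_notify(2, STA_A, 12)),
    ("10.0.0.73",  build_add_notify(2, STA_B, 5)),
    ("10.0.0.124", b"\x01not-iapp"),
]

if __name__ == "__main__":
    stations, discarded = summarise(CAPTURE)
    for mac, s in stations.items():
        print(f"{mac}: {s['notifies']} ADD-notify from {sorted(s['aps'])}")
    print("seen on more than one AP:", roamers(stations), "discarded:", discarded)
```

Fed the payloads of a real capture (for instance from `tcpdump -s0 -w iapp.pcap udp port 2313` on the AP subnet), one ADD-notify per distinct MAC means guests associating, while the same MAC announced alternately by 10.0.0.124 and 10.0.0.73 means a client flip-flopping between the two new APs. One caveat for the security angle raised above: an ADD-notify carries no authenticator, so any host on the subnet can send one, which is a good reason to keep UDP 2313 confined to the AP segment rather than letting it cross the gateway.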
 
Author Comment

by:jsturtz
ID: 11805801
So you think this is related to someone walking around with a wireless link? I suppose it is possible; it might be a tad unusual. But I am not even close to the hotel to check.

But it definitely isn't any kind of diagnostic or 'check-in' type traffic the access points themselves are using that is suddenly spurting lots of stuff. That is what I was concerned about.

thanks.

jim
Expert Comment

by:kpmas
ID: 11806043
It could be "roaming", or it could be someone at the hotel who is picking up more than one access point and "flip-flopping" back and forth. You could pose this question to 3Com support and/or look at the configurations to see what kind of IAPP support they have.

Perhaps on newer APs they have something turned on by default? Don't know the 3Com APs very well, to be honest...

Do you see any other weird traffic on the network that stands out? A sniff of these packets would tell you more, possibly...

Take care,

Paul
Author Comment

by:jsturtz
ID: 11808706
Nope, nothing else suspicious. Each hotel's net pretty much has problems keeping viruses off it. Primarily this affects only that user; however, the hotel-wide bandwidth suffers some, so we watch and kill those users off till they run a scan and clean up. The other offensive behaviour is file-sharing software, which can slow things up a lot. They too get stopped and asked to quit using it while at the hotel.

The other hotels show some activity of the 10.0.0.255/2313 traffic, but nowhere near as much or as often as the one particular hotel we are looking at here, which is why I was concerned.

jim
Expert Comment

by:kpmas
ID: 11808793
I'm honestly not 100% sure on this one... however, because it's a registered port for IAPP, I would think it's legit... That doesn't answer your question as to why there is more traffic in this particular case.

My best educated guess is that because these were recently replaced, perhaps they have either an option turned on that the rest don't, a configuration that's slightly different, or different firmware that may behave slightly differently.

Paul
Author Comment

by:jsturtz
ID: 11809526
Will try a little harder getting info from 3Com, I guess. So far they haven't replied to questions too well. NOT
Assisted Solution

by:kpmas
kpmas earned 125 total points
ID: 11809624
Yeah, their support sucks... sorry to be blunt, but we used to use (well, still have one) their RAS gear for providing dial-up internet access. The best support we could get was from 3rd parties, at a price....

Paul
Expert Comment

by:Nukfror
ID: 12370066
Ummm ... split plez