[avahi] malformed mDNS data in wireshark?

Frank Graffagnino frank.graffagnino at metecs.com
Wed Jul 30 08:20:56 PDT 2014


My apologies in advance if this isn't the best place to post this.

We recently had some software that is set up to respond to mDNS requests and 
we noticed a log filling up exponentially.  After investigation, we found 
that it was reporting a corrupted mDNS packet and logging tons of data about 
it.  We captured the data from wireshark and found many mDNS packets on port 
5353 that wireshark reported as "malformed".  We could also see valid mDNS 
queries and responses elsewhere in the log.  However, the malformed packets 
seemed to be appearing about every 2 seconds.

The only discernible ASCII information in the packet was the string:

  {"command": "broadcast"}

Looking at the source IP information on the packet, we went to that machine, 
which turned out to be an Ubuntu 12.10 machine.  I have confirmed that if I 
run "nc -lup 5353" on that Ubuntu 12.10 machine, I see the text string 
above, and if I shut down the avahi daemon (with "sudo service avahi-daemon 
stop"), I no longer see that printout from port 5353 when listening 
with netcat.

Now, my google-fu is not too bad, and the only thing I could find that sort 
of smelled like this was this post:  
http://lists.freedesktop.org/archives/avahi/2007-August/001110.html

But the data on that posting is way back in 2007, so it certainly seems like 
the avahi package in Ubuntu 12.10 should have that fix.  The ubuntu avahi 
package reports as: 0.6.31-1ubuntu2

Has anyone else seen this?  Any ideas on why the packet is malformed or 
where it is coming from?

Thanks!

FG
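
Added example, not part of the original post and not Avahi or Wireshark code: a minimal structural check that separates a well-formed DNS message on port 5353 from a non-DNS payload such as the JSON string quoted above, and reports why the payload fails to parse. The function names and both sample packets are constructed for illustration, and the example assumes the stray payload consisted of the quoted string alone.

```python
import struct

def skip_name(buf, off):
    """Return the offset just past the DNS name that starts at off."""
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of packet")
        length = buf[off]
        if length == 0:                      # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:            # compression pointer ends the name
            if off + 2 > len(buf):
                raise ValueError("truncated compression pointer")
            return off + 2
        if length & 0xC0:                    # 0x40 / 0x80 label types are reserved
            raise ValueError("reserved label type 0x%02x" % length)
        off += 1 + length

def check_dns(buf):
    """Return None if buf parses as one DNS message, else the reason it does not."""
    if len(buf) < 12:
        return "shorter than the 12-byte DNS header"
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", buf[:12])
    off = 12
    try:
        for _ in range(qd):                  # question: name, QTYPE, QCLASS
            off = skip_name(buf, off) + 4
            if off > len(buf):
                raise ValueError("truncated question")
        for _ in range(an + ns + ar):        # record: name, 10 fixed bytes, RDATA
            off = skip_name(buf, off)
            if off + 10 > len(buf):
                raise ValueError("truncated record header")
            off += 10 + struct.unpack("!H", buf[off + 8:off + 10])[0]
            if off > len(buf):
                raise ValueError("RDATA runs past end of packet")
    except ValueError as exc:
        return str(exc)
    # Strictness choice of this example: bytes after the last record are rejected.
    return None if off == len(buf) else "%d trailing bytes" % (len(buf) - off)

def encode_name(name):
    return b"".join(bytes([len(p)]) + p for p in name.split(b".")) + b"\0"

# Constructed samples: a PTR query, and the string quoted in the post as a raw payload.
QUERY = struct.pack("!6H", 0, 0, 1, 0, 0, 0) + encode_name(b"_http._tcp.local") + struct.pack("!2H", 12, 1)
JSON_PAYLOAD = b'{"command": "broadcast"}'

if __name__ == "__main__":
    for label, pkt in (("query", QUERY), ("json", JSON_PAYLOAD)):
        print(label, check_dns(pkt) or "well-formed DNS")
```

Read as a DNS header, the first 12 bytes of the JSON text decode to a question count in the tens of thousands, and the first "name" then claims a label longer than the rest of the packet, which is the kind of inconsistency a dissector flags as malformed.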


