[avahi] malformed mDNS data in wireshark?
Frank Graffagnino
frank.graffagnino at metecs.com
Wed Jul 30 08:20:56 PDT 2014
My apologies in advance if this isn't the best place to post this.
We recently had some software that is set up to respond to mDNS requests and
we noticed a log filling up exponentially. After investigation, we found
that it was reporting a corrupted mDNS packet and logging tons of data about
it. We captured the data from wireshark and found many mDNS packets on port
5353 that wireshark reported as "malformed". We could also see valid mDNS
queries and responses elsewhere in the log. However, the malformed packets
seemed to be appearing about every 2 seconds.
The only discernible ASCII information in the packet was the string:
{"command": "broadcast"}
Looking at the source IP information on the packet, we went to that machine
which turned out to be a Ubuntu 12.10 machine. I have confirmed that if I
run "nc -lup 5353" on that Ubuntu 12.10 machine, that I see the text string
above, and if I shut down the avahi daemon (with "sudo service avahi-daemon
stop") that I no longer see that print out from port 5353 when listening
with netcat.
Now, my google-fu is not too bad, and the only thing I could find that sort
of smelled like this was this post:
http://lists.freedesktop.org/archives/avahi/2007-August/001110.html
But the data on that posting is way back in 2007, so it certainly seems like
the avahi package in Ubuntu 12.10 should have that fix. The ubuntu avahi
package reports as: 0.6.31-1ubuntu2
Has anyone else seen this? Any ideas on why the packet is malformed or
where it is coming from?
Thanks!
FG
More information about the avahi
mailing list