Even if it’s not running? I have been trying to find out which program on my computer is using SSDP messages and I believe it is Battlefield 3. When I log into Battlefield 3, Comodo alerted me that the program was trying to make an outbound connection using SSDP port 1900. I allowed this just to see what would happen. As of now I don’t think it has had any negative impact on my computer? My biggest concern is that some ■■■■ is spying on me without my knowledge. I used Wireshark in promiscuous mode on and off; with promiscuous mode off I don’t get the SSDP messages, but with it on I get dozens of SSDP messages. When I log into my VPN I don’t get any SSDP messages until I start up Battlefield 3. Can Battlefield 3 send SSDP messages even though the ■■■■ thing isn’t running??
I forgot to mention that I use a router that has wireless capabilities. Could the wireless function on the router be responsible for the SSDP notify requests? In Wireshark the packet says it has something to do with “WIFI ALLIANCE” and it’s being run on a Linux server. I’m not running Linux.
In your earlier thread you said:
The IP it originates from is my default gateway. This is how it goes, I plug in my internet then I get dozens of requests from my default gateway to send to the 239 IP.
Perhaps it would be helpful if you posted the Wireshark log.
As far as the Wi-Fi Alliance, they are simply a certification and standards body for WiFi products. You’ll also find most routers run some form of Linux as their firmware.
Thank you for the response, Radaghast. I’m not sure how to upload the Wireshark file. I tried it but it said the file is not allowed? I have a capture of my VPN connection; when I get home I will capture it on my original IP. Is there any way I can message it to you?
If you want to attach the capture(s) to a post, either rename it with a .txt extension or zip the file first. If you don’t want to post it here, you can upload it to something like SkyDrive, Dropbox or a filehost like MediaFire and PM me the address.
Edit: You might mention the make and model of your router, too.
Thanks for the reply, Radaghast. I sent you the file through messages. Thank you again.
Thanks for the file. As suspected, the SSDP notify messages are originating from your router and not your PC. These messages are multicast datagrams (239.255.255.250) which means all devices on the local subnet will receive them. If you want to stop these, you’ll have to disable the related services on your router, probably UPnP.
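Added example (not part of the original thread): a small Python sketch of the check described in the reply above, grouping multicast SSDP datagrams by source address to tell a device advertising itself (NOTIFY, as a router does) from a client searching for devices (M-SEARCH). The packet tuples, IP addresses and the `ExampleRouter` product string are constructed for illustration, and the tuple layout is an assumption about how fields were exported from a capture.

```python
from collections import defaultdict

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900

def parse_ssdp(payload: bytes):
    """Return (method, headers) for an SSDP request datagram, else None."""
    try:
        lines = payload.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    start = lines[0].split()
    if len(start) != 3 or start[0] not in ("NOTIFY", "M-SEARCH") or start[1] != "*":
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            headers[name.strip().upper()] = value.strip()
    return start[0], headers

def summarize(packets):
    """Group multicast SSDP traffic by source IP.
    NOTIFY = a device advertising itself; M-SEARCH = a client looking for devices."""
    report = defaultdict(lambda: {"NOTIFY": 0, "M-SEARCH": 0, "server": set(), "types": set()})
    for src, dst, dport, payload in packets:
        parsed = parse_ssdp(payload) if (dst, dport) == (SSDP_GROUP, SSDP_PORT) else None
        if parsed is None:
            continue
        method, headers = parsed
        report[src][method] += 1
        if "SERVER" in headers:
            report[src]["server"].add(headers["SERVER"])
        target = headers.get("NT") or headers.get("ST")
        if target:
            report[src]["types"].add(target)
    return dict(report)

# Constructed sample: (src_ip, dst_ip, dst_port, udp_payload); all values are made up.
ALIVE = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
         b"NT: urn:schemas-wifialliance-org:device:WFADevice:1\r\nNTS: ssdp:alive\r\n"
         b"SERVER: Linux/2.6 UPnP/1.0 ExampleRouter/1.0\r\n\r\n")
SEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b'MAN: "ssdp:discover"\r\nMX: 3\r\nST: upnp:rootdevice\r\n\r\n')
SAMPLE = [("192.168.1.1", SSDP_GROUP, 1900, ALIVE), ("192.168.1.1", SSDP_GROUP, 1900, ALIVE),
          ("192.168.1.20", SSDP_GROUP, 1900, SEARCH), ("192.168.1.20", "8.8.8.8", 53, b"\x12\x34")]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, info)
```

In the sample, the gateway address shows only NOTIFY advertisements with a Linux `SERVER` string, while the PC address shows only an M-SEARCH query.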
That’s what’s driving me crazy. I have UPnP disabled on my router but still I get these. I have UPnP disabled on my router and on my PC. Do you think my router could be defective?
From what you see, Radaghast, could that be a potential security risk?? Thanks again for the help, I really appreciate it!
Two things.
- These multicasts are quite normal and are for the local subnet only, i.e., your LAN. As far as I’m aware, the only potential ‘threat’ is via a UPnP exploit, which you can test for at GRC’s UPnP Exposure Test.
- If you can provide the make and model of router, maybe I can see something in the settings.
As soon as I get home I will let you know the make and model. Thanks again. :-TU