Can someone explain to me what's going on?

OK, there are no firewall logs of SSDP connection attempts, but when I load up Wireshark I’m getting thousands of SSDP messages from my IP to 239.255.255.250. I disabled SSDP on my computer and router, so why am I getting these?? When I go on my VPN connection I don’t get any of these requests. Can someone please tell me what’s going on and if I should be concerned?

Welcome to the forum.

If you’ve stopped and disabled SSDP and UPnP services on the PC and disabled similar services on your router - assuming they’re the only devices available - you shouldn’t be seeing any activity of this type. Just to be clear, network discovery also uses 239.255.255.250.

With regard to the logs, you won’t see any for this kind of traffic, because these are hosted services - they run under the context of svchost - and svchost.exe is allowed any outbound connection - it’s part of the Windows System Applications group.

Thanks for the reply Radaghast. I’m not sure if I’ve completely disabled it yet. I went into services.msc and disabled it through there, but I still get the requests. Then I loaded up Comodo’s Autorun Analyzer and found ssdpsrv.dll. I tried to disable it but it said “access denied”. I tried it with admin privileges and it still said access denied. I’m on Windows 8; Comodo Autorun Analyzer let me disable every other service I wanted except this one. I tried blocking it with Comodo’s file block but it didn’t help; I am still getting SSDP packets. It’s driving me crazy!! Would a Comodo tech be able to diagnose this problem remotely, you think?

There are two services involved with this, SSDP and UPnP - although stopping SSDP should be enough - both of which can be stopped and disabled via services.msc.

Another thing to consider: when you run Wireshark it defaults to promiscuous mode - all traffic on the wire. With that in mind, did you check the source address of the events?

As far as using Autoruns Analyser for disabling and reporting the status of services, you’d do better using services.msc, as ARA fails to report and disable correctly, especially on Windows 8.

I have both of those options disabled. I used Comodo Autorun Analyzer to disable them. It seems effective, as it removes them completely from services.msc, except ssdpsrv.dll; that file was access denied, so I used a registry hack; that way I can inherit the permissions of ssdpsrv.dll. I successfully removed the file but I’m still getting hundreds of SSDP notify requests. The IP it originates from is my default gateway. This is how it goes: I plug in my internet, then I get dozens of requests from my default gateway to send to the 239 IP.

Unfortunately, I don’t have the answer to your problem; however, in the past when I noticed SSDP traffic on my PC, I went looking for what application was sending them. In my case, it was Skype on another computer connected to the same network, which was sending SSDP requests every second. To cure it I disabled UPnP in the Skype settings on the other computer.

If the source of the events is your router (your default gateway), you need to disable the appropriate services on that device.
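
The source-address check discussed in this thread, as an added example that is not part of any post: a Python sketch that groups SSDP datagrams by sender and pulls out the headers that identify the device or application. It assumes the capture has been exported as (source IP, UDP payload) pairs; the function names, addresses and product strings are hypothetical.

```python
from collections import Counter, defaultdict

def parse_ssdp(payload: bytes):
    """Parse one SSDP datagram (HTTP-style text over UDP) into (kind, headers)."""
    lines = payload.decode("utf-8", errors="replace").split("\r\n")
    first = lines[0].split(" ", 1)[0].upper()
    # Unicast search responses begin with "HTTP/1.1 200 OK" instead of a method.
    kind = "RESPONSE" if first.startswith("HTTP/") else first
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line terminates the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return kind, headers

def summarize(packets):
    """Group (source_ip, udp_payload) pairs by sender to show who is talking."""
    report = defaultdict(lambda: {"kinds": Counter(), "ident": set(), "location": set()})
    for src, payload in packets:
        kind, headers = parse_ssdp(payload)
        entry = report[src]
        entry["kinds"][kind] += 1
        # NOTIFY senders identify themselves in SERVER, searchers in USER-AGENT.
        for key in ("SERVER", "USER-AGENT"):
            if key in headers:
                entry["ident"].add(headers[key])
        if "LOCATION" in headers:
            entry["location"].add(headers["LOCATION"])
    return dict(report)

def foreign_senders(report, local_ip):
    """Sources other than this PC, i.e. traffic another LAN device originated."""
    return sorted(ip for ip in report if ip != local_ip)

# Constructed sample: (source IP, UDP payload) pairs as exported from a capture.
# All addresses and product strings below are made up for illustration.
NOTIFY = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
          b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
          b"SERVER: ExampleRouterOS/1.0 UPnP/1.0 ExampleIGD/1.0\r\n\r\n")
MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           b'MAN: "ssdp:discover"\r\nMX: 3\r\nST: ssdp:all\r\n'
           b"USER-AGENT: ExampleApp/1.0\r\n\r\n")
SAMPLE = [("192.168.1.1", NOTIFY)] * 3 + [("192.168.1.23", MSEARCH)]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, dict(info["kinds"]), sorted(info["ident"]), sorted(info["location"]))
```

A sender that only emits NOTIFY with a LOCATION URL is a device advertising itself (typically a router or media device), while M-SEARCH with a USER-AGENT points at an application doing discovery.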