How to Determine what service is sending out syn packets to other LAN


I am running wireshark on an iMac running El Capitan (10.11.6).

When I monitor the traffic on this machine (which is on an internal LAN IP of 10.0.100.10x) I see my IP sending SYN packets to port 7000 of IP address 192.168.1.4. I am then seeing lots of retransmissions of the SYN packets because I am obviously not attached to a network in the 192.x.x.x range and never have been.

Screenshot: https://cl.ly/038d104b3e23

I have stopped all the running programs that OS X will let me stop, logged in on the Mac as a new user, and switched between the wired eth0 and wireless eth1 networks. No matter what I do or change, my Mac keeps sending SYN packets to 192.168.1.4 port 7000. There are about 15 other iMacs on the same LAN and none of them are displaying the same behaviour.

Does anyone know of a way to isolate what program or service on my Mac is transmitting the packets or have an idea of what might be going on?

SparkE Helper
asked 2019-11-05 20:54:44 +0000, updated 2019-11-05 21:04:21 +0000

Comments

https://www.wireshark.org/tools/oui-l... The MAC address for the destination maps to a TP-Link device.
B0:4E:26 Tp-LinkT Tp-Link Technologies Co.,Ltd.
Is that the default gateway?

Do you have access to "lsof" on the Mac? Try "lsof -P -i :7000".

Chuckc (2019-11-05 22:00:51 +0000)

Thanks bubbasnmp! (I get a 404 page on the link you posted.) Yes, the router is the TP-Link device you see. I do have lsof, and when I run it using the parameters you posted (with sudo) I get no results returned... however I felt you were on to something, so I just ran it as "lsof -i -n" and I got this little nugget:

AirPlayXP 108 root 10u IPv4 0xa9ac62b45e6d1631 0t0 TCP 10.0.100.101:50338->192.168.1.4:afs3-fileserver (SYN_SENT).

I did read somewhere that port 7000 is for Apple File Sharing protocol and I see the "afs3-fileserver" so that makes sense, but it looks like it has something to do with AirPlay. That gives me something to go on. So glad you commented!

SparkE Helper (2019-11-05 23:35:16 +0000)

Sorry - fat fingered the link - https://www.wireshark.org/tools/oui-l...

The mapping of port number to text name is in /etc/services. Also available in the Wireshark program directory "services" file. Good luck with the rest of your search.

Chuckc (2019-11-06 03:54:28 +0000)

If others stumble across this in the future, use netstat to look for programs on ports. Requires Admin privs on Windows or root on Linux.

Windows: netstat -anb
Linux: netstat -anp

See comments above for use of "lsof" for Mac and, if loaded, Linux.

Chuckc (2019-11-06 04:10:55 +0000)
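The lsof approach from the comments, as an added shell example that is not part of the original thread: it filters lsof output for connections in SYN_SENT (the state the AirPlayXP entry showed) and names the owning process, then resolves a numeric port to its /etc/services name the way lsof did with "afs3-fileserver". The sample lsof and services lines are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread): filter `lsof -i -n -P` output
# for TCP connections stuck in SYN_SENT and name the owning process, then
# resolve a numeric port to its /etc/services name (as lsof did with
# "afs3-fileserver" above). Sample data below is constructed, not captured.

# Constructed sample of `sudo lsof -i -n -P` output. Column layout matches
# lsof: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE].
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd       1 root   22u  IPv4 0xa9ac62b45e6d0000      0t0  TCP *:22 (LISTEN)
AirPlayXP   108 root   10u  IPv4 0xa9ac62b45e6d1631      0t0  TCP 10.0.100.101:50338->192.168.1.4:7000 (SYN_SENT)
Safari     4021 bob    31u  IPv4 0xa9ac62b45e6d2222      0t0  TCP 10.0.100.101:50412->93.184.216.34:443 (ESTABLISHED)
mDNSRespon  104 _mdns   7u  IPv4 0xa9ac62b45e6d3333      0t0  UDP *:5353'

# Constructed excerpt in /etc/services format.
SAMPLE_SERVICES='ssh              22/tcp     # SSH Remote Login Protocol
afs3-fileserver  7000/tcp   # file server itself
afs3-fileserver  7000/udp   # file server itself'

# syn_sent_owners: read lsof output on stdin; print "COMMAND PID REMOTE" for
# each TCP connection in SYN_SENT. The state is the last field and the
# local->remote endpoint pair is the field before it.
syn_sent_owners() {
  awk '$NF == "(SYN_SENT)" {
         split($(NF-1), ep, "->")      # ep[2] is the remote host:port
         print $1, $2, ep[2]
       }'
}

# service_name PORT PROTO: read a services-format file on stdin and print the
# first name registered for PORT/PROTO (e.g. 7000 tcp -> afs3-fileserver).
service_name() {
  awk -v want="$1/$2" '$1 !~ /^#/ && $2 == want { print $1; exit }'
}

# Stand-alone demo on the constructed data. On a live Mac replace the first
# line with: sudo lsof -i -n -P | syn_sent_owners
printf '%s\n' "$SAMPLE_LSOF" | syn_sent_owners
printf '%s\n' "$SAMPLE_SERVICES" | service_name 7000 tcp
```

The remote host:port it prints is the value to plug into a Wireshark display filter to confirm the capture and the process view agree.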