
Why Src My Computer Accessing An Apple IP Address Dst. When I Did Not Search This Out?

Why is my computer accessing an Apple IP address when I did not even search for anything on or about this scanstat port? How would I find out more about this?

Thank you so very much

Vtechie

Frame 10027: 66 bytes on wire, 66 bytes captured on interface \Device\NPF_{}, id 0
Ethernet II, Src: Dell_ (), Dst: ASUSTekC_()
Internet Protocol Version 4, Src: 192.168.50.112 (192.168.50.112), Dst: 17.253.25.202 (17.253.25.202)
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 52
    Identification: 0x0e7c (3708)
    Flags: 0x40, Don't fragment
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 128
    Protocol: TCP (6)
    Header Checksum: 0x0000 incorrect, should be 0xcd68(may be caused by "IP checksum offload"?)
        [Expert Info (Error/Checksum): Bad checksum [should be 0xcd68]]
    [Header checksum status: Bad]
    [Calculated Checksum: 0xcd68]
    Source Address: 192.168.50.112 (192.168.50.112)
    <Source or Destination Address: 192.168.50.112 (192.168.50.112)>
    <[Source Host: 192.168.50.112]>
    <[Source or Destination Host: 192.168.50.112]>
    Destination Address: 17.253.25.202 (17.253.25.202)
    <Source or Destination Address: 17.253.25.202 (17.253.25.202)>
    <[Destination Host: 17.253.25.202]>
    <[Source or Destination Host: 17.253.25.202]>
Transmission Control Protocol, Src Port: scanstat-1 (1215), Dst Port: http (80), Seq: 0, Len: 0
    Source Port: scanstat-1 (1215)
    Destination Port: http (80)
    <Source or Destination Port: scanstat-1 (1215)>
    <Source or Destination Port: http (80)>
    [Stream index: 103]
    [Conversation completeness: Incomplete, DATA (15)]
    [TCP Segment Len: 0]
    Sequence Number: 0    (relative sequence number)
    Sequence Number (raw): 2632828988
    [Next Sequence Number: 1    (relative sequence number)]
    Acknowledgment Number: 0
    Acknowledgment number (raw): 0
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x002 (SYN)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish request (SYN): server port80]
                [Connection establish request (SYN): server port 80]
                <Message: Connection establish request (SYN): server port 80>
                [Severity level: Chat]
                [Group: Sequence]
        .... .... ...0 = Fin: Not set
        [TCP Flags: ··········S·]
    Window: 64240
    [Calculated window size: 64240]
    Checksum: 0x1f06 incorrect, should be 0xeb06(maybe caused by "TCP checksum offload"?)
        [Expert Info (Error/Checksum): Bad checksum [should be 0xeb06]]
            [Bad checksum [should be 0xeb06]]
            <Message: Bad checksum [should be 0xeb06]>
            [Severity level: Error]
            [Group: Checksum]
    [Checksum Status: Bad]
    [Calculated Checksum: 0xeb06]
    Urgent Pointer: 0
    Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted
        TCP Option - Maximum segment size: 1460 bytes
        TCP Option - No-Operation (NOP)
        TCP Option - Window scale: 8 (multiply by 256)
        TCP Option - No-Operation (NOP)
        TCP Option - No-Operation (NOP)
        TCP Option - SACK permitted
    [Timestamps]
        [Time since first frame in this TCP stream ...
Vtechie
asked 2022-07-24 21:06:00 +0000
Guy Harris
updated 2022-07-25 09:15:16 +0000

1 Answer

Why is my computer accessing a Apple IP Address when I did not even search for anything on or about this scanstat port.

Not all traffic from a machine comes from something you did. It could be software you installed - for example, do you have iTunes-for-Windows installed on your machine?

How would I find out more about this.

1) Do a web search for "uschi5-vip-bx-002.aaplimg.com", which is the host name corresponding to that IP address. A similar host name showed up on this question on an Apple discussion board - one answer notes, based on a VentureBeat story, that it's part of a "content distribution network" (CDN) set up by Apple to allow them to pump out a lot of data to multiple clients, and suggests that "Besides SW updates I believe it's used for syncing iTunes & other things", and another answer asks "If it is iTunes could it be Apple Music streaming radio or iCloud?"

2) It's to port 80, so it's attempting non-TLS-encrypted HTTP; if it doesn't end up getting redirected to an https:// site, so that it switches to TLS, you may be able to look at the traffic to see what it is.

Guy Harris
answered 2022-07-25 09:35:55 +0000
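
Point 2 of the answer above, as an added example that is not part of the original thread: a Python function that takes the two directions of a port-80 stream saved from Wireshark's Follow TCP Stream view and reports the requested host, path and User-Agent, plus whether the server redirects to https://. The sample bytes, host name and agent string are constructed placeholders, not values from this capture.

```python
# Added example (not from the original thread): summarise a cleartext HTTP
# exchange exported from Wireshark's "Follow TCP Stream" (raw) view.
from email.parser import BytesParser


def _split_head(raw: bytes):
    """Return (first_line, headers) for one HTTP/1.x message head."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    first, _, rest = head.partition(b"\r\n")
    headers = BytesParser().parsebytes(rest + b"\r\n\r\n", headersonly=True)
    return first.decode("latin-1"), headers


def summarise_stream(client: bytes, server: bytes) -> dict:
    """Describe who was asked for what, and whether TLS takes over next."""
    req_line, req_hdrs = _split_head(client)
    status_line, resp_hdrs = _split_head(server)
    parts = req_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        # Port 80 does not guarantee HTTP; report that rather than guess.
        return {"is_http": False}
    status = status_line.split(" ")
    code = int(status[1]) if len(status) > 1 and status[1].isdigit() else None
    location = resp_hdrs.get("Location", "")
    return {
        "is_http": True,
        "method": parts[0],
        "host": req_hdrs.get("Host"),
        "path": parts[1],
        "user_agent": req_hdrs.get("User-Agent"),
        "status": code,
        # A 3xx pointing at https:// means the payload will be encrypted.
        "moves_to_tls": code is not None and 300 <= code < 400
        and location.lower().startswith("https://"),
    }


# Constructed sample streams; host, path and agent are placeholders.
SAMPLE_CLIENT = (b"GET /updates/manifest.xml HTTP/1.1\r\n"
                 b"Host: cdn.example.com\r\n"
                 b"User-Agent: ExampleUpdater/1.0\r\n\r\n")
SAMPLE_SERVER = (b"HTTP/1.1 301 Moved Permanently\r\n"
                 b"Location: https://cdn.example.com/updates/manifest.xml\r\n"
                 b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(summarise_stream(SAMPLE_CLIENT, SAMPLE_SERVER))
```

The User-Agent and Host values are usually what identify the responsible application; when `moves_to_tls` is true, the follow-up connection on port 443 will not be readable this way.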