Having sniffed my SOHO network, I notice the heaviest burden is from multicast addresses relating to UPnP services.

There is 1 external drive on the network. Am I correct in thinking the networked drive would be using SMB2 rather than SSDP?

Is it normal for UPnP to multicast, frequently, using SSDP and of varying packet lengths?

  • SMB2 should be considered insecure
    – Ramhound
    Commented Sep 8, 2021 at 8:42
  • I'd be inclined to just disable UPnP & as Ramhound says, SMB2 is years out of date & shouldn't be used.
    – Tetsujin
    Commented Sep 8, 2021 at 8:54
  • I did have it disabled but could not detect my external drive (it is usb'd into the router). I'm disabling smb currently.
    Commented Sep 8, 2021 at 9:00
  • "SSDP is the basis of the discovery protocol of Universal Plug and Play (UPnP)" en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol - yeah, I'd say that's possible. To find out look at the source/destination addresses and port numbers of the packets. Or just disconnect it for a moment, you'll see the effect within seconds. Now my question is "why"... do you have some network performance issues or something alike you think could be related to the UPnP traffic?
    Commented Sep 8, 2021 at 9:01
  • It's important to quantify "heaviest burden" with respect to network capacity - UPNP is extremely chatty, and in particular with Apple hardware, you'll see lots of packets. While in a normal SOHO network, usually nothing much else goes on. But that's the normal situation and nothing you need to change, the network is using only a small fraction of its capacity for this UPNP traffic. So unless it's taking up significant capacity in your case, leave it as it is.
    – dirkt
    Commented Sep 8, 2021 at 9:39

1 Answer

Is it normal for UPnP to multicast, frequently, using SSDP and of varying packet lengths?

Yes, service discovery is an integral part of UPnP (it's literally in the name: "universal plug-and-play"). Some of those packets probably come from different devices, either advertising or searching for different service types. The SSDP packets contain text, so you can just look inside to see what's happening.

However, the expected rate (from a single device) should be somewhere along the lines of "a few times per minute" – aside from the initial burst of packets when the service starts up, it should not repeat the same thing every second.

Though if you have many devices hosting or searching for UPnP services, it may add up – but it should still not grow above several KB/s, i.e. it might be "heaviest burden" on an otherwise completely idle network, but not overwhelm unicast communications.

There is 1 external drive on the network. Am I correct in thinking the networked drive would be using SMB2 rather than SSDP?

No; those protocols achieve different things. SSDP is used for service discovery via multicast while SMB2 makes the direct connection for file transfer. To be specific, SMB2 does not have any form of discovery, it always relies on an external protocol.

But SSDP isn't the discovery protocol used together with SMB2 – that's WS-Discovery (aka WSD), which uses the same IP multicast group but a different UDP port (3702 vs 1900).

Instead, SSDP is mainly used for "appliance" discovery. For example, most home routers host the UPnP IGD "Internet Gateway Device" service (which apps use for automated port-forwarding); a NAS might host UPnP "Media Server"; and a TV or a Chromecast may advertise itself as a UPnP "Media Renderer" – those are discoverable via SSDP.
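
As an added example (not part of the answer above), the following Python code reads the text inside SSDP datagrams and tallies discovery traffic per source on UDP 1900 and 3702, so a device that repeats itself far more than "a few times per minute" stands out. The tuple layout, the addresses and the payloads in `SAMPLE` are constructed for illustration; real input would come from your own capture.

```python
from collections import Counter, defaultdict

PORTS = {1900: "SSDP", 3702: "WS-Discovery"}  # UDP ports named in the answer

def parse_ssdp(payload: bytes) -> dict:
    """Parse one SSDP datagram (HTTP-like text) into method and headers."""
    lines = payload.decode("utf-8", errors="replace").split("\r\n")
    first = lines[0].split(" ")[0]
    method = "RESPONSE" if first.startswith("HTTP/") else first.upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return {"method": method, "headers": headers}

def summarize(packets):
    """Per-source rate and message types for (time, src_ip, dport, payload) tuples."""
    seen = defaultdict(lambda: {"times": [], "types": Counter()})
    for ts, src, dport, payload in packets:
        proto = PORTS.get(dport)
        if proto is None:
            continue  # not discovery traffic
        seen[src]["times"].append(ts)
        if proto == "SSDP":
            msg = parse_ssdp(payload)
            # NT = type being advertised (NOTIFY), ST = type being searched for.
            target = msg["headers"].get("NT") or msg["headers"].get("ST") or "?"
            seen[src]["types"][(msg["method"], target)] += 1
        else:
            seen[src]["types"][(proto, "")] += 1  # WSD is SOAP/XML, only counted
    out = {}
    for src, e in seen.items():
        minutes = max(max(e["times"]) - min(e["times"]), 60.0) / 60.0  # 1-min floor
        out[src] = {"per_minute": len(e["times"]) / minutes, "types": e["types"]}
    return out

# Constructed sample capture: addresses, timings and payloads are made up.
NOTIFY = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b"NT: urn:schemas-upnp-org:device:MediaServer:1\r\nNTS: ssdp:alive\r\n\r\n")
SEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b'MAN: "ssdp:discover"\r\nST: ssdp:all\r\n\r\n')
SAMPLE = ([(t, "192.168.1.10", 1900, NOTIFY) for t in (0.0, 30.0, 60.0)]
          + [(float(t), "192.168.1.20", 1900, SEARCH) for t in range(60)]
          + [(5.0, "192.168.1.30", 3702, b"<soap/>")])

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE).items()):
        print(src, round(info["per_minute"], 1), dict(info["types"]))
```

In the constructed sample, the host sending one M-SEARCH per second is the outlier, while the media server's periodic NOTIFY stays at a few per minute.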
