Netgate Discussion Forum

Packet Capture: What is my wireless printer uploading?

  • P
    pf123user
    last edited by May 29, 2017, 11:40 PM

    13:17:52.413529 00:1e:8f:xx:xx:xx (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 255: (tos 0x0, ttl 64, id 2910, offset 0, flags [none], proto UDP (17), length 241)
        CanonMP560.fqdn.net.netbios-dgm > 192.168.1.255.netbios-dgm: [udp sum ok]

    NBT UDP PACKET(138) Res=0x1102 ID=0x2635 IP=10 (0xa).28 (0x1c).28 (0x1c).38 (0x26) Port=138 (0x8a) Length=281 (0x119) Res2=0x0
    SourceName=CANONMP560      NameType=0x20 (Server)
    DestName=WORKGROUP      NameType=0x1D (Master Browser)

    SMB PACKET: SMBtrans (REQUEST)
    SMB Command  =  0x25
    Error class  =  0x0
    Error code    =  0 (0x0)
    Flags1        =  0x0
    Flags2        =  0x0
    Tree ID      =  0 (0x0)
    Proc ID      =  0 (0x0)
    UID          =  0 (0x0)
    MID          =  0 (0x0)
    Word Count    =  17 (0x11)
    TotParamCnt=0 (0x0)
    TotDataCnt=45 (0x2d)
    MaxParmCnt=0 (0x0)
    MaxDataCnt=0 (0x0)
    MaxSCnt=0 (0x0)
    TransFlags=0x0
    Res1=0x0
    Res2=0x0
    Res3=0x0
    ParamCnt=0 (0x0)
    ParamOff=0 (0x0)
    DataCnt=45 (0x2d)
    DataOff=86 (0x56)
    SUCnt=3 (0x3)
    Data: (6 bytes)
    [000] 01 00 01 00 02 00                                \0x01\0x00\0x01\0x00\0x02\0x00
    smb_bcc=62
    Name=\MAILSLOT\BROWSE
    BROWSE PACKET
    BROWSE PACKET:
    Type=0x1 (HostAnnouncement)
    UpdateCount=0x8000
    Res1=0xFC
    AnnounceInterval=10 (0xa)
    Name=CANONMP560      NameType=0x00 (Workstation)
    MajorVersion=0x4
    MinorVersion=0x0
    ServerType=0x2
    ElectionVersion=0x10F
    BrowserConstant=0xAA55
    Data: (13 bytes)
    [000] 4D 50 35 36 30 20 73 65  72 69 65 73 00          MP560 se ries\0x00

    I changed the strikethrough stuff. It is a Canon MP560 model printer with the same 'canonmp560' as hostname on the network. Is this just standard netbios broadcast info? This printer is, by far, the wireless client uploading the most information on the network. If it's nothing to be worried about then no big deal. Please let me know if I should edit out any info from the packet capture. I recorded for about 8 hours. Happy to upload or host a larger dump somewhere. Just wondering if it's anything to worry about.

    Thanks.

    Edit: To be clear, this is data coming from the client to a Unifi WAP and into that AP's vlan interface. Thanks.

    • J
      johnpoz LAYER 8 Global Moderator
      last edited by May 30, 2017, 7:47 PM

      Sure looks like just broadcast noise to me..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      • M
        marvosa
        last edited by May 31, 2017, 2:42 AM May 31, 2017, 2:39 AM

        TBH, this is really a question for the Canon forums.

        Having said that, if you look at the details of the capture along with some quick research, it tells us what we need to know.  Your capture shows broadcast traffic on port 138 (UDP).  A few quick google searches along with skimming thru the manual shows that the traffic you're seeing has to do with the functionality of the memory card slot.  Your printer appears to use NETBIOS ports (137, 138, 139) to share its memory card slot over the network.

        In short, the traffic you're seeing is to be expected and harmless.

        • N
          NOYB
          last edited by May 31, 2017, 5:29 AM

          Maybe it's an NSA backup.  :-X

          • P
            pf123user
            last edited by Jun 1, 2017, 8:30 PM

            @marvosa:

            TBH, this is really a question for the Canon forums.

            Having said that, if you look at the details of the capture along with some quick research, it tells us what we need to know.  Your capture shows broadcast traffic on port 138 (UDP).  A few quick google searches along with skimming thru the manual shows that the traffic you're seeing has to do with the functionality of the memory card slot.  Your printer appears to use NETBIOS ports (137, 138, 139) to share its memory card slot over the network.

            In short, the traffic you're seeing is to be expected and harmless.

            Thanks. I asked here because I used the pfSense tool to capture the data (and because people here know things about this stuff). Obviously if I'm asking what it is I'm not a forensic networking analyst. I looked into it enough that I'm comfortable nothing is trying to get out over WAN.

            Just really odd. I understand what it is doing. Even though there are no cards in the slots. Just odd that when I look at overall upload traffic, the wireless printer far exceeds every other device in the home, by a factor of 10, at least. Thanks.

            • J
              johnpoz LAYER 8 Global Moderator
              last edited by Jun 2, 2017, 8:54 PM Jun 2, 2017, 8:50 PM

              "I understand what it is doing. Even though there are no cards in the slots."

              What do you mean there are not cards in the slots?  As to its upload.. Well, if it's flooding the network with broadcast noise..  How many packets a second do you see with this sniff?

              How exactly are you printing/finding the printer - it's quite possible you just disable netbios on the printer itself so it doesn't broadcast that noise.

              disablenetbios.png

              • A
                Alex Atkin UK
                last edited by Jun 5, 2017, 5:50 AM

                It may be the most frequent uploader on the network but unless nothing else is ever being used it's highly unlikely it's using the most bandwidth, or enough bandwidth to even worry about.

                • H
                  Harvy66
                  last edited by Jun 5, 2017, 12:25 PM

                  Why does everyone keep saying "uploader"? Making it sound like the device is using Internet bandwidth. This is just broadcast domain NetBIOS spam. The only bandwidth it uses is on the local switch. The frame is only 255 bytes long, that's only 2040 bits, or 0.000204% of a 1Gb switch. Even if it was spamming 1000 packets per second, it would only consume 0.204%.

                  • J
                    johnpoz LAYER 8 Global Moderator
                    last edited by Jun 5, 2017, 1:12 PM

                    Other than the OP I don't think anyone else thinks it's uploading anything Harvy66 ;)

                    With you here - is noise, and unless there is something wrong with it and it's spewing such packets at some crazy rate it's going to be a minuscule amount of traffic that would go nowhere beyond the layer 2 it's currently on.


                    1 Reply Last reply Reply Quote 0
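Added example, not written by any poster in this thread: one way to answer the "how many packets a second" question and the share-of-link arithmetic discussed above, by parsing `tcpdump -e` text output for frames sent to the Ethernet broadcast address. The function name `broadcast_load`, the 1 Gb/s default and the sample capture are assumptions made for the example.

```python
import re
from collections import defaultdict

# Link-level header line as printed by `tcpdump -e` (same shape as the line in the first post).
HEADER = re.compile(
    r"^\s*(\d\d):(\d\d):(\d\d\.\d+) (?P<src>\S+) .*?> (?P<dst>[^ ,]+)[^,]*, "
    r"ethertype [^,]+, length (?P<len>\d+):"
)
BROADCAST = {"Broadcast", "ff:ff:ff:ff:ff:ff"}  # resolved and numeric (-n) spellings

def broadcast_load(capture_text, link_bps=1_000_000_000):
    """Per source MAC: broadcast frame count, frames/s, bits/s and % of the link."""
    seen = defaultdict(lambda: {"frames": 0, "bytes": 0, "first": None, "last": None})
    for line in capture_text.splitlines():
        m = HEADER.match(line)
        if not m or m["dst"] not in BROADCAST:
            continue  # payload decode lines and unicast frames are ignored
        t = int(m[1]) * 3600 + int(m[2]) * 60 + float(m[3])
        s = seen[m["src"]]
        s["frames"] += 1
        s["bytes"] += int(m["len"])
        if s["first"] is None:
            s["first"] = t
        s["last"] = t
    report = {}
    for src, s in seen.items():
        span = (s["last"] - s["first"]) % 86400  # tolerate a capture crossing midnight
        # A single frame has no measurable rate: report None instead of dividing by zero.
        pps = (s["frames"] - 1) / span if span > 0 else None
        bps = pps * 8 * s["bytes"] / s["frames"] if pps is not None else None
        pct = 100 * bps / link_bps if bps is not None else None
        report[src] = {"frames": s["frames"], "pps": pps, "bps": bps, "pct_of_link": pct}
    return report

# Constructed sample: the 02:... MACs and all timings are made up for the example.
SAMPLE = """\
13:17:52.413529 00:1e:8f:xx:xx:xx (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 255: (tos 0x0, ttl 64)
    CanonMP560.fqdn.net.netbios-dgm > 192.168.1.255.netbios-dgm: [udp sum ok]
13:18:04.413529 00:1e:8f:xx:xx:xx (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 255: (tos 0x0, ttl 64)
13:18:05.100000 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64)
13:18:16.413529 00:1e:8f:xx:xx:xx (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 255: (tos 0x0, ttl 64)
13:18:20.000000 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1
13:18:28.413529 00:1e:8f:xx:xx:xx (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 255: (tos 0x0, ttl 64)
"""

if __name__ == "__main__":
    for mac, stats in broadcast_load(SAMPLE).items():
        print(mac, stats)
```

On a real capture, sort the report by `pps` to find the noisiest broadcaster; the figures only cover local layer 2 traffic and say nothing about what crosses the WAN.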