48

On my Debian server (squeeze) I get this message every few seconds:

```
Sep 18 21:28:14 myhost kernel: [7903784.720091] AIF:UNPRIV connect attempt: IN=eth0 OUT= MAC= SRC=my_serverip_eth0 DST=224.0.0.251 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=52
```

The packets are coming from inside my server (I replaced it with my_serverip_eth0) and seem to be blocked going out to the destination 224.0.0.251.

So some task inside my server is contacting 224.0.0.251 and this is blocked by my arnos_firewall.

How can I find out who or which task is trying to do that and if it is useful or not?

And if I don't need it, how can I suppress that message then?

rubo77
  • 7
    Hi there. Your question isn't exactly on topic for Stack Overflow as there isn't any programming involved (not that I can see). Would you like me to move your question to another site (say, Server Fault or Unix & Linux)? – BoltClock Sep 19 '12 at 20:15
  • 1
    Yes, please move it to a fitting stack – rubo77 Sep 04 '19 at 23:41
  • Apple iTunes and the Avahi daemon have been mentioned, but the elephant in the room is the Chrome browser. For example, take a look here: https://support.google.com/chrome/a/thread/5939360?hl=en – SddS Dec 16 '20 at 01:44

3 Answers

48

Those look much like Bonjour / mDNS requests to me. Those packets use multicast IP address 224.0.0.251 and port 5353.

The most likely source for this is Apple iTunes, which comes pre-installed on Mac computers (and is a popular install on Windows machines as well). Apple iTunes uses it to discover other iTunes-compatible devices in the same WiFi network.

mDNS is also used (primarily by Apple's Mac and iOS devices) to discover mDNS-compatible devices such as printers on the same network.

If this is a Linux box instead, it's probably the Avahi daemon then. Avahi is ZeroConf/Bonjour compatible and installed by default, but if you don't use DNS-SD or mDNS, it can be disabled.

Suman
  • But I use Debian squeeze. How can I find out which process is using it? – rubo77 Sep 19 '12 at 10:35
  • Are the packets coming from the Debian box or something else? – Suman Sep 19 '12 at 15:03
  • I added an explanation to the main question – rubo77 Sep 19 '12 at 15:09
  • 1
    OK, that's probably the Avahi daemon then. It's ZeroConf/Bonjour compatible: http://wiki.debian.org/ZeroConf . Can you check if Avahi is installed? – Suman Sep 19 '12 at 16:44
  • Yes, `avahi-daemon` is installed. I removed it and it also removed the package `libnss-mdns`. What was that for? – rubo77 Sep 19 '12 at 19:59
  • It's only needed if you use DNS-SD or mDNS - http://en.wikipedia.org/wiki/Avahi_(software) . Sounds like you don't need it. :) It's usually installed by default, if I remember correctly. – Suman Sep 19 '12 at 20:05
  • Sorry, the messages are still there, so uninstalling Avahi was not the solution – rubo77 Nov 01 '12 at 21:50
  • 1
    mDNS/DNS-SD/Bonjour is of some interest for autodiscovery of printers; it is useful, for example, for HP laser printers. Within CUPS they appear with a URL dnssd:// . – philippe lhardy Dec 31 '18 at 10:44
4

If you don't have avahi installed then it's probably cups.

dangerguy
1

I deactivated my "Arno's Iptables Firewall" for testing, and then the messages are gone

rubo77
  • Although it would still be interesting to know how to stop the source of the messages instead – rubo77 Nov 03 '12 at 05:45
  • I'm pretty sure it's Avahi. Are you sure Avahi got uninstalled? It's possible it got reinstalled during an update. – Suman Nov 03 '12 at 21:17
  • Yes, avahi-daemon and libnss-mdns are still removed – rubo77 Nov 04 '12 at 05:56
  • 10
    To remove the error message (and firewall!) isn't really a solution to the problem, is it? The collateral damage is just too high, I find. You could just whitelist the service, and that's it. – Ned64 Jun 18 '15 at 09:01
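
The open question in this thread, which local process is bound to UDP port 5353 and sending the blocked mDNS packets, can be answered from `/proc` without extra tools. The script below is an added example, not part of any post above; the function names, the script file name and the `PROC_ROOT` override are assumptions made for illustration, and it must run as root to read other users' file descriptors.

```bash
#!/bin/bash
# Added example: find which local process owns a UDP port (5353 = mDNS)
# by walking /proc. Run as root; other users' fd links are unreadable otherwise.
# PROC_ROOT is a hypothetical override so the logic can be pointed at a test tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the inode of every UDP socket bound to port $1 (IPv4 and IPv6).
udp_inodes_for_port() {
    local hexport f
    hexport=$(printf '%04X' "$1")
    for f in "$PROC_ROOT/net/udp" "$PROC_ROOT/net/udp6"; do
        if [ -r "$f" ]; then
            # Field 2 is local_address (HEXIP:HEXPORT), field 10 is the inode.
            awk -v p="$hexport" 'FNR > 1 {
                n = split($2, a, ":")
                if (toupper(a[n]) == p) print $10
            }' "$f"
        fi
    done | sort -u
}

# Print "PID command line" for every process holding one of those sockets.
udp_port_owners() {
    local inode fd pid
    for inode in $(udp_inodes_for_port "$1"); do
        for fd in "$PROC_ROOT"/[0-9]*/fd/*; do
            [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
            pid=${fd#"$PROC_ROOT"/}
            pid=${pid%%/*}
            # cmdline is NUL-separated; /proc/PID/comm is avoided on purpose
            # because older kernels do not have it.
            echo "$pid $(cat "$PROC_ROOT/$pid/cmdline" 2>/dev/null | tr '\000' ' ' | sed 's/ *$//')"
        done
    done | sort -u
}

# Usage (file name is hypothetical): bash find-udp-owner.sh 5353
if [ "$#" -gt 0 ]; then
    udp_port_owners "$1"
fi
```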