閱讀797 返回首頁    go iPhone_iPad_Mac_apple

'Mysterious' Airplay traffic to BSSID 00:25:00:...

We regularly scan for rogue APs and most recently we've found iPhone, iPad and iPod devices being used inside our building are sending Airplay traffic to BSSID 00:25:00:FF:94:73. A packet capture revealed the traffic was Airplay traffic and revealed the names of the devices broadcasting to it. I knew who one of the owners was and she said she did not (knowingly) have Airplay turned on on her device, and did not have an Apple TV.

 

A web search for the BSSID id returned enough results that it seems like a common MAC address (mostly returned packet captures, or a few forum posts), but there don't seem to be any definitive answers. I'm trying to figure out what this is, and what it is used for. Thanks in advance for any help!

Your users could also be using software like airserver, reflector etc that mimics appletv

Or https://annotate.net  which can mirror to ios devices

 

I guess it's possible an app the user has installed is doing something with AirPlay

After looking at this a bit more, I think this traffic is related to either Peer-to-Peer AirPlay (half-way down: Use AirPlay to wirelessly stream content from your iPhone, iPad, or iPod touch), or an Apple device 'probing' for an Airplay receiver.

 

Here's why:

 

  1. We only see traffic from the devices to 00:25:00:FF:94:73 -- nothing coming from 00:25:00:FF:94:73 to any device (presumably b/c its not in use).
  2. The traffic is unencrypted and contains an Apple device name
  3. Based on search results the MAC address (00:25:00:FF:94:73) is not unique, so I'm thinking it is somehow defined in software
  4. This iPhone 5 boot crash shows the phone setting its BSSID to 00:25:00:FF:94:73 (https://pastebin.com/4Wa4xVbr, line 428)
  5. The traffic is on 2.4 GHz on channel 6 (https://chambersdaily.com/bradleychambers/2014/9/19/technical-details-of-peer-to- peer-airplay)
  6. There are IPv6 multicast packets that contain "_airplay._tcp.local._raop" or "_raop._tcp.local._airplay" (https://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/AirPlay-mirr oring/m-p/28950/highlight/true#M9923)

 

Can anyone confirm or deny this?

If anyone else is still wonder, it's anything over AWDL, or Apple Wireless Direct Link, which is used for AirDrop, AirPlay peer-to-peer, and a huge amount of other local peering.

最後更新:2017-10-22 12:42:04

  上一篇:go How to get more storage
  下一篇:go how do I makeiTunes display smaller