# Why is my FreeBSD install seeing googlecast packets?



## veryuniquename (Feb 10, 2021)

I have wanted to learn how to properly use Wireshark for some time now and decided to finally install it and play around with it. With no programs open I ran it on my regular network interface and it was just default pinging between the router and this FreeBSD computer. For some reason however I see these MDNS packets come up between different devices on the network. When I select one of these packets I see its a google cast packet "googlecast tcp local".

Is there anyway to block google cast packets?


----------



## Snurg (Feb 10, 2021)

Interesting replies here...


----------



## veryuniquename (Feb 11, 2021)

Snurg said:


> Interesting replies here...


It was an interesting read! I see these things when I have nothing but i3, X11 and my console urxvt on this machine actively turned on:

What is this more exactly? Is urxvt sending local packets?    

```
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     urxvt      85526 4  stream -> ??
username     urxvt      79348 3  stream -> ??
username     urxvt      79348 6  stream -> /tmp/.X11-unix/X0
root     urxvt      96450 4  stream -> ??
username     urxvt      96140 3  stream -> ??
username     urxvt      96140 6  stream -> /tmp/.X11-unix/X0
username     wireshark  70378 3  stream -> /tmp/.X11-unix/X0
username     python3.9  95554 4  stream /tmp/powerline-ipc-1001
...
```

UDP (iPad laying around)

```
192.168.1.66 -> 224.0.0.7
...
0020   00 07 1f 41 1f 41 00 ce db 4b 7b 22 64 61 74 61   ...A.A...K{"data
0030   22 3a 7b 22 76 31 22 3a 7b 22 75 72 69 22 3a 22   ":{"v1":{"uri":"
0040   68 74 74 70 3a 2f 2f 31 39 32 2e 31 36 38 2e 31   http://192.168.1
0050   2e 36 36 3a 38 30 30 31 2f 6d 73 2f 31 2e 30 2f   .66:8001/ms/1.0/
0060   22 7d 2c 22 76 32 22 3a 7b 22 75 72 69 22 3a 22   "},"v2":{"uri":"
0070   68 74 74 70 3a 2f 2f 31 39 32 2e 31 36 38 2e 31   http://192.168.1
0080   2e 36 36 3a 38 30 30 31 2f 61 70 69 2f 76 32 2f   .66:8001/api/v2/
0090   22 7d 7d 2c 22 72 65 6d 6f 74 65 22 3a 22 31 2e   "}},"remote":"1.
...
00d0   39 61 64 22 2c 22 74 74 6c 22 3a 38 30 30 30 2c   9ad","ttl":8000,
00e0   22 74 79 70 65 22 3a 22 61 6c 69 76 65 22 7d 0a   "type":"alive"}.
```

and when I connect to the above 192.168.1.66:8001 I get to an html page saying "401".

iPad
UDP

```
239.255.255.250
0000   01 00 5e 7f ff fa 64 e7 d8 34 8e 64 08 00 45 00   ..^...d..4.d..E.
0010   00 3f 3e 02 40 00 40 11 4a c7 c0 a8 01 42 ef ff   .?>.@.@.J....B..
0020   ff fa c6 e3 3c f0 00 2b 01 a8 53 45 41 52 43 48   ....<..+..SEARCH
0030   20 42 53 44 50 2f 30 2e 31 0a 44 45 56 49 43 45    BSDP/0.1.DEVICE
0040   3d 30 0a 53 45 52 56 49 43 45 3d 31 0a            =0.SERVICE=1.
```

TV
MDNS

```
192.168.1.123 -> 224.0.0.251
0000   01 00 5e 00 00 fb a8 db 03 8b da 70 08 00 45 00   ..^........p..E.
0010   00 7a b6 8b 40 00 ff 11 21 c8 c0 a8 01 7b e0 00   .z..@...!....{..
0020   00 fb 14 e9 14 e9 00 66 2f 16 00 11 00 00 00 02   .......f/.......
...
0060   44 04 5f 73 75 62 0b 5f 67 6f 6f 67 6c 65 63 61   D._sub._googleca
0070   73 74 04 5f 74 63 70 05 6c 6f 63 61 6c 00 00 0c   st._tcp.local...
0080   00 01 c0 3c 00 0c 00 01                           ...<....
```


Is it posisble to block these "local discovery" and the google cast packets??


----------



## SirDice (Feb 11, 2021)

There's nothing picking these up on your side, blocking them isn't going to make them go away (they'll still appear on your network). Nowadays there are many devices that are constantly sending UPnP and/or DLNA packets. PCs, printers, smartphones, tablets, TVs, even refrigerators (if they're network connected). That's the traffic you're seeing. 






						Universal Plug and Play - Wikipedia
					






					en.wikipedia.org
				








						Digital Living Network Alliance - Wikipedia
					






					en.wikipedia.org


----------



## a6h (Feb 11, 2021)

SirDice said:


> Nowadays there are many devices that are constantly sending UPnP and/or DLNA packets.


Also port-forwarding/UPnP programs, e.g. BitTorrent clients.
Users have to check "UPnP service/mapping list" (generally temporary, but sometimes permanent)" in their Router/ADSL/etc. Interesting stuff!


----------



## SirDice (Feb 11, 2021)

vigole said:


> Users have to check "UPnP service/mapping list" (generally temporary, but sometimes permanent)" in their Router/ADSL/etc. Interesting stuff!


You can use net/miniupnpd on your FreeBSD firewall, if you need it. Works rather well.


----------

