Question

I'm analyzing a TCPdump file with Wireshark. Within the connection traces, I saw "brvread" (port 1054) as both source and destination port. When I searched for it on the Internet, the only thing I found was that it may be an indication of an attack or vulnerability. Apart from that I could not find any other information about what brvread is. Does anybody have any idea about it?


The packet looks like this (data from Angelo Neuschitzer):

#   Time            Source          Target          Protocol Length  Info
1   0.000000000 192.168.2.107   239.255.255.250 UDP 1310    Source port: brvread  Destination port: us-cli

Content:

NOTIFY * HTTP/1.1
x-type: localDvr
x-filter: 5107dcd0-aed6-4f2a-aa93-b5fea9caffec
x-lastUserActivity: 12/23/2013 10:03:29 AM
x-location: http://192.168.2.107:8080/dvrfs/info.xml
x-device: 3244238e-0e41-4f90-ae8a-35b8c84a11a2
x-debug: http://192.168.2.107:8080

<node count='961525'>
  <activities>
    <p15n stamp='08CF44F5A880AA10ECE09BE967E7'/>
    <schedver dver='3' ver='600' pendcap='False' />
    <x/>
    <recreq src='udp://239.35.20.43:10000:79b02293-93df-46f1-976d-c651c578fed7?r=3537009&amp;p=1&amp;ssrc0=514095545&amp;r0=3537009&amp;ch=11&amp;profile=multicastICC&amp;forceDetune=true&amp;age=-1&amp;skip=0' st='0x0' et='0xFFFFFFFFFFFFFFFF' postpad='0' rate='3537009' pri='1'/>
    <recordver ver='1' verid='0' size='137438953472' free='136834973696' />
    <x/>
    <tune src='udp://239.35.20.43:10000:79b02293-93df-46f1-976d-c651c578fed7' pipe='FULLSCREEN' ct='0xd6628ecdc4833e0d' pil='0x0' rate='0x35f871' stopped='false'/>
    <tune src='udp://239.35.20.43:10000:79b02293-93df-46f1-976d-c651c578fed7' rate='0x35f871' pil='0x0'/>
    <record url='http://192.168.2.107:8080/dvrfs/v17' src='udp://239.35.20.43:10000:79b02293-93df-46f1-976d-c651c578fed7' pri='1' st='0xd66288ea884a134e' et='0xd6628eced30f4a81' stopped='false'/>
  </activities>
</node>

(Indentation added manually; there are no newlines etc. in the packet)

Following is a dump from Wireshark:

0000   01 00 5e 7f ff fa 00 23 a3 97 87 d1 08 00 45 60  ..^....#......E`
0010   05 10 12 4d 00 00 01 11 ef 22 c0 a8 02 6b ef ff  ...M....."...k..
0020   ff fa 04 1e 1f 92 04 fc 98 bd 02 57 9c 74 3e 4c  ...........W.t>L
0030   ad cc 43 83 bb 3c a2 de 24 9c 64 00 21 00 10 00  ..C..<..$.d.!...
0040   31 04 c3 d6 62 8e d5 8a 16 3f dd 7d 1a a7 28 ac  1...b....?.}..(.
0050   4c 21 c7 d1 24 5f a6 55 a6 5b e5 4e 4f 54 49 46  L!..$_.U.[.NOTIF
0060   59 20 2a 20 48 54 54 50 2f 31 2e 31 0d 0a 78 2d  Y * HTTP/1.1..x-
0070   74 79 70 65 3a 20 6c 6f 63 61 6c 44 76 72 0d 0a  type: localDvr..
0080   78 2d 66 69 6c 74 65 72 3a 20 35 31 30 37 64 63  x-filter: 5107dc
0090   64 30 2d 61 65 64 36 2d 34 66 32 61 2d 61 61 39  d0-aed6-4f2a-aa9
00a0   33 2d 62 35 66 65 61 39 63 61 66 66 65 63 0d 0a  3-b5fea9caffec..
00b0   78 2d 6c 61 73 74 55 73 65 72 41 63 74 69 76 69  x-lastUserActivi
00c0   74 79 3a 20 31 32 2f 32 33 2f 32 30 31 33 20 31  ty: 12/23/2013 1
00d0   30 3a 30 33 3a 32 39 20 41 4d 0d 0a 78 2d 6c 6f  0:03:29 AM..x-lo
00e0   63 61 74 69 6f 6e 3a 20 68 74 74 70 3a 2f 2f 31  cation: http://1
00f0   39 32 2e 31 36 38 2e 32 2e 31 30 37 3a 38 30 38  92.168.2.107:808
0100   30 2f 64 76 72 66 73 2f 69 6e 66 6f 2e 78 6d 6c  0/dvrfs/info.xml
0110   0d 0a 78 2d 64 65 76 69 63 65 3a 20 33 32 34 34  ..x-device: 3244
0120   32 33 38 65 2d 30 65 34 31 2d 34 66 39 30 2d 61  238e-0e41-4f90-a
0130   65 38 61 2d 33 35 62 38 63 38 34 61 31 31 61 32  e8a-35b8c84a11a2
0140   0d 0a 78 2d 64 65 62 75 67 3a 20 68 74 74 70 3a  ..x-debug: http:
0150   2f 2f 31 39 32 2e 31 36 38 2e 32 2e 31 30 37 3a  //192.168.2.107:
0160   38 30 38 30 0d 0a 0d 0a 3c 6e 6f 64 65 20 63 6f  8080....<node co
0170   75 6e 74 3d 27 39 36 31 35 32 35 27 3e 3c 61 63  unt='961525'><ac
0180   74 69 76 69 74 69 65 73 3e 3c 70 31 35 6e 20 73  tivities><p15n s
0190   74 61 6d 70 3d 27 30 38 43 46 34 34 46 35 41 38  tamp='08CF44F5A8
01a0   38 30 41 41 31 30 45 43 45 30 39 42 45 39 36 37  80AA10ECE09BE967
01b0   45 37 27 2f 3e 3c 73 63 68 65 64 76 65 72 20 64  E7'/><schedver d
01c0   76 65 72 3d 27 33 27 20 76 65 72 3d 27 36 30 30  ver='3' ver='600
01d0   27 20 70 65 6e 64 63 61 70 3d 27 46 61 6c 73 65  ' pendcap='False
01e0   27 20 2f 3e 3c 78 2f 3e 3c 72 65 63 72 65 71 20  ' /><x/><recreq 
01f0   73 72 63 3d 27 75 64 70 3a 2f 2f 32 33 39 2e 33  src='udp://239.3
0200   35 2e 32 30 2e 34 33 3a 31 30 30 30 30 3a 37 39  5.20.43:10000:79
0210   62 30 32 32 39 33 2d 39 33 64 66 2d 34 36 66 31  b02293-93df-46f1
0220   2d 39 37 36 64 2d 63 36 35 31 63 35 37 38 66 65  -976d-c651c578fe
0230   64 37 3f 72 3d 33 35 33 37 30 30 39 26 61 6d 70  d7?r=3537009&amp
0240   3b 70 3d 31 26 61 6d 70 3b 73 73 72 63 30 3d 35  ;p=1&amp;ssrc0=5
0250   31 34 30 39 35 35 34 35 26 61 6d 70 3b 72 30 3d  14095545&amp;r0=
0260   33 35 33 37 30 30 39 26 61 6d 70 3b 63 68 3d 31  3537009&amp;ch=1
0270   31 26 61 6d 70 3b 70 72 6f 66 69 6c 65 3d 6d 75  1&amp;profile=mu
0280   6c 74 69 63 61 73 74 49 43 43 26 61 6d 70 3b 66  lticastICC&amp;f
0290   6f 72 63 65 44 65 74 75 6e 65 3d 74 72 75 65 26  orceDetune=true&
02a0   61 6d 70 3b 61 67 65 3d 2d 31 26 61 6d 70 3b 73  amp;age=-1&amp;s
02b0   6b 69 70 3d 30 27 20 73 74 3d 27 30 78 30 27 20  kip=0' st='0x0' 
02c0   65 74 3d 27 30 78 46 46 46 46 46 46 46 46 46 46  et='0xFFFFFFFFFF
02d0   46 46 46 46 46 46 27 20 70 6f 73 74 70 61 64 3d  FFFFFF' postpad=
02e0   27 30 27 20 72 61 74 65 3d 27 33 35 33 37 30 30  '0' rate='353700
02f0   39 27 20 70 72 69 3d 27 31 27 2f 3e 3c 72 65 63  9' pri='1'/><rec
0300   6f 72 64 76 65 72 20 76 65 72 3d 27 31 27 20 76  ordver ver='1' v
0310   65 72 69 64 3d 27 30 27 20 73 69 7a 65 3d 27 31  erid='0' size='1
0320   33 37 34 33 38 39 35 33 34 37 32 27 20 66 72 65  37438953472' fre
0330   65 3d 27 31 33 36 38 33 34 39 37 33 36 39 36 27  e='136834973696'
0340   20 2f 3e 3c 78 2f 3e 3c 74 75 6e 65 20 73 72 63   /><x/><tune src
0350   3d 27 75 64 70 3a 2f 2f 32 33 39 2e 33 35 2e 32  ='udp://239.35.2
0360   30 2e 34 33 3a 31 30 30 30 30 3a 37 39 62 30 32  0.43:10000:79b02
0370   32 39 33 2d 39 33 64 66 2d 34 36 66 31 2d 39 37  293-93df-46f1-97
0380   36 64 2d 63 36 35 31 63 35 37 38 66 65 64 37 27  6d-c651c578fed7'
0390   20 70 69 70 65 3d 27 46 55 4c 4c 53 43 52 45 45   pipe='FULLSCREE
03a0   4e 27 20 63 74 3d 27 30 78 64 36 36 32 38 65 63  N' ct='0xd6628ec
03b0   64 63 34 38 33 33 65 30 64 27 20 70 69 6c 3d 27  dc4833e0d' pil='
03c0   30 78 30 27 20 72 61 74 65 3d 27 30 78 33 35 66  0x0' rate='0x35f
03d0   38 37 31 27 20 73 74 6f 70 70 65 64 3d 27 66 61  871' stopped='fa
03e0   6c 73 65 27 2f 3e 3c 74 75 6e 65 20 73 72 63 3d  lse'/><tune src=
03f0   27 75 64 70 3a 2f 2f 32 33 39 2e 33 35 2e 32 30  'udp://239.35.20
0400   2e 34 33 3a 31 30 30 30 30 3a 37 39 62 30 32 32  .43:10000:79b022
0410   39 33 2d 39 33 64 66 2d 34 36 66 31 2d 39 37 36  93-93df-46f1-976
0420   64 2d 63 36 35 31 63 35 37 38 66 65 64 37 27 20  d-c651c578fed7' 
0430   72 61 74 65 3d 27 30 78 33 35 66 38 37 31 27 20  rate='0x35f871' 
0440   70 69 6c 3d 27 30 78 30 27 2f 3e 3c 72 65 63 6f  pil='0x0'/><reco
0450   72 64 20 75 72 6c 3d 27 68 74 74 70 3a 2f 2f 31  rd url='http://1
0460   39 32 2e 31 36 38 2e 32 2e 31 30 37 3a 38 30 38  92.168.2.107:808
0470   30 2f 64 76 72 66 73 2f 76 31 37 27 20 73 72 63  0/dvrfs/v17' src
0480   3d 27 75 64 70 3a 2f 2f 32 33 39 2e 33 35 2e 32  ='udp://239.35.2
0490   30 2e 34 33 3a 31 30 30 30 30 3a 37 39 62 30 32  0.43:10000:79b02
04a0   32 39 33 2d 39 33 64 66 2d 34 36 66 31 2d 39 37  293-93df-46f1-97
04b0   36 64 2d 63 36 35 31 63 35 37 38 66 65 64 37 27  6d-c651c578fed7'
04c0   20 70 72 69 3d 27 31 27 20 73 74 3d 27 30 78 64   pri='1' st='0xd
04d0   36 36 32 38 38 65 61 38 38 34 61 31 33 34 65 27  66288ea884a134e'
04e0   20 65 74 3d 27 30 78 64 36 36 32 38 65 63 65 64   et='0xd6628eced
04f0   33 30 66 34 61 38 31 27 20 73 74 6f 70 70 65 64  30f4a81' stopped
0500   3d 27 66 61 6c 73 65 27 2f 3e 3c 2f 61 63 74 69  ='false'/></acti
0510   76 69 74 69 65 73 3e 3c 2f 6e 6f 64 65 3e        vities></node>

Solution

Ok, it is much easier to proceed having all those details available.

What you actually see is a Simple Service Discovery Protocol (SSDP) message. (Wikipedia)


brvread is an old name that came from IANA and is used by Wireshark.


This port is also associated with the AckCmd trojan. Interesting fact:

The interesting feature about this backdoor is that it only uses ACK packets. This means that a standard connection is not established; rather, data will be transmitted directly using ACK packets. This makes it possible for the Trojan to bypass some firewalls.

So I think the actual explanation is quite trivial: some other service sits on that port and talks SSDP.
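As an added example, not part of the question or the answer above: a short Python script that decodes the first seven rows of the hex dump from the question (Ethernet II, IPv4 and UDP headers, the 49-byte binary prefix, and the start of the NOTIFY line), parses the SSDP-style headers and XML body, and runs the triage checks a defender would do before worrying about a port name. The hex rows and the text payload are copied from the question (the body is abridged; the long recreq element is left out), the port-name table is built from the names Wireshark shows in the question, and the assumption that 1900/udp is the standard SSDP port is mine, not the page's.

```python
import ipaddress
import struct
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed: first seven rows of the Wireshark dump in the question, ASCII column dropped.
HEX_ROWS = """
0000   01 00 5e 7f ff fa 00 23 a3 97 87 d1 08 00 45 60
0010   05 10 12 4d 00 00 01 11 ef 22 c0 a8 02 6b ef ff
0020   ff fa 04 1e 1f 92 04 fc 98 bd 02 57 9c 74 3e 4c
0030   ad cc 43 83 bb 3c a2 de 24 9c 64 00 21 00 10 00
0040   31 04 c3 d6 62 8e d5 8a 16 3f dd 7d 1a a7 28 ac
0050   4c 21 c7 d1 24 5f a6 55 a6 5b e5 4e 4f 54 49 46
0060   59 20 2a 20 48 54 54 50 2f 31 2e 31 0d 0a 78 2d
"""

# Constructed from the decoded content in the question; the <recreq> element is omitted.
SSDP_TEXT = (
    "NOTIFY * HTTP/1.1\r\n"
    "x-type: localDvr\r\n"
    "x-filter: 5107dcd0-aed6-4f2a-aa93-b5fea9caffec\r\n"
    "x-lastUserActivity: 12/23/2013 10:03:29 AM\r\n"
    "x-location: http://192.168.2.107:8080/dvrfs/info.xml\r\n"
    "x-device: 3244238e-0e41-4f90-ae8a-35b8c84a11a2\r\n"
    "x-debug: http://192.168.2.107:8080\r\n"
    "\r\n"
    "<node count='961525'><activities>"
    "<p15n stamp='08CF44F5A880AA10ECE09BE967E7'/>"
    "<schedver dver='3' ver='600' pendcap='False' /><x/>"
    "<recordver ver='1' verid='0' size='137438953472' free='136834973696' />"
    "<tune src='udp://239.35.20.43:10000:79b02293-93df-46f1-976d-c651c578fed7' rate='0x35f871' pil='0x0'/>"
    "<record url='http://192.168.2.107:8080/dvrfs/v17' "
    "src='udp://239.35.20.43:10000:79b02293-93df-46f1-976d-c651c578fed7' pri='1' stopped='false'/>"
    "</activities></node>"
)

# Port labels as Wireshark printed them in the question; they are names, not protocols.
SERVICE_NAMES = {1054: "brvread", 8082: "us-cli"}
SSDP_PORT = 1900  # assumption: the standard SSDP multicast port


def hexdump_to_bytes(dump):
    """Turn 'offset  xx xx ...' rows into raw bytes, dropping the offset column."""
    out = bytearray()
    for row in dump.strip().splitlines():
        out += bytes.fromhex("".join(row.split()[1:]))
    return bytes(out)


def decode_frame(frame):
    """Decode Ethernet II / IPv4 / UDP headers and return the fields plus the UDP payload."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short for Ethernet+IPv4+UDP")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4                 # IP header length in bytes
    total_len = struct.unpack("!H", frame[16:18])[0]
    ttl, proto = frame[22], frame[23]
    if proto != 17:
        raise ValueError("not UDP")
    dst = ipaddress.IPv4Address(frame[30:34])
    udp = 14 + ihl
    sport, dport, ulen = struct.unpack("!HHH", frame[udp:udp + 6])
    return {
        "src_ip": str(ipaddress.IPv4Address(frame[26:30])), "dst_ip": str(dst),
        "ttl": ttl, "total_len": total_len, "multicast": dst.is_multicast,
        "sport": sport, "dport": dport, "udp_len": ulen,
        "sport_name": SERVICE_NAMES.get(sport), "dport_name": SERVICE_NAMES.get(dport),
        "payload": frame[udp + 8:],
    }


def find_http_start(payload):
    """Offset of the HTTP-style request line inside the UDP payload (-1 if absent)."""
    return payload.find(b"NOTIFY ")


def parse_ssdp(text):
    """Split a NOTIFY into request line, lower-cased header dict and parsed XML body."""
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    root = ET.fromstring(body) if body else None
    return {"method": method, "target": target, "version": version,
            "headers": headers, "xml": root}


def triage(fields, ssdp):
    """Defender checks: non-standard port, announced URLs that do not match the sender,
    and the stream sources the body references. Returns (findings, streams)."""
    findings = []
    if fields["dport"] != SSDP_PORT:
        findings.append(f"NOTIFY sent to UDP/{fields['dport']}, not the SSDP port {SSDP_PORT}")
    for name in ("x-location", "x-debug"):
        url = ssdp["headers"].get(name)
        if url and urlparse(url).hostname != fields["src_ip"]:
            findings.append(f"{name} points at {urlparse(url).hostname}, sender is {fields['src_ip']}")
    streams = sorted({el.get("src") for el in ssdp["xml"].iter() if el.get("src")})
    return findings, streams


if __name__ == "__main__":
    f = decode_frame(hexdump_to_bytes(HEX_ROWS))
    print(f"{f['src_ip']}:{f['sport']} ({f['sport_name']}) -> "
          f"{f['dst_ip']}:{f['dport']} ({f['dport_name']}), ttl={f['ttl']}, "
          f"frame={14 + f['total_len']} bytes, text starts at payload offset "
          f"{find_http_start(f['payload'])}")
    print(triage(f, parse_ssdp(SSDP_TEXT)))
```

Running it shows that the destination port field in the dump (0x1f92) is 8082, the port Wireshark labelled us-cli, and that the packet is a TTL-1 multicast announcement whose x-location and x-debug URLs point back at the sending host. The only finding is the non-standard port, which is consistent with the answer: a local service reusing SSDP framing, and the "brvread" label is just the services-file name for source port 1054.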

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow