31

I've been trying to analyze some WiFi issues in my house using airodump-ng and noticed that there's a lot of traffic on a BSSID beginning with 00:25:00, which Wireshark's OUI lookup says is assigned to Apple... but the BSSID doesn't match any network I have, and the SSIDs don't match any of the devices.

How do I know it's an AppleTV? When I bring the scanner near one of them, its signal goes from the -60 dBm range to the -30 dBm range. I repeat for the other two Apple TVs and their signals go up as well.

The reported SSIDs don't match any device I have on my network and the BSSID they're "connected" to isn't any device I have (in fact, I don't currently have any Apple APs).

These devices seem very chatty. While watching a YouTube video on one AppleTV, airodump-ng reported a few thousand frames from the AppleTV's real SSID, and 10k frames between the three other SSIDs.

Why are the AppleTVs making their own network and why are they so chatty?

  • 12
    "How do I know it's an AppleTV?" Have you tried the obvious - turn off your AppleTV(s) and see if the packets go away? – dwizum Apr 18 at 13:57
  • Newer AppleTVs make it, to my understanding, possible to use them without both devices using an existing WiFi, in the same way that AirDrop works. – Thorbjørn Ravn Andersen Apr 19 at 20:52
  • @ThorbjørnRavnAndersen For a while, I had my LAN segmented using VLAN switches and a custom gateway, and my computers were on a totally separate network than my AppleTVs.... and I always wondered why AirPlay was still discoverable, even though mDNS/SD was not forwarded from the AppleTVs' subnet to the computers' subnet. This makes sense now... – iAdjunct Apr 19 at 22:35
  • A change from -60 dBm to -30 dBm means the power level goes up, not down, in strength and numerically, as they are both negative values. Values of dBm are relative to 1 mW, so values below 1 mW are negative. Power level -60 dBm equals 1 nW power, -30 dBm = 1.0 µW. That means a -30 dBm signal is 1000 times stronger than a -60 dBm signal. – Volker Siegel Apr 21 at 6:51
  • @VolkerSiegel Thank you. I am aware of this, hence why I said the signal strength going from -60 to -30 dBm was indicative of it being that device as I brought the scanner near it, which one would naturally expect to make the signal go up. Though I see your confusion because I proceed to say "their signal goes down," which is not what I meant...... but is what I wrote....... I suppose this is what happens when I write something too quickly and don't proof-read it. I've corrected this. – iAdjunct Apr 21 at 7:09
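As an added example (not code from the question or any of the answers), here is a Python script that performs the first triage step described above on airodump-ng's CSV export: it drops the BSSIDs you operate, maps the remaining ones to a vendor by OUI, and flags those that beacon heavily. The CSV sample, the allowlist, the SSIDs and the one-entry OUI table are constructed for the example; the 00:25:00 Apple OUI is the one from the question.

```python
import csv
import io

# Constructed sample in the airodump-ng CSV layout (not a real capture):
# access-point rows, a blank line, then the (empty here) station section.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2019-04-18 12:00:00, 2019-04-18 12:30:00,  6, 54, WPA2, CCMP, PSK, -45,  900, 0, 0.  0.  0.  0,  7, HomeNet,
00:25:00:11:22:33, 2019-04-18 12:00:00, 2019-04-18 12:30:00, 36, 54, OPN,  ,  , -31, 3400, 0, 0.  0.  0.  0, 12, AppleTV-Peer,
00:25:00:44:55:66, 2019-04-18 12:00:00, 2019-04-18 12:30:00, 36, 54, OPN,  ,  , -58, 2900, 0, 0.  0.  0.  0, 12, AppleTV-Peer,
DD:EE:FF:00:00:02, 2019-04-18 12:05:00, 2019-04-18 12:06:00,  1, 54, WPA2, CCMP, PSK, -80,    4, 0, 0.  0.  0.  0, 10, NeighborAP,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

KNOWN_BSSIDS = {"AA:BB:CC:00:00:01"}   # constructed allowlist: the APs we operate
OUI_VENDOR = {"00:25:00": "Apple"}     # tiny OUI table; 00:25:00 is the OUI from the question


def parse_access_points(text):
    """Return the access-point rows of an airodump-ng CSV as dicts keyed by header."""
    ap_section = text.split("\n\n", 1)[0]   # everything before the station section
    reader = csv.reader(io.StringIO(ap_section), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    return [dict(zip(header, (f.strip() for f in row))) for row in reader if row]


def triage(text, known_bssids, min_beacons=1000):
    """List BSSIDs that are not ours, strongest first, with vendor and chattiness."""
    findings = []
    for ap in parse_access_points(text):
        bssid = ap["BSSID"].upper()
        if bssid in known_bssids:
            continue
        beacons = int(ap["# beacons"])
        findings.append({
            "bssid": bssid,
            "vendor": OUI_VENDOR.get(bssid[:8], "unknown"),   # first three octets = OUI
            "essid": ap["ESSID"],
            "power_dbm": int(ap["Power"]),
            "beacons": beacons,
            "chatty": beacons >= min_beacons,
        })
    # Higher (less negative) dBm is a stronger signal, so sort descending.
    findings.sort(key=lambda f: f["power_dbm"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV, KNOWN_BSSIDS):
        print(f"{f['bssid']}  {f['vendor']:8} {f['essid']:13} {f['power_dbm']:>4} dBm"
              f"  {f['beacons']:>5} beacons", "CHATTY" if f["chatty"] else "")
```

Point it at a real `airodump-ng -w prefix` CSV and fill `KNOWN_BSSIDS` with your own APs; anything left over that shares a vendor OUI with your devices and beacons heavily is a candidate for the power-on/power-off test suggested in the comments.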
37

They are likely packets for AirPlay, since that works over an ad-hoc wireless network.

Reference - https://en.wikipedia.org/wiki/AirPlay

  • 9
    Note that if you wish to make them less chatty, you can probably simply install the Youtube app on your Apple TV so you don't need Airplay to watch Youtube. Assuming Apple TV apps are still a thing... – Nzall Apr 18 at 13:17
  • @nzall that works if the only thing you want to push to the TV is YouTube, which is about the only thing I don’t push to the TV (because the YouTube app sucks) – iAdjunct Apr 20 at 18:42
27

These look to be AirPlay advertisements.

When I look at the packets in Wireshark, they are unencrypted and contain IPv6 multicast messages advertising airplay. They also contain data on the type of device, device capabilities, and who knows what other data.

At the very least, it does not appear to contain the AppleID used in plain text, so there's a plus, but I can't guarantee it's not hidden/encoded somewhere else.

  • :( expected some crazy theories flowing around, too bad it didn't happen xD – DGoiko May 13 at 19:23
