What Does “BBS” in TCPDump Output Mean

firewallioslinuxnetworkingtcpdump

I've recently implemented stricter firewall rules, and I keep seeing the Apple devices on my local network attempt to reach out to 192.168.1.156 or 192.168.1.152. In an attempt to understand what it's doing, I ran tcpdump and received this output:

19:36:05.273166 IP 192.168.22.8.53058 > 192.168.1.156.bbs: Flags [S], seq 2685942121, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2363049810 ecr 0,sackOK,eol], length 0
19:36:14.889388 IP 192.168.22.8.53064 > 192.168.1.152.bbs: Flags [S], seq 3567670609, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2054024907 ecr 0,sackOK,eol], length 0

Can anyone help explain what the bbs port/protocol is, and/or why Apple devices keep trying to talk to these seemingly random IPs outside of their subnet? To be more specific, it's both iPhones and the Apple TV doing it, but not the homepods on the same network.

I’ve read about the Bulletin Bus Service, but I haven’t found any information on how or why it would be used by certain Apple devices, especially to an IP that isn’t in use.

Best Answer

Due to the comment by @Spiff I was able to find out it was trying to send traffic over port 7000/tcp, which according to a couple Apple discussion pages is for Airplay. It appears that Apple devices remember the IPs of Airplay destinations, and continuously try to connect to them.

Apple's support page does not indicate it uses port 7000 for anything, though this explanation lines up with my experience. In any event, it doesn't appear malicious, even if it is annoying to see in my firewall logs.

Related Solutions

Can’t I see other computers’ traffic in the output of tcpdump

You router and/or switch will only send you packets which are either broadcasted or addressed to your own network card (NIC). That is not the case if you use a hub, which will blindly forward everything it receives to everyone. Having a switch (or a proper router) ensure you can use the whole bandwidth between two NICs, without them beeing spammed by the other NICs' packets.

Imagine computer1 downloads at 100Mb/s from computer2. Computer3 then tries to download at 100Mb/s from computer4. If everyones' packets were to be sent to everyone, computer1/2 would'nt be able to use the whole bandwidth, only a half, and same thing for computer3/4.

Linux – tcpdump: how to get grepable output

For those like you who cannot use ngrep, here's how to use awk to make the tcpdump output of packet contents grepable.

First some sample output as provided by tcpdump -x, in order to present the task ahead:

$ tcpdump -xr dump.pcap 2>/dev/null
12:04:59.590664 IP 10.17.14.93.51009 > 239.194.1.9.51009: UDP, length 370
        0x0000:  4500 018e 0000 4000 fa11 7625 0a11 0e5d
        0x0010:  efc2 0109 c741 c741 017a 6f28 1120 2020
        0x0020:  3337 3030 3039 3031 3835 3635 3430 3130
...

And this is the copy-and-pastable awk script you can pipe the output to

awk '{ if (match($0, /^[0-9]/, _)) { printf (NR == 1 ? "%s " : "\n%s "), $0; fflush() } else { sub(/^\s+0x[0-9a-z]+:\s+/, " "); gsub(" ", ""); printf "%s", $0 } } END { print ""; fflush() }'

in order to get the following, grepable output

12:04:59.590664 IP 10.17.14.93.51009 > 239.194.1.9.51009: UDP, length 370 4500018e00004000fa1176250a...
12:04:59.590798 IP 10.17.14.113.51011 > 239.194.1.11.51011: UDP, length 370 4500018e00004000fa11760f...
...

Below is a commented version of above script:

awk '{
    # if this is a header line
    if (match($0, /^[0-9]/, _)) {
        # print the header, but:

        # except for the first line,
        # we need to insert a newline,
        # as the preceding data lines
        # have been stripped of theirs

        # we also append a space to
        # separate header info from the
        # data that will get appended
        printf (NR == 1 ? "%s " : "\n%s "), $0
        # enforce line-buffering
        fflush()
    }
    # otherwise it is a data line
    else {
        # remove the data address
        sub(/^\s+0x[0-9a-z]+:\s+/, " ");
        # remove all spaces
        gsub(" ", "");
        # print w/o newline
        printf "%s", $0 
    }
}
END {
    # print final newline, as
    # the preceding data lines
    # have been stripped of theirs
    print ""
    # enforce line-buffering
    fflush()
}'

Related Question

Networking – Does tcpdump bypass iptables