32

I've been trying to analyze some WiFi issues in my house using airodump-ng and noticed that there's a lot of traffic on a BSSID beginning with 00:25:00, which Wireshark's OUI lookup says is assigned to Apple... but the BSSID doesn't match any network I have, and the SSIDs don't match any of the devices.

How do I know it's an AppleTV? When I bring the scanner near one of them, its signal goes from the -60 dBm range to the -30 dBm range. I repeat for the other two Apple TVs and their signals go up as well.

The reported SSIDs don't match any device I have on my network and the BSSID they're "connected" to isn't any device I have (in fact, I don't currently have any Apple APs).

These devices seem very chatty. While watching a YouTube video one one AppleTV, airodump-ng reported a few thousand frames from the AppleTV's real SSID, and 10k frames between the three other SSIDs.

Why are the AppleTVs making their own network and why are they so chatty?

iAdjunct
  • 1,672

2 Answers2

37

They are likely packets for Airplay, since that works over an Ad-Hoc Wireless network

Reference - https://en.wikipedia.org/wiki/AirPlay

Lawrence
  • 4,423
28

These look to be AirPlay advertisements.

When I look at the packets in Wireshark, they are unencrypted and contain IPv6 multicast messages advertising airplay. They also contain data on the type of device, device capabilities, and who knows what other data.

At the very least, it does not appear to contain the AppleID used in plain text, so there's a plus, but I can't guarantee it's not hidden/encoded somewhere else.

iAdjunct
  • 1,672