Bellow I show the output of my tcpdump
What does the first two mean lines means(what are all the question-marks meaning is this a sign of a intruder)?
I am especially intrested in the meaning of what this mean:
_airplay._tcp.local. PTR (QM)? _raop._tcp.local. PTR (QM)? _sleep-proxy._udp.local. PTR (QM)? _uscan._tcp.local. PTR (QM)? _uscans._tcp.local. PTR (QM)? _ippusb._tcp.local. PTR (QM)? _scanner._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _printer._tcp.local. PTR (QM)? _pdl-datastream._tcp.local. PTR (QM)? _ptp._tcp.local. PTR (QM)? _googlecast._tcp.local. PTR (QM)? _airport._tcp.local. PTR (QM)? _privet._tcp.local. (247)
06:58:18.995368 IP 192.168.2.22.5353 > 224.0.0.251.5353: 0 [15q] PTR (QM)? _airplay._tcp.local. PTR (QM)? _raop._tcp.local. PTR (QM)? _sleep-proxy._udp.local. PTR (QM)? _uscan._tcp.local. PTR (QM)? _uscans._tcp.local. PTR (QM)? _ippusb._tcp.local. PTR (QM)? _scanner._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _printer._tcp.local. PTR (QM)? _pdl-datastream._tcp.local. PTR (QM)? _ptp._tcp.local. PTR (QM)? _googlecast._tcp.local. PTR (QM)? _airport._tcp.local. PTR (QM)? _privet._tcp.local. (247)
06:58:19.004888 IP 192.168.2.22.5353 > 224.0.0.251.5353: 0 [15q] PTR (QM)? _airplay._tcp.local. PTR (QM)? _raop._tcp.local. PTR (QM)? _sleep-proxy._udp.local. PTR (QM)? _uscan._tcp.local. PTR (QM)? _uscans._tcp.local. PTR (QM)? _ippusb._tcp.local. PTR (QM)? _scanner._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _printer._tcp.local. PTR (QM)? _pdl-datastream._tcp.local. PTR (QM)? _ptp._tcp.local. PTR (QM)? _googlecast._tcp.local. PTR (QM)? _airport._tcp.local. PTR (QM)? _privet._tcp.local. (247)
06:58:21.294223 IP 192.168.2.22.52089 > 239.255.255.250.1900: UDP, length 174
06:58:21.300872 IP 192.168.2.22.52089 > 239.255.255.250.1900: UDP, length 174
Best Answer
The first two lines are the system with IP address 192.168.2.22 sending a bunch of mDNS multicast queries for PTR records of various services in the local network.
PTR means the message is about a PoinTeR record, (QM) are the flags in the mDNS request packet (Query and Multicast), and the question mark just makes it easier to see that it's a query.
PTR (QM)? _airplay._tcp.local.Any Apple AirPlay-capable video displays here?PTR (QM)? _raop._tcp.local.Any Apple AirPlay-capable audio devices here?PTR (QM)? _sleep-proxy._udp.local.Is there a device that could tell anyone who might ask that I'm still available while I'd doze off for a quick power-save nap?PTR (QM)? _uscan._tcp.local.Any HP-compatible network scanners here?PTR (QM)? _uscans._tcp.local.Any SSL/TLS-capable HP-compatible network scanners here?PTR (QM)? _ippusb._tcp.local.Are there any shared printers that are using the IPP-over-USB protocol, i.e. USB-connected printers shared by a Mac?PTR (QM)? _scanner._tcp.local.Are there any Bonjour-capable scanners?PTR (QM)? _ipp._tcp.local.Are there any printers using the IPP protocol here?PTR (QM)? _ipps._tcp.local.Any SSL/TLS capable IPP printers?PTR (QM)? _printer._tcp.local.Any kinds of shared printers at all?PTR (QM)? _pdl-datastream._tcp.local.Any HP JetDirect-style network printers?PTR (QM)? _ptp._tcp.local.Any devices supporting the Picture Transfer Protocol over this network?PTR (QM)? _googlecast._tcp.local.Is there a ChromeCast-capable device in this network?PTR (QM)? _airport._tcp.local.Any Apple AirPort WiFi APs?PTR (QM)? _privet._tcp.local.Any Google CloudPrint-capable printers or print services?On the last two lines, the same device is sending out multicast SSDP (a HTTP-like Simple Service Discovery Protocol) messages, but
tcpdumpdoes not analyze that protocol deep enough to tell whether it's querying for local services or announcing its own network services. A SSDP query would be the first step in e.g. network uPnP, which might allow an application to request a temporary port forwarding through a NAT automatically if the NAT router has the uPnP feature enabled.I think those four lines are a fairly typical example of queries a smartphone or a tablet might make when connecting to a WiFi network.