
I received an alarm the other day of LAND Attack.

I'm a network engineer and we recently allowed the use of iPhones on the business wireless network for testing for possible business deployment.

I received an alarm the other day of LAND Attack. Further investigation showed in a sniffer capture that all these "Attacks" were from Apple devices on the network. The behavior was very odd.

Client initiated connection to Apple 17.173.254.222; after 8 attempts it went to 17.173.254.223, source port 16403, destination 16384.

Apple 17.173.254.222 responds to the client IP address 192.168.100.23 on port 16384 to client on port 16403

apple 17.173.254.223 does the same

This is where it gets interesting.

The client 192.168.100.23 responds not to Apple but to its outside translated address 12.124.1.15 (not the real IP), port 16403 both source and destination.

This generates a LAND attack notification.

apple 17.173.254.223 responds to 192.168.100.23

client sends response to its translated address again.. Another LAND Attack message is generated.

Then 17.173 sends a response to 192.168.100.23

client responds to 17.173.254.223 this time..


What the heck is going on? How is the translated address for this client getting involved this way? It's not just this one. I have picked off 3000 in the past 24 hours.

It's almost time to shut down all Apple devices from the network unless I get a handle on this.


Any thoughts ??


DEVICES SEEN ARE IPHONES MOSTLY AND SOME IPADS

<Re-Titled by Host>

Posted on Jun 1, 2012 10:02 AM
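
The sequence described in the post above, as an added example (not part of the original post or of any vendor tooling): a Python triage pass that separates a packet that is already self-addressed on the wire from one that only meets the LAND condition (same address and port as both source and destination) once the client's source address is translated. It assumes the firewall checks the signature after translation; the NAT table, the function names and the last sample packet are constructed for illustration.

```python
from collections import Counter

# Assumption: inside host -> outside translated address, taken from the post.
NAT_TABLE = {"192.168.100.23": "12.124.1.15"}
# UDP RTP/RTCP ranges quoted later in this thread (16384-16472).
MEDIA_PORTS = range(16384, 16473)


def is_land(src, sport, dst, dport):
    """Classic LAND condition: source endpoint equals destination endpoint."""
    return src == dst and sport == dport


def triage(pkt):
    """Label one packet, given as (src, sport, dst, dport) seen on the inside."""
    src, sport, dst, dport = pkt
    if is_land(src, sport, dst, dport):
        return "land"  # already self-addressed before any translation
    translated = NAT_TABLE.get(src)
    if translated and is_land(translated, sport, dst, dport):
        # The inside host addressed its own mapped address; the endpoints
        # only become identical after source translation.
        kind = "media" if sport in MEDIA_PORTS else "other"
        return "nat-self-" + kind
    return "normal"


def summarize(packets):
    """Count labels so the volume of each alert cause is visible."""
    return Counter(triage(p) for p in packets)


# Constructed sample: the first four follow the post, the last is synthetic.
SAMPLE = [
    ("192.168.100.23", 16403, "17.173.254.222", 16384),
    ("192.168.100.23", 16403, "12.124.1.15", 16403),
    ("192.168.100.23", 16403, "12.124.1.15", 16403),
    ("192.168.100.23", 16403, "17.173.254.223", 16384),
    ("12.124.1.15", 139, "12.124.1.15", 139),
]

if __name__ == "__main__":
    for label, count in summarize(SAMPLE).items():
        print(label, count)
```

Alerts labelled `nat-self-media` point at an inside client using its own mapped address on a media port, which is a different triage path from a packet that arrives already self-addressed.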


Feb 2, 2017 12:53 PM in response to goilala

Hi,


Searching Google suggests the ASA 5510 is a Cisco network device of some kind.


Looking at pictures it seems it is a four port router in a Server rack style body.


I have no knowledge of this device.


I am not sure I can add much more on the way iChat worked when it was in iChat 2 and 3 when you could Video from within the app - or the port changes in iChat 4 and later - which do go into Messages for the AIM and Jabber (plus Bonjour) accounts.


Messages in El Capitan and Sierra no longer do Video chats from within the app for AIM, Jabber and Bonjour.

The only related option is an iMessages conversation invoking the FaceTime app.


As said earlier Apple now have this Doc on the ports used by iChat 3

Using iChat with a firewall or NAT router - Apple Support


If you use an AIM Account then port 5190 to login to the AIM servers.

It now uses port 80 to Apple and port 443 to AIM and this double Login verifies that you are logging in to allow Apple to let AIM see the password of the Apple ID if you are using one.


Ports 5222 and 5223 are about Jabber/Google Logins


Video (or Audio Only chats) used to start on port 5678 then move to 5060 for the invite pasts the then 4 ports in iChat 2 and 3 from 16384 - 160403 (one each for Vid In, Vid Out, Audio in and Audio Out)

At iChat 4 and onwards the Video/Audio ports become 16303-16402 (10 ports within the earlier range). This coincided with the Audio and Video using only one port in and out.


As some people are still using iChat 3 then you will see the ports listed in some connections.



In Messages in Sierra the Little Snitch App reports these ports

User uploaded file


The last is the Yahoo Plugin that no longer works. IMAgent handles Buddy List accounts (AIM, Jabber which includes Google and Bonjour).


IMRemote and the identityservicesd are the Messages login bits. There are loads of IP addresses for the server farms for this.

Small selection

User uploaded file


Without knowing more about what you are actually seeing it is difficult to say more.




8:53 pm Thursday; February 2, 2017


 iMac 2.5Ghz i5 2011 (Sierra)
 G4/1GhzDual MDD (Leopard 10.5.8)
 MacBookPro 2Gb (Snow Leopard 10.6.8)
 Mac OS X (10.6.8),
 iPhone 6 iOS 10.x and an iPad (2)

Jun 1, 2012 1:04 PM in response to michael from spotsylvania

Hi,


I have some sampled ports and IPs from Little Snitch

This is from Using Message Beta on Mac which should be using the same ports and IPs.


Messages itself

User uploaded file



IMRemote... is to do with iMessages as far as I can make out

User uploaded file


IMAgent is now seemingly only handling Account Logins

User uploaded file


There is a separate Apple Push Service that is handling some of the iMessage Stuff

User uploaded file



I don't have any software to capture the traffic through the router.

I do have 4 iPhones here in total.




9:01 PM Friday; June 1, 2012

Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"


 iMac 2.5Ghz 5i 2011 (Lion 10.7.4)
 G4/1GhzDual MDD (Leopard 10.5.8)
 MacBookPro 2Gb (Snow Leopard 10.6.8)
 Mac OS X (10.7.4),
"Limit the Logs to the Bits above Binary Images."  No, Seriously

Jun 1, 2012 1:56 PM in response to Ralph-Johns-UK

Addition due to issues with Posting.


Defcom and I once helped someone whose female relative was in New York and was having issues with Video chats in an older version of iChat.


Tracing the issue by the male poster led to finding out the woman's ISP was routing Incoming stuff and Outgoing stuff by different routes to get around a maintenance/Damage cable issue.


This meant that the iChat in use at that time thought it was in "two" places and it needs to be in just one.



The client 192.168.100.23 responds not to Apple but to its outside translated address 12.124.1.15 (not the real IP), port 16403 both source and destination.


If this Outside Translated port is your Public IP then part of this would be correct.


I say this as iChat will list in the Connection Doctor on a failed chat the LAN IP and the Public IP that is involved.


Sometimes it can actually be seen in the Failed Log


Video Conference Support Report:

0.000000 @SIP/Transport.c:2362 type=1 (00000000/0)

[SIP/2.0 200 OK


Via: SIP/2.0/UDP 66.26.xxx.xxx:16402;branch=z9hG4bK668cf68705ef5e9a


To: 0 <sip:user@lip:16402>;tag=1912370167 To is to lip


From: u0 <sip:user@192.168.11.2:16402>;tag=506858487


Call-ID: 18c8f0e4-c54b-11dc-a8eb-bbeee8514012@192-168-11-2


The previous post with the pics has one that does list my Public IP as part of the process.


I hope this provides some light on the subject.



9:56 PM Friday; June 1, 2012


Jan 23, 2014 10:40 AM in response to michael from spotsylvania

I know this is an EXTREMELY old question, and you may or may not have found the answer; however, I was running into this same issue. Two days ago, I checked my log files at the workplace and noticed only MY iPhone was sending out multiple UDP packets to these IPs - 17.173.254.222 and 17.173.254.223. I have researched it; the port that it sends out of is 16403, destined to port 16385; these ports are TCP/UDP ports for RTP...

Apple:

16384-16403 UDP Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) - connected, - iChat AV (Audio RTP, RTCP; Video RTP, RTCP)

16384-16387 UDP Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) - connected, - FaceTime, Game Center

16393-16402 UDP Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) - - FaceTime, Game Center

16403-16472 UDP Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) - - Game Center

I noticed when I disconnect from the network and reconnect, the traffic starts again, also, when trying to update my apps, the firewall blocks the connection to those IPs as well, thus blocking the updates.

What I did was just create some ACLs that were Apple specific, allowing traffic through various ports that the iPhone uses - it put an end to the firewall blocking and logging the traffic. Below is a link for the ports.

http://support.apple.com/kb/ts1629

Jan 23, 2014 12:37 PM in response to GFrazier

Hi,


Originally (iChat 3 and earlier) iChat would send an Invite request on port 5678 using UDP.

It then moved to Port 5060 to repeat the invite using the SIP protocol.

The actual AV chat then used 4 ports starting at 16384 as first choice.

The Document Apple produced then suggested 20 ports should be allowed. (plus another 10 for connection purposes for the various Accounts)

See http://support.apple.com/kb/HT1507


iChat 4 and later (including Messages) moved the SIP invite and Connection process to port 16402 as first choice.

Video and Audio Chat also then use one port rather than the earlier Vid In, Vid Out, Audio In, Audio Out 4 port method.

The first choice for this remains 16402.

Apple did have a Document for this that listed just 10 ports (16939-160420) which is inside the "group of 20 Ports" from the earlier versions (16384-146403)


When iMessages and FaceTime came out Apple produced this Document http://support.apple.com/kb/HT4245

This again highlights the Video ports that FaceTime uses which in fact seem to line up with the iChat ones.

However it seems the two apps use different protocols for doing the two types of Video.


Although the AIM, Jabber and Bonjour account in Messages can use the "iChat Style" video none of the other accounts can.

The iMessages one can invoke the FaceTime app though.


Apple do claim that Video/Video connections are dynamic in later versions of iChat and in Messages.

I.e. the Ports listed in the tables are not always followed through on routing the connection across the Internet.






8:37 pm Thursday; January 23, 2014


 iMac 2.5Ghz 5i 2011 (Mavericks 10.9)
 G4/1GhzDual MDD (Leopard 10.5.8)
 MacBookPro 2Gb (Snow Leopard 10.6.8)
 Mac OS X (10.6.8),
 Couple of iPhones and an iPad
