On my Debian server (squeeze) I get this message every few seconds:
Sep 18 21:28:14 myhost kernel: [7903784.720091] AIF:UNPRIV connect attempt: IN=eth0 OUT= MAC= SRC=my_serverip_eth0 DST=224.0.0.251 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=52
The packets are coming from inside my server (I replaced it with my_serverip_eth0) and seem to be blocked going out to the destination 224.0.0.251.
So some task inside my server is contacting 224.0.0.251 and this is blocked by my arnos_firewall.
How can I find out who or which task is trying to do that and if it is useful or not?
And if I don't need it, how can I suppress that message then?
Those look much like Bonjour / mDNS requests to me. Those packets use multicast IP address 224.0.0.251 and port 5353.
The most likely source for this is Apple iTunes, which comes pre-installed on Mac computers (and is a popular install on Windows machines as well). Apple iTunes uses it to discover other iTunes-compatible devices in the same WiFi network.
mDNS is also used (primarily by Apple's Mac and iOS devices) to discover mDNS-compatible devices such as printers on the same network.
If this is a Linux box instead, it's probably the Avahi daemon then. Avahi is ZeroConf/Bonjour compatible and installed by default, but if you don't use DNS-SD or mDNS, it can be disabled.
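To check how much of the firewall noise matches the mDNS signature described in the answer (UDP to 224.0.0.251, port 5353), the log can be parsed and grouped by flow. This is an added example, not code from the original posts; the function names are hypothetical and the sample lines are constructed in the format shown in the question, with documentation addresses as placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in the question's log format (addresses are placeholders).
SAMPLE_LOG = """\
Sep 18 21:28:14 myhost kernel: [7903784.720091] AIF:UNPRIV connect attempt: IN=eth0 OUT= MAC= SRC=192.0.2.10 DST=224.0.0.251 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=52
Sep 18 21:28:19 myhost kernel: [7903789.720412] AIF:UNPRIV connect attempt: IN=eth0 OUT= MAC= SRC=192.0.2.10 DST=224.0.0.251 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=52
Sep 18 21:29:02 myhost kernel: [7903832.101010] AIF:UNPRIV connect attempt: IN=eth0 OUT= MAC= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=40000 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
"""

MDNS_GROUP, MDNS_PORT = "224.0.0.251", "5353"
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Return the netfilter LOG fields of one line as a dict, or None."""
    start = line.find(" IN=")
    if start == -1:
        return None  # not a netfilter LOG entry
    fields = {}
    for key, value in FIELD.findall(line[start:]):
        # LEN appears twice (IP length, then UDP length): keep the first.
        fields.setdefault(key, value)
    return fields

def is_mdns(fields):
    """True when the packet matches the mDNS multicast group and port."""
    return (fields.get("PROTO") == "UDP"
            and fields.get("DST") == MDNS_GROUP
            and fields.get("DPT") == MDNS_PORT)

def summarize(log_text):
    """Count log entries per (SRC, DST, PROTO, DPT, label)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        label = "mDNS" if is_mdns(f) else "other"
        counts[(f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("DPT"), label)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

Entries labelled "other" are the ones still worth reading individually once the mDNS traffic is accounted for.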