Microsoft is interested in retiring the NetBIOS protocols in favor of more modern local network technologies. One of these alternatives is UPnP (Universal Plug and Play), which relies on the newer SSDP (Simple Service Discovery Protocol) to advertise and discover network devices and services over UDP port 1900. SSDP is similar in purpose to mDNS (used by Apple's Bonjour and by Avahi).
In an enterprise / business network, SSDP can be dangerous if malicious or untrusted devices advertise their services and your business workstations or servers discover and use them. Because of this, many organizations recommend that SSDP and UPnP be disabled on business networks:
- https://kb.berkeley.edu/jivekb/entry.jspa?entryID=2455 (UC Berkeley)
- http://www.nullamatix.com/howto-disable-simple-service-discovery-protocol/ (Tech Blog)
If you’re interested in viewing SSDP traffic on your local network, the recommended Wireshark capture and display filters are listed at http://wiki.wireshark.org/SSDP
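Once you have SSDP traffic in a capture, the practical question is which advertisements come from devices you did not put on the network. The script below is an added example for this post (it is not from the Wireshark wiki or the other links above): it parses SSDP datagrams as they appear on UDP port 1900 and flags NOTIFY/ssdp:alive announcements and M-SEARCH responses whose LOCATION URL points at a host that is not an approved UPnP device. The approved-device list, the local subnet and the sample datagrams are all constructed for the example.

```python
"""Flag SSDP advertisements whose LOCATION points at an unapproved device.

Added example for this post (not from the Wireshark wiki or the other
links above).  The approved-device list, the local subnet and the sample
datagrams below are constructed.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed policy: the only UPnP device this network should see.
APPROVED_DEVICES = ["192.168.1.1"]
LOCAL_NET = "192.168.1.0/24"

# Constructed sample datagrams (CRLF-delimited, HTTP-style, as on the wire;
# SSDP multicasts to 239.255.255.250:1900).
SAMPLE_DATAGRAMS = [
    (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
     b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
     b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
     b"USN: uuid:approved-router::upnp:rootdevice\r\n\r\n"),
    (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
     b"NT: urn:schemas-upnp-org:device:MediaServer:1\r\nNTS: ssdp:alive\r\n"
     b"LOCATION: http://192.168.1.77:8008/desc.xml\r\n"
     b"USN: uuid:unknown-box::urn:schemas-upnp-org:device:MediaServer:1\r\n\r\n"),
    (b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
     b"LOCATION: http://203.0.113.9/setup.xml\r\n"
     b"USN: uuid:offsite::upnp:rootdevice\r\n\r\n"),
    (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
     b"NT: upnp:rootdevice\r\nNTS: ssdp:byebye\r\n"
     b"USN: uuid:approved-router::upnp:rootdevice\r\n\r\n"),
]


def parse_ssdp(datagram):
    """Split an SSDP datagram into its start line and a dict of headers.

    Header names are case-insensitive in SSDP, so they are upper-cased.
    """
    lines = datagram.decode("utf-8", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0].strip(), headers


def is_advertisement(start_line, headers):
    """True for NOTIFY ssdp:alive announcements and for M-SEARCH replies."""
    if start_line.startswith("NOTIFY"):
        return headers.get("NTS", "").lower() == "ssdp:alive"
    return start_line.startswith("HTTP/1.1 200")


def find_untrusted_advertisements(datagrams, approved_hosts, local_net):
    """Return (host, USN, LOCATION, reason) for every advertisement that
    does not come from an approved device."""
    approved = {ip_address(h) for h in approved_hosts}
    net = ip_network(local_net)
    findings = []
    for dgram in datagrams:
        start, hdr = parse_ssdp(dgram)
        if not is_advertisement(start, hdr) or "LOCATION" not in hdr:
            continue
        host = urlsplit(hdr["LOCATION"]).hostname or ""
        try:
            addr = ip_address(host)
        except ValueError:
            # A hostname in LOCATION could resolve anywhere; treat as untrusted.
            reason = "LOCATION host is not an IP literal"
        else:
            if addr in approved:
                continue
            reason = ("unapproved device on local network" if addr in net
                      else "outside local network")
        findings.append((host, hdr.get("USN", ""), hdr["LOCATION"], reason))
    return findings


if __name__ == "__main__":
    for f in find_untrusted_advertisements(SAMPLE_DATAGRAMS, APPROVED_DEVICES, LOCAL_NET):
        print("untrusted SSDP advertisement:", f)
```

Feeding it real traffic means pulling the UDP payloads of the packets matched by the Wireshark SSDP filter (or reading them with a pcap library); the interesting output is the USN and LOCATION of anything not on your approved list, which tells you what to go find on the wire.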
If you suspect other low-level network foul play auto-configuring your client devices, look for rogue DHCP servers. Run Wireshark with a display filter that shows DHCP offers, then release and renew your IP address and check whether any offers come from unauthorized servers. More info, including an example Wireshark display filter, is at http://serverfault.com/questions/8526/how-do-i-find-if-there-is-a-rogue-dhcp-server-on-my-network
Managed switches may provide additional protection, such as the DHCP snooping or rogue DHCP prevention features in HP ProCurve, Cisco, or other full-featured network equipment. More info on the ProCurve feature is available at http://www.synetx.com/tips/?p=20
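The same release/renew check can be automated instead of eyeballed in Wireshark. The script below is an added example for this post (not from the serverfault answer linked above): it parses raw BOOTP/DHCP payloads as they arrive on UDP port 68, keeps only DHCP OFFER messages, and reports any whose Server Identifier (option 54) is not in your list of authorized DHCP servers. The authorized-server list and the sample offers are constructed; `build_offer` exists only to fabricate test packets.

```python
"""Flag DHCP OFFER messages from servers outside an authorized list.

Added example for this post (not from the linked serverfault answer).
The authorized-server list and the sample offers are constructed.
"""
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that starts the option area
DHCP_OFFER = 2                      # option 53 value for an OFFER
OPT_MESSAGE_TYPE, OPT_SERVER_ID = 53, 54
OPT_PAD, OPT_END = 0, 255


def parse_dhcp(payload):
    """Parse the 236-byte fixed BOOTP header and the TLV option area."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = IPv4Address(payload[16:20])   # address being offered
    siaddr = IPv4Address(payload[20:24])   # next-server address
    chaddr = payload[28:28 + hlen]         # client hardware address
    options = {}
    i = 240
    while i + 1 < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "siaddr": siaddr,
            "chaddr": chaddr.hex(":"), "options": options}


def find_rogue_offers(payloads, authorized):
    """Return (server_ip, offered_ip, xid) for each OFFER from an unknown server."""
    authorized = {IPv4Address(a) for a in authorized}
    rogue = []
    for p in payloads:
        msg = parse_dhcp(p)
        opts = msg["options"]
        if opts.get(OPT_MESSAGE_TYPE) != bytes([DHCP_OFFER]):
            continue
        # Option 54 identifies the responding server; fall back to siaddr.
        server = (IPv4Address(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts
                  else msg["siaddr"])
        if server not in authorized:
            rogue.append((str(server), str(msg["yiaddr"]), msg["xid"]))
    return rogue


def build_offer(server_ip, offered_ip, xid=0x3903F326, mac="00:11:22:33:44:55"):
    """Build a minimal DHCP OFFER (constructed sample traffic, not a capture)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)  # op=BOOTREPLY, Ethernet
    header += bytes(4)                          # ciaddr
    header += IPv4Address(offered_ip).packed    # yiaddr
    header += IPv4Address(server_ip).packed     # siaddr
    header += bytes(4)                          # giaddr
    header += chaddr + bytes(64) + bytes(128)   # chaddr, sname, file
    options = bytes([OPT_MESSAGE_TYPE, 1, DHCP_OFFER])
    options += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    options += bytes([OPT_END])
    return header + DHCP_MAGIC + options


if __name__ == "__main__":
    AUTHORIZED = ["10.0.0.1"]                   # constructed: the real DHCP server
    captured = [build_offer("10.0.0.1", "10.0.0.50"),
                build_offer("10.0.0.200", "10.0.0.51", xid=0x1234)]
    for server, offered, xid in find_rogue_offers(captured, AUTHORIZED):
        print(f"rogue DHCP offer from {server}: offered {offered} (xid {xid:#x})")
```

The equivalent check by hand in Wireshark is the display filter `dhcp.option.dhcp == 2` (Wireshark 3.x; older releases name the field `bootp.option.dhcp`), which shows only OFFERs so you can read the server identifier off each one after the release/renew.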
Other things to look into:
- LLTD (Link Layer Topology Discovery)
- LLMNR (Link-Local Multicast Name Resolution)
- the Group Policy settings that can override some of this, under “Computer Configuration | Policies | Administrative Templates | Network”
- Wireshark's Edit > “Find Packet”, searching by “String” in “Packet details”