The 5228 port listening on 3G/Edge interface could be the Google market place persistent connection to the device that allows Google to send PUSH notifications to the device (like C2DM or Google kill switch). Apple uses port 5223 on iOS devices to send Apple PUSH messages to the device. Even if the phone is connected to Wi-Fi, Apple is still able to send PUSH messages directly to the phone, and this is used for sending MDM initiation commands to the phone.
In the iOS world, output of netstat:

netstat -a
tcp4 0 0 10.XXX.XXX.XXX.4XXXX nk11p01st-courie.5223 ESTABLISHED

The 3G/Edge network interface on iOS is called pdp_ip0. A tcpdump on the interface could reveal more....

My 2 cents...

On Aug 31, 8:22 pm, ed24 <[email protected]> wrote:
> Thanks for your detailed explanation Chris.
> Based on the logs that I have, it appears that at some points the phone uses address assigned to it by my router and sometimes it seems to use its internal rmnet0 ip address belonging to 28.* address segment.
>
> I did different Google searches after reading your post and found that other people that use VirginMobile complain about even mifi devices using 28.* address segment internally and sometimes externally instead of the one from Sprint.
>
> I'll do more testing and see if I can see something that I missed.
>
> On Aug 31, 8:58 am, Chris Stratton <[email protected]> wrote:
> > On Wednesday, August 31, 2011 7:48:09 AM UTC-4, ed24 wrote:
> > > Thanks for your reply.
> > > Of course I googled. I know all of the info you put in your reply, but I am still not understanding why there are two WAN IP addresses on the phone itself.
> > > It makes no sense to me that a phone uses DOD (Department of Defense) IP address segment of 28.197.54.* for rmnet0 interface.
> >
> > Think for a minute about a PC on a home network connected to a cable modem/router. The PC has some address - 192.168.x.x or 10.x.x.x on the local LAN downstream from that cable modem, and only visible to other local machines. If you visit a get my ip type site with the PC, you'll be told an external IP address assigned by the cable company, which may change from time to time. The reason there are two different addresses is that your cable modem and/or router are doing Network Address Translation (NAT). As IPv4 space is exhausted, the cable company may even be doing an additional level of this on its own.
> >
> > Now on the mobile network, you have much the same situation, only you have NAT (and actually a whole lot more) occurring at the tower or more likely the backend network feeding it. This results in there being an address for the rmnet0 interface, which is private to the mobile company's network, and also a different external address which comes up when you visit external sites like an IP checker page.
> >
> > Why the private internal address appears to be one reserved to another organization and not one such as 192.168.x.x or 10.x.x.x is unclear, but unless you are trying to access a site in the "misappropriated" network it should not matter, since nothing will get out of the mobile carrier's network until it has been address translated.
> >
> > Likely your ip spoofing alert from your wifi router came about as a result of your android device not taking and using a local IP address assigned by the dhcp server on your wifi router, but instead picking its own. This suggests there's something wrong with the configuration of your device or of the dhcp server on your router.
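
Added example, not part of the original thread: a small Python triage of netstat output that picks out established connections to the push ports mentioned above (5223, 5228) and labels the range the local address comes from, so a carrier-internal address such as the 28.* one stands out from RFC 1918 space. The sample lines, the concrete addresses and the function names are constructed for illustration.

```python
import ipaddress

# Port-to-service mapping as described in the thread above.
PUSH_PORTS = {5223: "Apple push", 5228: "Google push"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

def classify_local(addr):
    """Label an interface address by the range it is drawn from."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    if ip.is_loopback or ip.is_link_local:
        return "local-only"
    # Not a reserved private range: either a real public address or a
    # carrier using someone else's allocation behind its NAT.
    return "public-range"

def split_endpoint(endpoint):
    """Split 'host.port' (BSD/iOS netstat) or 'host:port' (Linux/Android)."""
    host, _, port = endpoint.replace(":", ".").rpartition(".")
    return host, int(port) if port.isdigit() else None

def push_connections(netstat_text):
    """Return established IPv4 TCP connections to known push ports."""
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or f[5] != "ESTABLISHED":
            continue
        if f[0] not in ("tcp", "tcp4"):
            continue
        local_ip, _ = split_endpoint(f[3])
        remote_host, remote_port = split_endpoint(f[4])
        if remote_port in PUSH_PORTS:
            found.append((local_ip, classify_local(local_ip),
                          remote_host, PUSH_PORTS[remote_port]))
    return found

# Constructed sample: addresses and ephemeral ports are made up.
SAMPLE = """\
tcp4  0  0  10.20.30.40.49152   nk11p01st-courie.5223  ESTABLISHED
tcp   0  0  28.197.54.10:40001  192.0.2.15:5228        ESTABLISHED
tcp   0  0  192.168.1.23:51000  192.0.2.80:443         ESTABLISHED
tcp4  0  0  *.62078             *.*                    LISTEN
"""

if __name__ == "__main__":
    print(push_connections(SAMPLE))
```
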
