I ran Wireshark on my laptop to capture the packets for only a few seconds while I had bunch of application open but inactive. I turned on address resolver and while some apps run on AWS send packets in the background via TCP makes a lot of sense, my Philip Hue System talking to my Laptop over SSDP every second wasn't immediate clear. Three of my four Hue light bulbs was on at the time of the analysis, what happens if they were off?

With all the devices connect to my network, while both my Mac and my iPad is able to control the Hue system, I exclusively use my iPhone to control, sometimes via HomeKit, some times through the Hue app.

So I went on a quest to investigate what is SSDP and when/how/why do my lightbulbs talk to my laptop.

All frames has the same src and dst port numbers:

It is IPV4

Uses UDP underneath:

From the packets, I got that there is UDP connections under SSDPs. The source port and destination port doesn't change between packets. From looking up SSDP, the patterns fit the profile. For example, use UDP port number 1900.

"SSDP is a text-based protocol based on HTTPU. It uses UDP as the underlying transport protocol. Services are announced by the hosting system with multicast addressing to a specifically designated IP multicast address at UDP port number 1900. In IPv4, the multicast address is 239.255.255.250[4] and SSDP over IPv6 uses the address set ff0X::c for all scope ranges indicated by X.[5]"

Philip Hue Disappeared when I ran Wireshark for the second time. I happen to have caught Hue talking to my laptop on my first run. I ran a few more times, and started controlling hue with my iPhone. The first time I controlled Hue on my iPhone, it send out a broadcast of "who has xxx.xxx.xxx.x address" which I failed to screenshot. As I continued to control Hue from my iPhone, the connection stopped showing up on my laptop.