In XP, the Simple Service Discovery Protocol (SSDP) discovery service searches for Universal Plug and Play devices on your home network. SSDP searches for upstream Internet gateways using UDP port 1900 - a potential security risk many organizations will want to block. OK, you decide to block SSDP services but to your surprise, your firewall and network sniffers continue to see the UDP port 1900 packets. You have disabled XP's SSDP and even Universal Plug and Play Device Host. Whats going on? This is Universal Plug and Play Network Address Translation (NAT) traversal discovery used by Messenger. If you run a sniffer trace, the following information is displayed in the data section of the packet:

SSDP: Method = M-SEARCH
SSDP: Uniform Resource Identifier = *
SSDP: HTTP Protocol Version = HTTP/1.1
SSDP: Host = 239.255.255.250:1900
SSDP: Search Target = urn:schemas-upnp-org:device:InternetGatewayDevice:1
SSDP: Mandatory Extension = "ssdp:discover"
SSDP: Maximum Wait = 3
XP's Windows Messenger is attempting to communicate to an Internet host. To block Windows Messenger's broadcasts:

Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\DirectPlayNATHelp\DPNHUPnP
Name: UPnPMode
Type: REG_DWORD
Value: 2 disabled
With UPnPMode=2, Universal Plug and Play Network Address Translation (NAT) traversal discovery does not occur.