Once in a while I open wireshark and just look at my baseline traffic. It's useful for when I actually want to find something weird to quickly distinguish between what's normal and what looks fishy.

Weird traffic

One of the quickest ways of discarding normal traffic is by looking at the destination hosts and ports. This is one of those cases where both the destination reverse lookup and the port looked weird to me.

Well, hpvirtgrp sounds like it should be something along the lines of HP Virtual Machine Group Management. I'm pretty sure there should be no HP-related traffic coming from my host, specially to some random domain on the internet.

Lets see what's using this port:

# netstat -b | grep 5223
tcp4       0      0 ie-in-f125.1e100.5223  ESTABLISHED
# lsof -i | grep 5223
imagent     333 diogo    6u  IPv4 0x79c68369b31f8d65      0t0  
TCP>ie-in-f125.1e100.net:5223 (ESTABLISHED)
# ps aux | grep imagent
diogo            333   0.0  0.2  2540616  40544   ??  S    Sun02PM   
1:52.36 /System/Library/PrivateFrameworks/IMCore.framework/imagent.app

So it seems that port 5223 is being used by a process called imagent to connect remotely to this domain: ie-in-f125.1e100.net. What is imagent? Let me google that for you.

Turns out that this process is part of IMCore.framework and used by Facetime (and more generically Messages) to coordinate with our buddies. A simple strings on the binary validates this theory:

# strings imagent

Cool, to it looks like this belongs to Apple and it's not some rogue process. What's up with the weird domain then:

# whois 1e100.net
        DNS Admin
        Google Inc.
        1600 Amphitheatre Parkway
         Mountain View CA 94043
        dns-admin@google.com +1.6502530000 Fax: +1.6506188571

    Domain Name: 1e100.net

Wait, what? So this application is talking to a domain that is owned by google? Also, this domain seems to be parked by Sedo's domain parking (that doesn't seem very googlesc):

A little bit more digging shows me that port 5223 is actually also used for jabber-ssl which reminds me that I have my gtalk configured on my Messages app. To validate this, I started another wireshark capture, and I send a few messages to my friends, and saw the same traffic pattern show up.

I'm still not clear on why google is using this domain pattern, or why did they let the domain be parked by Sedo, but from a L3/4 perspective: Mystery solved.

EDIT: Looks like I'm an idiot and 1e100 is a googol (I should have seen that one coming). Thanks Ben for pointing it out.