[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Strange network activity after updates

Henrique de Moraes Holschuh <hmh@debian.org> writes:
>Alternatively you may use 'tcpdump' instead of wireshark. 
>Run "tcpdump -s 1600 -i any -w /tmp/output.tcpdump.bin 
>host", and stop it with ^C after 5-10s. 
>It will save the packet dump to /tmp/output.tcpdump.bin, 
>which you should gzip or xz'ip before attaching.

>While you're doing the capture, just in case, DO NOT engage
>in any other activities, do not have your browser, mail user 
>agent, or any other programs open that could send credentials 
>over the wire (such as email logins, etc) just in case the 
>wireshark filter is not correct and it ends up capturing
>packets with data you'd rather keep private. 
I prefer the alternative. tcpdump is a much smaller package. :)

So, I did this for several minutes and looked at the log. Doesn't
look like it needs much technical expertise to interpret. The 
content of the packets is printed in plain text and very clearly 
what it should be for that address and port. For some odd reason 
the AP is sending out a continuous stream of uPNP data. XML URLs
to the interface points. Product ID and URLs to the hardware 
manufacturer's site. That sort of thing. Other APs send out the 
same sort of thing, in short bursts. But this one sends 10-14k 
per second non-stop. 

But I don't recall seeing that stream before in several months of 
intermittent use of that AP. It would be very, very odd if they 
just happened to change something in the configuration of the AP 
right when I downloaded my updates. So it seems most likely that
somehow the interface was tweaked by the updates so that it now 
shows the traffic that was always there. Or maybe it changed the
dhcp login scripts in a way that makes this AP think my login is 
not complete, and this constant stream of uPNP packets is the 
attempt to complete the process?

Since it's not an emergency, I can just put up with it for now.

Reply to: