
Re: Strange network activity after updates



Henrique de Moraes Holschuh <hmh@debian.org> writes:
>Alternatively you may use 'tcpdump' instead of wireshark. 
>Run "tcpdump -s 1600 -i any -w /tmp/output.tcpdump.bin 
>host 239.255.255.250", and stop it with ^C after 5-10s. 
>It will save the packet dump to /tmp/output.tcpdump.bin, 
>which you should gzip or xz'ip before attaching.

>While you're doing the capture, just in case, DO NOT engage
>in any other activities, do not have your browser, mail user 
>agent, or any other programs open that could send credentials 
>over the wire (such as email logins, etc) just in case the 
>wireshark filter is not correct and it ends up capturing
>packets with data you'd rather keep private. 
I prefer the alternative. tcpdump is a much smaller package. :)

So, I did this for several minutes and looked at the log. Doesn't
look like it needs much technical expertise to interpret. The 
content of the packets is printed in plain text and very clearly 
what it should be for that address and port. For some odd reason 
the AP is sending out a continuous stream of UPnP data. XML URLs
to the interface points. Product ID and URLs to the hardware 
manufacturer's site. That sort of thing. Other APs send out the 
same sort of thing, in short bursts. But this one sends 10-14k 
per second non-stop. 

But I don't recall seeing that stream before in several months of 
intermittent use of that AP. It would be very, very odd if they 
just happened to change something in the configuration of the AP 
right when I downloaded my updates. So it seems most likely that
somehow the interface was tweaked by the updates so that it now 
shows the traffic that was always there. Or maybe it changed the
DHCP login scripts in a way that makes this AP think my login is 
not complete, and this constant stream of UPnP packets is the 
attempt to complete the process?

Since it's not an emergency, I can just put up with it for now.
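To put a number on what the capture shows, here is an added example that is not part of this thread: a small Python reader for the tcpdump file that understands the Linux "cooked" (SLL) framing `-i any` produces as well as plain Ethernet, keeps only UDP sent to 239.255.255.250:1900, and reports per-sender bytes per second together with the NT and LOCATION headers in the NOTIFY messages, so a device announcing non-stop stands out from the normal short bursts. The sample capture, the 192.0.2.x addresses and the NOTIFY body are constructed for the example.

```python
import struct
from collections import defaultdict
SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900
LINK_ETH, LINK_SLL = 1, 113   # "tcpdump -i any" writes Linux "cooked" (SLL) frames, not Ethernet

def iter_udp(pcap: bytes):
    """Yield (ts, src_ip, dst_ip, dst_port, payload) for each IPv4/UDP record in a pcap file."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"  # classic usec magic
    off, hdr_len = 24, {LINK_ETH: 14, LINK_SLL: 16}[struct.unpack(endian + "I", pcap[20:24])[0]]
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        ip = frame[hdr_len:]   # EtherType is the last 2 bytes of either link header; proto 17 = UDP
        if frame[hdr_len - 2:hdr_len] != b"\x08\x00" or len(ip) < 20 or ip[9] != 17:
            continue
        ihl = (ip[0] & 0xF) * 4
        src, dst = (".".join(map(str, ip[o:o + 4])) for o in (12, 16))
        dport, ulen = struct.unpack("!HH", ip[ihl + 2:ihl + 6])
        yield sec + usec / 1e6, src, dst, dport, ip[ihl + 8:ihl + ulen]
def ssdp_rates(pcap: bytes):
    """Per SSDP sender: bytes/s to the multicast group (window clamped to >= 1 s) plus NT/LOCATION seen."""
    seen = defaultdict(lambda: {"pkts": [], "nt": set(), "location": set()})
    for ts, src, dst, dport, payload in iter_udp(pcap):
        if dst != SSDP_GROUP or dport != SSDP_PORT:
            continue
        s = seen[src]
        s["pkts"].append((ts, len(payload)))
        for line in payload.split(b"\r\n")[1:]:   # skip the "NOTIFY * HTTP/1.1" request line
            key, _, val = line.partition(b":")
            if key.strip().upper() in (b"NT", b"LOCATION"):
                s[key.strip().decode().lower()].add(val.strip().decode(errors="replace"))
    return {src: {"bytes_per_s": sum(n for _, n in s["pkts"]) / max(s["pkts"][-1][0] - s["pkts"][0][0], 1.0),
                  "nt": s["nt"], "location": s["location"]} for src, s in seen.items()}

# Constructed sample capture (not real traffic): SLL-framed NOTIFY packets from two devices.
SAMPLE_NOTIFY = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n"
                 b"NTS: ssdp:alive\r\nLOCATION: http://192.0.2.1:1900/igd.xml\r\n\r\n")
def sll_record(ts, src, dst, dport, payload):   # one pcap record: SLL + IPv4 + UDP, checksums zero
    udp = struct.pack("!HHHH", 49152, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + udp
    frame = struct.pack("!HHH8sH", 4, 1, 6, b"\0" * 8, 0x0800) + ip
    return struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(frame), len(frame)) + frame

def sample_pcap():   # 192.0.2.1 sends 5 NOTIFYs/s for ~2 s; 192.0.2.2 sends one normal 3-packet burst
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINK_SLL)
    recs = [sll_record(100 + i / 5, "192.0.2.1", SSDP_GROUP, SSDP_PORT, SAMPLE_NOTIFY) for i in range(10)]
    recs += [sll_record(100.5 + i / 100, "192.0.2.2", SSDP_GROUP, SSDP_PORT, SAMPLE_NOTIFY) for i in range(3)]
    return hdr + b"".join(recs)
```

On a real file, `ssdp_rates(open("/tmp/output.tcpdump.bin", "rb").read())` gives the same per-sender summary; the window is clamped to one second so a single short burst is not reported as an inflated rate.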
