non-unicast packets on Wan interface (cable modem)

 
Scott
Posted: Fri Jun 18, 2010 3:02 pm    Post subject: non-unicast packets on Wan interface (cable modem)
Archived from groups: comp>os>linux>networking

Technically this isn't Linux-specific, but I couldn't find a decent
generic networking group that still existed. If anyone has a
suggestion, please point me in that direction...

While poking around my router, I noticed something interesting.
Approximately one third of the incoming traffic is classified as non-
unicast. My statistics show approximately 20 million unicast packets
and 10 million non-unicast (broadcast or multicast) packets.

Out of sheer curiosity, what are these non-unicast packets? My first
guess would be that they are DHCP traffic to or from other routers on
the same pipe, but it sure looks like an awful lot of traffic.

The internet service is a comcast cable modem.

Ken Sims
Posted: Fri Jun 18, 2010 5:44 pm    Post subject: Re: non-unicast packets on Wan interface (cable modem)

Hi Scott -

On Fri, 18 Jun 2010 11:02:04 -0700 (PDT), Scott
wrote:

>Out of sheer curiosity, what are these non-unicast packets? My first
>guess would be that they are DHCP traffic to or from other routers on
>the same pipe, but it sure looks like an awful lot of traffic.

A while back I started getting a bunch of multi-cast stuff, so I added
iptables rules to DROP anything -d 224.0.0.0/3 or -s 224.0.0.0/3 on
the INPUT of my WAN interfaces.

It was not DHCP traffic. I was already DROPping that by protocol plus
port numbers.

--
Ken

Tauno Voipio
Posted: Fri Jun 18, 2010 7:10 pm    Post subject: Re: non-unicast packets on Wan interface (cable modem)

On 18.6.10 9:02 , Scott wrote:
> Technically this isn't Linux-specific, but I couldn't find a decent
> generic networking group that still existed. If anyone has a
> suggestion, please point me in that direction...
>
> While poking around my router, I noticed something interesting.
> Approximately one third of the incoming traffic is classified as non-
> unicast. My statistics show approximately 20 million unicast packets
> and 10 million non-unicast (broadcast or multicast) packets.
>
> Out of sheer curiosity, what are these non-unicast packets? My first
> guess would be that they are DHCP traffic to or from other routers on
> the same pipe, but it sure looks like an awful lot of traffic.
>
> The internet service is a comcast cable modem.


It may be Microsoft computers hollering for visitors,
UDP ports 135 to 139 and 445. The Windows networking
stack is pretty talkative.

--

Tauno Voipio
tauno voipio (at) iki fi

Pascal Hambourg
Posted: Fri Jun 18, 2010 7:10 pm    Post subject: Re: non-unicast packets on Wan interface (cable modem)

Hello,

Scott wrote:
> Technically this isn't Linux-specific, but I couldn't find a decent
> generic networking group that still existed. If anyone has a
> suggestion, please point me in that direction...

What about comp.protocols.tcp-ip if it's IP traffic?

> While poking around my router, I noticed something interesting.
> Approximately one third of the incoming traffic is classified as non-
> unicast. My statistics show approximately 20 million unicast packets
> and 10 million non-unicast (broadcast or multicast) packets.

Over what time interval?

> Out of sheer curiosity, what are these non-unicast packets? My first
> guess would be that they are DHCP traffic to or from other routers on
> the same pipe, but it sure looks like an awful lot of traffic.

Yes, except maybe if the lease time is ridiculously short.

> The internet service is a comcast cable modem.

Maybe multicast traffic for TV?

Rick Jones
Posted: Fri Jun 18, 2010 8:10 pm    Post subject: Re: non-unicast packets on Wan interface (cable modem)

Scott wrote:
> Technically this isn't Linux-specific, but I couldn't find a decent
> generic networking group that still existed. If anyone has a
> suggestion, please point me in that direction...

> While poking around my router, I noticed something interesting.
> Approximately one third of the incoming traffic is classified as non-
> unicast. My statistics show approximately 20 million unicast packets
> and 10 million non-unicast (broadcast or multicast) packets.

> Out of sheer curiosity, what are these non-unicast packets? My first
> guess would be that they are DHCP traffic to or from other routers on
> the same pipe, but it sure looks like an awful lot of traffic.

> The internet service is a comcast cable modem.

I understand that does not have the "isolation" qualities of DSL, so it
could be traffic from your neighbors.

If it is passing through the cable modem to your system, you can run a
packet trace program to look at the traffic and see what it happens to
be. tcpdump, wireshark, etc.

rick jones
--
the road to hell is paved with business decisions...
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

Maxwell Lol
Posted: Sat Jun 19, 2010 11:41 am    Post subject: Re: non-unicast packets on Wan interface (cable modem)

Ken Sims writes:

> It was not DHCP traffic. I was already DROPping that by protocol plus
> port numbers.

Well, there's ARP. When I run a sniffer on my openwrt router, I see a
lot of ARP traffic.

Ken Sims
Posted: Sat Jun 19, 2010 12:06 pm    Post subject: Re: non-unicast packets on Wan interface (cable modem)

Hi Maxwell -

On Sat, 19 Jun 2010 07:41:51 -0400, Maxwell Lol
wrote:

>Ken Sims writes:
>
>> It was not DHCP traffic. I was already DROPping that by protocol plus
>> port numbers.
>
>Well, there's ARP. When I run a sniffer on my openwrt router, I see a
>lot of ARP traffic.

I'm no expert, but ARP is not IP, and what I was seeing was IP
traffic.

I went back through my logs and found where it started showing up. It
was LOGged (and DROPped) by my rules as "Bad Destination" traffic
because it came in on a WAN interface but the destination IP address
was 224.0.0.1, which is not my WAN IP address for that interface. Per
RFC 3330, 224.0.0.0/4 is Multicast.

Here's the first one LOGged:

Jun 8 13:29:56 router kernel: IPTLOG_BADDEST: IN=eth0 OUT=
MAC=01:00:5e:00:00:01:00:30:b8:cc:ee:50:08:00 SRC=98.187.87.65
DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=36350 PROTO=2

This is June 2009. I would get around a dozen of these at the same
time, from various different IP addresses. Then a pause for a minute
or two and the same thing again. It's a continuous thing in my June
2009 log file until shortly after 7am the next morning (after I had
checked the previous day's log and added the rule to DROP it
silently).

Protocol 2 is IGMP (Internet Group Management).

--
Ken
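
As an added example (not part of the original thread), the following Python code parses the log entry quoted in the post above and reports the destination class, the protocol name, whether the 224.0.0.0/3 DROP rule mentioned in the thread would match, and whether the destination MAC agrees with the IPv4 multicast-to-Ethernet mapping. The function names are illustrative assumptions; the sample is the quoted entry joined onto one line.

```python
import ipaddress
import re

# The log entry quoted in the post, joined onto one line as syslog writes it.
SAMPLE = (
    "Jun 8 13:29:56 router kernel: IPTLOG_BADDEST: IN=eth0 OUT= "
    "MAC=01:00:5e:00:00:01:00:30:b8:cc:ee:50:08:00 SRC=98.187.87.65 "
    "DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=36350 PROTO=2")

MULTICAST = ipaddress.ip_network("224.0.0.0/4")  # class D
RESERVED = ipaddress.ip_network("240.0.0.0/4")   # class E, incl. 255.255.255.255
DROP_RULE = ipaddress.ip_network("224.0.0.0/3")  # range used by the DROP rule
PROTO_NAMES = {"1": "ICMP", "2": "IGMP", "6": "TCP", "17": "UDP"}


def parse_fields(line):
    """Return the KEY=value pairs of an iptables LOG line (values may be empty)."""
    return dict(re.findall(r"\b([A-Z]+)=(\S*)", line))


def expected_multicast_mac(ip):
    """Ethernet group address for IPv4 multicast: 01:00:5e + low 23 address bits."""
    low23 = int(ip) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def classify(line):
    """Summarise one LOG line: destination class, protocol, rule and MAC checks."""
    f = parse_fields(line)
    dst = ipaddress.ip_address(f["DST"])
    if dst in MULTICAST:
        kind = "multicast"
    elif dst in RESERVED:
        kind = "reserved/broadcast"
    else:
        kind = "unicast"
    # MAC= holds destination MAC (6 bytes), source MAC (6 bytes), EtherType (2).
    dst_mac = f["MAC"][:17].lower()
    return {
        "kind": kind,
        "proto": PROTO_NAMES.get(f["PROTO"], f["PROTO"]),
        "ttl": int(f["TTL"]),
        "matched_by_drop_rule": dst in DROP_RULE,
        "mac_consistent": kind != "multicast" or dst_mac == expected_multicast_mac(dst),
    }


if __name__ == "__main__":
    print(classify(SAMPLE))
```
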

Ken Sims
Posted: Sat Jun 19, 2010 6:30 pm    Post subject: Re: non-unicast packets on Wan interface (cable modem)

Hi -

On Sat, 19 Jun 2010 14:16:48 -0500,
ibuprofin@painkiller.example.tld.invalid (Moe Trin) wrote:

>On Sat, 19 Jun 2010, in the Usenet newsgroup comp.os.linux.networking, in
>article , Ken Sims wrote:
>
>>I went back through my logs and found where it started showing up.
>>It was LOGged (and DROPped) by my rules as "Bad Destination" traffic
>>because it came in on a WAN interface but the destination IP address
>>was 224.0.0.1, which is not my WAN IP address for that interface. Per
>>RFC 3330, 224.0.0.0/4 is Multicast.
>
>As there is nothing on your systems listening to 224.0.0.1 by default,
>you don't even have to bother running an IP block on this traffic. Your
>router shouldn't be forwarding it anyway

As previously mentioned, I LOG and DROP incoming traffic whose
destination address is not my IP address because it's a sign of
something being amiss. So I added the specific rule for 224.0.0.0/3
(blocking both 224.0.0.0/4 and 240.0.0.0/4) so as to DROP it without
it cluttering up my log.

Even though I have DROP policies on INPUT, FORWARD, and OUTPUT, they
should never be used. I have explicit rules to cover everything.
Rules to ACCEPT what I want and explicit rules to DROP or REJECT
everything else.

--
Ken

Maxwell Lol
Posted: Sun Jun 20, 2010 10:48 pm    Post subject: Re: non-unicast packets on Wan interface (cable modem)

Ken Sims writes:

> Jun 8 13:29:56 router kernel: IPTLOG_BADDEST: IN=eth0 OUT=
> MAC=01:00:5e:00:00:01:00:30:b8:cc:ee:50:08:00 SRC=98.187.87.65
> DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=36350 PROTO=2

Addresses in 224.x.x.x are multicast.

All times are: Eastern Time (US & Canada)