chris789

Tutor

4 Messages

Tue, Mar 19, 2019 8:27 PM

Unrecognized device sending traffic on local network

I made some Wireshark captures of local network traffic and noticed a significant amount of traffic coming from an IP address I don't recognize. The IP address in question is 192.168.1.1. I'm using an NVG599 router and the DHCP server on the router is configured to hand out IP addresses in the 192.168.1.64 - 192.168.1.253 range. The IP address for the router configuration is 192.168.1.254 and all known devices are accounted for in the IP allocation table. I haven't assigned any static IP addresses. Based on the packet captures I can see that this address is sending packets to an external public IP address, usually on port 1900, which leads me to think it might have something to do with UPnP. If it is UPnP related, I would like to disable this feature entirely, but I don't see any options in the router configuration related to UPnP. Maybe this is just normal behavior for this type of router and nothing to be concerned about, but it does look vaguely like it could be traffic from some sort of malicious botnet. Has anyone else seen similar traffic on their systems or know more about this?

Tutor

4 Messages

3 years ago

[Image: Capture.JPG]

I see that the device shows up in the Windows network map as a Broadcom router, but it does not have the IP address associated with my router. It is somewhat concerning to see unknown devices on my network topology, though I understand the Windows network map is not always 100% accurate. Anyone else seen something like this?

_xyzzy_

Expert

15K Messages

3 years ago

Why not change the wifi password and reboot the gateway?  See if it's still there then.

Tutor

4 Messages

3 years ago

I rebooted with a new password and the mysterious device still shows up, but when I went through the logs of the reboot I noticed a line that shows the MAC address of the 802.11ac interface, and it is the same MAC address as the mysterious device. So my guess is that the packets are somehow related to the 802.11ac Wi-Fi interface contained in the router, and therefore not some kind of malicious attack. I do think it's strange that the interface has an IP address that was not allocated by DHCP and my computer sees it as a separate device, though. There's also no mention of that MAC address on the router configuration page, only in the logs.

_xyzzy_

Expert

15K Messages

3 years ago

Probably part of the way the firmware implements the wifi (maybe band steering?).  Curious if it disappears if you disable the wifi on both bands (assuming you can connect your computer with ethernet to check it of course).

browndk26

ACE - Professor

4.6K Messages

3 years ago

Do you have any WiFi extenders in the house? Have you tried clearing the device list in the gateway? Several years ago a phantom wireless device would show up in the 5268 gateway’s device list. I think it was the 5 GHz WiFi band. I’ll try to find the old posts in the dslreports uverse forum tomorrow.

Tutor

4 Messages

3 years ago

I do not have any Wi-Fi extenders, although if I click on properties for the mysterious device in the network map, the brand of the device is "airties", which is a company that makes Wi-Fi extenders. I guess it's possible there is some kind of AirTies device in the hardware of the router to extend the range of the Wi-Fi. It was provided by AT&T so I don't know much about its hardware components. There's no mention of the AirTies device MAC address in the router configuration page, though.

lottytx

Teacher

73 Messages

May want to try to identify the MAC address. Next, go to any number of online sources to look up the make/model of that MAC address.

To identify the MAC address, here are some suggestions: a) check the host table for your DHCP assignments, b) an ipscan tool, c) try `arp -a` from Windows cmd.
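The `arp -a` check suggested above can be scripted. The following is an added example, not part of the original thread: it parses Windows `arp -a` output and reports unicast hosts that sit outside the DHCP pool and are not the gateway, using the pool and gateway addresses given in the first post. The ARP output, the MAC addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of Windows `arp -a` output; all MAC addresses are made up.
SAMPLE_ARP = """\
Interface: 192.168.1.70 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-00-00-01     dynamic
  192.168.1.65          aa-bb-cc-00-00-02     dynamic
  192.168.1.254         aa-bb-cc-00-00-03     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ROW = re.compile(
    r"^[ \t]*(\d+\.\d+\.\d+\.\d+)[ \t]+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})[ \t]+(\w+)",
    re.I | re.M,
)

def parse_arp(text):
    """Return (ip, mac, type) tuples for every table row in `arp -a` output."""
    return [(ipaddress.ip_address(ip), mac.lower(), kind.lower())
            for ip, mac, kind in ROW.findall(text)]

def unexpected_hosts(text, pool_start, pool_end, gateway, known_macs=()):
    """List unicast neighbours outside the DHCP pool that are not the gateway."""
    lo, hi, gw = map(ipaddress.ip_address, (pool_start, pool_end, gateway))
    known = {m.lower() for m in known_macs}
    findings = []
    for ip, mac, _kind in parse_arp(text):
        first_octet = int(mac[:2], 16)
        if first_octet & 1:            # group bit set: broadcast/multicast, not a device
            continue
        if ip == gw or mac in known:   # the gateway itself or an inventoried device
            continue
        if not (lo <= ip <= hi):       # address was not handed out by the DHCP pool
            findings.append({
                "ip": str(ip),
                "mac": mac,
                "oui": mac[:8],        # vendor prefix to look up in the IEEE OUI registry
                # locally administered bit set: the prefix maps to no registered vendor
                "locally_administered": bool(first_octet & 2),
            })
    return findings

if __name__ == "__main__":
    for f in unexpected_hosts(SAMPLE_ARP, "192.168.1.64", "192.168.1.253", "192.168.1.254"):
        print(f)
```

Passing MAC addresses already accounted for (for example, the one found in the gateway's boot log) as `known_macs` removes them from the report.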
