Tutor

 • 

4 Messages

Tue, Mar 19, 2019 8:27 PM

Unrecognized device sending traffic on local network

I made some Wireshark captures of local network traffic and noticed a significant amount of traffic coming from an IP address I don't recognize. The IP address in question is 192.168.1.1. I'm using an NVG599 router, and the DHCP server on the router is configured to hand out IP addresses in the 192.168.1.64 - 192.168.1.253 range. The IP address for the router configuration is 192.168.1.254, and all known devices are accounted for in the IP allocation table. I haven't assigned any static IP addresses. Based on the packet captures I can see that this address is sending packets to an external public IP address, usually on port 1900, which leads me to think it might have something to do with UPnP. If it is UPnP related, I would like to disable this feature entirely, but I don't see any options in the router configuration related to UPnP. Maybe this is just normal behavior for this type of router and nothing to be concerned about, but it does look vaguely like it could be traffic from some sort of malicious botnet. Has anyone else seen similar traffic on their systems, or does anyone know more about this?

Responses

Tutor

 • 

4 Messages

a year ago

[Image: Capture.JPG]

I see that the device shows up in the Windows network map as a Broadcom router, but it does not have the IP address associated with my router. It is somewhat concerning to see unknown devices on my network topology, though I understand the Windows network map is not always 100% accurate. Has anyone else seen something like this?

_xyzzy_

ACE - Expert

 • 

15K Messages

a year ago

Why not change the wifi password and reboot the gateway?  See if it's still there then.

___________________________________________________

This is a public forum and I am a customer just like you. Click "Like" if you feel this post is helpful and "Accept as Solution" if it solves your problem.

Award for Community Excellence 2019 Achiever*
*I am not an AT&T employee, and the views and opinions expressed on this forum are purely my own. Any product claim, statistic, quote, or other representation about a product or service should be verified with the manufacturer, provider, or party.

Tutor

 • 

4 Messages

a year ago

I rebooted with a new password and the mysterious device still shows up, but when I went through the logs of the reboot I noticed a line that shows the MAC address of the 802.11ac interface, and it is the same MAC address as the mysterious device. My guess is that the packets are somehow related to the 802.11ac Wi-Fi interface contained in the router, and therefore not some kind of malicious attack. I do think it's strange that the interface has an IP address that was not allocated by DHCP and that my computer sees it as a separate device, though. There's also no mention of that MAC address on the router configuration page, only in the logs.

_xyzzy_

ACE - Expert

 • 

15K Messages

a year ago

Probably part of the way the firmware implements the wifi (maybe band steering?).  Curious if it disappears if you disable the wifi on both bands (assuming you can connect your computer with ethernet to check it of course).

browndk26

ACE - Professor

 • 

2.1K Messages

a year ago

Do you have any WiFi extenders in the house? Have you tried clearing the device list in the gateway? Several years ago a phantom wireless device would show up in the 5268 gateway’s device list. I think it was the 5 GHz WiFi band. I’ll try to find the old posts in the dslreports uverse forum tomorrow.

Award for Community Excellence 2019 Achiever*
*I am not an AT&T employee, and the views and opinions expressed on this forum are purely my own. Any product claim, statistic, quote, or other representation about a product or service should be verified with the manufacturer, provider, or party.

Tutor

 • 

4 Messages

a year ago

I do not have any Wi-Fi extenders, although if I click on properties for the mysterious device in the network map, the brand of the device is "airties", which is a company that makes Wi-Fi extenders. I guess it's possible there is some kind of AirTies device in the hardware of the router to extend the range of the Wi-Fi. It was provided by AT&T, so I don't know much about its hardware components. There's no mention of the AirTies device MAC address in the router configuration page, though.

lottytx

Teacher

 • 

69 Messages

You may want to try to identify the MAC address. Next, go to any number of online sources to look up the make / model of that MAC address.

To identify the MAC address, here are some suggestions:

a) check the host table for your DHCP assignments
b) use an ipscan tool
c) try `arp -a` from the Windows cmd
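An added example, not code from any poster in this thread, of the `arp -a` check suggested above: it parses Windows `arp -a` output, skips multicast and broadcast entries, and lists neighbours that are neither the gateway nor inside the DHCP pool, using the addresses given in the first post. The sample output and its MAC addresses are constructed.

```python
import ipaddress
import re

# Values from the first post: DHCP pool and gateway address.
DHCP_FIRST = ipaddress.IPv4Address("192.168.1.64")
DHCP_LAST = ipaddress.IPv4Address("192.168.1.253")
GATEWAY = ipaddress.IPv4Address("192.168.1.254")

# Constructed sample of Windows `arp -a` output (MAC addresses are made up).
SAMPLE_ARP = """\
Interface: 192.168.1.70 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           02-11-22-33-44-55     dynamic
  192.168.1.72          00-11-22-aa-bb-cc     dynamic
  192.168.1.254         00-11-22-33-44-50     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
"""

ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+\w+",
    re.M,
)

def parse_arp(text):
    """Yield (ip, mac) for unicast neighbours found in `arp -a` output."""
    for ip, mac in ROW.findall(text):
        if int(mac[:2], 16) & 0x01:  # group bit set: multicast/broadcast entry
            continue
        yield ipaddress.IPv4Address(ip), mac.lower().replace("-", ":")

def review(text):
    """Return neighbours that are neither the gateway nor in the DHCP pool."""
    findings = []
    for ip, mac in parse_arp(text):
        if ip == GATEWAY or DHCP_FIRST <= ip <= DHCP_LAST:
            continue
        findings.append({
            "ip": str(ip),
            "mac": mac,
            "oui": mac[:8],  # first three octets: the part a vendor lookup uses
            # A locally administered MAC is not vendor-assigned, so an OUI
            # lookup on it says nothing reliable about the manufacturer.
            "locally_administered": bool(int(mac[:2], 16) & 0x02),
        })
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_ARP):
        print(finding)
```

Compare the `mac` of each finding against the MAC addresses in the gateway's own logs and device list before treating it as a foreign device.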
