
Unrecognized device sending traffic on local network
I made some Wireshark captures of local network traffic and noticed a significant amount of traffic coming from an IP address I don't recognize. The IP address in question is 192.168.1.1. I'm using an NVG599 router and the DHCP server on the router is configured to hand out IP addresses in the 192.168.1.64 - 192.168.1.253 range. The IP address for the router configuration is 192.168.1.254 and all known devices are accounted for in the IP allocation table. I haven't assigned any static IP addresses. Based on the packet captures I can see that this address is sending packets to an external public IP address, usually on port 1900, which leads me to think it might have something to do with UPnP. If it is UPnP related, I would like to disable this feature entirely, but I don't see any options in the router configuration related to UPnP. Maybe this is just normal behavior for this type of router and nothing to be concerned about, but it does look vaguely like it could be traffic from some sort of malicious botnet. Has anyone else seen similar traffic on their systems or know more about this?
chris789
Tutor
•
4 Messages
4 years ago
0
0
_xyzzy_
Expert
•
15K Messages
4 years ago
Why not change the wifi password and reboot the gateway? See if it's still there then.
0
0
chris789
Tutor
•
4 Messages
4 years ago
I rebooted with a new password and the mysterious device still shows up, but when I went through the logs of the reboot I noticed a line that shows the MAC address of the 802.11ac interface, and it is the same MAC address as the mysterious device, so my guess is that the packets are somehow related to the 802.11ac wifi interface contained in the router, and therefore not some kind of malicious attack. I do think it's strange that the interface has an IP address that was not allocated by DHCP and my computer sees it as a separate device, though. There's also no mention of that MAC address on the router configuration page, only in the logs.
0
0
_xyzzy_
Expert
•
15K Messages
4 years ago
Probably part of the way the firmware implements the wifi (maybe band steering?). Curious if it disappears if you disable the wifi on both bands (assuming you can connect your computer with ethernet to check it, of course).
0
0
browndk26
ACE - Professor
•
5K Messages
4 years ago
Do you have any WiFi extenders in the house? Have you tried clearing the device list in the gateway? Several years ago a phantom wireless device would show up in the 5268 gateway’s device list. I think it was the 5 GHz WiFi band. I’ll try to find the old posts in the dslreports uverse forum tomorrow.
0
0
chris789
Tutor
•
4 Messages
4 years ago
I do not have any wifi extenders, although if I click on properties for the mysterious device in the network map, the brand of the device is "airties", which is a company that makes wifi extenders. I guess it's possible there is some kind of AirTies device in the hardware of the router to extend the range of the wifi. It was provided by AT&T so I don't know much about its hardware components. There's no mention of the AirTies device MAC address in the router configuration page, though.
1
0
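The triage worked through in this thread (is the address inside the DHCP pool, does it hold a lease, does its MAC appear in the gateway's own boot log, and does it send port 1900 traffic off the LAN), as an added example that is not part of any post. The addressing comes from the first post; the MAC addresses, the log line format, the flows and all function names are constructed for illustration.

```python
import ipaddress
import re

# Addressing taken from the thread; everything under "constructed" is made up.
LAN = ipaddress.ip_network("192.168.1.0/24")
GATEWAY_IP = ipaddress.ip_address("192.168.1.254")
POOL = (ipaddress.ip_address("192.168.1.64"), ipaddress.ip_address("192.168.1.253"))
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")

def norm_mac(mac):
    return mac.lower().replace("-", ":")

def macs_in_log(log_lines):
    """Every MAC address that appears in the supplied gateway log lines."""
    return {norm_mac(m) for line in log_lines for m in MAC_RE.findall(line)}

def classify(ip, mac, leases, own_macs):
    addr, mac = ipaddress.ip_address(ip), norm_mac(mac)
    if addr == GATEWAY_IP:
        return "gateway"
    if leases.get(mac) == ip:
        return "dhcp-lease"
    if mac in own_macs:
        return "gateway-interface"   # MAC matches one the gateway logged at boot
    if POOL[0] <= addr <= POOL[1]:
        return "in-pool-without-lease"
    return "unexplained-static"

def off_lan_1900(ip, flows):
    """Destinations this host sent port 1900 traffic to that are neither LAN
    nor multicast. Ordinary SSDP discovery goes to 239.255.255.250."""
    out = set()
    for src, dst, dport in flows:
        d = ipaddress.ip_address(dst)
        if src == ip and dport == 1900 and d not in LAN and not d.is_multicast:
            out.add(dst)
    return sorted(out)

# --- constructed sample data (not from the poster's capture or gateway) ---
LEASES = {"02:00:00:aa:bb:01": "192.168.1.70"}
SEEN = {"192.168.1.70": "02:00:00:AA:BB:01", "192.168.1.1": "02-00-00-AA-BB-99",
        "192.168.1.9": "02:00:00:aa:bb:42"}
BOOT_LOG = ["wifi: 802.11ac interface up, hwaddr 02:00:00:AA:BB:99"]
FLOWS = [("192.168.1.1", "203.0.113.10", 1900), ("192.168.1.70", "239.255.255.250", 1900)]

if __name__ == "__main__":
    own = macs_in_log(BOOT_LOG)
    for ip, mac in SEEN.items():
        print(ip, classify(ip, mac, LEASES, own), off_lan_1900(ip, FLOWS))
```

A "gateway-interface" result only explains where the host lives; any destinations returned by `off_lan_1900` for it still deserve a look, since SSDP discovery is normally confined to the local multicast group.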