Router Traffic - Excessive UDP Traffic

Highlighted
Contributor

Router Traffic - Excessive UDP Traffic

U-verse Board,

 

I recently started to experience a slow down in local network performance including video streaming to a PS3. After disconnecting everything from my network and leaving one PC connected to the U-verse router I ran a packet capture. A short capture showed a large amount of UDP traffic from strange source and destination IP addresses. Below are the details of that traffic.

 

Source:75.29.26.124

Destination:239.192.7.120

UDP

Source port: solera-epmap

Destination port: 7534

 

This is constant traffic across any PC connected to the U-verse router. Has anyone seen this before?

 

I verified the router and all firewall settings are active and at max security. Any help would be appreciated. I need to stop this traffic that is flooding my home network.

Message 1 of 9 (2,908 Views)
Employee

Re: Router Traffic - Excessive UDP Traffic

The 239.x.x.x destination address is a multicast ... this would be / is likely to be the video/audio or control stream to the STB/DVR. i.e. "normal traffic" in an IPTV system.

 

Virtually all real-time and near real-time protocols are UDP, since there is no time or space for a re-transmit and still leep the packet order.

 

 

Employee Contributor*
*I am an AT&T employee and the postings on this site are my own and don't necessarily represent AT&T's position, strategies or opinions.
Message 2 of 9 (2,908 Views)
Contributor

Re: Router Traffic - Excessive UDP Traffic

Voice and video traffic is generally transmitted using UDP... data until all data can be properly re-ordered and delivered to the application. ...

 

 

_______________________________________

 

 

 

Want to get-on Google's first page and loads of traffic to your website? Hire a SEO Specialist from Ocean Groups  [url=http://oceangroups.org/] seo pecialist [/url]

 

Message 3 of 9 (2,908 Views)
Expert

Re: Router Traffic - Excessive UDP Traffic

239.192.7.120 is the multicast IP used for Cartoon Network HD on channel 1325.

 

You had one of your STBs tuned to this channel and were seeing the IPTV stream on your network.

 

Message 4 of 9 (2,908 Views)
Contributor

Re: Router Traffic - Excessive UDP Traffic

So if I understand correctly, my entire LAN will see broadcast traffic for the channels I am viewing. Why would I want to use the U-verse router. I guess the only solution is to revert to my previous router that way my LAN is clear. Thank you for the info all.

Message 5 of 9 (2,908 Views)
Expert

Re: Router Traffic - Excessive UDP Traffic

The U-Verse router has a feature called IGMP Snooping, which will keep this multicast traffic only to those Ethernet ports that are requesting a channel.

 

For example, there are 4 Ethernet ports on the U-Verse router.  If there is an STB plugged into port 1 and a computer plugged into port 2, then the computer will not see the UDP traffic.  The U-Verse router will keep the multicast traffic only on port 1.

 

But, if you have a switch plugged into port 1, and then have an STB and a computer both plugged into the switch, then the computer will see all the multicast traffic, because that switch will not use IGMP snooping to isolate the multicast traffic.

 

Without knowing how your network is hooked up, I can't give you a recommendation on how to rewire the network to avoid the multicast traffic, but the U-Verse router is capable of separating everything if it's hooked up right.

 

Message 6 of 9 (2,908 Views)
Employee

Re: Router Traffic - Excessive UDP Traffic

 


warsonsmu wrote:

So if I understand correctly, my entire LAN will see broadcast traffic for the channels I am viewing. Why would I want to use the U-verse router. I guess the only solution is to revert to my previous router that way my LAN is clear. Thank you for the info all.


 

NOT broadcast, multicast; there's a big difference.

 

While both occupy whatever bandwidth, every host that receives a broadcast MUST, by protocol definition, look at that frame up to a level where the host can determine if the broadcast is something it must deal with; a multicast uses specific addresses (called groups ... in the range of 224.0.0.0  to 239.255.255.255) and the host has to be "looking for" the specific address/group, or it will ignore it.  The difference being the stack and process time used (computer processor time - virtually nil for multicast, more for the broadcast).

 

As pointed out above, the right switch (and/or the RG ethernet ports) prevents the multicast from going to network branches that do not have participants in the group. Broadcasts go out every port, of every hub/switch device, everytime. In high-end commercial switches, there are broadcast limiting options, but they are not often used.

 

Also, you probably saw a lot of ARP traffic too ... because ARP must occur as a natural consequence of the IP protocol, and the ARP requests are all broadcast in nature (meaning it goes to all branches of the broadcast domain - out all switch ports). Normal traffic is "unicast" - it has a specific destination from a specific source. Under normal operation, unicast traffic  can only be seen on two switch ports: the one the frame entered, and the one the frame exited; that's the nature of a switch - to create a virtual cicuit between two hosts.

 

If you plug a "sniffer" into a third port to see the traffic, you only get broadcast, multicast, and flood traffic (and only multicast on a switch that's doesn't use IGMP). Flooded traffic only occurs on a host's first transmission (assuming the destination host hasn't talked in a while to keep its address/port table entry refreshed ... if there's a table entry, there's no flood).

 

To get a genuine feel for the traffic levels and balance and normal network operation, you need one of two things: either a switch that permits "mirroring," where duplicate traffic is sent to a pre-defined monitoring port, or a "TAP,"  which passes the traffic through, but echos a copy to another device (which is my preference, to keep the critical timing intact).

 

 

Employee Contributor*
*I am an AT&T employee and the postings on this site are my own and don't necessarily represent AT&T's position, strategies or opinions.
Message 7 of 9 (2,908 Views)
Contributor

Re: Router Traffic - Excessive UDP Traffic

Thank you all for the feedback and the excellent explanations. My question has been completely addressed, as it is clear that this traffic is negligible and not a concern.

Message 8 of 9 (2,908 Views)
Expert

Re: Router Traffic - Excessive UDP Traffic

Go to this page and UNCHECK Excessive Session Detection (under Attack Detection).  It will no longer bother you with messages.

Message 9 of 9 (2,908 Views)
Share this topic
Announcements

Welcome to the AT&T Community Forums!!! Stop by the Community How-To section for tips on how to get started.