Nlbwmon's other traffic

I've installed OpenWRT 22.03.3 (including nlbwmon).

According to @jow's description on github:

nlbwmon tracks traffic by IP Version (ipv4/ipv6), by IP Address, by MAC address, and by layer7 protocol (ie, port numbers). ... The default protocol file contains approximately 45 port definitions. The user can add/remove ports to this file as necessary. Any traffic that doesn't match a port definition is classified as 'Other'.

I've added some entries to the protocol file to accomplish my personal needs. Nevertheless nlbwmon discovers a huge amount of other traffic.

I've tried to discover this other traffic with the help of tcpdump - without success so far.

I'm looking for the other traffic with the following command (all other traffic is generated by clients of the br-lan interface, p1 ... pn are port numbers):

tcpdump -i br-lan -nv 'not ( (tcp or udp) and port (p1 or ... or pn) )'

About every 10 to 20 seconds tcpdump lists some ARP records, nothing else:

20:50:55.778825 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.22.10.14 tell 172.22.10.1, length 28
20:50:55.779170 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.22.10.14 is-at <mac-addr>, length 42
20:51:12.978823 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.22.10.30 tell 172.22.10.1, length 28
20:51:12.979210 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.22.10.30 is-at <mac-addr>, length 46

I can't imagine that these ARP queries sum up to more than 43 MBytes within one day (despite the fact that this traffic is between two br-lan clients).

I have a bad feeling that I'm missing something. But what? Can anybody help?

There is a large disconnect between what you are asking tcpdump for, and the categories on nlbwmon.

You have on nlbwmon:

  • TCP traffic that is HTTPS protocol
  • TCP traffic that is HTTP
  • TCP traffic that is POP3
  • Everything else.

Everything else means every other form of TCP and UDP traffic that isn't HTTP/HTTPS/POP3. There are dozens of things it could be: SMTP, FTP, SMB, BitTorrent, IMAP, Siri/Hey Google, the list is endless.

The real problem is that you have tcpdump filtering out all TCP and UDP, so it's likely just filtering out the particular TCP and/or UDP protocols being used in that other category. What you want to do is filter out only HTTP, HTTPS, and POP3 in tcpdump, so its "everything else" matches nlbwmon's current everything else.

The picture I used in my initial posting showed only the upper part of nlbwmon's table. My intention was to show that the other traffic is the 3rd biggest data amount. Sorry for being incomplete.

Agreed!

I've filtered all ports that appear in nlbwmon's listing. So - as you correctly said - tcpdump lists nlbwmon's other traffic.

But there is only ARP traffic, and I doubt that this traffic sums up to more than 43 MByte in one day.

If that's a full day's worth of traffic, then that's not impossible. You said you saw a request every 10-20 seconds. Doing the math you'll get 43MB with one request every 7 seconds.

But without seeing the complete list of categories nlbwmon is considering, and the exact filter tcpdump is using to filter out only those same categories, I can't verify if they match 100%.

nlbwmon draws its information from conntrack, so better look into /proc/net/nf_conntrack and filter out entries with known ports, e.g.

grep -vE 'port=(80|443|53) ' /proc/net/nf_conntrack
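Going one step beyond the grep above, the following script (an added example, not posted in the thread) tallies conntrack flows whose destination port is not in the known list, so the ports making up nlbwmon's "Other" show up ranked by bytes. It assumes conntrack accounting is enabled (the packets=/bytes= fields are present, which nlbwmon needs anyway) and uses constructed sample lines instead of the real /proc/net/nf_conntrack.

```shell
#!/bin/sh
# Constructed sample in /proc/net/nf_conntrack format (not captured from a real router).
# Each line carries both directions of a flow, each with its own packets=/bytes= counters.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=172.22.10.14 dst=203.0.113.10 sport=51234 dport=443 packets=10 bytes=1200 src=203.0.113.10 dst=172.22.10.14 sport=443 dport=51234 packets=8 bytes=5000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=172.22.10.14 dst=203.0.113.20 sport=51300 dport=8080 packets=100 bytes=40000 src=203.0.113.20 dst=172.22.10.14 sport=8080 dport=51300 packets=90 bytes=9000000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=172.22.10.30 dst=172.22.10.1 sport=40000 dport=53 packets=1 bytes=60 src=172.22.10.1 dst=172.22.10.30 sport=53 dport=40000 packets=1 bytes=120 mark=0 zone=0 use=2
ipv4     2 udp      17 170 src=172.22.10.30 dst=203.0.113.30 sport=12345 dport=3478 packets=50 bytes=7000 src=203.0.113.30 dst=172.22.10.30 sport=3478 dport=12345 packets=40 bytes=6000 [ASSURED] mark=0 zone=0 use=2'

# other_traffic_by_port 'p1|p2|...' < conntrack_lines
# Prints "proto dport total_bytes" for every flow whose original-direction
# destination port is NOT in the known list, largest first. Bytes of both
# directions are summed, which is what nlbwmon's per-flow totals reflect.
other_traffic_by_port() {
    awk -v known="^($1)$" '
        {
            proto = $3; dport = ""; total = 0
            for (i = 1; i <= NF; i++) {
                # the first dport= belongs to the original (client -> server) direction
                if (dport == "" && $i ~ /^dport=/) { split($i, a, "="); dport = a[2] }
                if ($i ~ /^bytes=/)              { split($i, b, "="); total += b[2] }
            }
            if (dport != "" && dport !~ known) sum[proto " " dport] += total
        }
        END { for (k in sum) print k, sum[k] }
    ' | sort -k3 -n -r
}

# Known ports here mirror a small protocol file (HTTP, HTTPS, DNS, POP3, POP3S).
printf '%s\n' "$SAMPLE_CONNTRACK" | other_traffic_by_port '80|443|53|110|995'
```

On a live router, replace the printf with `other_traffic_by_port '...' < /proc/net/nf_conntrack`; the top line is the first candidate to add to nlbwmon's protocol file.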

In the meantime I found the reason for the high amount of other traffic: a program called during the boot process of my main PC generates this traffic. When starting tcpdump after booting, it never catches this other traffic. So I booted my laptop, started tcpdump from there and then booted my main PC, and suddenly tcpdump discovered the other traffic: TCP on port 8080. After updating the protocol file, there's only 25 KiB of other traffic.
