I recently rebuild my OpenWRT from scratch so I have some more focus on it.
And checking vnstat I noticed something odd on the 5-minute graph:
the wan interface mostly is identical to the br-an interface, but every so often has an extra 1, 2 sometimes even 3MB.
This is only visible if I do not do anything for a while, so the relatively low numbers are not drowned out by real volumes. But it intriges me. If on wan but not on br-lan, it means it is downloaded on the router itself. See 6:25 (obviously I started the PC day only at 7:00)
What might be downloading something local to the router?
As far as I know, I have no stuff installed that I know would be downloading. No ad-blocker downloading lists, no ftp server, no services other then a basic router with firewall.
Either there is something downloading on a clean OpenWRT (and if so, I hope it is nothing sinister) or I have burst of very intensive external hacking attempts (and if so, I hope the OpenWRT is hardened)
At some point I may script a tcpdump, but maybe someone here already knows what this is?
I upgraded my Archer c2600 from v21 to v24, which means due to the new kernel based DSA switch I did so without keeping config files, so I reconfigured from scratch.
As to renewed focus: Having reinstalled it only last sunday, I have checked it a few times yesterday, which can be considered new focus, because honestly I rarely checked it over the last 3 years and in a month or so hope to not have any need to check it for at least another 3 years.
It is a NTP client and server yes, but I do not think a NTP query would be 3MB. For DNS it is the standard dnsmasq, which I seem to recall does not buffer any DNS lookups. The old router version was setup for papertrail syslog, but this one not (yet)
Yes, that's what I meant with tcpdump. tcpdump generates wireshark compatible output. Not trivial though, as I cannot predict what time of day to dump it, and I cannot keep tcpdump running all night on such a limited storage device.
I'd have to script small tcpdump sections every minute or so into /tmp (RAM storage) for both wan and br-lan, and then script so it deletes the ones with no significant size difference.
Hence my question: anyone happen to already know the answer before I commit to that effort?
you do not need to store the data on the router, but can pipe it directly to a beefier machine...
On macos I use:
### MACOS
# the following works, but if you ^C the command Wireshark shuts down. -> Stop capturing in wireshark and save the file then close wireshark to end the tcpdump capture as well
ssh root@192.168.42.1 tcpdump -i pppoe-wan -U -s0 -w - 'not port 22' | /Applications/Wireshark.app/Contents/MacOS/Wireshark -k -i -
### Seems to work
Possible. given I have seen it 3 times now, and the 5 minute log only shows 1 hour. it means that happens a lot more than I would have guessed. Roughly about twice an hour (see 6:55 also)
I'll see if I can setup something for tonight or failing that, this week.
Maybe it indeed is a port-scan or something. Its seems plausible and would enable me to nicely ignore it, but it nags me. For example, afaik (and I am not an expert) port scans mostly happen on well known ports. 22, 80, 553. To fill up 1Mb it would need to indiscriminately scan all or at least all low ports. Lets see if I can catch it in the act, and hopefully see no answers.
Interesting. I was just wondering earlier today, why do we have reject as default. I though wisdom was to let them timeout on a reply rather then assist them with an immediate option to retry the next port.
Anyway, I cheaped out on the scripting, and do a cron every minute to a USB stick:
This way is hard to find the correct sample as I could not merely look at the size. I would really need to also tcpdump br-lan at the same time, so I can compare sizes. Now i had some legit through traffic showing up.
On a idle sample a nice and clean 20KB of mostly DHCP and some PPP handshaking. Most of the DHCP is not even to/from my router, just a generic "who there" from the ISP. Not sure why they do that every second. I did find a screen where my IP shows up as target, but they are rare.
I think I did find the culprit. But I am not entirely sure what I am looking at. My cautious guess is a neighbor on my shared PON fiber doing a UDP broadcast to a 224 address on a VLAN and leaking that onto the WAN side of his routerboard. Please have a look and give your opinion.
But it may also be some ISP equipment doing the same.
Because it might be a neighbour, I am blanking his IP
Anyway, not a port scan. At least not this time. Will go to default DROP regardless.
Do you mean you recognize this as a "route multicast" ? Any clues or hints?
Anyway, I have nothing in my router that responds, so given it is UDP it means it is practically already black-holed. But yes, I did change my default from reject to drop.
