Understanding router traffic - who is doing that?


I've set up some network traffic monitoring tools for OpenWRT 21.2.01, described here. It's a good list.

iftop is pretty nifty and the ~/.iftoprc is helpful for getting simple outputs like on the iftop project page. This is what's in ~/.iftoprc:

hide-source: yes
line-display: one-line-both
port-display: on
port-resolution: yes

This and the iftop filters make it simple to remove the clutter, like HTTP on port 80, HTTPS on port 443, NTP on port 123 and DNS on port 53, with this:

iftop -i wan -f "not port ntp and not port 80 and not port 443 and not port 53"

What's remaining appears to be some bizarre traffic happening on non-standard ports.

It's not at all clear what's going on with someone in Switzerland on port 8099 (thank you nslookup). And there are a few Amazon AWS instances that seem to communicate with something on my router or home network even after a reboot.

What are some good tools for OpenWRT for discovering more about the devices or processes associated with these external machines and network ports?

How can I find out who's doing what on my router or my network?


the keywords for figuring this out were 'network forensics'

this post had some good ideas, including the IP WHOIS lookup.

fwiw, FlightRadar24 telemetry seems to report with udp on port 8099.

that's not documented anywhere obvious :shushing_face: :joy:

Are these inbound or outbound connections?

Do you have upnp or upnp2 enabled?

these appear to be outbound connections... mmm, mostly. the 1-line format in iftop hides the direction, so setting it back to 2-line mode shows this clearly.

  • line 1: outbound transfer to an amazon ec2 machine. I have no idea what's doing that. Perhaps FlightRadar24.
  • line 2: definitely FlightRadar24 telemetry
  • lines 3, 6, 8, 9, 10, 13, 14, and 16 have no source or destination port. what? why not? (13,14,16 are dns, machine names but all port 53 traffic was removed from this scan)
  • line 5: ???
  • line 7: ???


I have no idea if upnp or upnp2 is enabled. I will look. what would these provide in the hunt for understanding what processes or services are making these data transfers?
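
Added example, not part of any post in this thread: iftop on the wan interface only sees post-NAT addresses, so one way to tie a remote IP and port back to a LAN device is to read the router's connection-tracking table, whose first src= field is the pre-NAT LAN address, and join it with the DHCP leases. The sample data below is constructed; on the router the inputs would be /proc/net/nf_conntrack and /tmp/dhcp.leases (assumed here to be the default dnsmasq lease path).

```shell
#!/bin/sh
# Added example: attribute conntrack flows to LAN hosts via DHCP leases.
# usage:  flows_by_host CONNTRACK_FILE LEASES_FILE
# output: lan_src hostname proto remote_ip remote_port flow_count
flows_by_host() {
    awk '
    # dnsmasq lease line: expiry mac ip hostname client-id
    FILENAME == ARGV[1] { name[$3] = $4; next }
    {
        # The first src=/dst=/dport= on a conntrack line is the original
        # (pre-NAT) direction, so src is the LAN host, not the WAN address.
        proto = $3; src = ""; dst = ""; dport = "-"
        for (i = 4; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            else if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
            else if (dport == "-" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        if (src == "") next                      # not a flow entry
        if (dport ~ /^(80|443|123|53)$/) next    # same clutter the iftop filter drops
        host = (src in name) ? name[src] : "-"   # "-": no lease (static host or the router)
        n[src " " host " " proto " " dst " " dport]++
    }
    END { for (k in n) print k, n[k] }' "$2" "$1" | sort
}

# Constructed sample data (documentation address ranges), not from the thread.
sample_flows() {
    d=$(mktemp -d) || return 1
    cat > "$d/leases" <<'EOF'
1700000000 aa:bb:cc:00:00:23 192.168.1.23 pi-feeder 01:aa:bb:cc:00:00:23
1700000000 aa:bb:cc:00:00:40 192.168.1.40 laptop *
EOF
    cat > "$d/conntrack" <<'EOF'
ipv4 2 udp 17 58 src=192.168.1.23 dst=203.0.113.10 sport=51000 dport=8099 src=203.0.113.10 dst=198.51.100.5 sport=8099 dport=51000 [ASSURED] mark=0 use=2
ipv4 2 udp 17 41 src=192.168.1.23 dst=203.0.113.10 sport=51001 dport=8099 src=203.0.113.10 dst=198.51.100.5 sport=8099 dport=51001 [ASSURED] mark=0 use=2
ipv4 2 tcp 6 7439 ESTABLISHED src=192.168.1.40 dst=203.0.113.77 sport=40112 dport=443 src=203.0.113.77 dst=198.51.100.5 sport=443 dport=40112 [ASSURED] mark=0 use=2
ipv4 2 tcp 6 7100 ESTABLISHED src=192.168.1.40 dst=203.0.113.200 sport=40200 dport=8883 src=203.0.113.200 dst=198.51.100.5 sport=8883 dport=40200 [ASSURED] mark=0 use=2
ipv4 2 icmp 1 29 src=192.168.1.99 dst=203.0.113.5 type=8 code=0 id=1234 src=203.0.113.5 dst=198.51.100.5 type=0 code=0 id=1234 mark=0 use=2
ipv4 2 udp 17 30 src=198.51.100.5 dst=203.0.113.53 sport=5353 dport=53 src=203.0.113.53 dst=198.51.100.5 sport=53 dport=5353 mark=0 use=2
EOF
    flows_by_host "$d/conntrack" "$d/leases"
    rm -rf "$d"
}

sample_flows
```

Entries for protocols without ports, such as ICMP, carry type=/code=/id= fields instead of sport=/dport=, so the port column shows "-" for them.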