Unexpected traffic sent on wan interface to china and japan, not see on br-lan

So here I am with my Buffalo WXR-2533DHP

I was configuring collectd graphs and I noted that the traffic pattern on the wan was not a match with the traffic patter on the br-lan, so I decided to go deeper into that and find out what was the story.

So I have 2x 4G usb dongles connected via mwan3, eth2 and eth3, both same operator, nothing special here.

But if you look at the image I attach..

Up left corner eth2, sending traffic from the wan interface to china
Up right corner eth3, sending traffic from the wan interface to japan
Down left corner br-lan, just discovery Tuya traffic, there is no match at all with the traffic displayed on the eth2 and the eth3!
All wiresharks were capturing traffic at the same time.

So, my question is, what is triggering that traffic?
I don't have any particular stuff on the openwrt, actually it is a fresh installation

cat /etc/openwrt_release
DISTRIB_DESCRIPTION='OpenWrt 22.03.5 r20134-5f15225c1e'

Any idea? becaut it is very strange, I can't find a reason for it.

lsof does not display anything unusual

lsof -i udp
dnsmasq 5149 dnsmasq 4u IPv4 8850 0t0 UDP *:bootps
unbound 6142 unbound 3u IPv4 11199 0t0 UDP *:domain

Some searching suggests 21116/udp is associated with Rustdesk Remote Desktop viewer. Ever used it?

1 Like

Yes, I just found a very old phone on the wifi connected and yes, rustdesk was installed there.
I dont understand yet why I didnt see the traffic on br-lan before, I guess it was because of the load? but I also tried tcpdump locally and no traffic appeared there

I don't know if this applies to your setup but I have seen situations where packat captures didn't get traffic I expected on systems with switch chips. I may be mis-remembering but if the packets are not cpu processed, but are switched in the switch chip, they do not show up. There may not be any hooks for tcpdump to get access in these low-end consumer grade switches. Maybe some kind of mirroring setup can get the desired packets to pass through a path with visibility assuming cpu routing isn't in play.

I know what you are referring to, something similar to CEF and process switching on Cisco.
However, the fact that tcpdump does not see all the traffic imposes a limit on solutions like darkstat for analysis.

I have SW and HW offloading enabled so that might be also related to the tcpdump limitation.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.