OpenWrt Forum Archive

Topic: Excessive Incoming WAN Traffic?

The content of this topic has been archived on 8 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I've noticed that OpenWRT is reporting constant incoming data on the WAN port at approximately 10 KBytes/s. This data is not being requested by the attached PC and is not being routed to it (LAN traffic is < 1KByte/s). hmm

Does anyone know what's going on here or can suggest a way to track it down?

Cheers,
Baz.

P.S. I've recently installed OpenWRT 10.03.1-rc5 firmware on my D-Link DIR-615 E4... and am super impressed. Many thanks to the OpenWRT team for the solid software!

what do you mean by reporting?

Orca wrote:

what do you mean by reporting?

As shown in the LuCI "Realtime Traffic" window (or by the ifconfig CLI command).

Thanks for your help Orca, this is exactly what I was looking for!

Unfortunately I'm new to this and can't interpret the output below (but I'm looking into it). If anyone can assist, please do.

WAN IP: 190.160.134.2
Router IP: 192.168.1.1
LAN PC IP: 192.168.1.154

root@OpenWrt:~# tcpdump -c 50 -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
19:15:47.455555 ARP, Request who-has pc-233-126-101-190.cm.vtr.net tell pc-193-126-101-190.cm.vtr.net, length 46
19:15:47.463837 IP pc-2-134-160-190.cm.vtr.net.18717 > resolver02.vtr.net.domain: 36440+ PTR? 233.126.101.190.in-addr.arpa. (46)
19:15:47.463938 IP pc-2-134-160-190.cm.vtr.net.18717 > resolver01.vtr.net.domain: 36440+ PTR? 233.126.101.190.in-addr.arpa. (46)
19:15:47.468814 ARP, Request who-has pc-72-56-120-200.cm.vtr.net tell pc-1-56-120-200.cm.vtr.net, length 46
19:15:47.472992 ARP, Request who-has pc-190-133-160-190.cm.vtr.net tell pc-1-132-160-190.cm.vtr.net, length 46
19:15:47.481720 ARP, Request who-has pc-38-27-162-190.cm.vtr.net tell pc-1-27-162-190.cm.vtr.net, length 46
19:15:47.486522 ARP, Request who-has pc-208-157-83-200.cm.vtr.net tell pc-1-157-83-200.cm.vtr.net, length 46
19:15:47.489609 ARP, Request who-has 10.130.4.19 tell 10.130.0.1, length 46
19:15:47.490744 ARP, Request who-has pc-33-174-162-190.cm.vtr.net tell pc-1-174-162-190.cm.vtr.net, length 46
19:15:47.491976 IP resolver01.vtr.net.domain > pc-2-134-160-190.cm.vtr.net.18717: 36440 1/2/2 PTR pc-233-126-101-190.cm.vtr.net. (159)
19:15:47.492087 IP resolver02.vtr.net.domain > pc-2-134-160-190.cm.vtr.net.18717: 36440 1/2/2 PTR pc-233-126-101-190.cm.vtr.net. (159)
19:15:47.494244 IP pc-2-134-160-190.cm.vtr.net.9172 > resolver01.vtr.net.domain: 42422+ PTR? 193.126.101.190.in-addr.arpa. (46)
19:15:47.496401 ARP, Request who-has pc-109-179-44-190.cm.vtr.net tell pc-65-179-44-190.cm.vtr.net, length 46
19:15:47.500021 ARP, Request who-has pc-207-97-215-201.cm.vtr.net tell pc-129-97-215-201.cm.vtr.net, length 46
19:15:47.508956 ARP, Request who-has 10.130.4.23 tell 10.130.0.1, length 46
19:15:47.509327 ARP, Request who-has pc-44-123-163-190.cm.vtr.net tell pc-1-123-163-190.cm.vtr.net, length 46
19:15:47.509645 ARP, Request who-has pc-193-90-162-190.cm.vtr.net tell pc-1-90-162-190.cm.vtr.net, length 46
19:15:47.512914 ARP, Request who-has pc-127-55-163-190.cm.vtr.net tell pc-1-55-163-190.cm.vtr.net, length 46
19:15:47.521738 ARP, Request who-has pc-126-164-161-190.cm.vtr.net tell pc-1-164-161-190.cm.vtr.net, length 46
19:15:47.525433 ARP, Request who-has pc-128-203-104-200.cm.vtr.net tell pc-1-203-104-200.cm.vtr.net, length 46
19:15:47.529600 ARP, Request who-has pc-153-114-120-200.cm.vtr.net tell pc-1-114-120-200.cm.vtr.net, length 46
19:15:47.533726 ARP, Request who-has pc-206-135-160-190.cm.vtr.net tell pc-1-132-160-190.cm.vtr.net, length 46
19:15:47.538195 ARP, Request who-has pc-89-129-161-190.cm.vtr.net tell pc-1-129-161-190.cm.vtr.net, length 46
19:15:47.540518 IP resolver01.vtr.net.domain > pc-2-134-160-190.cm.vtr.net.9172: 42422 1/2/2 PTR pc-193-126-101-190.cm.vtr.net. (159)
19:15:47.542115 ARP, Request who-has pc-144-17-163-190.cm.vtr.net tell pc-1-17-163-190.cm.vtr.net, length 46
19:15:47.548508 IP pc-2-134-160-190.cm.vtr.net.17158 > resolver01.vtr.net.domain: 2970+ PTR? 72.56.120.200.in-addr.arpa. (44)
19:15:47.555477 ARP, Request who-has pc-241-135-160-190.cm.vtr.net tell pc-1-132-160-190.cm.vtr.net, length 46
19:15:47.559573 ARP, Request who-has pc-251-202-86-200.cm.vtr.net tell pc-129-202-86-200.cm.vtr.net, length 46
19:15:47.567092 ARP, Request who-has pc-51-223-83-200.cm.vtr.net tell pc-1-223-83-200.cm.vtr.net, length 46
19:15:47.568755 ARP, Request who-has 10.130.4.3 tell 10.130.0.1, length 46
19:15:47.572709 ARP, Request who-has pc-207-174-162-190.cm.vtr.net tell pc-1-174-162-190.cm.vtr.net, length 46
19:15:47.581930 ARP, Request who-has pc-143-133-160-190.cm.vtr.net tell pc-1-132-160-190.cm.vtr.net, length 46
19:15:47.586207 ARP, Request who-has pc-246-56-120-200.cm.vtr.net tell pc-1-56-120-200.cm.vtr.net, length 46
19:15:47.589053 ARP, Request who-has 10.130.4.7 tell 10.130.0.1, length 46
19:15:47.636377 IP pc-2-134-160-190.cm.vtr.net.34902 > resolver01.vtr.net.domain: 34774+ PTR? 190.133.160.190.in-addr.arpa. (46)
19:15:47.669326 IP pc-2-134-160-190.cm.vtr.net.52679 > resolver01.vtr.net.domain: 13119+ PTR? 38.27.162.190.in-addr.arpa. (44)
19:15:47.723287 IP pc-2-134-160-190.cm.vtr.net.8191 > resolver01.vtr.net.domain: 17761+ PTR? 208.157.83.200.in-addr.arpa. (45)
19:15:47.780945 ARP, Request who-has pc-5-46-46-190.cm.vtr.net tell pc-1-46-46-190.cm.vtr.net, length 46
19:15:47.782320 IP pc-2-134-160-190.cm.vtr.net.5498 > resolver01.vtr.net.domain: 49127+ PTR? 33.174.162.190.in-addr.arpa. (45)
19:15:47.820908 ARP, Request who-has pc-232-25-239-201.cm.vtr.net tell pc-1-25-239-201.cm.vtr.net, length 46
19:15:47.824422 IP pc-2-134-160-190.cm.vtr.net.21795 > resolver01.vtr.net.domain: 5971+ PTR? 207.97.215.201.in-addr.arpa. (45)
19:15:47.828627 ARP, Request who-has 10.130.4.87 tell 10.130.0.1, length 46
19:15:47.829936 ARP, Request who-has pc-209-247-86-200.cm.vtr.net tell pc-193-247-86-200.cm.vtr.net, length 46
19:15:47.839680 ARP, Request who-has 10.130.4.85 tell 10.130.0.1, length 46
19:15:47.898310 IP pc-2-134-160-190.cm.vtr.net.11172 > resolver01.vtr.net.domain: 50307+ PTR? 44.123.163.190.in-addr.arpa. (45)
19:15:47.900447 ARP, Request who-has pc-250-49-101-190.cm.vtr.net tell pc-193-49-101-190.cm.vtr.net, length 46
19:15:47.931819 IP pc-2-134-160-190.cm.vtr.net.32467 > resolver01.vtr.net.domain: 38370+ PTR? 193.90.162.190.in-addr.arpa. (45)
19:15:47.984144 IP pc-2-134-160-190.cm.vtr.net.23765 > resolver01.vtr.net.domain: 39248+ PTR? 127.55.163.190.in-addr.arpa. (45)
19:15:48.079333 ARP, Request who-has pc-93-157-215-201.cm.vtr.net tell pc-1-157-215-201.cm.vtr.net, length 46
19:15:48.118156 ARP, Request who-has pc-55-174-162-190.cm.vtr.net tell pc-1-174-162-190.cm.vtr.net, length 46
50 packets captured
285 packets received by filter
203 packets dropped by kernel

Cheers,
Baz.

What kind of network have you got the WAN port of this device connected to? It looks like there are quite a lot of computers on the upstream network, and they're all broadcasting their presence to one another (this is what the ARP requests are). It doesn't look like your OpenWRT router is connected directly to your ISP, right? Normally you shouldn't see such broadcast traffic as an ISP customer. At the rate those broadcasts seem to be taking place, 10KB/s doesn't appear unreasonable, and the traffic meter in LuCI will be counting this traffic.

If you want to exclude broadcast traffic, you can change your tcpdump command to:

tcpdump -c 50 -i eth1 not broadcast

Thanks,

Sam
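
Added example (not part of Sam's post or of the thread): a capture like the one above can be summarised by piping `tcpdump -n` text output through a filter that counts ARP requests, the distinct hosts sending them, and the byte rate they add to the interface counters. The name `arp_summary`, the constructed sample lines and the 14-byte Ethernet header allowance are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample in the line format shown in the thread.
# Addresses are documentation/private ranges, not values from the capture.
SAMPLE='19:15:47.000000 ARP, Request who-has 198.51.100.20 tell 198.51.100.1, length 46
19:15:47.250000 ARP, Request who-has 198.51.100.21 tell 198.51.100.1, length 46
19:15:47.500000 IP 203.0.113.2.19277 > 192.0.2.80.80: Flags [S], seq 1, win 8192, length 0
19:15:48.000000 ARP, Request who-has 10.130.4.19 tell 10.130.0.1, length 46
19:15:49.000000 ARP, Request who-has 10.130.4.23 tell 10.130.0.1, length 46'

# arp_summary: read tcpdump text lines on stdin and print
#   "<arp_requests> <other_packets> <arp_bytes_per_sec> <distinct_arp_senders>"
# Each ARP request is counted as its printed length plus 14 bytes of
# Ethernet header (assumption: interface counters exclude the 4-byte FCS).
arp_summary() {
    awk '
    function secs(ts,   p) { split(ts, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\./ {
        t = secs($1)
        if (n++ == 0) first = t
        last = t
        if ($2 == "ARP," && $3 == "Request") {
            arp++
            bytes += $NF + 14
            s = $(NF-2); sub(/,$/, "", s)      # address after "tell"
            if (!(s in seen)) { seen[s] = 1; senders++ }
        } else other++
    }
    END {
        span = last - first
        if (span < 0) span += 86400            # capture crossed midnight
        rate = (span > 0) ? bytes / span : 0
        printf "%d %d %d %d\n", arp, other, rate, senders
    }'
}

# Example: printf '%s\n' "$SAMPLE" | arp_summary
# Live use on the router: tcpdump -n -c 500 -i eth1 2>/dev/null | arp_summary
```

Packets that tcpdump reports as "dropped by kernel" never reach the filter, so on a busy segment the printed rate is a lower bound.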

Hi Sam, thanks for your input!

I'm just a regular retail customer connected like this: PC <-> Router <-> Cable Modem <-> ISP (VTR Chile)

The command you suggested was much slower than before, taking 2 minutes 12 seconds to output the data below. This certainly indicates that most of the WAN data are ARP requests.

Would this affect performance? Would you recommend doing something with these packets or just forget about them?

Thanks again,
Baz.


root@OpenWrt:~# tcpdump -c 50 -i eth1 not broadcast -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:36:57.992772 IP 190.160.134.2.19277 > 216.115.74.202.80: Flags [s], seq 3618957554, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:36:58.170802 IP 216.115.74.202.80 > 190.160.134.2.19277: Flags [R.], seq 0, ack 3618957555, win 0, length 0
20:36:58.699990 IP 190.160.134.2.19277 > 216.115.74.202.80: Flags [s], seq 3618957554, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:36:58.893261 IP 216.115.74.202.80 > 190.160.134.2.19277: Flags [S.], seq 2061932054, ack 3618957555, win 4380, options [mss 1460,nop,wscale 0,sackOK,eol], length 0
20:36:58.908919 IP 190.160.134.2.19277 > 216.115.74.202.80: Flags [.], ack 1, win 16425, length 0
20:36:58.919197 IP 190.160.134.2.19277 > 216.115.74.202.80: Flags [P.], seq 1:369, ack 1, win 16425, length 368
20:36:59.196004 IP 216.115.74.202.80 > 190.160.134.2.19277: Flags [.], ack 369, win 4748, length 0
20:37:00.253560 IP 216.115.74.202.80 > 190.160.134.2.19277: Flags [P.], seq 1:490, ack 369, win 4748, length 489
20:37:00.253759 IP 216.115.74.202.80 > 190.160.134.2.19277: Flags [F.], seq 490, ack 369, win 4748, length 0
20:37:00.254874 IP 190.160.134.2.19277 > 216.115.74.202.80: Flags [.], ack 491, win 16302, length 0
20:37:00.255000 IP 190.160.134.2.19277 > 216.115.74.202.80: Flags [F.], seq 369, ack 491, win 16302, length 0
20:37:00.465000 IP 216.115.74.202.80 > 190.160.134.2.19277: Flags [.], ack 370, win 4748, length 0
20:37:02.135927 IP 74.125.127.125.5222 > 190.160.134.2.14268: Flags [P.], seq 310732513:310732550, ack 870998056, win 340, length 37
20:37:02.356540 IP 190.160.134.2.14268 > 74.125.127.125.5222: Flags [.], ack 37, win 16435, length 0
20:37:47.144613 IP 190.160.134.2.14268 > 74.125.127.125.5222: Flags [.], seq 0:1, ack 37, win 16435, length 1
20:37:47.323739 IP 74.125.127.125.5222 > 190.160.134.2.14268: Flags [.], ack 1, win 340, options [nop,nop,sack 1 {0:1}], length 0
20:37:55.631262 IP 74.125.234.71.80 > 190.160.134.2.19205: Flags [F.], seq 3589278570, ack 3983016801, win 123, length 0
20:37:55.635435 IP 190.160.134.2.19205 > 74.125.234.71.80: Flags [.], ack 1, win 16213, length 0
20:37:56.685218 IP 74.125.127.102.80 > 190.160.134.2.19209: Flags [F.], seq 3072941002, ack 1767091959, win 157, length 0
20:37:56.693846 IP 190.160.134.2.19209 > 74.125.127.102.80: Flags [.], ack 1, win 16445, length 0
20:38:07.057184 IP 190.160.134.2.37510 > 200.83.1.5.53: 58465+ A? tools.google.com. (34)
20:38:07.057298 IP 190.160.134.2.37510 > 200.83.1.4.53: 58465+ A? tools.google.com. (34)
20:38:07.084452 IP 200.83.1.5.53 > 190.160.134.2.37510: 58465 17/4/4 CNAME tools.l.google.com., A 74.125.234.64, A 74.125.234.65, A 74.125.234.66, A 74.125.234.67, A 74.125.234.68, A 74.125.234.69, A 74.125.234.70, A 74.125.234.71, A 74.125.234.72, A 74.125.234.73, A 74.125.234.74, A 74.125.234.75, A 74.125.234.76, A 74.125.234.77, A 74.125.234.78, A 74.125.234.79 (448)
20:38:07.089408 IP 200.83.1.4.53 > 190.160.134.2.37510: 58465 17/4/4 CNAME tools.l.google.com., A 74.125.234.44, A 74.125.234.45, A 74.125.234.46, A 74.125.234.47, A 74.125.234.32, A 74.125.234.33, A 74.125.234.34, A 74.125.234.35, A 74.125.234.36, A 74.125.234.37, A 74.125.234.38, A 74.125.234.39, A 74.125.234.40, A 74.125.234.41, A 74.125.234.42, A 74.125.234.43 (448)
20:38:07.089574 IP 190.160.134.2 > 200.83.1.4: ICMP 190.160.134.2 udp port 37510 unreachable, length 484
20:38:07.093549 IP 190.160.134.2.19302 > 74.125.234.64.80: Flags [s], seq 4284131923, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:38:07.171595 IP 74.125.234.64.80 > 190.160.134.2.19302: Flags [S.], seq 3930701892, ack 4284131924, win 5720, options [mss 1430,nop,nop,sackOK,nop,wscale 6], length 0
20:38:07.172882 IP 190.160.134.2.19302 > 74.125.234.64.80: Flags [.], ack 1, win 16445, length 0
20:38:07.176529 IP 190.160.134.2.19302 > 74.125.234.64.80: Flags [P.], seq 1:585, ack 1, win 16445, length 584
20:38:07.177796 IP 190.160.134.2.19302 > 74.125.234.64.80: Flags [P.], seq 585:1215, ack 1, win 16445, length 630
20:38:07.276931 IP 74.125.234.64.80 > 190.160.134.2.19302: Flags [.], ack 585, win 108, length 0
20:38:07.277122 IP 74.125.234.64.80 > 190.160.134.2.19302: Flags [.], ack 1215, win 128, length 0
20:38:07.406822 IP 74.125.234.64.80 > 190.160.134.2.19302: Flags [P.], seq 1:719, ack 1215, win 128, length 718
20:38:07.467933 IP 190.160.134.2.19302 > 74.125.234.64.80: Flags [R.], seq 1215, ack 719, win 0, length 0
20:38:32.338293 IP 190.160.134.2.14268 > 74.125.127.125.5222: Flags [.], seq 0:1, ack 37, win 16435, length 1
20:38:32.535557 IP 74.125.127.125.5222 > 190.160.134.2.14268: Flags [.], ack 1, win 340, options [nop,nop,sack 1 {0:1}], length 0
20:38:55.894485 IP 192.168.1.154.19205 > 74.125.234.71.80: Flags [F.], seq 3983016801, ack 3589278571, win 16213, length 0
20:38:56.205917 IP 192.168.1.154.19205 > 74.125.234.71.80: Flags [F.], seq 0, ack 1, win 16213, length 0
20:38:56.814410 IP 192.168.1.154.19205 > 74.125.234.71.80: Flags [F.], seq 0, ack 1, win 16213, length 0
20:38:58.015581 IP 192.168.1.154.19205 > 74.125.234.71.80: Flags [F.], seq 0, ack 1, win 16213, length 0
20:39:00.418077 IP 192.168.1.154.19205 > 74.125.234.71.80: Flags [F.], seq 0, ack 1, win 16213, length 0
20:39:05.222810 IP 192.168.1.154.19205 > 74.125.234.71.80: Flags [F.], seq 0, ack 1, win 16213, length 0
20:39:05.910333 IP 192.168.1.154.19209 > 74.125.127.102.80: Flags [F.], seq 1767091959, ack 3072941003, win 16445, length 0
20:39:06.455219 IP 192.168.1.154.19209 > 74.125.127.102.80: Flags [F.], seq 0, ack 1, win 16445, length 0
20:39:07.142887 IP 192.168.1.154.19209 > 74.125.127.102.80: Flags [F.], seq 0, ack 1, win 16445, length 0
20:39:08.467786 IP 187.194.38.177.12907 > 190.160.134.2.31253: Flags [s], seq 3885321968, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
20:39:08.467999 IP 190.160.134.2.31253 > 187.194.38.177.12907: Flags [R.], seq 0, ack 3885321969, win 0, length 0
20:39:08.514508 IP 192.168.1.154.19209 > 74.125.127.102.80: Flags [F.], seq 0, ack 1, win 16445, length 0
20:39:09.254172 IP 187.194.38.177.12912 > 190.160.134.2.31253: Flags [s], seq 3885321968, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
20:39:09.254369 IP 190.160.134.2.31253 > 187.194.38.177.12912: Flags [R.], seq 0, ack 3885321969, win 0, length 0
50 packets captured
53 packets received by filter
0 packets dropped by kernel

(Last edited by BarryChopper on 6 Sep 2011, 22:28)

Barry,

That is what I'd expect to see. Excluding broadcast traffic means you should only see traffic originating from or destined for your home network.

It's safe to ignore the other broadcast traffic, but it is interesting that you can even see it at all. It appears that you're effectively seeing the broadcast traffic from other people's home networks. Normally you'd expect your ISP to filter that out. Anyway, it highlights the fact that you should definitely be running with a firewall enabled on your router (if you're using a stock OpenWRT install then you will be already). Don't just rely on NAT by itself to hide you!

Thanks,

Sam

Sam and Orca, many thanks for your assistance and explanation of this issue!

Out of interest, one further question:
Would it be possible to exclude broadcast packets from the OpenWRT traffic calculations?

Cheers,
Baz.

I'm afraid not. LuCI uses a daemon called luci-bwc to poll /proc/net/dev for bandwidth stats, and that file does not differentiate between unicast and broadcast packets.

If you really wanted to you could modify the source for luci-bwc to use libpcap (effectively what tcpdump uses under the hood) to exclude broadcast traffic. This wouldn't be 5 minutes' work though...

Thanks,

Sam
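
Added example (not luci-bwc source and not part of the thread): reading the receive byte counter from two snapshots of /proc/net/dev shows why the figure cannot be split by traffic type, since the receive columns carry a single `bytes` total and a `multicast` packet count but nothing for broadcast. The function names, the constructed snapshots and the 32-bit counter wrap are assumptions of this example.

```shell
#!/bin/sh
# Constructed snapshots of /proc/net/dev taken 10 seconds apart.
HDR='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed'
SNAP1="$HDR
    lo:    4096      32    0    0    0     0          0         0     4096      32    0    0    0     0       0          0
  eth1:1000000    9000    0    0    0     0          0         0   200000    3000    0    0    0     0       0          0"
SNAP2="$HDR
    lo:    4096      32    0    0    0     0          0         0     4096      32    0    0    0     0       0          0
  eth1:1102400   10700    0    0    0     0          0         0   201000    3010    0    0    0     0       0          0"

# rx_bytes IFACE: print the receive byte counter for IFACE (snapshot on stdin).
# Exits non-zero when the interface is not listed.
rx_bytes() {
    awk -v ifc="$1" '
    NR > 2 {
        sub(/:/, " ")      # some kernels print "eth1:1000000" with no space
        if ($1 == ifc) { print $2; found = 1 }
    }
    END { exit !found }'
}

# rx_rate IFACE SNAP_BEFORE SNAP_AFTER SECONDS: print received bytes per second.
rx_rate() {
    b1=$(printf '%s\n' "$2" | rx_bytes "$1") || return 1
    b2=$(printf '%s\n' "$3" | rx_bytes "$1") || return 1
    # Assumption: 32-bit counters, so a smaller later value means a wrap at 2^32.
    awk -v a="$b1" -v b="$b2" -v s="$4" 'BEGIN {
        d = b - a
        if (d < 0) d += 4294967296
        printf "%d\n", d / s
    }'
}

# Example: rx_rate eth1 "$SNAP1" "$SNAP2" 10
# Live use: s1=$(cat /proc/net/dev); sleep 10; s2=$(cat /proc/net/dev); rx_rate eth1 "$s1" "$s2" 10
```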

It would be a nice feature, but I think I'll have to postpone that project until retirement!

Thanks again for your help,
Baz.

(Last edited by BarryChopper on 6 Sep 2011, 23:55)

That kind of "white noise" is not really uncommon on cable networks. I've got cable internet myself and there's all kinds of broadcast traffic floating around, even foreign DHCP requests.

I'm on Time Warner and their traffic is also all over the place and has random shit incoming and outgoing
