
Why is there traffic from and to an external IP address in my network?

Hello all,

Today I wanted to capture some things in my network - but before analyzing this capture I immediately saw that there is traffic from and to an external IP address. So neither source IP, nor destination IP is from my network. And none of the IPs is my personal public IP from my ISP.

Here is a picture of my capture: https://gofile.io/?c=40n4ID

It's a lot of traffic, in less than 10 minutes there were more than one million frames just from these two unknown IP addresses.

Is someone able to explain this behaviour?

I would appreciate any tips or explanations.

msuter
asked 2019-08-17 20:52:39 +0000, updated 2019-08-17 20:56:41 +0000

2 Answers

0

The traffic is UDP multicast. 239.x.x.x is administratively scoped (local to a subnet) so is an address in your network.

grahamb
answered 2019-08-17 21:02:56 +0000

Comments

Thanks a lot grahamb, I totally forgot about the multicast range. I really appreciate your quick response.

msuter (2019-08-17 21:05:07 +0000)

The source address is a unicast address. It would still be valid to investigate that host (filter on the mac-address) why it is sending packets from an IP that is not known to you.

Also, since there are so many of these packets, there might be a routing loop. What is the ip.ttl of these packets? Do you see any ICMP TTL exceeded packets too?

(Are you able to share a pcap file on any public filesharing service like DropBox, OneDrive, etc.?)

SYN-bit (2019-08-18 09:46:17 +0000)

Thank you SYN-bit for your comment. I investigated further and came to the conclusion that the traffic was ordinary as someone was watching IPTV. Thankfully there was no loop. I really appreciate your time and thanks again.

msuter (2019-08-20 22:06:49 +0000)
0

Do you have Swisscom TV?

From the screen shot:

    IP address: 213.3.72.5
    https://www.maxmind.com/en/geoip-demo
    GeoIP2 City Results

        IP Address:               213.3.72.5
        Country Code:             CH
        Location:                 Switzerland, Europe
        Postal Code:
        Approximate Coordinates*: 47.1449, 8.1551
        Accuracy Radius (km):     100
        ISP:                      Swisscom
        Organization:             Swisscom
        Domain:
        Metro Code:

    MAC address:
    1c:b0:44:95:a9:70  (AskeyCom)
    Set top boxes: https://www.askey.com.tw/about.html

    One example of UDP port 10000 on Swisscom network:
    https://community.cisco.com/t5/routing/887va-w-qos-for-swisscom-bluewin-tv/td-p/2836486
"For that I use QoS for the UDP port 10000 because it's the port used by the box for the TV streams."

The packets come in every ~1ms so maybe audio only (radio?) or status/guide information?

Chuckc
answered 2019-08-18 14:14:16 +0000

Comments

Scope 239.x.x.x is like RFC1918 of the multicast world. It may be used by any provider and does not have to be unique. So this traffic may indeed be related to IPTV, especially with 1368-byte packets. Unless MTU < 1500 this looks like an arbitrary value. If these packets are for MPEG, for instance, you end up with frames < 1500 bytes even with L2-L3-L4 headers. MPEG uses 188-byte frames, so seven MPEG frames (188 bytes x 7) make a 1316-byte packet; when you add IPv4 (20 bytes) and UDP (8 bytes) this gives 1344 bytes.

Spooky (2019-08-20 21:10:02 +0000)

Thank you bubbasnmp, you are completely right. After some further investigations, I actually found out that it was a Swisscom TV (IPTV) which caused that. And Spooky is right too, this was ordinary traffic as someone was watching TV. Thank you so much for this very interesting and useful information. I would like to give your answer a thumbs up - but I don't have enough points to do it.

msuter (2019-08-20 22:03:52 +0000)
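
The checks discussed in this thread can be scripted; the following is an added example, not code from any of the posters. It takes one raw IPv4/UDP packet and reports whether the destination is in 239.0.0.0/8, the TTL, and whether the payload is a whole number of 188-byte MPEG transport stream packets. The sample packet is constructed: the 239.1.1.1 group, the source port, the TTL and the use of 213.3.72.5 as the source address are assumptions.

```python
import ipaddress
import struct

TS_PACKET = 188          # MPEG transport stream packet size, as in the comment above
TS_SYNC = 0x47           # sync byte that starts every TS packet
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")  # RFC 2365 administratively scoped block


def looks_like_mpeg_ts(payload: bytes) -> bool:
    """True if payload is a whole number of 188-byte TS packets, each starting with 0x47."""
    if not payload or len(payload) % TS_PACKET:
        return False
    return all(payload[i] == TS_SYNC for i in range(0, len(payload), TS_PACKET))


def classify_ipv4_udp(packet: bytes) -> dict:
    """Summarise one raw IPv4 packet (no Ethernet header) carrying UDP."""
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    if packet[0] >> 4 != 4 or proto != 17:
        raise ValueError("not an IPv4/UDP packet")
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    dport, udp_len = struct.unpack("!HH", packet[ihl + 2:ihl + 6])
    payload = packet[ihl + 8:ihl + udp_len]
    return {
        "src": str(src), "dst": str(dst), "ttl": ttl, "dport": dport,
        "ip_len": len(packet),                    # IPv4 + UDP + payload, no L2 header
        "dst_multicast": dst.is_multicast,
        "dst_admin_scoped": dst in ADMIN_SCOPED,
        "src_private": src.is_private,
        "mpeg_ts": looks_like_mpeg_ts(payload),
    }


def build_sample(src: str, dst: str, dport: int, payload: bytes, ttl: int = 8) -> bytes:
    """Constructed test packet; checksums stay zero because nothing here verifies them."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, 17, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + udp


# Constructed sample: IP address and UDP port 10000 quoted in the answer, a made-up
# 239.x group (assumption), and seven dummy TS packets (sync byte plus padding).
SAMPLE = build_sample("213.3.72.5", "239.1.1.1", 10000, (b"\x47" + b"\xff" * 187) * 7)

if __name__ == "__main__":
    print(classify_ipv4_udp(SAMPLE))
```

For the constructed sample, `ip_len` comes out at the 1344 bytes worked out in Spooky's comment, before any layer 2 header is counted.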