find out who's broadcasting in my network?

[glideFX]

Hi,

I noticed that the network and wireless leds on my access point are constantly blinking, even with 0 connected clients. I think there is constant broadcasting from somewhere in my network, how can I find it?

if can help this is a basic scheme of the network

router -> Samsung TV
router -> Apple TV
router -> Cisco Access Point
router -> [COLOR="SeaGreen"]Cisco SG300-10[/COLOR]

[COLOR="SeaGreen"]Cisco SG300-10[/COLOR] -> my workstation
[COLOR="SeaGreen"]Cisco SG300-10[/COLOR] -> [3 link] ESXi server (5-6 active VM)
[COLOR="SeaGreen"]Cisco SG300-10[/COLOR] -> [2 link] Synology RS814

 

[glideFX]

find something from the nas

tcpdump -n "broadcast or multicast"

result

11:31:14.378750 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.397436 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.416382 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.435557 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.454393 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.473237 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.497492 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.517764 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.539221 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.559532 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.578458 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.597212 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.616294 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.635511 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.654509 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.673383 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.692079 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.710951 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.730109 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.748989 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.767927 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.788332 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.807046 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.828478 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46
11:31:14.847583 ARP, Request who-has 192.168.1.51 tell 192.168.1.1, length 46

11:31:09.549997 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.566402 IP6 fe80::8678:acff:fea7:6f5a.546 > ff02::1:2.547: dhcp6 inf-req
11:31:09.572361 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.592552 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.612629 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.633100 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.653621 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.673975 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.694116 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.714114 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.734424 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.755518 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.776270 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.797160 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.815881 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.834647 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.853623 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.872518 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.891179 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.909655 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.929054 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.948266 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.967223 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:09.985877 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:10.004393 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:10.023614 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46
11:31:10.042394 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 46

192.168.1.50 and 51 are the NAS IP addresses...

 

[imagoon]

Hi,

I noticed that the network and wireless leds on my access point are constantly blinking, even with 0 connected clients. I think there is constant broadcasting from somewhere in my network, how can I find it?

In most cases, this is normal, why are you concerned?

 

[John Connor]

Synchronization packets?

 

[glideFX]

In most cases, this is normal, why are you concerned?

unplugging the NAS and the ESXi server the access point activity decreases, it blinks just a couple of times every 10 seconds more or less, while when they are connected there is lot of constant activity.
I don't think this is normal

 

[Fardringle]

It is perfectly normal. Network clients constantly "chatter" at each other even when they are not actively transferring data.

 

[imagoon]

unplugging the NAS and the ESXi server the access point activity decreases, it blinks just a couple of times every 10 seconds more or less, while when they are connected there is lot of constant activity.
I don't think this is normal

It still sounds normal to me. You trace only shows ARP packets which are just the devices keeping track of each other. If anything I would think that the ARP cache is set below 4 seconds for some reason.

 

[John Connor]

http://www.wi-fiplanet.com/tutorials/article.php/1492071

 

[imagoon]

http://www.wi-fiplanet.com/tutorials/article.php/1492071

Those never go over the wire. SG300 is a wired switch. He said both are blinking.

 

[John Connor]

OH! I thought he was referring to WIFI.

Well, OP if you think you're being hacked you could always set up an Untangle server. But I think you are just seeing normal traffic.

Can I ask what the server and VM's are for? Is your WIFI encrypted?

I've only used Wireshark a few times, but currently I use a basic naetwork packet capture App. I wonder if Wireshark could analyze your traffic. https://www.wireshark.org/

Actually, TCPdump would do the same thing, wouldn't? LOL

 

[John Connor]

I have a netbook in the kitchen connected to a monitor and external mouse/keyboard I call the kitchen kiosk and the NIC blinks all the time and I see no packets move through the NIC at all. So you're not along.

 

[John Connor]

NVM

 

[lif_andi]

Disable your internet and use Wireshark to see who's broadcasting. Its pretty simple.

 

[easp]

The same request, a dozen plus times a second? That seems like a whole lot of ARPing.

 

[imagoon]

It isn't that atypical for something running DHCP.

 

[Elixer]

Yeah, seems like normal ARP noise.

 

[EvaCarey]

Your router's administrative console can help you find out more about your wireless network activity and change your security settings. To log into the console, go to your router's IP address. You can find this address on Windows by going to a command prompt (press Win+R then type cmd) and then typing ipconfig in the window, then find the "Default Gateway" IP address. On a Mac? Open the Network Preference pane and grab the IP address listed next to "Router:".

 

[glideFX]

OH! I thought he was referring to WIFI.

Well, OP if you think you're being hacked you could always set up an Untangle server. But I think you are just seeing normal traffic.

Can I ask what the server and VM's are for? Is your WIFI encrypted?

I've only used Wireshark a few times, but currently I use a basic naetwork packet capture App. I wonder if Wireshark could analyze your traffic. https://www.wireshark.org/

Actually, TCPdump would do the same thing, wouldn't? LOL

a part the dns server they are for tests, slurm, puppet ..

Your router's administrative console can help you find out more about your wireless network activity and change your security settings. To log into the console, go to your router's IP address. You can find this address on Windows by going to a command prompt (press Win+R then type cmd) and then typing ipconfig in the window, then find the "Default Gateway" IP address. On a Mac? Open the Network Preference pane and grab the IP address listed next to "Router:".

I'm not using my router for the wireless, I'm using a dedicated access point which is already configured (WPA2 personal).

I'm just wondering why my AP lights are constantly blinking even with no activity and as said it's not simply the random sync traffic.

As you can see it's something between the router and the NAS, I don't have other similar traffic between other devices/computers.

If it's normal ARP noise why just between these two?

 

[Ertaz]

Any particular reason the Synology needs 2 IPs?

 

[JoeMcJoe]

Want to stop the lights blinking, you have these options:

1) put black tape over them
2) don't have any devices on your network
3) turn the power off

 

[glideFX]

Want to stop the lights blinking, you have these options:

1) put black tape over them
2) don't have any devices on your network
3) turn the power off

blinking sometimes for sync != blinking constantly like crazy

 

[glideFX]

Any particular reason the Synology needs 2 IPs?

this is just until I find some time to set up the link aggregation

 

[Ertaz]

this is just until I find some time to set up the link aggregation

All the arping may be related to the link setup with multiple macs. If it were me, I'd temporarily setup the nas on a single link and see if the behavior continued.

 

[glideFX]

Solved simply disabling the second LAN on the NAS.

Now I have created a bond (LAG) on the NAS and the relative ports on the Switch. Works perfectly