1 | initial version |
The screnshot and the wireshark file is in the link below
The pcapng file is sufficient, and is far better than the screenshot, as it allows the reader to see all the packets and look at them in detail. No need to upload a screenshot of packets if you upload the capture file containing the packets.
He sends about every 3 seconds a UDP packet to the ip 255.255.255.255
To 255.255.255.255, which is the IP addresses for broadcasts on the local network, and to port 6667. Doing a Web search for
broadcasts to port 6667
found this Reddit post, in which somebody makes a comment that "The Tuya Discovery Port is 6667." Tuya is a developer of software for Internet of Things devices, so the smart temperature sensor is probably using their software.
According to this forum post:
The Tuya plugin rely on UDP broadcast traffic on ports 6666 and 6667 only for discovering the devices at startup or when the "Read devices" button is clicked. Once devices are discovered, then UDP is never used anymore, all local control and status updates are done using a TCP connection on port 6668.
so the UDP broadcasts to 6667 are probably just "here I am!" messages, and probably don't contain temperature values.
and about every 15 seconds sends a TSLv1.2 followed by a Tcp packet
They're both TCP packets; some of them are TLS v1.2, and others are just TCP acknowledgments with no data, so they're shown as TCP rather than as TLS v1.2.
The traffic appears to be between the temperature sensor at 192.168.137.48 and some Amazon AWS cloud host ec2-34-213-103-51.us-west-2.compute.amazonaws.com (34.213.103.51).
Unfortunately, it's TLS traffic, which means it's encrypted. Wireshark can decrypt TLS traffic, but, as that notes, you need additional information, which might be difficult to get.
The TCP port on 192.168.137.48 is 8886; this comment on an issue for Tuya 2.0 firmware says "The switches with the 2.0.0 firmware show connections on 8886, which appears to be MQTT over TLS.".