Strange UDP Handling - Any Ideas?
I am trying to resolve a problem with a wifi IoT device. I have several and at times all of them appear to go offline. By this, I mean they seem to no longer be delivering UDP packets to a server on the internet. When this happened this morning, I managed to run tcpdump on my router and I see a pattern of UDP from the IP of the device.
The pattern shows 1 or more UDP messages that look like this:
Frame 1250: 58 bytes on wire (464 bits), 58 bytes captured (464 bits)
Linux cooked capture
Packet type: Unicast to us (0)
Link-layer address type: 1
Link-layer address length: 6
Source: LSDScien_e4:8b:00 (00:95:69:e4:8b:00)
Unused: 0000
Protocol: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.1.23, Dst: 47.52.241.127
User Datagram Protocol, Src Port: 49154, Dst Port: 17000
Source Port: 49154
Destination Port: 17000
Length: 22
Checksum: 0x8b5a [unverified]
[Checksum Status: Unverified]
[Stream index: 4]
[Timestamps]
Data (14 bytes)
Data: 3c540169e48b0001010100006c3e
[Length: 14]
Followed immediately by an equal number of almost identical UDP messages that look like this:
Frame 1252: 58 bytes on wire (464 bits), 58 bytes captured (464 bits)
Linux cooked capture
Packet type: Sent by us (4)
Link-layer address type: 1
Link-layer address length: 6
Source: 04:42:1a:47:f7:e8 (04:42:1a:47:f7:e8)
Unused: 0000
Protocol: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.1.23, Dst: 47.52.241.127
User Datagram Protocol, Src Port: 49154, Dst Port: 17000
Source Port: 49154
Destination Port: 17000
Length: 22
Checksum: 0x8b5a [unverified]
[Checksum Status: Unverified]
[Stream index: 4]
[Timestamps]
Data (14 bytes)
Data: 3c540169e48b0001010100006c3e
[Length: 14]
The difference between the two seems to be mainly: (a) the packet type and (b) the source MAC address. The first shows the MAC of the device while the second shows the router's wifi BSSID as the source. At first, I thought this was just an artifact of the router's handling of the message - maybe the firewall?
But the same capture file shows the UDP messages from several different but identical devices - where I can confirm the messages are delivered to the same internet server - doing the same sort of thing. They look like the first shown above, and there are none like the second shown above for any of these devices. And I cannot help but wonder if the presence of these "extra" messages is somehow to blame for the failure of the one device.
Thanks in advance for any light you can shed on this.
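The two dissections above are Linux cooked-capture (SLL) frames, the link type tcpdump writes when capturing with -i any: "Packet type" is the SLL packet-type field (0 = Unicast to us, 4 = Sent by us) and "Source" is the SLL link-layer address field, not an Ethernet header. As an added example, not code from the original post, the Python script below parses SLL frames from a classic pcap file (link type 113), tallies per-source-IP packet types, and lists datagrams (same 5-tuple and payload) that appear under more than one packet type, which is the check to run over the full capture before drawing conclusions about one device. The sample frames are constructed from the values in the dump; IP ID, TTL and checksums are made up, and the second device's IP and MAC are hypothetical.

```python
"""Tally Linux cooked-capture (SLL v1) packet types per source IP.
Added example, not from the original post. Usage: python3 sll_tally.py [capture.pcap]
"""
import struct
import sys
from collections import Counter, defaultdict

LINKTYPE_LINUX_SLL = 113  # classic pcap link type for "Linux cooked capture"
SLL_PACKET_TYPES = {0: "Unicast to us", 1: "Broadcast", 2: "Multicast",
                    3: "To another host", 4: "Sent by us"}


def parse_sll_frame(frame: bytes) -> dict:
    """Decode one SLL v1 frame carrying IPv4/UDP; raise ValueError for anything else."""
    if len(frame) < 16:
        raise ValueError("short SLL header")
    # SLL v1 header: packet type, ARPHRD type, address length, 8-byte address, protocol
    pkt_type, _arphrd, addr_len, addr, proto = struct.unpack("!HHH8sH", frame[:16])
    if proto != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[16:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    sport, dport, ulen, csum = struct.unpack("!HHHH", udp[:8])
    return {
        "packet_type": pkt_type,
        "packet_type_name": SLL_PACKET_TYPES.get(pkt_type, "unknown"),
        "lladdr": addr[:addr_len].hex(":"),
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "sport": sport, "dport": dport, "udp_len": ulen, "udp_checksum": csum,
        "payload": udp[8:ulen].hex(),
    }


def iter_pcap_frames(path):
    """Yield raw frames from a classic pcap file; rejects pcapng and non-SLL captures."""
    with open(path, "rb") as f:
        gh = f.read(24)
        magic = struct.unpack("<I", gh[:4])[0]
        if magic in (0xA1B2C3D4, 0xA1B23C4D):
            endian = "<"
        elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
            endian = ">"
        else:
            raise ValueError("not a classic pcap file (pcapng? re-save with tcpdump -w)")
        linktype = struct.unpack(endian + "I", gh[20:24])[0]
        if linktype != LINKTYPE_LINUX_SLL:
            raise ValueError(f"link type {linktype} is not Linux cooked v1 (113); "
                             "newer libpcap may write SLL2 (276), not handled here")
        while True:
            rh = f.read(16)  # ts_sec, ts_usec, incl_len, orig_len
            if len(rh) < 16:
                return
            incl_len = struct.unpack(endian + "IIII", rh)[2]
            yield f.read(incl_len)


def summarize(frames):
    """Per source IP, count frames by SLL packet type: {src: {type_name: n}}."""
    tally = defaultdict(Counter)
    for raw in frames:
        try:
            p = parse_sll_frame(raw)
        except ValueError:
            continue
        tally[p["src"]][p["packet_type_name"]] += 1
    return {src: dict(c) for src, c in tally.items()}


def duplicate_keys(frames):
    """(src, sport, dst, dport, payload) seen under more than one packet type:
    the same datagram recorded twice by tcpdump -i any, or a byte-identical resend."""
    seen = defaultdict(set)
    for raw in frames:
        try:
            p = parse_sll_frame(raw)
        except ValueError:
            continue
        seen[(p["src"], p["sport"], p["dst"], p["dport"], p["payload"])].add(p["packet_type"])
    return sorted(k for k, types in seen.items() if len(types) > 1)


def build_sll_frame(pkt_type, lladdr, src_ip, dst_ip, sport, dport, payload, ttl=64):
    """Constructed sample frame (IP ID/TTL/checksums are made up, not from a capture)."""
    addr = bytes.fromhex(lladdr.replace(":", ""))
    sll = struct.pack("!HHH8sH", pkt_type, 1, len(addr), addr.ljust(8, b"\0"), 0x0800)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, ttl, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return sll + ip + udp


PAYLOAD = bytes.fromhex("3c540169e48b0001010100006c3e")  # payload from the dump
SAMPLE_FRAMES = [  # constructed from the dump; 192.168.1.24 is a hypothetical second device
    build_sll_frame(0, "00:95:69:e4:8b:00", "192.168.1.23", "47.52.241.127", 49154, 17000, PAYLOAD),
    build_sll_frame(4, "04:42:1a:47:f7:e8", "192.168.1.23", "47.52.241.127", 49154, 17000, PAYLOAD),
    build_sll_frame(0, "00:95:69:aa:bb:cc", "192.168.1.24", "47.52.241.127", 49154, 17000, PAYLOAD),
]

if __name__ == "__main__":
    frames = list(iter_pcap_frames(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_FRAMES
    for src, counts in sorted(summarize(frames).items()):
        print(src, counts)
    for key in duplicate_keys(frames):
        print("seen under more than one packet type:", key)
```

Run it against the router capture (python3 sll_tally.py capture.pcap) to get, per device IP, how many frames were "Unicast to us" versus "Sent by us", and which datagrams appear as both. A byte-identical datagram under both types is normally the same packet seen twice on different interfaces when capturing on "any"; the key to confirm is whether the offline device's frames differ from the others in anything other than the SLL fields.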