Strange UDP Handling - Any Ideas?

asked 2022-08-10 16:56:26 +0000

DWP

I am trying to resolve a problem with a wifi IoT device. I have several and at times all of them appear to go offline. By this, I mean they seem to no longer be delivering UDP packets to a server on the internet. When this happened this morning, I managed to run tcpdump on my router and I see a pattern of UDP from the IP of the device.

The pattern shows 1 or more UDP messages that look like this:

Frame 1250: 58 bytes on wire (464 bits), 58 bytes captured (464 bits)
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 1
    Link-layer address length: 6
    Source: LSDScien_e4:8b:00 (00:95:69:e4:8b:00)
    Unused: 0000
    Protocol: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.1.23, Dst: 47.52.241.127
User Datagram Protocol, Src Port: 49154, Dst Port: 17000
    Source Port: 49154
    Destination Port: 17000
    Length: 22
    Checksum: 0x8b5a [unverified]
    [Checksum Status: Unverified]
    [Stream index: 4]
    [Timestamps]
Data (14 bytes)
    Data: 3c540169e48b0001010100006c3e
    [Length: 14]

Followed immediately by an equal number of almost identical UDP messages that look like this:

Frame 1252: 58 bytes on wire (464 bits), 58 bytes captured (464 bits)
Linux cooked capture
    Packet type: Sent by us (4)
    Link-layer address type: 1
    Link-layer address length: 6
    Source: 04:42:1a:47:f7:e8 (04:42:1a:47:f7:e8)
    Unused: 0000
    Protocol: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.1.23, Dst: 47.52.241.127
User Datagram Protocol, Src Port: 49154, Dst Port: 17000
    Source Port: 49154
    Destination Port: 17000
    Length: 22
    Checksum: 0x8b5a [unverified]
    [Checksum Status: Unverified]
    [Stream index: 4]
    [Timestamps]
Data (14 bytes)
    Data: 3c540169e48b0001010100006c3e
    [Length: 14]

The difference between the two seems to be mainly: (a) the packet type and (b) the source MAC address. The first shows the MAC of the device while the second shows the router's wifi BSSID as the source. At first, I thought this was just an artifact of the router's handling of the message - maybe the firewall?

But the same capture file shows the UDP messages from several different but identical devices - where I can confirm the messages are delivered to the same internet server - doing the same sort of thing. They look like the first shown above, and there are none like the second shown above for any of these devices. And I cannot help but wonder if the presence of these "extra" messages is somehow to blame for the failure of the one device.

Thanks in advance for any light you can shed on this.


1 Answer


answered 2022-08-11 06:14:35 +0000

tmp

updated 2022-08-11 06:15:14 +0000

So the devices not showing the second packet are working correctly, but the others are not, is that correct? The two above are the same packet destined to that external server, but for some reason, your router is forwarding it out the same wifi interface, causing it to show up twice. I'm assuming it should not do that. Check your forwarding table. Replacing the MAC addresses is done hop-by-hop; that is normal behaviour that probably has nothing to do with this issue.

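As an added example (not code from the question or the answer): a small Python script that parses Linux cooked-capture (SLL) frames like the dumps above and flags any datagram that shows up both as "Unicast to us" (0) and "Sent by us" (4) with the same 5-tuple and payload, which is the double appearance the answer describes. The sample frames are constructed from the values in the post; the second device's address (192.168.1.24) is hypothetical and the IP/UDP checksums are left at zero.

```python
import struct
from collections import defaultdict

# Linux cooked capture (SLL v1) packet types seen in the question's dumps.
SLL_UNICAST_TO_US, SLL_SENT_BY_US = 0, 4

def build_frame(pkt_type, src_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed SLL/IPv4/UDP frame for the sample; IP and UDP checksums are left zero."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    sll = struct.pack("!HHH", pkt_type, 1, 6) + mac.ljust(8, b"\0") + struct.pack("!H", 0x0800)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return sll + ip + udp

def parse_sll_udp(frame):
    """Return SLL packet type, source MAC and the UDP 5-tuple plus payload, or None if not IPv4/UDP."""
    pkt_type, _arphrd, addr_len = struct.unpack("!HHH", frame[:6])
    if struct.unpack("!H", frame[14:16])[0] != 0x0800:   # SLL protocol field: IPv4 only
        return None
    ip = frame[16:]
    if ip[9] != 17:                                        # IP protocol field: 17 = UDP
        return None
    ihl = (ip[0] & 0x0F) * 4
    sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
    return {"pkt_type": pkt_type, "src_mac": frame[6:6 + addr_len].hex(":"),
            "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "payload": ip[ihl + 8:ihl + ulen]}

def find_reflected(frames):
    """Datagrams the router both received (type 0) and re-sent (type 4) on the same interface,
    keyed by 5-tuple and payload: the double appearance the answer describes."""
    types_seen = defaultdict(set)
    for f in frames:
        p = parse_sll_udp(f)
        if p:
            key = (p["src_ip"], p["dst_ip"], p["sport"], p["dport"], p["payload"])
            types_seen[key].add(p["pkt_type"])
    return sorted(k for k, t in types_seen.items() if {SLL_UNICAST_TO_US, SLL_SENT_BY_US} <= t)

# Constructed sample: device .23 shows the pair from the post; hypothetical device .24 does not.
PAYLOAD = bytes.fromhex("3c540169e48b0001010100006c3e")
SAMPLE_FRAMES = [
    build_frame(SLL_UNICAST_TO_US, "00:95:69:e4:8b:00", "192.168.1.23", "47.52.241.127", 49154, 17000, PAYLOAD),
    build_frame(SLL_SENT_BY_US, "04:42:1a:47:f7:e8", "192.168.1.23", "47.52.241.127", 49154, 17000, PAYLOAD),
    build_frame(SLL_UNICAST_TO_US, "00:95:69:e4:8b:01", "192.168.1.24", "47.52.241.127", 49154, 17000, PAYLOAD),
]

if __name__ == "__main__":
    for src_ip, dst_ip, sport, dport, payload in find_reflected(SAMPLE_FRAMES):
        print(f"{src_ip}:{sport} -> {dst_ip}:{dport} seen both received and re-sent: {payload.hex()}")
```

To run it over a real capture, feed the script the raw frames from a Linux cooked (SLL) pcap instead of SAMPLE_FRAMES; every flagged flow is a candidate for the forwarding-table check the answer suggests.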

Last updated: Aug 11 '22