Why can I see non-broadcast traffic for other computers on LAN interface?

asked 2022-12-07 21:03:04 +0000

Sharknado438
3 ●1 ●3

updated 2022-12-08 11:12:37 +0000

I have a simple setup of 3 computers connected with LAN cables to the same Asus RT-AX55 router.

I started a trace on computer2 but I can see traffic from the router intended for computer1. I am capturing on the standard Ethernet interface, the only one it has. The traffic isn't broadcast, in fact this is what one packet looks like:

Source          Src Port    Destination Dst Port    Protocol    Length  Info
119.23.52.119   51413       computer1   55764       TCP         60      51413 → 55764 [ACK] Seq=1 Ack=1 Win=11944 Len=0

In the Ethernet part of the packet I can see the source is the router's MAC address.

How is this possible?

edit retag flag offensive close merge delete

Comments

What is the "router", ideally the model number?

grahamb ( 2022-12-08 09:47:44 +0000 )edit

@grahamb, sorry - Asus RT-AX55, I'll add it to the question, as well.

Sharknado438 ( 2022-12-08 11:12:15 +0000 )edit

So that's a home gateway, with WiFI access point, single WAN port and quad switched LAN ports. So from your perspective you're looking at a switch.

Jaap ( 2022-12-08 12:06:49 +0000 )edit

@Jaap, that doesn't make sense to me. The router is configured to be in a wireless router mode (I don't even know if it can be configured as a switch) and the total amount of packets, meant for computer1, that I've captured on computer2 is a tiny, insignificant fraction of the amount computer1 sent and received during the capture time.

Sharknado438 ( 2022-12-08 17:35:51 +0000 )edit

Asus open source their code, if you really want to dig into what's happening.
The MERLIN project doesn't support the RT-AX55 but does list other RT-AX devices.

Chuckc ( 2022-12-09 16:28:44 +0000 )edit

see more comments

2 Answers

Sort by » oldest newest most voted

answered 2022-12-08 20:12:59 +0000

Jaap

13742 ●710 ●115

... and the total amount of packets, meant for computer1, that I've captured on computer2 is a tiny, insignificant fraction of the amount computer1 sent and received during the capture time.

Thus proving my point that the four LAN ports are internally connected to a switch. Mind you this is a common architecture of a home gateway (what you call a wireless router). Such gateways consists of a WAN uplink (either cable modem, optical modem, (A)DSL modem or simply Ethernet from a separate network demarcation point), a NAT / firewall combination, some local network interfaces (ie. WiFi access point, possibly a SIP client and Ethernet). To orderly connect multiple wired LAN devices the Ethernet interface connected through a switch and that is what you see. The switch is learning where each device is, but before it learns the traffic is flooded to all switch ports. That learning usually takes very little time (until a packet comes into the port so that the switch can learn the MAC address of the connected host(s)), therefore the amount of traffic you received is a tiny amount.

edit flag offensive delete link

Comments

Oh, I see. I didn't know routers also did some of the work of a switch. Do you have any idea if there is a way to staticly set which IP is connected on which interface?

Sharknado438 ( 2022-12-08 20:28:49 +0000 )edit

Oh, I see. I didn't know routers also did some of the work of a switch.

Not quite. Think of a 'home gateway' as several devices in one box. So the router is internally connected with 1 LAN interface to the switch which has 4 external ports.

Do you have any idea if there is a way to statically set which IP is connected on which interface?

Switches operate on Ethernet level, not IP (routers does). So no you can't.
However you should be able to use the DHCP service to always assign the same IP to a host (based on MAC address). That has the same effect.

André ( 2022-12-08 20:58:57 +0000 )edit

@André, but I already did that. All my computers have an IP assigned to them, based on their MAC. Seeing as the home gateway is still sending some packets to all interfaces makes me think something is not quite right.

Sharknado438 ( 2022-12-08 22:35:38 +0000 )edit

What are the destination IP and MAC addresses when you see these broadcasts?

BigFatCat ( 2022-12-09 17:37:28 +0000 )edit

Seeing as the home gateway is still sending some packets to all interfaces makes me think something is not quite right.

Now both answers contains the answer to this question.

In short: when a switch does not know on which port a MAC address can be reached, it will send the packet to all ports (like a hub). And learns the port when a response comes in; this is temporary cached,

André ( 2022-12-09 18:33:35 +0000 )edit

add a comment

answered 2022-12-09 12:51:14 +0000

SYN-bit

18528 ●9 ●338 ●255 https://SYN-b.it

One packet will not tell the truth, the whole truth and nothing but the truth... but, one can imagine this is a normal valid packet if:

There was a session from host computer1:55764 to 119.23.52.119:51413 before (or there is a port forwarder that forwards outside traffic on a certain port to computer1:55764)
and computer1 was active for a while, resulting in the router having an arp entry in its arp table that did not yet time out
and computer1 is now not connected anymore for a short while, resulting in the forwarding entry on the switch to have timed out

This would mean the router sends the incoming packet to the mac address of computer1, but since the (internal) switch does not know where the mac lives, it needs to flood the packet out of all ports.

One can think of other variants of this story to explain why there is a unicat packets seen on a host it was not meant to be. If there are a lot of packets that don't seem to follow normal switching rules, that is something to investigate. If there are a couple, still interesting to investigate, but you will probably find very logical causes :-)

edit flag offensive delete link

Comments

Thank you for your answer! Unfortunately the router seemed to bug out and I had to send it for repair but will look into it more afterwards.

Sharknado438 ( 2022-12-12 18:35:51 +0000 )edit

add a comment