Ask Your Question
0

Why can I see non-broadcast traffic for other computers on LAN interface?

asked 2022-12-07 21:03:04 +0000

Sharknado438 gravatar image

updated 2022-12-08 11:12:37 +0000

I have a simple setup of 3 computers connected with LAN cables to the same Asus RT-AX55 router.

I started a trace on computer2 but I can see traffic from the router intended for computer1. I am capturing on the standard Ethernet interface, the only one it has. The traffic isn't broadcast, in fact this is what one packet looks like:

Source          Src Port    Destination Dst Port    Protocol    Length  Info
119.23.52.119   51413       computer1   55764       TCP         60      51413 → 55764 [ACK] Seq=1 Ack=1 Win=11944 Len=0

In the Ethernet part of the packet I can see the source is the router's MAC address.

How is this possible?

edit retag flag offensive close merge delete

Comments

What is the "router", ideally the model number?

grahamb gravatar imagegrahamb ( 2022-12-08 09:47:44 +0000 )edit

@grahamb, sorry - Asus RT-AX55, I'll add it to the question, as well.

Sharknado438 gravatar imageSharknado438 ( 2022-12-08 11:12:15 +0000 )edit

So that's a home gateway, with WiFI access point, single WAN port and quad switched LAN ports. So from your perspective you're looking at a switch.

Jaap gravatar imageJaap ( 2022-12-08 12:06:49 +0000 )edit

@Jaap, that doesn't make sense to me. The router is configured to be in a wireless router mode (I don't even know if it can be configured as a switch) and the total amount of packets, meant for computer1, that I've captured on computer2 is a tiny, insignificant fraction of the amount computer1 sent and received during the capture time.

Sharknado438 gravatar imageSharknado438 ( 2022-12-08 17:35:51 +0000 )edit

Asus open source their code, if you really want to dig into what's happening.
The MERLIN project doesn't support the RT-AX55 but does list other RT-AX devices.

Chuckc gravatar imageChuckc ( 2022-12-09 16:28:44 +0000 )edit
see more comments

2 Answers

Sort by » oldest newest most voted
0

answered 2022-12-08 20:12:59 +0000

Jaap gravatar image

... and the total amount of packets, meant for computer1, that I've captured on computer2 is a tiny, insignificant fraction of the amount computer1 sent and received during the capture time.

Thus proving my point that the four LAN ports are internally connected to a switch. Mind you this is a common architecture of a home gateway (what you call a wireless router). Such gateways consists of a WAN uplink (either cable modem, optical modem, (A)DSL modem or simply Ethernet from a separate network demarcation point), a NAT / firewall combination, some local network interfaces (ie. WiFi access point, possibly a SIP client and Ethernet). To orderly connect multiple wired LAN devices the Ethernet interface connected through a switch and that is what you see. The switch is learning where each device is, but before it learns the traffic is flooded to all switch ports. That learning usually takes very little time (until a packet comes into the port so that the switch can learn the MAC address of the connected host(s)), therefore the amount of traffic you received is a tiny amount.

edit flag offensive delete link more

Comments

Oh, I see. I didn't know routers also did some of the work of a switch. Do you have any idea if there is a way to staticly set which IP is connected on which interface?

Sharknado438 gravatar imageSharknado438 ( 2022-12-08 20:28:49 +0000 )edit

Oh, I see. I didn't know routers also did some of the work of a switch.

Not quite. Think of a 'home gateway' as several devices in one box. So the router is internally connected with 1 LAN interface to the switch which has 4 external ports.

Do you have any idea if there is a way to statically set which IP is connected on which interface?

Switches operate on Ethernet level, not IP (routers does). So no you can't.
However you should be able to use the DHCP service to always assign the same IP to a host (based on MAC address). That has the same effect.

André gravatar imageAndré ( 2022-12-08 20:58:57 +0000 )edit

@André, but I already did that. All my computers have an IP assigned to them, based on their MAC. Seeing as the home gateway is still sending some packets to all interfaces makes me think something is not quite right.

Sharknado438 gravatar imageSharknado438 ( 2022-12-08 22:35:38 +0000 )edit

What are the destination IP and MAC addresses when you see these broadcasts?

BigFatCat gravatar imageBigFatCat ( 2022-12-09 17:37:28 +0000 )edit

Seeing as the home gateway is still sending some packets to all interfaces makes me think something is not quite right.

Now both answers contains the answer to this question.

In short: when a switch does not know on which port a MAC address can be reached, it will send the packet to all ports (like a hub). And learns the port when a response comes in; this is temporary cached,

André gravatar imageAndré ( 2022-12-09 18:33:35 +0000 )edit
add a comment
0

answered 2022-12-09 12:51:14 +0000

SYN-bit gravatar image

One packet will not tell the truth, the whole truth and nothing but the truth... but, one can imagine this is a normal valid packet if:

  • There was a session from host computer1:55764 to 119.23.52.119:51413 before (or there is a port forwarder that forwards outside traffic on a certain port to computer1:55764)
  • and computer1 was active for a while, resulting in the router having an arp entry in its arp table that did not yet time out
  • and computer1 is now not connected anymore for a short while, resulting in the forwarding entry on the switch to have timed out

This would mean the router sends the incoming packet to the mac address of computer1, but since the (internal) switch does not know where the mac lives, it needs to flood the packet out of all ports.

One can think of other variants of this story to explain why there is a unicat packets seen on a host it was not meant to be. If there are a lot of packets that don't seem to follow normal switching rules, that is something to investigate. If there are a couple, still interesting to investigate, but you will probably find very logical causes :-)

edit flag offensive delete link more

Comments

Thank you for your answer! Unfortunately the router seemed to bug out and I had to send it for repair but will look into it more afterwards.

Sharknado438 gravatar imageSharknado438 ( 2022-12-12 18:35:51 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2022-12-07 21:03:04 +0000

Seen: 424 times

Last updated: Dec 09 '22

Related questions

Can i capture traffic from IP camera on my network ?

Robot cleaner from China, LAN ip 10.10.4.2, how to capture packets to and from

Capture incoming packets from remote web server

How to set packet metadata in realtime?

Monitor device

Why would I be getting "LEN 1 (Malformed Packet)"... "(Malformed Packet: RTCP)" on UDP Packets

What is wrong with my internets?!

How do I dissect multiple packets?

How do I get relative ack number greater than sequence number?

cannot find "Compare two capture files"

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2