Cable Modem Activity
Citizen Bob
not doing anything on the network.
The modem is connected to a Linksys router. In particular, the RCV
light is constantly blinking on the modem as is the ACT light on the
router. But the LINK/.ACT light on the router is not blinking. There
is no SEND activity.
What is sending those packets to my modem? Are they addressed only to
my IP address or are they part my Class C subnet from my ISP?
--
"Beer is proof that God loves us and wants us to be happy."
--Benjamin Franklin
Gene S. Berkowitz
says...
> What is causing thee activity on my cable modem when my computer is
> not doing anything on the network.
>
> The modem is connected to a Linksys router. In particular, the RCV
> light is constantly blinking on the modem as is the ACT light on the
> router. But the LINK/.ACT light on the router is not blinking. There
> is no SEND activity.
>
> What is sending those packets to my modem? Are they addressed only to
> my IP address or are they part my Class C subnet from my ISP?
The traffic you see are Address Resolution Protocol (ARP) packets.
They are used to find the hardware address that resolves to a particular
IP address. Extremely common, and harmless. Your router only passes
ARP requests within your sub-net.
--Gene
Tom Stiller
Or malware probes. My router logs between 1,000 and 2,500 bogus
connection attempts per day (about 90% for ports 1026, 1027, and 1028).
Multiply that by the number of subscribers on the loop and you have a
substantial load.
--
Tom Stiller
PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF
Citizen Bob
<first...@comcast.net> wrote:
>> What is sending those packets to my modem? Are they addressed only to
>> my IP address or are they part my Class C subnet from my ISP?
>The traffic you see are Address Resolution Protocol (ARP) packets.
>They are used to find the hardware address that resolves to a particular
>IP address. Extremely common, and harmless.
Good to know.
>Your router only passes ARP requests within your sub-net.
Do you mean "your ISP's" router?
My router is the Linksys and it is downstream from the cable modem.
There is a provision on the Linksys router called "Block WAN Requests"
which presumably means packets such as you describe.
Citizen Bob
<tomst...@comcast.net> wrote:
>> The traffic you see are Address Resolution Protocol (ARP) packets.
>> They are used to find the hardware address that resolves to a particular
>> IP address. Extremely common, and harmless. Your router only passes
>> ARP requests within your sub-net.
>Or malware probes. My router logs between 1,000 and 2,500 bogus
>connection attempts per day (about 90% for ports 1026, 1027, and 1028).
I have used WallWatcher with my Linksys and have also seen such
traffic.
>Multiply that by the number of subscribers on the loop and you have a
>substantial load.
My question is whether I am seeing traffic sent to my specific IP
address only or if I am seeing traffic that is sent to the whole
address range of the subnet I am on.
Your comment implies that my modem is seeing traffic that is sent to
the whole address range of the subnet I am on.
Tom Stiller
sp...@uce.gov (Citizen Bob) wrote:
I'm not sure how the provider distributes the traffic, but the cable is
a shared medium. The modem has to see all the traffic on its loop in
order to select and pass on that which is intended for a particular
subscriber.
Citizen Bob
<tomst...@comcast.net> wrote:
>> Your comment implies that my modem is seeing traffic that is sent to
>> the whole address range of the subnet I am on.
>I'm not sure how the provider distributes the traffic, but the cable is
>a shared medium. The modem has to see all the traffic on its loop in
>order to select and pass on that which is intended for a particular
>subscriber.
Indeed it does but the question now is
Does the RCV light indicate incoming packets to the modem or does it
reflect packets that pass thru the modem. The reason is because the
router ACT light keeps pace which tells me that the modem's blinking
RCV light is for only those packets it passes thru. IOW RCV means
received for this modem and only for this modem.
If most of these packets are ARP then why are they passed thru to my
Linksys router. I would expect them to be processed internally by the
modem and not passed thru, ARP doesn't care about what's on the other
side of the modem.
Tom Stiller
sp...@uce.gov (Citizen Bob) wrote:
The LED showing the activity on my Terayon modem is labeled "Data" and
the manual says:
"Dark when no data is passing through modem or power is Off.
Flashing when data is passing through modem."
However, I don't think "through" is the same as "passed on the the
customer side". My router only logs connection attempts aimed at my IP
address.
clifto
> The traffic you see are Address Resolution Protocol (ARP) packets.
> They are used to find the hardware address that resolves to a particular
> IP address. Extremely common, and harmless.
But why so many thousand per second? (I forget what tool I used to count
them.) Do they need to know which millisecond I switched a network card?
--
If you really believe carbon dioxide causes global warming,
you should stop exhaling.
Gene S. Berkowitz
says...
> On Thu, 9 Aug 2007 23:59:07 -0400, Gene S. Berkowitz
> <first...@comcast.net> wrote:
>
> >> What is sending those packets to my modem? Are they addressed only to
> >> my IP address or are they part my Class C subnet from my ISP?
>
> >The traffic you see are Address Resolution Protocol (ARP) packets.
> >They are used to find the hardware address that resolves to a particular
> >IP address. Extremely common, and harmless.
>
> Good to know.
>
> >Your router only passes ARP requests within your sub-net.
>
> Do you mean "your ISP's" router?
>
> My router is the Linksys and it is downstream from the cable modem.
> There is a provision on the Linksys router called "Block WAN Requests"
> which presumably means packets such as you describe.
Your router. The modem will likely pass along practically everything
received. Your router will generally only pass along packets that are
responding to the IP and port that the router translates; i.e. your PC
is assigned an IP within the subnet (typically 192.168.0.xxx). All
packets routed to the WAN are translated to the IP assigned to your
modem by the ISP, using various port #'s to keep the various requests
originating from the IP addresses in your subnet sorted out.
If you have more than one PC attached to your router, you WILL see
"local" (192.x.x.x) ARP requests as those PCs locate each other.
--Gene
Tom Stiller
Gene S. Berkowitz <first...@comcast.net> wrote:
> In article <46bc4a74....@newsgroups.comcast.net>, sp...@uce.gov
> says...
> > On Thu, 9 Aug 2007 23:59:07 -0400, Gene S. Berkowitz
> > <first...@comcast.net> wrote:
> >
> > >> What is sending those packets to my modem? Are they addressed only to
> > >> my IP address or are they part my Class C subnet from my ISP?
> >
> > >The traffic you see are Address Resolution Protocol (ARP) packets.
> > >They are used to find the hardware address that resolves to a particular
> > >IP address. Extremely common, and harmless.
> >
> > Good to know.
> >
> > >Your router only passes ARP requests within your sub-net.
> >
> > Do you mean "your ISP's" router?
> >
> > My router is the Linksys and it is downstream from the cable modem.
> > There is a provision on the Linksys router called "Block WAN Requests"
> > which presumably means packets such as you describe.
>
> Your router. The modem will likely pass along practically everything
> received.
I'm sure the modem won't pass any traffic that isn't addressed to it by
MAC address. If it did, I could monitor my neighbor's traffic by
bypassing my router and running tcpdump.
> Your router will generally only pass along packets that are
> responding to the IP and port that the router translates; i.e. your PC
> is assigned an IP within the subnet (typically 192.168.0.xxx). All
> packets routed to the WAN are translated to the IP assigned to your
> modem by the ISP, using various port #'s to keep the various requests
> originating from the IP addresses in your subnet sorted out.
>
> If you have more than one PC attached to your router, you WILL see
> "local" (192.x.x.x) ARP requests as those PCs locate each other.
>
> --Gene
>
>
>
--
Gene S. Berkowitz
tomst...@comcast.net says...
> In article <MPG.21280a17b...@newsgroups.comcast.net>,
> Gene S. Berkowitz <first...@comcast.net> wrote:
>
> > In article <46bc4a74....@newsgroups.comcast.net>, sp...@uce.gov
> > says...
> > > On Thu, 9 Aug 2007 23:59:07 -0400, Gene S. Berkowitz
> > > <first...@comcast.net> wrote:
> > >
> > > >> What is sending those packets to my modem? Are they addressed only to
> > > >> my IP address or are they part my Class C subnet from my ISP?
> > >
> > > >The traffic you see are Address Resolution Protocol (ARP) packets.
> > > >They are used to find the hardware address that resolves to a particular
> > > >IP address. Extremely common, and harmless.
> > >
> > > Good to know.
> > >
> > > >Your router only passes ARP requests within your sub-net.
> > >
> > > Do you mean "your ISP's" router?
> > >
> > > My router is the Linksys and it is downstream from the cable modem.
> > > There is a provision on the Linksys router called "Block WAN Requests"
> > > which presumably means packets such as you describe.
> >
> > Your router. The modem will likely pass along practically everything
> > received.
>
> I'm sure the modem won't pass any traffic that isn't addressed to it by
> MAC address. If it did, I could monitor my neighbor's traffic by
> bypassing my router and running tcpdump.
Have you tried it? Depending on the architecture of the cable system,
you may be able to do just that.
The modem reports, via the activity LED, lots and lots of traffic.
The question is, does this get passed along, or not? If the router LED
is showing activity that is in sync with the modem LED, the answer is
"definitely maybe".
--Gene
Tom Stiller
Yeah. I captured 1164 messages in just under 40 seconds.
88% of them were ARPs
8% of them were various requests initiated by my computer
(CUPS, AARP, etc.)
The remainder were various other "broadcast" requests (e.g. DHCP)
>
> The modem reports, via the activity LED, lots and lots of traffic.
> The question is, does this get passed along, or not? If the router LED
> is showing activity that is in sync with the modem LED, the answer is
> "definitely maybe".
So much of the traffic is broadcast data and does get passed through.
lawrenc...@ugs.com
>
> But why so many thousand per second? (I forget what tool I used to count
> them.) Do they need to know which millisecond I switched a network card?
There are so many of them because they're broadcasts, so you don't just
see the ones that are specifically for you, you see all of them for your
network segment.
-Larry Jones
I hope Mom and Dad didn't rent out my room. -- Calvin