[rescue] What is this traffic?

Jonathan Katz jon at jonworld.com
Thu Oct 29 06:54:27 CDT 2015

On Thu, Oct 29, 2015 at 12:45 PM,  <microcode at zoho.com> wrote:
> I have no evidence of anything getting to any of the boxes on my LAN. iptraf
> Is there any way to see what the traffic between the router and the switch
> is without extra equipment? Does anybody have any idea what this could be?

The extra equipment part is difficult. If you're willing to sacrifice
network performance in the short term, dust off an old 10Mbit hub in
the closet and put that between the ADSL router and the switch and
then run snoop or tcpdump on something plugged into the hub.

How dumb is your TP-Link switch? Could it take dd-wrt or similar? That
could allow you to mirror the interface between the switch and the
ADSL router and you can snoop traffic that way.

Alternately, does it happen at a set interval? Like every "N" hours
after the ADSL modem has been rebooted? I'm wondering if it is some
kind of standard ARP broadcast/mapping that is going on as a part of
spanning tree. Like the ADSL port keeps a cache of the MAC addresses
that it expects to find beyond the switch port it is plugged into.
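
Added example, not part of the original message: one way to check the "does it happen at a set interval?" question against a capture taken at the hub. It assumes text output in `tcpdump -tt -e -n` format; the sample frames, MAC and IP addresses, and the `quiet` and `tolerance` thresholds are constructed for illustration.

```python
import re
from statistics import mean, pstdev

# Matches the start of a `tcpdump -tt -e -n` line: epoch time, src MAC > dst MAC, ethertype.
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype (?P<etype>\S+) ")

def parse(lines):
    """Yield (timestamp, src_mac, dst_mac, ethertype) for each recognised line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield float(m["ts"]), m["src"], m["dst"], m["etype"]

def bursts(frames, quiet=60.0):
    """Group frames into bursts separated by at least `quiet` seconds of silence."""
    groups = []
    for f in sorted(frames):
        if groups and f[0] - groups[-1][-1][0] < quiet:
            groups[-1].append(f)
        else:
            groups.append([f])
    return groups

def summarize(lines, quiet=60.0, tolerance=0.05):
    """Report burst count, spacing regularity and the share of ARP broadcasts."""
    groups = bursts(parse(lines), quiet)
    frames = [f for g in groups for f in g]
    starts = [g[0][0] for g in groups]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    arp = sum(1 for f in frames if f[3] == "ARP" and f[2] == "ff:ff:ff:ff:ff:ff")
    periodic = len(gaps) >= 2 and pstdev(gaps) <= tolerance * mean(gaps)
    return {"bursts": len(groups),
            "mean_gap_s": round(mean(gaps), 1) if gaps else None,
            "periodic": periodic,
            "arp_broadcast_share": round(arp / len(frames), 2) if frames else 0.0}

def constructed_sample():
    """Constructed capture: four ARP broadcast bursts roughly an hour apart."""
    out = []
    for start in (1446100000.0, 1446103601.0, 1446107199.0, 1446110800.0):
        for n in range(5):
            out.append(f"{start + n * 0.2:.6f} 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, "
                       f"ethertype ARP (0x0806), length 60: Request who-has "
                       f"192.168.1.{10 + n} tell 192.168.1.1, length 46")
    out.append("1446100000.500000 00:11:22:33:44:55 > 66:77:88:99:aa:bb, "
               "ethertype IPv4 (0x0800), length 74: 192.168.1.1 > 192.168.1.20: ICMP")
    return out
```

Calling `summarize(constructed_sample())` shows regular hourly bursts dominated by ARP broadcasts, the pattern the reply speculates about; irregular spacing or mostly non-ARP frames would point elsewhere.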

