Phantom IP Traffic

Discussion in 'Tomato Firmware' started by Planiwa, Oct 5, 2013.

  1. Planiwa

    Planiwa Network Guru Member

    I just noticed that IP Traffic history shows activity for a device that was nowhere near the network at the time, and was in fact sleeping, elsewhere in the city.

    NB: This image shows upstream activity at 01:30.
    But the image for the entire LAN shows no such upstream activity at that time.

    Tomato v1.28.9013 MIPSR2-RAF-v1.2i K26 USB
    t_model_name=Asus RT-N66U


    EDIT Update: The Phantom has Time-travelled:

    Last edited: Oct 5, 2013
  2. koitsu

    koitsu Network Guru Member

    No way to know what it was aside from using tcpdump to monitor the WAN interface and watch all packets coming in/out and capture them to a file (preferably on a USB stick or CIFS share) using tcpdump -p -i `nvram get wan_ifname` -l -s 16384 -n -w /usbstick/capture.pcap, wait for the event to happen, and then post the packet capture here for analysis (if you cannot do it yourself). You will need Entware installed with the tcpdump package installed (opkg install tcpdump) to accomplish this reliably.

    You also need to disclose what timezone your router is in (01:30, for example, means nothing to me unless I know what your timezone is / more specifically what your UTC offset is).
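One way to turn such a capture into something that can be laid next to the IP-Traffic graph. This is an added example, not koitsu's command or any Tomato code: it reads a classic libpcap file like the one the tcpdump command above writes, attributes every IPv4 packet to the LAN host that sent or received it, and totals bytes per host per UTC minute (which also answers the timezone question, since the buckets are labelled in UTC). The LAN range 192.168.1.0/24, the MAC addresses and the sample packets are constructed for this example.

```python
"""Summarise a WAN packet capture per LAN host and UTC minute (added example)."""
import struct
import sys
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap magic; its byte order reveals the file's endianness
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def iter_pcap_packets(data):
    """Yield (timestamp_seconds, frame_bytes) for every record in a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack_from(end + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24                                   # end of the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_ipv4(frame):
    """Return (src, dst, ip_total_length) for an IPv4-over-Ethernet frame, else None."""
    if len(frame) < 34:                        # 14-byte Ethernet header + 20-byte IPv4 header
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4 or frame[14] >> 4 != 4:
        return None
    total_len, = struct.unpack_from("!H", frame, 16)
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    return src, dst, total_len


def summarise(data, lan_cidr="192.168.1.0/24"):
    """Map (lan_host, 'YYYY-MM-DD HH:MM UTC') -> {'up', 'down', 'packets'} totals."""
    lan = ipaddress.ip_network(lan_cidr)
    buckets = defaultdict(lambda: {"up": 0, "down": 0, "packets": 0})
    for ts, frame in iter_pcap_packets(data):
        parsed = parse_ipv4(frame)
        if parsed is None:
            continue
        src, dst, length = parsed
        minute_start = int(ts) - int(ts) % 60
        minute = datetime.fromtimestamp(minute_start, timezone.utc).strftime("%Y-%m-%d %H:%M UTC")
        if ipaddress.ip_address(src) in lan:   # LAN host sending: upstream
            b = buckets[(src, minute)]
            b["up"] += length
            b["packets"] += 1
        if ipaddress.ip_address(dst) in lan:   # LAN host receiving: downstream
            b = buckets[(dst, minute)]
            b["down"] += length
            b["packets"] += 1
    return dict(buckets)


# --- constructed sample capture so the example runs without a router ------------------
def _ipv4_frame(src, dst, payload_len):
    """Build a minimal Ethernet + IPv4 (protocol 17) frame with a zero payload; checksum left 0."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip_hdr + bytes(payload_len)


def build_pcap(records):
    """Write (timestamp, src, dst, payload_len) records as a little-endian classic pcap."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, src, dst, payload_len in records:
        frame = _ipv4_frame(src, dst, payload_len)
        out.append(struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


# 1380936600 is 2013-10-05 01:30:00 UTC; hosts and peers are constructed documentation addresses
SAMPLE_PCAP = build_pcap([
    (1380936600.25, "192.168.1.23", "203.0.113.9", 100),    # .23 sends 120 bytes at 01:30
    (1380936605.50, "203.0.113.9", "192.168.1.23", 1000),   # .23 receives 1020 bytes at 01:30
    (1380936610.00, "192.168.1.50", "198.51.100.7", 300),   # .50 sends 320 bytes at 01:30
    (1380936661.00, "192.168.1.23", "203.0.113.9", 40),     # .23 sends 60 bytes at 01:31
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for (host, minute), c in sorted(summarise(data).items()):
        print(f"{minute}  {host:15}  up={c['up']:>8}  down={c['down']:>8}  pkts={c['packets']}")
```

Run it as `python3 summarise.py /usbstick/capture.pcap` against a real capture, or with no argument to see the constructed sample. If a host's bytes show up in the capture at the minute the graph marks, the traffic was real; if the capture is empty for that host while the graph still shows it, the discrepancy is inside the accounting path rather than on the wire.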
  3. Planiwa

    Planiwa Network Guru Member

    In this particular case it is clear that there is a bug in the IP-Traffic subsystem. It is also clear that the Phantom persists, i.e. that it appears in the same "place" on the "last 24h" timeline "forever". (Until FW is restarted.)

    If one wanted to look at data, for a clue as to what might be going on, one might want to look at Iptables data, or perhaps cstats data.

    Tcpdump on the WAN port? Very interesting . . . ;-)

    The following further particulars may also be helpful in tracking down the problem:

    1. Static ARP binding was in effect from before the original traffic until after that traffic appeared (and re-appeared) as a Phantom, later.

    2. Enable Auto-Discovery (automatically include new IPs in monitoring as soon as any traffic is detected) was in effect in /admin-iptraffic.asp.

    3. The original traffic had happened between 12:07 and 14:30, the day before I noticed the phantom and first captured it at 11:17 and again at 15:23. The Phantom persisted until I made a Static IP change (which reset the FW).

    (I have those records in my logs, because this 2.5 hour episode was a visit to the site, and the user was myself.)
    Last edited by a moderator: Oct 8, 2013
  4. Malitiacurt

    Malitiacurt Networkin' Nut Member

    IPTraffic will pick up unencrypted wireless traffic for other devices that are in the same subnet, counting them as yours.

    E.g. I had one Tomato router with a guest subnet (with WPA2) on. It was only temporary for one person, but I noticed a lot of traffic recorded for other IPs in the same subnet. Since there were no other devices connected on that guest wifi/subnet, my assumption was some neighbour's unencrypted wifi was being picked up by mine. (And the ghost traffic for the .0 subnet was no longer being picked up when I removed that subnet from my router.)
  5. Planiwa

    Planiwa Network Guru Member

    I thought it would be obvious enough that this Phantom has nothing whatsoever to do with any unidentified traffic. Neither from the WAN, nor from another WLAN, nor from my WLAN.

    I thought it would be obvious enough that I know exactly what happened originally, when it happened, how it happened, and who made it happen.

    I thought it would be obvious enough that we are dealing with a bug in the IP-Traffic subsystem.

    Every time I say "bug", there are oodles of people who say "you're wrong", or "you must be doing something wrong", or "you don't know what you are talking about", or "you should do such and such", etc.
    Last edited by a moderator: Oct 8, 2013
  6. Marcel Tunks

    Marcel Tunks Networkin' Nut Member

    Earthlings communicate more effectively in person. It's easy to misunderstand the tone or intention of a forum post, especially one that is international.

    It also sometimes rubs people the wrong way when a person who used to post a mix of help to junior users and requests to devs now posts almost exclusively requests and bug reports. Though it is clearly not your intention, it can sound like whining and complaining rather than collaborative discussion (see paragraph 1).

    Many of the responses seem to be requests for clarification or pointing out the silly mistakes that we all make from time to time. There's no need to take things so personally. As Victek always says, it's a hobby.
  7. Marcel Tunks

    Marcel Tunks Networkin' Nut Member

    Though I think that hobbies can be either personal or a collaborative effort, I otherwise agree. I also understand your frustration that the work you are putting into testing and making observations seemingly goes unnoticed. It does not go unnoticed.

    With respect to the phantom ip traffic, I had seen it in my home network a few months ago but didn't report it since it doesn't have much impact in the home setting. I should have been more vocal after your first post in the thread - my apologies.

    Also noted that you edited your second-last post to be a bit more pleasant - thank you.
    Last edited: Oct 7, 2013
  8. Victek

    Victek Network Guru Member

    @Planiwa is BW limiter working fine?
    About the comments, simply send a PM to the person you think was the developer of the feature; not all posts are read by all guys in the forum. It's a pity to read inner sad comments without an answer. Don't be ambiguous, contact them. ;)

    Edit: Do you have logs, tcpdump or wireshark sessions? Send them. I can't reproduce it because I always have traffic.
    Last edited: Oct 7, 2013
  9. Planiwa

    Planiwa Network Guru Member

    @Victek BW limiter was working fine last time I checked, in 1.2i. It's disabled for now, because I am testing new VDSL2 modems and need to encourage much traffic.

    (As for tcpdump, etc. -- if one actually reads what I wrote, without being distracted by what others wrote, one may reconsider that notion. FWIW, the site where this happens probably has much more traffic than yours does. The single user that was selected (me) was a rare site-visit. Of course there were several GB of traffic by a dozen devices on that day.)

    As for "direct to developer" -- I still believe in the possibility of collaborative work, and I still believe that this forum has not yet become totally dysfunctional. If this forum did not exist, I would contact the developer, or perhaps more appropriately, the responsible maintainer. (Perhaps that might be Teaman/Augusto -- for IP-Traffic)

    But I regard another process more in line with group collaboration:

    1. Problem-Discoverers post reports with data, ideally minimally reproducible scenarios.
    2. But even if one is unable to give reproducible directions, one should feel invited to share what one does know.
    3. Now others may become aware that there may be a problem.
    4. If others encounter an instance of that problem, they may be able to post further observations and *new* data.
    5. Problem-Searchers may be inspired to track the problem to its source.
    6. Maintainers, coders, developers may examine design and implementation to understand the problem.
    7. Developers can use this understanding to repair the problem, hopefully without introducing new problems.
    8. Other problems may be discovered during this process, and there is an opportunity to repair those too.

    As Marcel wrote, he too noticed that problem.
    Last edited by a moderator: Oct 8, 2013
  10. Planiwa

    Planiwa Network Guru Member

    Perhaps I should keep IP-Traffic histories.

    It seems to me that cstats and iptables records might be of value. Suggestions welcome.
  11. Victek

    Victek Network Guru Member

    tcpdump timestamp capturing packets to the ghost IP ... we need some neutral inspector...

    About other comments... I disagree with you from the starting point. People visit the forum to grab one firmware for their router; if it works, then perfect and goodbye. If it doesn't work, then they complain at first; when I ask for evidence they don't answer in many cases, or the test I ask for is not done... and finally they show what they tried to do with scripts and modifications that are difficult to reproduce. Few issues are related to standard configurations....
    Last edited: Oct 7, 2013
  12. RMerlin

    RMerlin Network Guru Member

    The Tomato project (like many other open source projects) is simply understaffed. You have a very small number of developers being sent in all directions, being asked to debug/troubleshoot/fix all kinds of things, half of which they didn't develop in the first place. Sometimes it's code we have never even looked at. And that code is almost never commented by its original author.

    Most of the Tomato code was written by people who totally disappeared over time. That means that when a bug gets reported on a specific sub-system, we have to spend hours first analyzing the code to figure out how it works. And then we can start looking for the reported bug - without an actual test case, this is very difficult.

    That's why developers of such small projects can sound hard when it comes to bug reports. Tracking down those bugs requires so many hours of analysis that, without an actual test case to prove that it's really a bug, we're not always inclined to devote all those hours to something that may or may not be a genuine bug.

    I've been through this myself last year. I'm the guy who decided to dive into IPTraffic, figure out how it worked, figure out how the Netfilter module it used worked, figure out how Netfilter in itself worked (so I could understand the module, and in turn understand IPTraffic). After all these hours on this, I managed to fix various bugs that had been there since its original author disappeared. I fixed every single bug I was able to reproduce. If there were any left, that's because I never got a specific test case that would allow me to track it down.

    (The fact it was IPTraffic is just a coincidence anyway, I was using this as a general example.)

    Point is, bug reports without a test case tend to gather dust on our ToDo lists, because we know we're facing many hours of work if we start diving into it. So if you get angry at developers not giving the same priority that you, as a reporter, give to the issues you experience, look at it from our point of view. We're volunteers, with limited time, having to do HOURS of work in whatever free time we can salvage.

    If that's not enough, then by all means, join us in diving into the code, or encourage someone who knows how to program to do so. 'Cause we're already giving you all we've got.
  13. Planiwa

    Planiwa Network Guru Member

    Perhaps we have a parsing problem here? Perhaps I should have titled the thread:

    "IP-Traffic Bug: Zombie" instead of "Phantom IP Traffic".

    The problem is *not* that there is unaccounted-for traffic!

    The problem *is* that there is a bug in the IP-Traffic subsystem, which keeps carrying forward some old traffic.

    It seems that some people read some isolated words and make up their own story from those word fragments.

    And few people read the story that I actually wrote. Such is life.

    If I misunderstand why those who suggest tcpdump are doing so, I invite them to say why, given the problem I describe, one would look at the birth (tcpdump) of the person who ends up being a Zombie, rather than looking at what sustains the Zombie (IP-Traffic, Netfilter, etc.) Why?
  14. Victek

    Victek Network Guru Member

    OK Planiwa, I tried to understand the problem, but I'm not at your level of knowledge since you know how it works; please post the solution when you find it.

    Last edited by a moderator: Oct 8, 2013
  15. PeterT

    PeterT Network Guru Member

    I can't help but wonder if there is some external, periodic function that actually IS attempting to send data to those phantom addresses.
  16. RMerlin

    RMerlin Network Guru Member

    That would be my primary theory as well. For example, if one of these was running a torrent client, and some remote clients were trying to connect back to it, the port forward would still be in place for a given amount of time on the router, during which those packets could be sent to that IP, being logged by IPTraffic (as they will have gone through the FORWARD chain). I would expect such background "noise" to disappear after the port forward has expired (no idea what the default timeout in Tomato for UDP sessions is).
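A way to check this theory on the router itself, as an added example that is neither RMerlin's code nor part of Tomato: the kernel's connection tracker keeps the state that lets inbound packets reach a host that has left, and each entry carries the seconds remaining before it is dropped. The script parses lines in the /proc/net/ip_conntrack format (the older layout; /proc/net/nf_conntrack prefixes each line with the address family and is not handled here) and lists every entry that still involves one LAN host, in either direction. The sample lines, the LAN hosts, the peers and the WAN address 192.0.2.10 are all constructed for this example.

```python
"""List conntrack entries the router still holds for a LAN host (added example)."""
import sys

# Constructed sample in ip_conntrack format; 192.0.2.10 stands in for the router's WAN address.
# The third line models a port forward: original dst is the WAN address, reply src is the LAN host.
SAMPLE_CONNTRACK = """\
udp      17 170 src=192.168.1.23 dst=203.0.113.9 sport=51413 dport=6881 packets=3 bytes=300 [UNREPLIED] src=203.0.113.9 dst=192.168.1.23 sport=6881 dport=51413 packets=0 bytes=0 mark=0 use=2
tcp      6 431999 ESTABLISHED src=192.168.1.50 dst=198.51.100.7 sport=40000 dport=443 packets=120 bytes=9000 src=198.51.100.7 dst=192.168.1.50 sport=443 dport=40000 packets=130 bytes=150000 [ASSURED] mark=0 use=2
udp      17 25 src=203.0.113.77 dst=192.0.2.10 sport=6881 dport=51413 packets=4 bytes=480 [UNREPLIED] src=192.168.1.23 dst=203.0.113.77 sport=51413 dport=6881 packets=0 bytes=0 mark=0 use=2
tcp      6 118 TIME_WAIT src=192.168.1.23 dst=198.51.100.7 sport=40001 dport=80 packets=10 bytes=800 src=198.51.100.7 dst=192.168.1.23 sport=80 dport=40001 packets=8 bytes=7000 [ASSURED] mark=0 use=2
"""

TUPLE_KEYS = ("src", "dst", "sport", "dport", "packets", "bytes")


def parse_conntrack_line(line):
    """Parse one ip_conntrack line into proto, timeout, TCP state, flags and both tuples."""
    tokens = line.split()
    if len(tokens) < 4:
        return None
    entry = {"proto": tokens[0], "timeout": int(tokens[2]), "state": None,
             "flags": [], "orig": {}, "reply": {}}
    if entry["proto"] == "tcp":
        entry["state"] = tokens[3]            # TCP lines carry a state word; UDP lines do not
    side = "orig"
    for tok in tokens[3:]:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])  # UNREPLIED / ASSURED
            continue
        if "=" not in tok:
            continue
        key, value = tok.split("=", 1)
        if key == "src" and "src" in entry["orig"]:
            side = "reply"                    # the second src= opens the reply-direction tuple
        if key in TUPLE_KEYS:
            entry[side][key] = value
    return entry


def lingering_entries(text, host):
    """Entries that involve `host` in either tuple, in file order, with seconds left on each."""
    found = []
    for line in text.splitlines():
        entry = parse_conntrack_line(line)
        if entry is None:
            continue
        o, r = entry["orig"], entry["reply"]
        if host not in (o.get("src"), o.get("dst"), r.get("src"), r.get("dst")):
            continue
        outbound = o.get("src") == host       # the host opened the flow itself
        found.append({
            "proto": entry["proto"],
            "state": entry["state"],
            "timeout": entry["timeout"],      # seconds until the kernel drops the entry
            "direction": "outbound" if outbound else "inbound",
            "peer": o.get("dst") if outbound else o.get("src"),
            "unreplied": "UNREPLIED" in entry["flags"],
        })
    return found


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.23"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_CONNTRACK
    for e in lingering_entries(text, host):
        print(f"{e['proto']:4} {e['state'] or '-':12} {e['direction']:9} peer={e['peer']:15} "
              f"ttl={e['timeout']:>6}s unreplied={e['unreplied']}")
```

On the router, `python conntrack_check.py 192.168.1.23 /proc/net/ip_conntrack` shows whether any entries for the departed host remain and how long they have left; inbound, unreplied UDP entries are exactly the ones through which stray packets could still be forwarded and counted. If the graph keeps showing the host after every entry has expired, the explanation lies elsewhere.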
  17. Planiwa

    Planiwa Network Guru Member

    If I say it again, will you read it?:

    On Friday, Oct 4th, I went to the site. I connected two devices for about 2 hours. One thing I ran was a test. Certainly no torrents.

    Then, on Saturday I noticed that those two bits of traffic persisted right in the middle of the IP-Traffic display, continually, in the same place, shifting along, along, along. The exact same Spectre shape! No new traffic. A classic Artifact.

    "that" IP was my notebook and my phone. It ***ONLY*** existed in the IP-Traffic data set. And it persisted until the FW was reset.

    I believe that Marcel understood what I wrote. He said he observed the same thing.

    It's not life-threatening! But why should I be ostracized for sharing it?
    Last edited by a moderator: Oct 8, 2013
  18. RMerlin

    RMerlin Network Guru Member

    The first reply was from someone suggesting ways to further troubleshoot this based on an original post that contained about nothing more than two screenshots and an opening paragraph saying that the graph was showing traffic for a device that wasn't present on the network, and you went on an argumentation about how people reporting bugs should be treated differently.

    I'm sorry if I missed any actual details about your problem in other posts you made after this, but I stopped reading when a skim revealed mostly complaints about how bug reports were being unfairly treated by developers. Thus, my reply was in relation to those complaints.

    Re-read your own first post. Then you will see how we've come up to the theories and troubleshooting steps that we suggested. We work with what we're being given. If for you it's nothing but "conjuring all sorts of imaginary things", then I'd love to see you deal with such vague bug reports.
  19. Toastman

    Toastman Super Moderator Staff Member Member

    Guys, I can see this topic developing into something we don't wish to see on the forum.

    A note to posters ... by all means feel free to share your findings on the forum. Those who have something to contribute, will reply if they wish, if nobody replies, then it is because they, for whatever reason, don't wish to. That is the purpose of the forum. If nobody replies, so be it...

    As others have said, feel free to contribute, but tone down the "demands" please.
  20. Toxic

    Toxic Administrator Staff Member

    May I remind everyone here that the administration will remove any content we find offensive. It is one thing to post an issue, but not when individuals make provocative demands and criticisms.

    All this does is infuriate everyone. It is not needed and definitely not welcome here at linksysinfo.

    Please refrain from comments at others and stick to the topic in hand.
    Last edited: Oct 13, 2013