Crazy high bandwidth usage on WAN (vlan2) and eth0

Discussion in 'Tomato Firmware' started by ominously, Dec 10, 2013.

  1. ominously

    ominously Reformed Router Member

    Tomato Firmware 1.28.0000 MIPSR2-115 K26 USB AIO

    I've been seeing this happen lately -- the bandwidth monitor shows about 12mbit ~ 20mbit of traffic, when there is nothing connected to the router. I am not sure what to make of this. I've tried changing the MAC address to get a new IP, thinking it could be external. It doesn't change.

    Here's what it looks like:



    Any ideas on what this could be is greatly appreciated. Thanks!
  2. koitsu

    koitsu Network Guru Member

    br0 is the wireless interface, so looks to me like someone may be using your wireless connection illegitimately.

    Change your SSID and wireless password (and use WPA2 Personal + AES if at all possible) and see if the issue goes away.

    Otherwise, given the large amount of traffic on the WAN interface that was marked RX (receive) but very little TX (transmit), someone may be sending you tons of traffic to your WAN IP without you asking for it. This is sometimes referred to as a DoS attack, although it could just be someone has misconfigured something and is sending crap (a lot of it) to you by accident.

    The only way to find out what's coming across the interfaces is to sniff/snoop on them using tcpdump on the router.
  3. ominously

    ominously Reformed Router Member

    I am aware that br0, eth1 and eth2 are the wireless interfaces. I had put them there for a comparison. I just checked it again, and it climbed to over 30mbit. I'll check out tcpdump and see what is going on.

    What is strange, though, is that if it's a DDoS attack, it really isn't affecting me that much. Internet is still lightning fast, and barely any latency if at all.

    Thanks for the reply :)


    EDIT: I got a hold of tcpdump, and ran it. It appears to be a buttload of UDP traffic. Here's a sample:



    After a bit more investigation, I think I have come to a conclusion. We get our internet via FTTH by our local TelCo. Not only that, but we get TV and phone through the same company as well. When they installed it, all they did was splice some fiber and put in a media converter to convert to Ethernet. They then took the Ethernet and put it into a switch. From that switch comes the WAN. Also on that switch are the TV receivers.

    I captured a bunch of packets to a file, and analyzed the file with WireShark, and it's definitely video that's hitting the router, but why would it do that?!

    Note: My IP is not in the picture above. That, above, is the output of:

    >>tcpdump -i vlan2

    Maybe they use VLANs too, and they're clashing?!
    Last edited: Dec 21, 2013
  4. koitsu

    koitsu Network Guru Member

    UDP port 5500 traffic is usually VoIP.

    The source address is in space, which is IANA reserved, i.e. for private network or LAN or NAT use. The destination address is in space, which is IANA reserved, commonly used for multicasting.

    It doesn't look like you're responding to the traffic (from the screenshot); it looks like it's mostly inbound.

    You need to talk to your ISP about this. Show them the packet captures, or give them the packet captures (tcpdump -w filename.pcap -s 0 -l -n then provide them with filename.pcap). Tier 1 will almost certainly not be able to solve this; you are going to need tier 2 or more likely actual engineers who have familiarity with their networking setup. They may have something seriously misconfigured on their side. I have never heard of a VoIP telephone call taking up 24,000kbit/sec of traffic (that's about 3.0MBytes/second).

    Good luck, as I can assure you this will take a lot of effort on your part and theirs to solve. And trust me -- that amount of traffic is not normal, whatever they tell you. That is a TREMENDOUS amount of network I/O happening constantly. And if it really is coming across your FTTH connection from your ISP, then they need to know that ASAP because you might not be the only one affected (especially if this is destined to multicast space).
  5. ominously

    ominously Reformed Router Member

    I didn't get a chance to contact my ISP today, but I did look a bit more into what WireShark is reporting.

    I did mention that they do TV over IP, and apparently it works via multicasting. I was reading a manual earlier for a Cisco managed switch, and it said something about multicast traffic being forwarded to all ports or something. This could be all the traffic I am seeing. When I pull up the .pcap file in WireShark, it shows the UDP packets being MPEG video stream. This is just monitoring the eth0 interface. I'll need to analyze the WAN interface a bit more.

    I do agree that it's a tremendous amount of network I/O, but I can't really blame them as it's a small town ISP and I'm pretty sure they have a few bugs here and there in the system.

    Anyway, here's an image of what I see in WireShark.

    Thanks for the replies

    Last edited: Dec 21, 2013
  6. ominously

    ominously Reformed Router Member

    Is it at all possible that the VLANs on the router could be clashing with VLANs my ISP uses? I thought this was the case for a little while, so I changed it to VLAN8 and VLAN9.

    Now looking at the WireShark image again, I can see "802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 9" in the above image.
  7. koitsu

    koitsu Network Guru Member

    You didn't say anything about using VLANs in your configuration. :/

    If by "I'm using VLANs" you're referring to the existence of vlan1 and vlan2 -- not quite.

    vlan2 on most routers is the default interface for the physical Ethernet port that correlates with the "WAN" interface on the back of your router. The reason this is done is because the actual Ethernet switch IC inside of most routers is a 5-port switch, so there needs to be a way to segregate one port (at the Ethernet level) from the other 4. VLANs, along with switch IC (hardware-level) support, are the way this is accomplished.

    vlan1 is what makes up the remaining 4 Ethernet ports, a.k.a. eth0.

    br0 is the bridge interface that "bonds" eth1 (your wireless network interface) and your vlan1 interface so that the wireless NIC is on the same network (Ethernet-wise) as your LAN ports.

    If you want to verify all of this, you can do so via CLI by doing cat /proc/net/vlan/config and brctl show. I'm sure someone somewhere has a picture diagram of it all that might make more sense though.

    If you're actually using VLAN tagging (this is a separate feature of some TomatoUSB firmwares), then yes that's possible. I would be very surprised if 802.1Q tagged frames are being honoured by the ISP, but anything is possible in this day and age of "roll it out, don't test anything, $$$ is the main focus".

    You can change the VLAN numbers in your configuration and see if the behaviour changes. You're not supposed to use VLAN ID 0, by the way.
    Last edited: Dec 11, 2013
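    To make the `cat /proc/net/vlan/config` and `brctl show` check above mechanical, here is an added Python example (my own, not from the thread or from Tomato) that parses both outputs, lists which VLAN sits on which parent port, which interfaces br0 bonds together, treats any VLAN that is not a bridge member as the WAN candidate (a heuristic, not something the kernel reports), and flags VLAN ID 0. The two sample outputs are constructed to match the default layout described in the post.

```python
# Constructed sample of /proc/net/vlan/config on a default Tomato/TomatoUSB layout.
VLAN_CONFIG = """\
VLAN Dev name\t | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
vlan1          | 1  | eth0
vlan2          | 2  | eth0
"""

# Constructed sample of `brctl show`; extra members are printed on continuation lines.
BRCTL_SHOW = """\
bridge name\tbridge id\t\tSTP enabled\tinterfaces
br0\t\t8000.001122334455\tno\t\tvlan1
\t\t\t\t\t\t\teth1
"""


def parse_vlan_config(text: str) -> dict:
    """Map VLAN device name -> {"id": int, "parent": str}; header lines are skipped."""
    vlans = {}
    for line in text.splitlines():
        if "|" not in line or line.startswith("VLAN Dev name"):
            continue
        name, vid, parent = (f.strip() for f in line.split("|"))
        vlans[name] = {"id": int(vid), "parent": parent}
    return vlans


def parse_brctl_show(text: str) -> dict:
    """Map bridge name -> list of member interfaces."""
    bridges, current = {}, None
    for line in text.splitlines()[1:]:          # drop the column header
        fields = line.split()
        if not fields:
            continue
        if not line[0].isspace():               # a new bridge row
            current = fields[0]
            bridges[current] = fields[3:]       # interface column (may be empty)
        elif current is not None:               # continuation row: one more member
            bridges[current].extend(fields)
    return bridges


def describe(vlans: dict, bridges: dict) -> dict:
    """Explain the layout the way the post does and collect warnings."""
    bridged = {m for members in bridges.values() for m in members}
    lan_vlans = sorted(v for v in vlans if v in bridged)
    # Heuristic: a VLAN that is not bridged to the LAN is the one used as WAN.
    wan_candidates = sorted(v for v in vlans if v not in bridged)
    warnings = [f"{v} uses VLAN ID 0, which is not meant to be used"
                for v, info in vlans.items() if info["id"] == 0]
    return {
        "lan_vlans": lan_vlans,
        "wan_candidates": wan_candidates,
        "bridge_members": bridges,
        "parent_ports": {v: info["parent"] for v, info in vlans.items()},
        "warnings": warnings,
    }


if __name__ == "__main__":
    summary = describe(parse_vlan_config(VLAN_CONFIG), parse_brctl_show(BRCTL_SHOW))
    for k, v in summary.items():
        print(f"{k}: {v}")
```

    Run it on the router with the two commands' real output substituted for the constructed strings; on the default layout it reports vlan1 and vlan2 both riding on eth0, br0 bonding vlan1 with eth1, and vlan2 as the WAN candidate, which is the picture the post describes in words.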
  8. BusyBoxer

    BusyBoxer Networkin' Nut Member

    I am seeing this on my setup as well... it does appear to be the IPTV multicast. The telco I am using does use different source IP and ports than yours, but I can confirm that it is directly related to the IPTV settop boxes (verified by turning settops on and off, high def channels, sd channels etc).

    I am following this thread with interest, there might be a way for us to ignore the traffic to get a more accurate view of the total speed attained by the devices behind our tomato routers.

    here is my setup:

    Last edited: Dec 11, 2013
  9. ominously

    ominously Reformed Router Member

    I apologize for any confusion, koitsu

    Tomato was using the default VLANs it was configured with when I started this thread, vlan1 and vlan2.

    After reading your reply and doing a bit further analysis, I decided to try changing the VLAN numbers to see if that would lower the traffic, which it didn't.

    BusyBoxer, our setup is slightly different from yours, but it's still very much the same. Instead of a modem, it's just a regular 10/100 switch.
    Fiber optic from the pole, into the J box outside, into a media converter, and straight to ethernet.

    Here's a visual:

    I'm gonna call them in a few and see if I can get an engineer or something.
    Last edited: Dec 21, 2013
  10. koitsu

    koitsu Network Guru Member

    The traffic is effectively being ignored (by the kernel) -- I see no response packets in the tcpdump capture or the Wireshark screenshot -- but it's still traffic going in/out the WAN port.

    The counters from the WAN port come directly from the Ethernet PHY, so "excluding" certain types of traffic at that level is never going to happen. If you were to get on the media converter ("the device that converts fibre to copper") you'd see the same rate of traffic.

    Consider me absolutely amazed at how much traffic is being sent to you folks via multicast. That's absolutely insane.

    Sorry I can't be of more help, but from what I see everything looks normal given the topology. But I'm still in shock over the traffic rate/bandwidth use. Remarkable.
  11. BusyBoxer

    BusyBoxer Networkin' Nut Member

    Drats, didn't want to hear that....

    Agreed... it used to bug me, but having no real issues with speeds (getting exactly what they are selling) I got used to ignoring it... one thing this has caused me to do is to aim the leds on the switches to the ground as they are ALWAYS blinking (well as long as a tv show is on or being recorded).