Chatty IoT device on LAN
-
Looks like I have a chatty IoT device on the network. What tool can I use to understand what it is sending/receiving?
pfTop: Up State 1-9/9 (431), View: default, Order: bytes
PR   DIR  SRC                 DEST                  STATE              AGE       EXP       PKTS  BYTES
udp  In   192.168.7.14:40311  198.16.70.186:10001   MULTIPLE:MULTIPLE  00:50:07  00:00:47  156   13656
udp  In   192.168.7.14:40311  198.255.24.202:10001  MULTIPLE:MULTIPLE  00:38:57  00:00:47  120   10560
udp  In   192.168.7.14:40311  103.16.26.246:10001   MULTIPLE:MULTIPLE  00:38:57  00:00:47  119   10472
udp  In   192.168.7.14:40311  114.67.71.104:10001   MULTIPLE:MULTIPLE  00:38:57  00:00:47  65    5720
udp  In   192.168.7.14:32837  8.8.8.8:33435         NO_TRAFFIC:SINGLE  00:00:34  00:00:26  2     104
udp  In   192.168.7.14:32837  8.8.8.8:33436         NO_TRAFFIC:SINGLE  00:00:34  00:00:26  2     104
udp  In   192.168.7.14:32837  8.8.8.8:33437         NO_TRAFFIC:SINGLE  00:00:34  00:00:26  2     104
udp  In   192.168.7.14:32837  8.8.8.8:33438         NO_TRAFFIC:SINGLE  00:00:34  00:00:26  2     104
udp  In   192.168.7.14:32837  8.8.8.8:33439         NO_TRAFFIC:SINGLE  00:00:34  00:00:26  2     104
whois 114.67.71.104 returns Beijing Jingdong 360 Degree E-commerce Co., Ltd.
whois 103.16.26.246 returns Hong Kong Serverworks Limited
whois 198.16.70.186 returns FDCSERVERS
The connection to 8.8.8.8 looks like a traceroute but it is running all the time!
-
@ibbetsion
method A
set a firewall rule and activate log all on that rule and read the log
method B
package capture on pfs and read output
NP
-
@ibbetsion said in Chatty IoT device on LAN:
114.67.71.104
What actually are the devices sat on your LAN ?
-
What specific iot device is this?
Not sure if I would call 156 pkts in 50 mins "chatty" ;)
Which is more strange to me is the yeah seems like a traceroute to 8.8.8.8.. Curious what some iot device would want/need with a traceroute?
If you're curious to what the traffic is - firewall log not really going to give you much info other than what IP and port. You would need to do a packet capture (sniff) to see what is being sent/recv'd
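The reading of the pfTop table done by eye above (packet rate per state, and the traceroute-like run of UDP ports to 8.8.8.8), as an added example that is not part of the original thread. The function names, the 33434 base port (the classic traceroute default), the port span and the run threshold are assumptions of this example; the rows are copied from the first post.

```python
import re
from collections import defaultdict
# Rows copied from the first post's pfTop output (subset): PR DIR SRC DEST STATE AGE EXP PKTS BYTES
PFTOP = """\
udp In 192.168.7.14:40311 198.16.70.186:10001 MULTIPLE:MULTIPLE 00:50:07 00:00:47 156 13656
udp In 192.168.7.14:40311 114.67.71.104:10001 MULTIPLE:MULTIPLE 00:38:57 00:00:47 65 5720
udp In 192.168.7.14:32837 8.8.8.8:33435 NO_TRAFFIC:SINGLE 00:00:34 00:00:26 2 104
udp In 192.168.7.14:32837 8.8.8.8:33436 NO_TRAFFIC:SINGLE 00:00:34 00:00:26 2 104
udp In 192.168.7.14:32837 8.8.8.8:33437 NO_TRAFFIC:SINGLE 00:00:34 00:00:26 2 104
"""
ROW = re.compile(r"(\w+)\s+(In|Out)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+"
                 r"(\d+):(\d+):(\d+)\s+\S+\s+(\d+)\s+(\d+)")

def parse_states(text):
    """Parse pfTop state rows into dicts; headers and unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            out.append({"proto": m[1], "src": m[3], "dst": m[5], "dport": int(m[6]),
                        "state": m[7], "pkts": int(m[11]), "bytes": int(m[12]),
                        "age_s": int(m[8]) * 3600 + int(m[9]) * 60 + int(m[10])})
    return out

def pkts_per_minute(s):
    """Average packet rate over the lifetime of one state entry."""
    return s["pkts"] * 60 / max(s["age_s"], 1)

def traceroute_like(states, base=33434, span=100, min_run=3):
    """Flag (src, dst) pairs with >= min_run one-way UDP states on consecutive dports."""
    ports = defaultdict(set)
    for s in states:
        one_way = "NO_TRAFFIC" in s["state"]  # pf saw packets from one side only
        if s["proto"] == "udp" and one_way and base <= s["dport"] < base + span:
            ports[(s["src"], s["dst"])].add(s["dport"])
    hits = {}
    for pair, seen in ports.items():
        p, run, best = sorted(seen), 1, 1
        for a, b in zip(p, p[1:]):
            run = run + 1 if b == a + 1 else 1  # length of the current consecutive run
            best = max(best, run)
        if best >= min_run:
            hits[pair] = p
    return hits

if __name__ == "__main__":
    for s in parse_states(PFTOP):
        print(f'{s["dst"]}:{s["dport"]}  {pkts_per_minute(s):.2f} pkts/min  {s["bytes"]} bytes')
    print("traceroute-like:", traceroute_like(parse_states(PFTOP)))
```

This only summarizes state-table metadata; seeing what is actually being sent still needs the packet capture.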
-
@johnpoz said in Chatty IoT device on LAN:
What specific iot device is this?
Not sure if I would call 156 pkts in 50 mins "chatty" ;)
Which is more strange to me is the yeah seems like a traceroute to 8.8.8.8.. Curious what some iot device would want/need with a traceroute?
If you're curious to what the traffic is - firewall log not really going to give you much info other than what IP and port. You would need to do a packet capture (sniff) to see what is being sent/recv'd
It's a network video recorder for the security cameras.
Downloading wireshark...
-
While wireshark is great for viewing the details of the capture, you can do the capture right on pfsense under diagnostic menu. And then just download and open with wireshark..
-
@johnpoz said in Chatty IoT device on LAN:
While wireshark is great for viewing the details of the capture, you can do the capture right on pfsense under diagnostic menu. And then just download and open with wireshark..
will do that, thanks!
-
BTW - if you want example of some chatty beasts ;)
That is just a couple of lightbulbs - like every few seconds a broadcast.. And people ask why you might want to isolate iot to their own vlans..
Well for starters to keep their noise isolated to that L2...
I have like 16 of those little beasts just broadcasting away ;)
-
@johnpoz said in Chatty IoT device on LAN:
BTW - if you want example of some chatty beasts ;)
That is just a couple of lightbulbs - like every few seconds a broadcast.. And people ask why you might want to isolate iot to their own vlans..
Well for starters to keep their noise isolated to that L2...
I have like 16 of those little beasts just broadcasting away ;)
Wowza! I'm def not in that camp... yet.
Can't do vlans cause I have an unmanaged switch. Otherwise I'd def put all the "junk" in its own little world.
-
It's great that you're interested in what your devices are doing though..
Most of the devices share hardware and code even.. So it's quite possible you can find details of what some of this stuff is even if not your specific make model of device.
For example - way back when when first started putting lightbulbs on the network, and looking into their traffic patterns..
Here is a link to the broadcast traffic they are doing, for my example.. You could prob find similar sort of write ups on your info - if your google fu is up to it ;)
https://revspace.nl/WifiLamp
edit: BTW, just remember that the S in IoT stands for "security" ;) hehehehhe
-
@johnpoz said in Chatty IoT device on LAN:
edit: BTW, just remember that the S in IoT stands for "security" ;) hehehehhe
Just another reason to not let my dishwasher talk to my refrigerator.