Newbie question about what I see in my log
-
Hello,
In the firewall logs of my pfsense I see a log-line like these every second:
Jan 10 12:04:58 LAN Default deny rule IPv4 (1000000103) 0.0.0.0:11113 255.255.255.255:11111 UDP
Jan 10 12:04:59 LAN Default deny rule IPv4 (1000000103) 0.0.0.0:11113 255.255.255.255:11111 UDP
I did packet inspection and found the MAC-address:
13:07:10.418997 34:21:09:8f:72:78 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 159: (tos 0x0, ttl 64, id 1947, offset 0, flags [none], proto UDP (17), length 145) 0.0.0.0.11113 > 255.255.255.255.11111: [udp sum ok] UDP, length 117
The MAC-address is one of my three Jensen Omni mesh WIFI-units. It's the one connected to LAN (via a switch to pfsense) and it has IP-address 192.168.0.190.
Should I worry about this? An IP address of 0.0.0.0 in the log does not look good to me.
-
@frodo it's broadcast packets, I wouldn't worry about it.
It could be some sort of network discovery that the Jensen is trying to do.
-
@nogbadthebad said in Newbie question about what I see in my log:
I wouldn't worry about it.
Not so sure I would do that out of hand.
That port is also a known trojan port.. Could be something looking for something that is part of that?
That is a horrible port for them to use for discovery if that is the case..
I would open up the sniff in Wireshark and look at what the payload actually is. Could give you more of a clue as to what it is actually looking for or doing.
It's also a registered port for VCE, but it seems odd your mesh devices would be using that protocol?
You're only seeing it from the one MAC? You said you have more, why would they not be sending as well? Can you disconnect all clients from that node? If you turn off that node, does it start coming from a different node?
Every freaking second is a pretty aggressive discovery..
-
Maybe get in touch with the vendor, looking at their web page they rebrand stuff.
https://www.jensenofscandinavia.com/
-
@johnpoz Thanks for the suggestions. I will check with Wireshark tonight. I have two more WIFI-mesh nodes but they are not connected to ethernet, they are WIFI-only. Also I have contacted Jensen and they said I should not have a switch between my router (pfsense) and the mesh unit so I will try with a different (5 port) switch tonight. Also I have two more ports on the NIC in pfsense so I can try a separate port for the Jensen Mesh.
-
@nogbadthebad yup that would be a good idea..
My smart lightbulbs are noisy, but even they only send out the noise every few seconds.
07:53:01.319019 IP 192.168.4.58.64723 > 255.255.255.255.6667: UDP, length 172
07:53:01.333775 IP 192.168.4.59.52451 > 255.255.255.255.6667: UDP, length 172
07:53:01.397973 IP 192.168.4.50.51102 > 255.255.255.255.6667: UDP, length 172
07:53:01.402895 IP 192.168.4.55.50027 > 255.255.255.255.6667: UDP, length 172
07:53:01.567488 IP 192.168.4.63.62513 > 255.255.255.255.6667: UDP, length 172
07:53:01.701444 IP 192.168.4.61.62512 > 255.255.255.255.6667: UDP, length 172
07:53:01.807597 IP 192.168.4.51.50172 > 255.255.255.255.6667: UDP, length 172
07:53:01.835795 IP 192.168.4.57.52382 > 255.255.255.255.6667: UDP, length 172
But this is documented and easy to find info on..
It's like status info on whether they are on or off, from my take..
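Added example, not code from the thread or from pfSense or Jensen: a small Python script that reads tcpdump summary lines in the plain format posted above, counts limited-broadcast UDP per source and destination port, and flags sources that beacon faster than a threshold or send from 0.0.0.0, so the once-a-second node can be compared with the lightbulb noise on numbers. The capture in SAMPLE is constructed, and the threshold of 0.75 packets/second is an assumption.

```python
import re
# tcpdump's plain one-line summary as posted in the thread; the -e/-v capture in
# the first post has a longer form and is not handled by this regex.
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d+) IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): "
    r"UDP, length (\d+)$"
)

def parse_line(line):
    # -> (seconds, src, sport, dst, dport, length), or None for lines that do not match
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, frac, src, sport, dst, dport, length = m.groups()
    secs = int(h) * 3600 + int(mi) * 60 + int(s) + float("0." + frac)
    return secs, src, int(sport), dst, int(dport), int(length)

def broadcast_rates(lines):
    """Limited-broadcast UDP per (src, dport): count and rate over whole seconds of capture."""
    pkts = [p for p in map(parse_line, lines) if p]
    if not pkts:
        return {}
    window = int(max(p[0] for p in pkts)) - int(min(p[0] for p in pkts)) + 1  # once a second scores ~1.0
    counts = {}
    for _, src, _, dst, dport, _ in pkts:
        if dst == "255.255.255.255":
            counts[(src, dport)] = counts.get((src, dport), 0) + 1
    return {k: {"count": n, "rate": n / window} for k, n in counts.items()}

def noisy_talkers(lines, max_rate=0.75):
    """Sources above max_rate, or sending from 0.0.0.0: the unspecified address of a host with no IP yet."""
    out = []
    for (src, dport), st in sorted(broadcast_rates(lines).items()):
        reasons = []
        if st["rate"] > max_rate:
            reasons.append("%.2f pkt/s to port %d" % (st["rate"], dport))
        if src == "0.0.0.0":
            reasons.append("unspecified source address")
        if reasons:
            out.append((src, dport, "; ".join(reasons)))
    return out

# Constructed sample, not a real capture: the mesh node once a second, one bulb-style beacon, one unicast DNS query.
SAMPLE = """\
12:04:58.101 IP 0.0.0.0.11113 > 255.255.255.255.11111: UDP, length 117
12:04:58.319 IP 192.168.4.58.64723 > 255.255.255.255.6667: UDP, length 172
12:04:59.100 IP 0.0.0.0.11113 > 255.255.255.255.11111: UDP, length 117
12:04:59.500 IP 192.168.0.50.54321 > 192.168.0.1.53: UDP, length 44
12:05:00.102 IP 0.0.0.0.11113 > 255.255.255.255.11111: UDP, length 117
""".splitlines()
```

Feed it the output of `tcpdump -n -i <lan-if> udp` (without -e/-v) to get per-source rates for a real capture.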
-
@frodo "Also I have contacted Jensen and they said I should not have a switch between my router (pfsense) and the mesh unit."
Why on earth would they say this, what happens if you want wired and wireless clients on the same network segment ?
-
@nogbadthebad said in Newbie question about what I see in my log:
Why on earth would they say this
Because they are clueless.. And have no clue about anything other than stupid home user setups where they plug everything into their home router, which, guess what, that port they are plugging into is a "switch", it's just in the same box as the "router"..
My question would have been WTF does that have to do with the traffic it looks like your device is sending.. Can you provide me info on whether your device does this, or not?
Most home users would never actually see this traffic because their "router" does not provide info, nor normally provide any sort of log at all other than "hey we blocked something bad", we won't give you any actual info on it, but it was a bad attack, and we stopped it - see, we are doing a good job.. But like port/protocol and IP it came from - you have no need to see that ;)
And your typical home user isn't launching wireshark and looking at the broadcast traffic on their network ;)
-
@johnpoz I captured some packets and loaded them into wireshark. Below is a screenshot of one packet with most details shown. Most packets are of the same length as this one but some bytes are different.
-
@frodo problem is you don't know what dissector to use, or you need to write one to be able to view the details of that payload you see there in DATA..
You would need help from the vendor, or you need someone that does that sort of thing.. That could be completely benign and be just some info in a JSON file, or it might not be..
With the noise for example I showed you, there are lots of people that have dug into that and listed what is being sent, etc.
For that - you could try decoding it as different stuff in Wireshark.
https://ask.wireshark.org/question/20679/how-to-decodedecrypt-udp-packet-data/