Unexplained network activity
-
There are no devices connected to Guest41 VLAN, yet there are 64 B/s spikes recorded in the traffic graph for this interface. These spikes appear to be occurring in the other interfaces also. I’ve tried disconnecting various devices from the network to identify the source without success.
I’ve used pfTop and ntopng, but can’t identify the source of these packets (possibly due to my inexperience, and not knowing how to correlate the traffic graphs with the outputs from these analysis programmes).
I’d like to find out the source of this network activity…does anyone have any idea what would be causing this and how I might find out?
Many thanks
-
@monkey-music Those probably are pings, perhaps from the managed switch you presumably are using to distribute ports to your VLANs. Try a packet capture (diagnostics/packet capture) on the Guest41 VLAN interface (select it under "interface") on the packet capture page. Select "full" under "level of detail" and run the capture for a few minutes. Then stop it and look at the packets. If they're pings, they'll be type ICMP echo request/reply.
-
@bpsdtzpw Thank you for helping. You are correct, I have a managed switch distributing ports to the VLANS with trunked ports connected to the pfSense router and WAPs.
The packet capture has revealed packets being sent every 2 seconds, and all appear identical to what's pasted below:
21:46:50.327589 00:1d:e6:ef:b5:09 > 01:00:0c:cc:cc:cd, 802.3, length 50: LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Cisco (0x00000c), pid PVST (0x010b), length 42: STP 802.1d, Config, Flags [none], bridge-id 8029.00:1d:e6:ef:b5:00.8009, length 42
message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 15.00s
root-id 8029.00:1d:e6:ef:b5:00, root-pathcost 0
As you suggested, the packets do seem to be originating from the managed switch. I was not aware of this behaviour on the network previously. The only recent change I made to the network was to add another VLAN with a single wired port for an IP camera (with firewall rules to block WAN access and access to LAN and other VLANS).
Any idea about what I should do next?
-
@monkey-music said in Unexplained network activity:
Any idea about what I should do next?
Just ignore it? It's probably harmless, pfSense will be doing nothing with it.
Looks like the switch sending something encapsulated. Try downloading the pcap and opening it in Wireshark, see what it makes of it.
Steve
-
Ya, I'm not sure what the switch is doing, but managed switches do generate various traffic to, e.g., find and break loops, locate other managed switches, etc. You might visit the switch-maker's tech support website for more clues. Also you could consider disabling any features on the switch that you don't use. I, for example, disabled loop-finding, because I have a simple network and really don't like the continuous traffic.
-
Looks like default Cisco Spanning Tree:
PVST
-
Thanks for all the input. It was indeed PVST. I've disabled spanning tree for each VLAN on the switch and the activity has disappeared from the traffic graph.