Constant traffic on WAN RX

I seem to have a constant albeit small amount of traffic on the WAN link of
my router to my home network. While I have been able to identify this, and
can monitor the amount of traffic coming in, I have not been able to fathom
out how to identify where that traffic is coming from. I'm using a netgear
RP114 and XP Pro if that makes any difference?

Hope someone can help?

Paddy McGinty wrote:
> I seem to have a constant albeit small amount of traffic on the WAN link of
> my router to my home network. While I have been able to identify this, and
> can monitor the amount of traffic coming in, I have not been able to fathom
> out how to identify where that traffic is coming from. I'm using a netgear
> RP114 and XP Pro if that makes any difference?

This is almost certainly ARP traffic of other users on the UBR that you
are connected to. You will also see incoming port 80 requests from hosts
still infected with Nimda, maybe some SQL slammer worm traffic and
possibly some blaster/nachi traffic, tho' most of latter has now been
blocked by NTL so this may not be so prevalent now.

Your router will block all of it unless you have set up some port
forwarding, so I'd suggest that you do not concern yourself with it.
Just make sure that 1) you keep your router's firmware up to date, and
2) ensure that anything you are offering services on (www or FTP, for
example) is kept up to date as well.

Cheers Nig ,

I expect there is a certain amount of that about, but later on today I was
receiving lots more on the WAN side, which was having a bad affect on my
connection. I rebooted the router which sorted it, so I'm guessing it was
specific to my external IP? Whatever it is, I'd still like to know how to
track down who is talking to my external IP, just cos I'm nosey that way !
)

"Nig" <(E-Mail Removed)> wrote in message
news:hqUQb.10923$(E-Mail Removed)...
> Paddy McGinty wrote:
> > I seem to have a constant albeit small amount of traffic on the WAN link
of
> > my router to my home network. While I have been able to identify this,
and
> > can monitor the amount of traffic coming in, I have not been able to
fathom
> > out how to identify where that traffic is coming from. I'm using a
netgear
> > RP114 and XP Pro if that makes any difference?
>
> This is almost certainly ARP traffic of other users on the UBR that you
> are connected to. You will also see incoming port 80 requests from hosts
> still infected with Nimda, maybe some SQL slammer worm traffic and
> possibly some blaster/nachi traffic, tho' most of latter has now been
> blocked by NTL so this may not be so prevalent now.
>
> Your router will block all of it unless you have set up some port
> forwarding, so I'd suggest that you do not concern yourself with it.
> Just make sure that 1) you keep your router's firmware up to date, and
> 2) ensure that anything you are offering services on (www or FTP, for
> example) is kept up to date as well.

Paddy McGinty wrote:
> Cheers Nig ,
>
> I expect there is a certain amount of that about, but later on today I was
> receiving lots more on the WAN side, which was having a bad affect on my
> connection. I rebooted the router which sorted it, so I'm guessing it was
> specific to my external IP? Whatever it is, I'd still like to know how to
> track down who is talking to my external IP, just cos I'm nosey that way !
> )

You might want to take a look at linklogger, which has a version that
supports your router:

<http://www.linklogger.com>

Gives a good amount of info on stuff seen at the router. Only a 14 day
eval tho'.

Thats excellent Nig. Exactly what I was looking for.

Thanks very much for your help )

"Nig" <(E-Mail Removed)> wrote in message
news:cEdRb.11273$(E-Mail Removed)...
> Paddy McGinty wrote:
> > Cheers Nig ,
> >
> > I expect there is a certain amount of that about, but later on today I
was
> > receiving lots more on the WAN side, which was having a bad affect on my
> > connection. I rebooted the router which sorted it, so I'm guessing it
was
> > specific to my external IP? Whatever it is, I'd still like to know how
to
> > track down who is talking to my external IP, just cos I'm nosey that way
!
> > )
>
> You might want to take a look at linklogger, which has a version that
> supports your router:
>
> <http://www.linklogger.com>
>
> Gives a good amount of info on stuff seen at the router. Only a 14 day
> eval tho'.

"Paddy McGinty" <(E-Mail Removed)> wrote in message
news:32XQb.29362$(E-Mail Removed)...
> Cheers Nig ,
>
> I expect there is a certain amount of that about, but later on today I was
> receiving lots more on the WAN side, which was having a bad affect on my
> connection. I rebooted the router which sorted it, so I'm guessing it was
> specific to my external IP? Whatever it is, I'd still like to know how to
> track down who is talking to my external IP, just cos I'm nosey that way !
> )
>
> "Nig" <(E-Mail Removed)> wrote in message
> news:hqUQb.10923$(E-Mail Removed)...
> > Paddy McGinty wrote:
> > > I seem to have a constant albeit small amount of traffic on the WAN
link
> of
> > > my router to my home network. While I have been able to identify this,
> and
> > > can monitor the amount of traffic coming in, I have not been able to
> fathom
> > > out how to identify where that traffic is coming from. I'm using a
> netgear
> > > RP114 and XP Pro if that makes any difference?
> >
> > This is almost certainly ARP traffic of other users on the UBR that you
> > are connected to.

i put an expert sniffer on the cable to see what was going on - all the
traffic which wasnt directly for me seems to be ARP.

Sniffer even raised an alert every so often when the broadcast level went
over 100 / sec

however they are coming from several different subnets - either the cable
carries several subnets, or there are some misconifgured machines on my
local segement.

You will also see incoming port 80 requests from hosts
> > still infected with Nimda, maybe some SQL slammer worm traffic and
> > possibly some blaster/nachi traffic, tho' most of latter has now been
> > blocked by NTL so this may not be so prevalent now.

Also - a lot of it is sequential address ARP scans - which is classic
MS-blast.

I suspect that even if NTL block it at the router with a filter, i will
still see any infections from others on the same segment - the cable segment
is shared across a bunch of customers.

> >
> > Your router will block all of it unless you have set up some port
> > forwarding, so I'd suggest that you do not concern yourself with it.
> > Just make sure that 1) you keep your router's firmware up to date, and
> > 2) ensure that anything you are offering services on (www or FTP, for
> > example) is kept up to date as well.
>
--
Regards

Stephen Hope - remove xx from email to reply