Question on identifying cable-modem activity

When my cable modem is connected only to power and cable, the "Activity" light flickers irregularly several times per second, indefinitely. This seems odd, since (I presume) no activity has been requested.

Is this normal? If so, what is this activity? If not, is there a good way to learn about the activity? The cable modem is a Linksys BEFCMU10 ver 3. I've learned (thanks to Usenet, no thanks to any documentation) that it serves HTTP requests at 192.169.100.1, but I haven't found any summary of message traffic, packet types, sources, destinations, or the like.

The best way I can think of to address this question is to snoop the ethernet at the cable-modem's port, but that seems like overkill and would be slightly disruptive. Still, I'll do it if nobody has a better suggestion.

Reply to
Peter Pearson

Most likely, the steady stream of attacks any host on the internet receives.

Don't fear the sniffing. :-) It shouldn't be disruptive. Any chance to use wireshark makes for a good day. :-)

I might crack out the ole hub and give it a whirl myself.

Reply to
Todd H.

I'm on Comcast. They hit my system with literally 1,700 ARP requests per minute, every minute of every day. That's probably what you're seeing.

Reply to
clifto

Amazing. Will ARP requests show up on my side of the cable modem? (I should have mentioned that Charter Communications is my cable provider.)

Reply to
Peter Pearson

That would certainly make interesting reading.

Ah, the motto of the mongoose family: Run and find out! I like it.

The disruption would not be the sniffing itself, but the interruption to my housemates' internet life (including our telephone service) during the recabling process. Also, I only have a slow, old hub. Also, I have no clue how the cable modem will react to either (1) DHCP requests from *both* my Linux computer and our VoIP telephone adapter, or (2) my Linux computer using a 192.168.1.x IP address. As you can see, I'm overflowing with ignorance, particularly regarding the cable modem's duties.

Thanks for your attention.

Reply to
Peter Pearson

Yes, that's how I know about them. I use the linux 'nstats' program to count them.

I'll bet they do the same. Don't know how to tell using Windows, though.

Reply to
clifto

The Activity/Data light on the modem is only what is being passed through to your (hopefully) router. You can see the same WAN port activity on the router as you do on the modem. The router will block most of that activity. If you don't have a router, you might consider getting one - they're pretty inexpensive when you consider the added protection to your system(s). $40 will pick up a wireless G router from Netgear (actually only $27 + shipping at Frys.com) and another $10 will get you a Linksys if you prefer. Both have a 4-port switch so you can use wires if you prefer.

Reply to
$Bill

??? How slow are ya? Plus the power into the plus a short cable into the hub. Hold its other end in your left hand. Hold cable that's in the cable modem's ethernet jack in right hand. Unplug cable modem line, put it in the router, plug that cable in your right hand into the cable modem, downtime less than 1 second. No one would notice unless you've got active ssh users.

Cable modems still aren't faster than an old hub with only one device talking. Your sniffer machine that you plug into the hub could be configured to not even have an IP address, and quietly sit there and sniff the wire.

The old hub is probably still faster than cable modem speeds.

Unless I'm misunderstanding your setup, we have:

Before:

cable modem -----natrouter/switch--- all yer computers

After:

cable modem --HUB--natrouter/switch--all yer other computers
               |
               +--- 1 computer without an IP assigned running wireshark

Everything looks the same to the cable modem right down to the physical layer. A cable gets replaced with 2 cables and a hub. At most the cable modem starts talking 10mbps half duplex vs 10mbps full duplex over its ethernet interface. It doesn't see any additional machines or dhcp requests or anything it wasn't before.

Instead of wireshark, what'd be more interesting to run on the sniffing computer would be snort, an intrusion detection system that will tell you specifically what attacks are coming in.

Best Regards,

Reply to
Todd H.

You're right, it's probably not an issue, if I can just be a little smarter about it than I've managed to be so far. I was thinking that minutes spent with the slow hub in the chain would be minutes of discomfort for my housemates, but as you point out, even my slow hub is unlikely to be slower than the cable.

[snip]

Good guess. There's a VoIP telephone adapter between the (putative) hub and the natrouter/switch, but that changes nothing.

So . . . is the strategy to keep my wireshark computer (actually ethereal) from trying to talk to the cable modem by not assigning it an IP? That's a trick I'm glad to know. The default configuration tools on this system (Ubuntu Dapper: System / Administration / Networking / Network settings / Ethernet connection / Properties) don't let me "OK" a non-DHCP configuration without an IP address. Is there a more direct way to do it? "0.0.0.0" ?

Thanks for your patience.

Reply to
Peter Pearson

Bad idea to run old out of date packet sniffers with known security vulnerabilities. :-)

Wireshark replaced/supersedes ethereal. Download the latest. :-)

Promiscuous mode is the word ya want.

This is probably overkill for your situation, and the cable modem isn't going to care if it sees some packets from your machine, but if you're interested in being as certain as possible you aren't changing anything, this would be the way to go.

Reply to
Todd H.

Thank you for helpfully goading me out of procrastination mode. For the benefit of other lost souls wandering these parts, this sequence of commands seemed to make my Linux box disinclined to transmit:

sudo ifconfig eth1 down
sudo ifconfig eth1 hw ether 00:00:00:00:00:00 promisc
sudo ifconfig eth1 0.0.0.0
sudo ifconfig eth1 -arp up

and this sequence of commands restored normal network access:

sudo ifconfig eth1 down
sudo ifconfig eth1 hw ether 00:15:F2:3D:9D:C9 -promisc
sudo ifconfig eth1 arp
sudo ifconfig eth1 192.168.1.99    (restore normal IP address)
sudo route add default gw 192.168.1.1    (restore normal gateway route)

As for the fun part, the data: five minutes of sniffing caught 3431 messages, about 3100 of which were like this:

Cisco_e4:4f:5d Broadcast ARP Who has 68.189.121.12? Tell 68.189.121.1
Cisco_e4:4f:5d Broadcast ARP Who has 68.185.88.154? Tell 68.185.88.1
Cisco_e4:4f:5d Broadcast ARP Who has 68.185.93.107? Tell 68.185.88.1

So clifto's prediction of ARP traffic was exactly right.

There were also several dozen messages between Vonage sites and my telephone adapter. Logical.

Inevitably, traces of mischief: two ping requests from 122.25.177.46 (p2046-ipad201aobadori.miyagi.ocn.ne.jp).

Reply to
Peter Pearson
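An added example, not posted by anyone in this thread: a small Python script that takes Wireshark-style one-line packet summaries like the ones Peter pasted, tallies them by protocol, counts the ARP requests per asking gateway and per /24 being probed, and turns the ARP count into the per-minute rate clifto quotes from nstats. The sample lines are constructed (the non-ARP ones use RFC 5737 documentation addresses) so it runs offline.

```python
"""Added example: classify Wireshark-style one-line packet summaries and
measure how much of a capture is upstream broadcast ARP (constructed data)."""
import re
from collections import Counter

# Wireshark prints ARP requests as "ARP Who has <target>? Tell <asker>".
ARP_REQ = re.compile(r"ARP\s+Who has (\S+)\?\s+Tell (\S+)")

# Constructed sample in the same src/dst/proto/info layout as the post above;
# the ICMP and SIP lines use documentation addresses (RFC 5737).
SAMPLE_LINES = """\
Cisco_e4:4f:5d Broadcast ARP Who has 68.189.121.12? Tell 68.189.121.1
Cisco_e4:4f:5d Broadcast ARP Who has 68.185.88.154? Tell 68.185.88.1
Cisco_e4:4f:5d Broadcast ARP Who has 68.185.93.107? Tell 68.185.88.1
Cisco_e4:4f:5d Broadcast ARP Who has 68.185.88.201? Tell 68.185.88.1
192.0.2.10 198.51.100.7 ICMP Echo (ping) request
198.51.100.7 192.0.2.10 ICMP Echo (ping) reply
203.0.113.5 198.51.100.7 SIP Request: INVITE sip:user@203.0.113.5
""".splitlines()


def classify(lines):
    """Return per-protocol counts, ARP requests per asking host, and the
    /24 prefixes the ARP requests are probing."""
    protos, askers, target_nets = Counter(), Counter(), Counter()
    for line in lines:
        fields = line.split(maxsplit=3)
        if len(fields) < 3:
            continue  # skip blank or truncated summary lines
        protos[fields[2]] += 1
        m = ARP_REQ.search(line)
        if m:
            target, asker = m.groups()
            askers[asker] += 1
            target_nets[".".join(target.split(".")[:3]) + ".0/24"] += 1
    return protos, askers, target_nets


def arp_rate_per_minute(lines, capture_seconds):
    """ARP requests per minute, comparable to clifto's nstats figure."""
    n = sum(1 for line in lines if ARP_REQ.search(line))
    return n * 60.0 / capture_seconds


if __name__ == "__main__":
    protos, askers, nets = classify(SAMPLE_LINES)
    print("by protocol:", dict(protos))
    print("ARP requests by asking gateway:", dict(askers))
    print("prefixes probed by ARP:", dict(nets))
    print("ARP/min (5-minute capture):", arp_rate_per_minute(SAMPLE_LINES, 300))
```

Feed it the output of a real capture (for example tshark's default one-line summary) to see whether the "Activity" light is mostly the provider's gateway ARPing its own subnet, as it was here.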
