What is causing thee activity on my cable modem when my computer is not doing anything on the network.
The modem is connected to a Linksys router. In particular, the RCV light is constantly blinking on the modem as is the ACT light on the router. But the LINK/.ACT light on the router is not blinking. There is no SEND activity.
What is sending those packets to my modem? Are they addressed only to my IP address or are they part my Class C subnet from my ISP?
The traffic you see are Address Resolution Protocol (ARP) packets. They are used to find the hardware address that resolves to a particular IP address. Extremely common, and harmless. Your router only passes ARP requests within your sub-net.
--Gene
Or malware probes. My router logs between 1,000 and 2,500 bogus connection attempts per day (about 90% for ports 1026, 1027, and 1028). Multiply that by the number of subscribers on the loop and you have a substantial load.
Good to know.
Do you mean "your ISP's" router?
My router is the Linksys and it is downstream from the cable modem. There is a provision on the Linksys router called "Block WAN Requests" which presumably means packets such as you describe.
I have used WallWatcher with my Linksys and have also seen such traffic.
My question is whether I am seeing traffic sent to my specific IP address only or if I am seeing traffic that is sent to the whole address range of the subnet I am on.
Your comment implies that my modem is seeing traffic that is sent to the whole address range of the subnet I am on.
I'm not sure how the provider distributes the traffic, but the cable is a shared medium. The modem has to see all the traffic on its loop in order to select and pass on that which is intended for a particular subscriber.
Indeed it does but the question now is
Does the RCV light indicate incoming packets to the modem or does it reflect packets that pass thru the modem. The reason is because the router ACT light keeps pace which tells me that the modem's blinking RCV light is for only those packets it passes thru. IOW RCV means received for this modem and only for this modem.
If most of these packets are ARP then why are they passed thru to my Linksys router. I would expect them to be processed internally by the modem and not passed thru, ARP doesn't care about what's on the other side of the modem.
Since the modem is basically just a bridge, it makes sense to me that ARP traffic would be passed through. ICBW, of course.
The LED showing the activity on my Terayon modem is labeled "Data" and the manual says: "Dark when no data is passing through modem or power is Off. Flashing when data is passing through modem."
However, I don't think "through" is the same as "passed on the the customer side". My router only logs connection attempts aimed at my IP address.
Since my router is getting the same blink rate (on what appears to be the WB interface LED) as the Terayon modem Data LED, it has to be passing all those packets on to the router.
You could be right. I don't know and I'm not going to connect the cable modem directly to one of my computers to examine the traffic tonight. Maybe I'll have a look tomorrow.
But why so many thousand per second? (I forget what tool I used to count them.) Do they need to know which millisecond I switched a network card?
Your router. The modem will likely pass along practically everything received. Your router will generally only pass along packets that are responding to the IP and port that the router translates; i.e. your PC is assigned an IP within the subnet (typically 192.168.0.xxx). All packets routed to the WAN are translated to the IP assigned to your modem by the ISP, using various port #'s to keep the various requests originating from the IP addresses in your subnet sorted out.
If you have more than one PC attached to your router, you WILL see "local" (192.x.x.x) ARP requests as those PCs locate each other.
--Gene
I'm sure the modem won't pass any traffic that isn't addressed to it by MAC address. If it did, I could monitor my neighbor's traffic by bypassing my router and running tcpdump.
Have you tried it? Depending on the architecture of the cable system, you may be able to do just that.
The modem reports, via the activity LED, lots and lots of traffic. The question is, does this get passed along, or not? If the router LED is showing activity that is in sync with the modem LED, the answer is "definitely maybe".
--Gene
Yeah. I captured 1164 messages in just under 40 seconds. 88% of them were ARPs 8% of them were various requests initiated by my computer (CUPS, AARP, etc.) The remainder were various other "broadcast" requests (e.g. DHCP)
So much of the traffic is broadcast data and does get passed through.
There are so many of them because they're broadcasts, so you don't just see the ones that are specifically for you, you see all of them for your network segment.
-Larry Jones
I hope Mom and Dad didn't rent out my room. -- Calvin
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.