Cable Modem Activity - Network


Thread: Cable Modem Activity

  1. Cable Modem Activity

    What is causing the activity on my cable modem when my computer is
    not doing anything on the network.

    The modem is connected to a Linksys router. In particular, the RCV
    light is constantly blinking on the modem as is the ACT light on the
    router. But the LINK/.ACT light on the router is not blinking. There
    is no SEND activity.

    What is sending those packets to my modem? Are they addressed only to
    my IP address or are they part of my Class C subnet from my ISP?


    --

    "Beer is proof that God loves us and wants us to be happy."
    --Benjamin Franklin

  2. Re: Cable Modem Activity

    In article <46bbd16e.140469609@newsgroups.comcast.net>, spam@uce.gov
    says...
    > What is causing the activity on my cable modem when my computer is
    > not doing anything on the network.
    >
    > The modem is connected to a Linksys router. In particular, the RCV
    > light is constantly blinking on the modem as is the ACT light on the
    > router. But the LINK/.ACT light on the router is not blinking. There
    > is no SEND activity.
    >
    > What is sending those packets to my modem? Are they addressed only to
    > my IP address or are they part of my Class C subnet from my ISP?


    The traffic you see are Address Resolution Protocol (ARP) packets.
    They are used to find the hardware address that resolves to a particular
    IP address. Extremely common, and harmless. Your router only passes
    ARP requests within your sub-net.

    --Gene

  3. Re: Cable Modem Activity

    In article ,
    Gene S. Berkowitz wrote:

    > In article <46bbd16e.140469609@newsgroups.comcast.net>, spam@uce.gov
    > says...
    > > What is causing the activity on my cable modem when my computer is
    > > not doing anything on the network.
    > >
    > > The modem is connected to a Linksys router. In particular, the RCV
    > > light is constantly blinking on the modem as is the ACT light on the
    > > router. But the LINK/.ACT light on the router is not blinking. There
    > > is no SEND activity.
    > >
    > > What is sending those packets to my modem? Are they addressed only to
    > > my IP address or are they part of my Class C subnet from my ISP?

    >
    > The traffic you see are Address Resolution Protocol (ARP) packets.
    > They are used to find the hardware address that resolves to a particular
    > IP address. Extremely common, and harmless. Your router only passes
    > ARP requests within your sub-net.
    >


    Or malware probes. My router logs between 1,000 and 2,500 bogus
    connection attempts per day (about 90% for ports 1026, 1027, and 1028).
    Multiply that by the number of subscribers on the loop and you have a
    substantial load.

    --
    Tom Stiller

    PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF

  4. Re: Cable Modem Activity

    On Thu, 9 Aug 2007 23:59:07 -0400, Gene S. Berkowitz
    wrote:

    >> What is sending those packets to my modem? Are they addressed only to
    >> my IP address or are they part of my Class C subnet from my ISP?


    >The traffic you see are Address Resolution Protocol (ARP) packets.
    >They are used to find the hardware address that resolves to a particular
    >IP address. Extremely common, and harmless.


    Good to know.

    >Your router only passes ARP requests within your sub-net.


    Do you mean "your ISP's" router?

    My router is the Linksys and it is downstream from the cable modem.
    There is a provision on the Linksys router called "Block WAN Requests"
    which presumably means packets such as you describe.


    --

    "Beer is proof that God loves us and wants us to be happy."
    --Benjamin Franklin

  5. Re: Cable Modem Activity

    On Fri, 10 Aug 2007 07:20:38 -0400, Tom Stiller
    wrote:

    >> The traffic you see are Address Resolution Protocol (ARP) packets.
    >> They are used to find the hardware address that resolves to a particular
    >> IP address. Extremely common, and harmless. Your router only passes
    >> ARP requests within your sub-net.


    >Or malware probes. My router logs between 1,000 and 2,500 bogus
    >connection attempts per day (about 90% for ports 1026, 1027, and 1028).


    I have used WallWatcher with my Linksys and have also seen such
    traffic.

    >Multiply that by the number of subscribers on the loop and you have a
    >substantial load.


    My question is whether I am seeing traffic sent to my specific IP
    address only or if I am seeing traffic that is sent to the whole
    address range of the subnet I am on.

    Your comment implies that my modem is seeing traffic that is sent to
    the whole address range of the subnet I am on.


    --

    "Beer is proof that God loves us and wants us to be happy."
    --Benjamin Franklin

  6. Re: Cable Modem Activity

    In article <46bc4b66.171694250@newsgroups.comcast.net>,
    spam@uce.gov (Citizen Bob) wrote:

    > On Fri, 10 Aug 2007 07:20:38 -0400, Tom Stiller
    > wrote:
    >
    > >> The traffic you see are Address Resolution Protocol (ARP) packets.
    > >> They are used to find the hardware address that resolves to a particular
    > >> IP address. Extremely common, and harmless. Your router only passes
    > >> ARP requests within your sub-net.

    >
    > >Or malware probes. My router logs between 1,000 and 2,500 bogus
    > >connection attempts per day (about 90% for ports 1026, 1027, and 1028).

    >
    > I have used WallWatcher with my Linksys and have also seen such
    > traffic.
    >
    > >Multiply that by the number of subscribers on the loop and you have a
    > >substantial load.

    >
    > My question is whether I am seeing traffic sent to my specific IP
    > address only or if I am seeing traffic that is sent to the whole
    > address range of the subnet I am on.
    >
    > Your comment implies that my modem is seeing traffic that is sent to
    > the whole address range of the subnet I am on.


    I'm not sure how the provider distributes the traffic, but the cable is
    a shared medium. The modem has to see all the traffic on its loop in
    order to select and pass on that which is intended for a particular
    subscriber.

    --
    Tom Stiller

    PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF

  7. Re: Cable Modem Activity

    On Fri, 10 Aug 2007 10:57:37 -0400, Tom Stiller
    wrote:

    >> Your comment implies that my modem is seeing traffic that is sent to
    >> the whole address range of the subnet I am on.


    >I'm not sure how the provider distributes the traffic, but the cable is
    >a shared medium. The modem has to see all the traffic on its loop in
    >order to select and pass on that which is intended for a particular
    >subscriber.


    Indeed it does but the question now is

    Does the RCV light indicate incoming packets to the modem or does it
    reflect packets that pass thru the modem. The reason is because the
    router ACT light keeps pace which tells me that the modem's blinking
    RCV light is for only those packets it passes thru. IOW RCV means
    received for this modem and only for this modem.

    If most of these packets are ARP then why are they passed thru to my
    Linksys router. I would expect them to be processed internally by the
    modem and not passed thru, ARP doesn't care about what's on the other
    side of the modem.




    --

    "Beer is proof that God loves us and wants us to be happy."
    --Benjamin Franklin

  8. Re: Cable Modem Activity

    On Fri, 10 Aug 2007 16:00:56 GMT, spam@uce.gov (Citizen Bob) wrote:

    >On Fri, 10 Aug 2007 10:57:37 -0400, Tom Stiller
    > wrote:
    >
    >>> Your comment implies that my modem is seeing traffic that is sent to
    >>> the whole address range of the subnet I am on.

    >
    >>I'm not sure how the provider distributes the traffic, but the cable is
    >>a shared medium. The modem has to see all the traffic on its loop in
    >>order to select and pass on that which is intended for a particular
    >>subscriber.

    >
    >Indeed it does but the question now is
    >
    >Does the RCV light indicate incoming packets to the modem or does it
    >reflect packets that pass thru the modem. The reason is because the
    >router ACT light keeps pace which tells me that the modem's blinking
    >RCV light is for only those packets it passes thru. IOW RCV means
    >received for this modem and only for this modem.
    >
    >If most of these packets are ARP then why are they passed thru to my
    >Linksys router. I would expect them to be processed internally by the
    >modem and not passed thru, ARP doesn't care about what's on the other
    >side of the modem.


    Since the modem is basically just a bridge, it makes sense to me that
    ARP traffic would be passed through. ICBW, of course.

    --
    Bill

  9. Re: Cable Modem Activity

    In article <46bc8ad4.187931640@newsgroups.comcast.net>,
    spam@uce.gov (Citizen Bob) wrote:

    > On Fri, 10 Aug 2007 10:57:37 -0400, Tom Stiller
    > wrote:
    >
    > >> Your comment implies that my modem is seeing traffic that is sent to
    > >> the whole address range of the subnet I am on.

    >
    > >I'm not sure how the provider distributes the traffic, but the cable is
    > >a shared medium. The modem has to see all the traffic on its loop in
    > >order to select and pass on that which is intended for a particular
    > >subscriber.

    >
    > Indeed it does but the question now is
    >
    > Does the RCV light indicate incoming packets to the modem or does it
    > reflect packets that pass thru the modem. The reason is because the
    > router ACT light keeps pace which tells me that the modem's blinking
    > RCV light is for only those packets it passes thru. IOW RCV means
    > received for this modem and only for this modem.
    >
    > If most of these packets are ARP then why are they passed thru to my
    > Linksys router. I would expect them to be processed internally by the
    > modem and not passed thru, ARP doesn't care about what's on the other
    > side of the modem.


    The LED showing the activity on my Terayon modem is labeled "Data" and
    the manual says:
    "Dark when no data is passing through modem or power is Off.
    Flashing when data is passing through modem."

    However, I don't think "through" is the same as "passed on to the
    customer side". My router only logs connection attempts aimed at my IP
    address.

    --
    Tom Stiller

    PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF

  10. Re: Cable Modem Activity

    Gene S. Berkowitz wrote:
    > The traffic you see are Address Resolution Protocol (ARP) packets.
    > They are used to find the hardware address that resolves to a particular
    > IP address. Extremely common, and harmless.


    But why so many thousand per second? (I forget what tool I used to count
    them.) Do they need to know which millisecond I switched a network card?

    --
    If you really believe carbon dioxide causes global warming,
    you should stop exhaling.

  11. Re: Cable Modem Activity

    In article <46bc4a74.171452046@newsgroups.comcast.net>, spam@uce.gov
    says...
    > On Thu, 9 Aug 2007 23:59:07 -0400, Gene S. Berkowitz
    > wrote:
    >
    > >> What is sending those packets to my modem? Are they addressed only to
    > >> my IP address or are they part of my Class C subnet from my ISP?

    >
    > >The traffic you see are Address Resolution Protocol (ARP) packets.
    > >They are used to find the hardware address that resolves to a particular
    > >IP address. Extremely common, and harmless.

    >
    > Good to know.
    >
    > >Your router only passes ARP requests within your sub-net.

    >
    > Do you mean "your ISP's" router?
    >
    > My router is the Linksys and it is downstream from the cable modem.
    > There is a provision on the Linksys router called "Block WAN Requests"
    > which presumably means packets such as you describe.


    Your router. The modem will likely pass along practically everything
    received. Your router will generally only pass along packets that are
    responding to the IP and port that the router translates; i.e. your PC
    is assigned an IP within the subnet (typically 192.168.0.xxx). All
    packets routed to the WAN are translated to the IP assigned to your
    modem by the ISP, using various port #'s to keep the various requests
    originating from the IP addresses in your subnet sorted out.

    If you have more than one PC attached to your router, you WILL see
    "local" (192.x.x.x) ARP requests as those PCs locate each other.

    --Gene




  12. Re: Cable Modem Activity

    In article ,
    Gene S. Berkowitz wrote:

    > In article <46bc4a74.171452046@newsgroups.comcast.net>, spam@uce.gov
    > says...
    > > On Thu, 9 Aug 2007 23:59:07 -0400, Gene S. Berkowitz
    > > wrote:
    > >
    > > >> What is sending those packets to my modem? Are they addressed only to
    > > >> my IP address or are they part of my Class C subnet from my ISP?

    > >
    > > >The traffic you see are Address Resolution Protocol (ARP) packets.
    > > >They are used to find the hardware address that resolves to a particular
    > > >IP address. Extremely common, and harmless.

    > >
    > > Good to know.
    > >
    > > >Your router only passes ARP requests within your sub-net.

    > >
    > > Do you mean "your ISP's" router?
    > >
    > > My router is the Linksys and it is downstream from the cable modem.
    > > There is a provision on the Linksys router called "Block WAN Requests"
    > > which presumably means packets such as you describe.

    >
    > Your router. The modem will likely pass along practically everything
    > received.


    I'm sure the modem won't pass any traffic that isn't addressed to it by
    MAC address. If it did, I could monitor my neighbor's traffic by
    bypassing my router and running tcpdump.

    > Your router will generally only pass along packets that are
    > responding to the IP and port that the router translates; i.e. your PC
    > is assigned an IP within the subnet (typically 192.168.0.xxx). All
    > packets routed to the WAN are translated to the IP assigned to your
    > modem by the ISP, using various port #'s to keep the various requests
    > originating from the IP addresses in your subnet sorted out.
    >
    > If you have more than one PC attached to your router, you WILL see
    > "local" (192.x.x.x) ARP requests as those PCs locate each other.
    >
    > --Gene
    >
    >
    >


    --
    Tom Stiller

    PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF

  13. Re: Cable Modem Activity

    In article ,
    tomstiller@comcast.net says...
    > In article ,
    > Gene S. Berkowitz wrote:
    >
    > > In article <46bc4a74.171452046@newsgroups.comcast.net>, spam@uce.gov
    > > says...
    > > > On Thu, 9 Aug 2007 23:59:07 -0400, Gene S. Berkowitz
    > > > wrote:
    > > >
    > > > >> What is sending those packets to my modem? Are they addressed only to
    > > > >> my IP address or are they part of my Class C subnet from my ISP?
    > > >
    > > > >The traffic you see are Address Resolution Protocol (ARP) packets.
    > > > >They are used to find the hardware address that resolves to a particular
    > > > >IP address. Extremely common, and harmless.
    > > >
    > > > Good to know.
    > > >
    > > > >Your router only passes ARP requests within your sub-net.
    > > >
    > > > Do you mean "your ISP's" router?
    > > >
    > > > My router is the Linksys and it is downstream from the cable modem.
    > > > There is a provision on the Linksys router called "Block WAN Requests"
    > > > which presumably means packets such as you describe.

    > >
    > > Your router. The modem will likely pass along practically everything
    > > received.

    >
    > I'm sure the modem won't pass any traffic that isn't addressed to it by
    > MAC address. If it did, I could monitor my neighbor's traffic by
    > bypassing my router and running tcpdump.


    Have you tried it? Depending on the architecture of the cable system,
    you may be able to do just that.

    The modem reports, via the activity LED, lots and lots of traffic.
    The question is, does this get passed along, or not? If the router LED
    is showing activity that is in sync with the modem LED, the answer is
    "definitely maybe".

    --Gene

  14. Re: Cable Modem Activity

    In article ,
    Gene S. Berkowitz wrote:

    > In article ,
    > tomstiller@comcast.net says...
    > > In article ,
    > > Gene S. Berkowitz wrote:
    > >
    > > > In article <46bc4a74.171452046@newsgroups.comcast.net>, spam@uce.gov
    > > > says...
    > > > > On Thu, 9 Aug 2007 23:59:07 -0400, Gene S. Berkowitz
    > > > > wrote:
    > > > >
    > > > > >> What is sending those packets to my modem? Are they addressed only to
    > > > > >> my IP address or are they part of my Class C subnet from my ISP?
    > > > >
    > > > > >The traffic you see are Address Resolution Protocol (ARP) packets.
    > > > > >They are used to find the hardware address that resolves to a particular
    > > > > >IP address. Extremely common, and harmless.
    > > > >
    > > > > Good to know.
    > > > >
    > > > > >Your router only passes ARP requests within your sub-net.
    > > > >
    > > > > Do you mean "your ISP's" router?
    > > > >
    > > > > My router is the Linksys and it is downstream from the cable modem.
    > > > > There is a provision on the Linksys router called "Block WAN Requests"
    > > > > which presumably means packets such as you describe.
    > > >
    > > > Your router. The modem will likely pass along practically everything
    > > > received.

    > >
    > > I'm sure the modem won't pass any traffic that isn't addressed to it by
    > > MAC address. If it did, I could monitor my neighbor's traffic by
    > > bypassing my router and running tcpdump.

    >
    > Have you tried it? Depending on the architecture of the cable system,
    > you may be able to do just that.


    Yeah. I captured 1164 messages in just under 40 seconds.
    88% of them were ARPs
    8% of them were various requests initiated by my computer
    (CUPS, AARP, etc.)
    The remainder were various other "broadcast" requests (e.g. DHCP)
    >
    > The modem reports, via the activity LED, lots and lots of traffic.
    > The question is, does this get passed along, or not? If the router LED
    > is showing activity that is in sync with the modem LED, the answer is
    > "definitely maybe".


    So much of the traffic is broadcast data and does get passed through.

    --
    Tom Stiller

    PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF

  15. Re: Cable Modem Activity

    clifto wrote:
    >
    > But why so many thousand per second? (I forget what tool I used to count
    > them.) Do they need to know which millisecond I switched a network card?


    There are so many of them because they're broadcasts, so you don't just
    see the ones that are specifically for you, you see all of them for your
    network segment.

    -Larry Jones

    I hope Mom and Dad didn't rent out my room. -- Calvin
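
Added example, not part of any post in the thread: a small Python classifier for raw Ethernet II frames that answers the question the thread circles around, namely how much captured traffic is broadcast (ARP, DHCP) versus unicast to your own MAC. The MAC addresses, IP addresses and sample frames are constructed for illustration; with a real capture you would feed it the raw frame bytes instead.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6

def classify_frame(frame, my_mac):
    """Return (delivery, protocol) for one raw Ethernet II frame."""
    if len(frame) < 14:
        return ("malformed", "malformed")
    dst = frame[0:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if dst == BROADCAST:
        delivery = "broadcast"
    elif dst[0] & 0x01:               # group bit set in first octet
        delivery = "multicast"
    elif dst == my_mac:
        delivery = "unicast-to-me"
    else:
        delivery = "unicast-other"    # someone else's traffic reaching this port
    proto = "other"
    if ethertype == 0x0806 and len(frame) >= 42:        # ARP (28-byte body)
        (oper,) = struct.unpack("!H", frame[20:22])
        proto = {1: "arp-request", 2: "arp-reply"}.get(oper, "arp-other")
    elif ethertype == 0x0800 and len(frame) >= 34:      # IPv4
        ihl = (frame[14] & 0x0F) * 4                    # header length in bytes
        proto = "ipv4"
        if frame[23] == 17 and len(frame) >= 14 + ihl + 4:   # UDP
            sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
            proto = "dhcp" if {sport, dport} & {67, 68} else "udp"
    return (delivery, proto)

def summarize(frames, my_mac):
    """Count frames per (delivery, protocol); also return % unicast to my_mac."""
    counts = Counter(classify_frame(f, my_mac) for f in frames)
    total = sum(counts.values())
    to_me = sum(n for (d, _), n in counts.items() if d == "unicast-to-me")
    return counts, (100.0 * to_me / total if total else 0.0)

# --- constructed sample data (not taken from the thread) ---
MY_MAC = bytes.fromhex("020000000001")
PEER = bytes.fromhex("020000000002")

def _arp_request(src_mac, spa, tpa):
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                       src_mac, spa, bytes(6), tpa)
    return BROADCAST + src_mac + b"\x08\x06" + body

def _udp(dst_mac, src_mac, sport, dport):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes(4), bytes(4))
    return dst_mac + src_mac + b"\x08\x00" + ip + struct.pack("!HHHH", sport, dport, 8, 0)

SAMPLE = [_arp_request(PEER, bytes([10, 0, 0, 2]), bytes([10, 0, 0, i]))
          for i in range(10, 17)]
SAMPLE += [_udp(BROADCAST, PEER, 68, 67),      # DHCP broadcast
           _udp(MY_MAC, PEER, 53, 40000),      # reply to something we asked for
           _udp(MY_MAC, PEER, 4000, 1026)]     # unsolicited probe to port 1026

if __name__ == "__main__":
    counts, pct_to_me = summarize(SAMPLE, MY_MAC)
    for key, n in counts.most_common():
        print(key, n)
    print("unicast to me: %.1f%%" % pct_to_me)
```

A non-zero `unicast-other` count is the case worth investigating: it means frames addressed to another subscriber's MAC are reaching your port.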
