Strange traffic from my DSL router - Networking
-
Strange traffic from my DSL router
My home computing setup consists of a single multiboot PC (primarily
running Fedora 9) and a Westell 6100-E90 DSL (wired) modem/router
(supplied by Verizon).
I've observed a bizarre pattern of packets being issued by the Westell
6100. Can someone here hazard a guess as to what the router is trying to do?
Roughly every 20 seconds the router issues an HTTP connection request to
Port 80 on my PC. The first request after boot logged by iptables in
/var/log/messages has a source port of 1032. The source port increases
by one for every subsequent request, e.g. 1197, 1198, 1199... Along with
each connection request, the router issues an NBNS NBSTAT packet
(NetBIOS), plus some other packets. This goes on continuously for as
long as the PC is up and regardless of whether I'm doing anything on the PC.
My observation of this traffic is based on the following evidence:
1. Viewing eth0 activity displayed by gkrellm
2. Daily logwatch report shows iptables trapping several thousand
packets to port 80 from 192.168.1.1
3. Viewing of iptables logging in /var/log/messages
4. I've captured snapshots of this activity using Wireshark
This activity happens every time I'm online, and has been going on ever
since I started using DSL 13 months ago.
I don't run a server. I have only a minimum set of Linux daemons
running. I run Fedora 99% of the time, but when I run Ubuntu on my
multiboot PC, gkrellm displays the same pattern of activity on eth0.
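Added example, not part of the original post: one way to confirm from the iptables log that this traffic is timer-driven polling, by grouping logged packets per source and destination port and checking the interval and the source-port increments. The sample lines are constructed (only 192.168.1.1 and ports 80, 137 and 1032 come from the post), and the function names and the 25% jitter tolerance are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the iptables LOG format (fields abbreviated); the PC
# address, timestamps and the 192.168.1.50 host are made up for illustration.
SAMPLE_LOG = """\
Oct 12 08:15:01 pc kernel: IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.47 PROTO=TCP SPT=1032 DPT=80 SYN
Oct 12 08:15:01 pc kernel: IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.47 PROTO=UDP SPT=137 DPT=137 LEN=58
Oct 12 08:15:09 pc dhclient: DHCPREQUEST on eth0 to 192.168.1.1 port 67
Oct 12 08:15:21 pc kernel: IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.47 PROTO=TCP SPT=1033 DPT=80 SYN
Oct 12 08:15:21 pc kernel: IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.47 PROTO=UDP SPT=137 DPT=137 LEN=58
Oct 12 08:15:30 pc kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.47 PROTO=TCP SPT=40112 DPT=22 SYN
Oct 12 08:15:41 pc kernel: IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.47 PROTO=TCP SPT=1034 DPT=80 SYN
Oct 12 08:15:41 pc kernel: IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.47 PROTO=UDP SPT=137 DPT=137 LEN=58
Oct 12 08:16:02 pc kernel: IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.47 PROTO=TCP SPT=1035 DPT=80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?\bSRC=(?P<src>\S+) .*?"
    r"\bPROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

def summarize(log_text, year=2008):
    """Group logged packets by (source, protocol, dest port) and profile each group."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # syslog lines without SRC/SPT/DPT fields do not match and are skipped
            # syslog timestamps carry no year; the default is arbitrary
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            flows[(m["src"], m["proto"], int(m["dpt"]))].append((ts, int(m["spt"])))
    report = {}
    for key, hits in flows.items():
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        steps = [b[1] - a[1] for a, b in zip(hits, hits[1:])]
        mid = median(gaps) if gaps else None
        report[key] = {
            "count": len(hits),
            "median_gap_s": mid,
            "regular": bool(gaps) and all(abs(g - mid) <= 0.25 * mid for g in gaps),
            "sequential_ports": bool(steps) and all(s == 1 for s in steps),
        }
    return report

def periodic_probes(report, min_count=3):
    """Flows that repeat on a steady timer, the signature of automated polling."""
    return sorted(k for k, v in report.items() if v["count"] >= min_count and v["regular"])
```

A steady gap combined with source ports that step by exactly one points to a single device opening a fresh connection on a timer rather than to a user or to scattered Internet scanning.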
-
Re: Strange traffic from my DSL router
Allen Weiner wrote:
> My home computing setup consists of a single multiboot PC (primarily
> running Fedora 9) and a Westell 6100-E90 DSL (wired) modem/router
> (supplied by Verizon).
>
> I've observed a bizarre pattern of packets being issued by the Westell
> 6100. Can someone here hazard a guess as to what the router is trying to
> do?
>
> Roughly every 20 seconds the router issues an HTTP connection request to
> Port 80 on my PC. The first request after boot logged by iptables in
> /var/log/messages has a source port of 1032. The source port increases
> by one for every subsequent request, e.g. 1197, 1198, 1199... Along with
> each connection request, the router issues an NBNS NBSTAT packet
> (NetBIOS), plus some other packets. This goes on continuously for as
> long as the PC is up and regardless of whether I'm doing anything on the
> PC.
>
> [snip]
My Efficient/Siemens 5100b (supplied by SBC/AT&T) does a similar thing.
It pings my PC every minute and attempts to connect on udp/137 (NBNS)
every hour. I allow the ping, but block the NBNS (although there's
nothing that would answer, anyway).
I figure the modem just wants to know the PC is still alive.
The udp source port numbers increase because each connection attempt is
a unique connection, and that's how ports work for just about any
protocol (although random is better).
-
Re: Strange traffic from my DSL router
Allen Weiner wrote:
> My home computing setup consists of a single multiboot PC (primarily
> running Fedora 9) and a Westell 6100-E90 DSL (wired) modem/router
> (supplied by Verizon).
> I've observed a bizarre pattern of packets being issued by the Westell
> 6100. Can someone here hazard a guess as to what the router is trying to do?
I suspect that's the wrong question, the question should probably be
"What's Verizon trying to do?" The answer to that is almost certainly
"It's trying to detect any server you might be operating."
...
> I don't run a server.
And Verizon wants to make sure you don't ever do so.
--
Clifford Kite
/* The wealth of a nation is created by the productive labor of its
* citizens. */
-
Re: Strange traffic from my DSL router
Clifford Kite wrote:
> Allen Weiner wrote:
>> My home computing setup consists of a single multiboot PC (primarily
>> running Fedora 9) and a Westell 6100-E90 DSL (wired) modem/router
>> (supplied by Verizon).
>
>> I've observed a bizarre pattern of packets being issued by the Westell
>> 6100. Can someone here hazard a guess as to what the router is trying to do?
>
> I suspect that's the wrong question, the question should probably be
> "What's Verizon trying to do?" The answer to that is almost certainly
> "It's trying to detect any server you might be operating."
> ...
>
>> I don't run a server.
>
> And Verizon wants to make sure you don't ever do so.
>
Your explanation would make sense to me if the packets were coming from
the Internet (say, from Verizon).
Is your explanation consistent with the fact that the packets are coming
from the router itself? (Source IP address is 192.168.1.1). If I was
running a server, would my Westell 6100 "phone home"?
FWIW, I "hardened" the Westell 6100 firewall by installing a set of
rules I picked up from a forum on dslreports.com. These rules include
dropping all unsolicited inbound requests. This made no difference
whatsoever in the traffic I'm seeing.
-
Re: Strange traffic from my DSL router
Clifford Kite wrote:
> Allen Weiner wrote:
>> My home computing setup consists of a single multiboot PC (primarily
>> running Fedora 9) and a Westell 6100-E90 DSL (wired) modem/router
>> (supplied by Verizon).
>
>> I've observed a bizarre pattern of packets being issued by the Westell
>> 6100. Can someone here hazard a guess as to what the router is trying to do?
>
> I suspect that's the wrong question, the question should probably be
> "What's Verizon trying to do?" The answer to that is almost certainly
> "It's trying to detect any server you might be operating."
> ..
Unlike cable "modems," DSL modems don't have a separate (management)
address that only the ISP can access, so the ISP isn't doing anything.
It's all in the modem and whatever its ROM tells it to do.
>> I don't run a server.
>
> And Verizon wants to make sure you don't ever do so.
-
Re: Strange traffic from my DSL router
Allen Kistler wrote:
> Unlike cable "modems," DSL modems don't have a separate (management)
> address that only the ISP can access, so the ISP isn't doing anything.
> It's all in the modem and whatever its ROM tells it to do.
Not in my experience. Maybe the USA is different to the UK in this
respect.
Chris
-
Re: Strange traffic from my DSL router
Allen Kistler wrote:
> Unlike cable "modems," DSL modems don't have a separate (management)
> address that only the ISP can access, so the ISP isn't doing anything.
> It's all in the modem and whatever its ROM tells it to do.
This is an excerpt from a PDF for a 2wire 5100 DSL modem which I researched
but never followed through with a purchase:
Advanced - Configure Services Page
Note: To access this page, your organization must have the Remote
Management feature enabled. If the feature is not enabled, an error
message will display when you click the link to access this page.
I would expect the same thing to apply to most DSL modems and their
providers, aka "organizations," perhaps even with some things that
are well-hidden. It may just be that I have an overly suspicious mind
although I don't believe that to be the case - until proven wrong of
course. 
Cheers-
--
Clifford Kite
/* I gave up on politics when no matter who I voted for, I regretted it.
* -- Pepper...and Salt, WSJ */
-
Re: Strange traffic from my DSL router
alweiner7@hotmail.com wrote:
> My home computing setup consists of a single multiboot PC (primarily
> running Fedora 9) and a Westell 6100-E90 DSL (wired) modem/router
> (supplied by Verizon).
>
> I've observed a bizarre pattern of packets being issued by the Westell
> 6100. Can someone here hazard a guess as to what the router is trying to do?
>
> Roughly every 20 seconds the router issues an HTTP connection request to
> Port 80 on my PC. The first request after boot logged by iptables in
> /var/log/messages has a source port of 1032. The source port increases
> by one for every subsequent request, e.g. 1197, 1198, 1199... Along with
> each connection request, the router issues an NBNS NBSTAT packet
> (NetBIOS), plus some other packets. This goes on continuously for as
> long as the PC is up and regardless of whether I'm doing anything on the PC.
> ...
Same modem, same thing. More actually. The modem/router does a slow "sweep"
through the private IP address space. It does an ARP request on each
address. If it is set to 10.0.0.1, it does "Who has 10.0.0.2?", then "Who
has 10.0.0.3?", etc all the way up to 254. It does one address every 1.2
seconds, in groups of 10. Whenever it finds a live box it probes it with
HTTP and NBSTAT, multiple times - it keeps returning to that system between
ARP'ing other addresses. As far as I can tell, this is Westell's idea of a
good way to "auto-discover" the local network. The HTTP and NBTSTAT probes
are apparently trying to determine the PC name, perhaps operating system
type. I don't see that it gets used, except to display the "My Network"
thing in the modem's management page.
I think it is harmless, annoying, and pointless, and I see no way to turn
it off.
-
Re: Strange traffic from my DSL router
ljb wrote:
> alweiner7@hotmail.com wrote:
>> My home computing setup consists of a single multiboot PC (primarily
>> running Fedora 9) and a Westell 6100-E90 DSL (wired) modem/router
>> (supplied by Verizon).
>>
>> I've observed a bizarre pattern of packets being issued by the Westell
>> 6100. Can someone here hazard a guess as to what the router is trying to do?
>>
>> Roughly every 20 seconds the router issues an HTTP connection request to
>> Port 80 on my PC. The first request after boot logged by iptables in
>> /var/log/messages has a source port of 1032. The source port increases
>> by one for every subsequent request, e.g. 1197, 1198, 1199... Along with
>> each connection request, the router issues an NBNS NBSTAT packet
>> (NetBIOS), plus some other packets. This goes on continuously for as
>> long as the PC is up and regardless of whether I'm doing anything on the PC.
>> ...
>
> Same modem, same thing. More actually. The modem/router does a slow "sweep"
> through the private IP address space. It does an ARP request on each
> address. If it is set to 10.0.0.1, it does "Who has 10.0.0.2?", then "Who
> has 10.0.0.3?", etc all the way up to 254. It does one address every 1.2
> seconds, in groups of 10. Whenever it finds a live box it probes it with
> HTTP and NBSTAT, multiple times - it keeps returning to that system between
> ARP'ing other addresses. As far as I can tell, this is Westell's idea of a
> good way to "auto-discover" the local network. The HTTP and NBTSTAT probes
> are apparently trying to determine the PC name, perhaps operating system
> type. I don't see that it gets used, except to display the "My Network"
> thing in the modem's management page.
>
> I think it is harmless, annoying, and pointless, and I see no way to turn
> it off.
I had a similar thread in one of the forums at dslreports.com. A former
telco tech conjectured that the traffic was from the router doing
network mapping. But unlike your reply, he didn't explain how the http
and nbstat packets fit in. Thanks very much for your explanation.
I too saw ARP packets with an ascending address pattern in my Wireshark
snapshots. I didn't analyze them in anywhere near the level of detail
that you have done.