On Mon, Feb 10, 2020 at 12:10 PM Andrew Lunn <andrew at lunn.ch> wrote:

> > > How well do you have your local IP addresses under control? Does your
> > > DHCP server just have a pool and gives out addresses from that? Or
> > > have you got it configured to give out specific IP addresses for
> > > configured MAC addresses?
> >
> > Now I'm thinking the bright shiny Maserati just blew by me - - - - grin!
> >
> > This is what I'm trying to learn. I think I'm a few steps behind what you're
> > talking about here.
> > Any suggestions as to some pages for studying and learning and
> > implementing own DHCP and monitoring local IP addys etc?
>
> I'm assuming your DD-WRT box is your DHCP server? If so, see if these
> help:
>
> https://wiki.dd-wrt.com/wiki/index.php/Static_DHCP
> https://wiki.dd-wrt.com/wiki/index.php/DNSMasq_as_DHCP_server
>
> You want to configure static leases. In the first example, the device
> in your network which has MAC address 00:11:22:33:44:55 is always
> given the IP address 192.168.1.50. So when you see 192.168.1.50 in
> wireshark, you know what device that is. There is probably a status
> page somewhere in DD-WRT showing the leases it has already given out
> from its pool. It should list the MAC address and the address from the
> pool. So you can get all the MAC addresses from there. The tricky part
> is working out what device the MAC address belongs to. You can get
> some clues, e.g. feed the MAC address into:
>
> https://aruljohn.com/mac.pl
>
> and it will tell you which company the MAC address has been assigned
> to.
>
> When you can figure out what a MAC address belongs to, add a static
> lease for it. Then either be patient for its current lease to expire,
> or power cycle it for immediate results. It should then take the fixed
> IP address you have configured for it.
>
> Laptops, tablets, phones, desktops are easy, you can login and see how
> they are configured, get the MAC address with "ip link show",
> etc. Your smart lightbulbs and other IoT devices often don't have a
> nice simple way to give you their MAC address, so you need to do a
> bit more detective work.

None of the IoT stuff here so that part is quite easy!
>
> > > 2) Analyse the frames. Grab the file of captured frames and let
> > > wireshark decode it. You can then look at the traffic, figure out what
> > > source/sink is. Depending on your dhcp/dns setup, it should be able to
> > > give you hostnames, not IP addresses.
> > >
> > I think I have some things to work on before I'm at this step.
>
> You can start without having DHCP and DNS fully under your control. It
> will just make it a bit harder to attribute packets to devices, since
> you have no idea who 192.168.42.42 is in your network. But if you see
> it talking to apple servers, you can guess it is an apple device. If
> it talks to LG servers, it could be your SMART TV, etc.
>
I control everything from the router this way so it wouldn't take long to
figure out what or who 192.168.42.42 is. There are only 8 clients in
total so that I can keep a lid on. It's just that somewhat more often than 4
times over 2 hours (continuous except when I'm on the LAN) there is a
spike indicating that data has been sent from the LAN. (ET is calling
home.) I want to find what is causing this traffic at the very least.

TIA
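The workflow the thread sketches (read the DHCP leases off the router, map IP to MAC to vendor, pin the device with a static lease, then attribute the periodic outbound spike to a host) can be scripted. The following is an added example for this thread, not code posted by either participant. It assumes the standard dnsmasq leases layout (expiry, MAC, IP, hostname, client-id), which is what DD-WRT's dnsmasq writes; the lease lines, the tiny OUI table, and the flow records (the kind of summary `tshark -q -z conv,ip` produces) are all constructed for the example.

```python
"""Attribute outbound LAN traffic to devices via a dnsmasq leases file.

Added example for this thread; not code from the thread's participants.
Assumes dnsmasq's leases layout: expiry-epoch MAC IP hostname client-id.
All sample data below (leases, OUI table, flows) is constructed.
"""
import ipaddress
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample in dnsmasq's leases format (DD-WRT keeps the file under /tmp).
# '*' means dnsmasq learned no hostname for that client.
LEASES = """\
1581379200 00:11:22:33:44:55 192.168.1.50 printer 01:00:11:22:33:44:55
1581380000 b8:27:eb:aa:bb:cc 192.168.1.42 * *
1581381000 de:ad:be:ef:00:01 192.168.1.101 laptop 01:de:ad:be:ef:00:01
"""

# Constructed stand-in for an OUI lookup; the web form linked in the thread
# queries the real IEEE registry, which is far larger than this.
OUI = {
    "00:11:22": "vendor from the thread's example (constructed entry)",
    "b8:27:eb": "Raspberry Pi Foundation",
}

# Constructed flow summary: (epoch seconds, src, dst, bytes).
FLOWS = [
    (1581375600, "192.168.1.42", "93.184.216.34", 48_000),
    (1581375610, "192.168.1.101", "192.168.1.50", 2_000),   # LAN-internal, ignored
    (1581377400, "192.168.1.42", "93.184.216.34", 51_000),
    (1581379200, "192.168.1.42", "93.184.216.34", 47_500),
    (1581379260, "192.168.1.77", "8.8.8.8", 300),           # no lease on file
    (1581381000, "192.168.1.42", "93.184.216.34", 49_000),
]


def parse_leases(text):
    """Map IP -> {mac, host, expires}. host is None when dnsmasq recorded '*'."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        expires, mac, ip, host = parts[:4]
        leases[ip] = {"mac": mac.lower(),
                      "host": None if host == "*" else host,
                      "expires": int(expires)}
    return leases


def vendor(mac):
    """First three octets of the MAC select the vendor (OUI)."""
    return OUI.get(mac.lower()[:8], "unknown OUI")


def static_lease(mac, ip, host):
    """dnsmasq directive pinning a MAC to an IP; DD-WRT's Static DHCP page
    generates the same 'dhcp-host=' lines."""
    return f"dhcp-host={mac.lower()},{ip},{host}"


def label(ip, leases):
    """Human-readable owner of an IP, falling back to OUI vendor, then to a warning."""
    lease = leases.get(ip)
    if lease is None:
        return f"{ip} (no lease: static or rogue?)"
    name = lease["host"] or vendor(lease["mac"])
    return f"{ip} {lease['mac']} {name}"


def outbound_by_device(flows, leases):
    """Total bytes leaving the LAN, keyed by the labelled source device."""
    totals = Counter()
    for _, src, dst, nbytes in flows:
        if ipaddress.ip_address(dst) in LAN:
            continue
        totals[label(src, leases)] += nbytes
    return totals


def burst_intervals(flows, src_ip):
    """Seconds between successive outbound flows from one host. A steady
    value points at a scheduled check-in rather than a person at the keyboard."""
    times = sorted(t for t, s, d, _ in flows
                   if s == src_ip and ipaddress.ip_address(d) not in LAN)
    return [later - earlier for earlier, later in zip(times, times[1:])]


if __name__ == "__main__":
    leases = parse_leases(LEASES)
    for device, total in outbound_by_device(FLOWS, leases).most_common():
        print(f"{total:>8} B  {device}")
    print("intervals for 192.168.1.42:", burst_intervals(FLOWS, "192.168.1.42"))
    print(static_lease("00:11:22:33:44:55", "192.168.1.50", "printer"))
```

On the constructed data the host with no hostname resolves to its OUI vendor and shows a flat 1800-second cadence, which is the kind of signature the thread's "ET calling home" spike would leave; the address with no lease at all is flagged separately, since a host that never asked the router for an address is exactly the one a lease table cannot explain.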