strange tcpdump output on interface br0 on R7000..(SOLVED)

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6388
Location: UK, London, just across the river..

Posted: Mon Jan 09, 2023 18:07    Post subject: strange tcpdump output on interface br0 on R7000..(SOLVED)
Hi guys... R7000 on 51275.
It's about the strange output of tcpdump -nnS -i br0 !'port 22'

I was doing some network adjustments and decided to monitor the br0 interface on my R7000.
The R7000 has segmented LAN ports with x3 VLANs, each on its own subnet and bridge,
and the last switch port is left by default at br0 along with 2.4GHz WiFi... (the port is not in use).
It also has a VPN with SmartDNS... but this is not important...

So... the output of tcpdump -nnS -i br0 !'port 22' contains not only IP communication but some odd WiFi frames... where I can see those have some payload, and in the payload I can see the local WiFi AP, the neighbours' WiFis, and sometimes some even more odd payloads... so, my question is..
Once br0 goes into promiscuous mode (tcpdump), is it sniffing some of the WiFi frames around?
Maybe it could be a function related to the Broadcom WiFi driver... as I don't see any output on
any of my Atheros based units...
Why do I see those frames, and why do they sometimes have some very odd payload like vendors not related
to my network devices?
Why are those there... in the first place...

Things I already tried:
-reset and manually rebuild
-checked for rogue clients / none
-same command on some other Atheros based units - no strange frames
-I've no STP or IGMP Snooping
-I read here ... https://success.alienvault.com/s/article/Why-does-a-TCPdump-of-my-monitor-interface-return-ethertype-Unknown and there https://serverfault.com/questions/608947/tcpdump-ethertype-unknown but it's still not clear why those were there... in br0... I know tcpdump was updated but... could it be the reason?

Can anyone try to see the output of tcpdump -nnS -i br0 !'port 22' on an R7000 or similar Broadcom??

Here is some output:
18:59:02.161046 myrouter MAC address > myrouter MAC address, ethertype Unknown (0x886c), length 306:
0x0000: 8001 0150 0000 1018 0001 0002 0000 0000 ...P............
0x0010: 002c 0000 0000 0000 0000 0000 0000 0000 .,..............
0x0020: 00e8 646e 694b 5a5e 6574 6831 0000 0000 ..dniJZ^eth1....
0x0030: 0000 0000 0000 0000 0000 4000 0000 ffff ..........@.....
0x0040: ffff ffff 646e 694b 5a5e ffff ffff ffff ....dniJZ^......
0x0050: e077 000e 5450 2d4c 494e 4b5f 3834 3934 .w..TP-LINK_8494
0x0060: 4632 0108 8284 8b96 1224 486c 3204 0c18 F2.......$Hl2...
0x0070: 3060 2d1a ef11 1fff ff00 0001 0000 0000 0`-.............
0x0080: 0000 0000 0000 0000 0c1c 46a7 0800 7f01 ..........F.....
0x0090: 00dd 7c00 50f2 0410 4a00 0110 103a 0001 ..|.P...J....:..
0x00a0: 0020 0800 0222 8810 4700 104c d7f2 f65b ....."..G..L...[
0x00b0: 7a51 6090 a20e 3c6c acc0 8d10 5400 0800 zQ`...<m....T...
0x00c0: 0700 50f2 0400 0110 3c00 0103 1002 0002 ..P.....<.......
0x00d0: 0000 1009 0002 0000 1012 0002 0000 1021 ...............!
0x00e0: 0008 4d65 6469 6174 656b 1023 0006 4d54 ..Mediatek.#..MT
0x00f0: 3736 7878 1024 0001 3110 1100 084d 6564 76xx.$..1....Med
0x0100: 6961 7465 6b10 4900 0600 372a 0001 20dd iatek.I...7*....
0x0110: 1150 6c9a 0902 0200 2500 0605 0058 5804 .Po.....%....XX.
0x0120: 5101 0000 Q...
18:59:07.338721 myrouter MAC address > myrouter MAC address, ethertype Unknown (0x886c), length 317:
0x0000: 8001 015b 0000 1018 0001 0002 0000 0000 ...[............
0x0010: 002c 0000 0000 0000 0000 0000 0000 0000 .,..............
0x0020: 00f3 505b c26e 9675 6574 6831 0000 0000 ..P[.n.ueth1....
0x0030: 0000 0000 0000 0000 0000 4000 0000 ffff ..........@.....
0x0040: ffff ffff 505b c26e 9675 ffff ffff ffff ....P[.n.u......
0x0050: 30a9 0000 0108 0204 0b16 1224 486c 3204 0..........$Hl2.
0x0060: 8c98 b060 2d1a ef11 13ff ff00 0001 0000 ...`-...........
0x0070: 0000 0000 0000 0000 0000 0c1c 46a7 0800 ............F...
0x0080: 7f01 007f 0400 000a 01dd 8000 50f2 0410 ............P...
0x0090: 4a00 0110 103a 0001 0010 0800 0242 8810 J....:.......B..
0x00a0: 4700 10c8 9914 1038 9a55 1382 6f7d 3d03 G......8.U..o}=.
0x00b0: 3671 d110 5400 0800 0700 50f2 0400 0110 6q..T.....P.....
0x00c0: 3c00 0103 1002 0002 0000 1009 0002 0000 <...............
0x00d0: 1012 0002 0000 1021 0007 5048 494c 4950 .......!..PHILIP
0x00e0: 5310 2300 0651 4d31 3634 4510 2400 0651 S.#..QM164E.$..Q
0x00f0: 4d31 3624 4510 1100 0851 4d31 3658 455f M164E....QM16XE_
0x0100: 4610 4900 0600 372a 0001 20dd 0d50 6f9a F.I...7*.....Po.
0x0110: 0a00 0006 0111 1c33 0032 dd11 506f 9a09 .......D.2..Po..
0x0120: 0202 0025 0006 0500 5858 0451 0100 00 ...%....XX.Q...
18:59:11.626805 myrouter MAC address > myrouter MAC address, ethertype Unknown (0x886c), length 157:
0x0000: 8001 00bb 0000 1018 0001 0002 0000 0000 ................
0x0010: 002c 0000 0000 0000 0000 0000 0000 0000 .,..............
0x0020: 0053 50b7 bf7e 0ebb 6574 6831 0000 0000 .SP..~..eth1....
0x0030: 0000 0000 0000 0000 0000 4000 0000 ffff ..........@.....
0x0040: ffff ffff 50c7 bf7e 0ebb ffff ffff ffff ....P..~........
0x0050: b0b8 000d 5465 6368 5f44 3338 3736 3836 ....Tech_D387686
0x0060: 3601 0882 848b 9612 2448 6c32 040c 1830 6.......$Hl2...0
0x0070: 602d 1aac 0117 ffff 0000 0000 0000 0000 `-..............
0x0080: 0000 0000 0000 0000 0000 0000 0000 00 ...............
18:59:11.836705 myrouter MAC address > myrouter MAC address, ethertype Unknown (0x886c), length 157:
0x0000: 8001 00bb 0000 1018 0001 0002 0000 0000 ................
0x0010: 002c 0000 0000 0000 0000 0000 0000 0000 .,..............
0x0020: 0053 50c7 bf7e 0ebb 6574 6831 0000 0000 .SP..~..eth1....
0x0030: 0000 0000 0000 0000 0000 4000 0000 ffff ..........@.....
0x0040: ffff ffff 50c7 bf7e 0ebb ffff ffff ffff ....P..~........
0x0050: d0b8 000d 5465 6368 5f44 3338 3736 3836 ....Tech_D387686
0x0060: 3601 0882 848b 9612 2448 6c32 040c 1830 6.......$Hl2...0
0x0070: 602d 1abc 0117 ffff 0000 0000 0000 0000 `-..............
0x0080: 0000 0000 0000 0000 0000 0000 0000 00 ...............

If it's VLAN or br0 communication related stuff, then I've no idea why I see those and their payload... and mainly its content...

Also, after a reset there are no VLANs created and it's only br0... so that's not the case.

OK, after some more digging I've found some more info about ethertype Unknown (0x886c), and this is related to Broadcom WiFi driver bad code, I guess, or so...

https://forums.raspberrypi.com/viewtopic.php?t=146246

https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html

Case closed..!
So, if I need to use WiFi capabilities on a Broadcom router I'll need either a new Atheros based WAP... or nothing, or I can just move to a new Atheros based router (I've a spare R7800)..

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,AP Isolation,Ad-Block,Firewall
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 55363 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55363 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
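Decoding the first frame quoted in the post, as an added example that is not part of the original thread: ethertype 0x886c with Broadcom OUI 00:10:18 in the header is the Broadcom wl driver's event message format, and this frame is event type 44 (WLC_E_PROBREQ_MSG), whose data field is the raw 802.11 probe request the radio received, which is why a neighbour's client MAC, the SSID it was probing for and its WPS vendor strings show up in the payload. The header layout is assumed from the Linux brcmfmac driver headers (fweh.h); the hex lines are constructed from the post's own dump.

```python
import re, struct

# Constructed input: the first seven hex lines of the first 0x886c frame quoted in the post
# (tcpdump shows the payload after the Ethernet header; the ASCII column is skipped below).
TCPDUMP_HEX = """
0x0000: 8001 0150 0000 1018 0001 0002 0000 0000 ...P............
0x0010: 002c 0000 0000 0000 0000 0000 0000 0000 .,..............
0x0020: 00e8 646e 694b 5a5e 6574 6831 0000 0000 ..dniJZ^eth1....
0x0030: 0000 0000 0000 0000 0000 4000 0000 ffff ..........@.....
0x0040: ffff ffff 646e 694b 5a5e ffff ffff ffff ....dniJZ^......
0x0050: e077 000e 5450 2d4c 494e 4b5f 3834 3934 .w..TP-LINK_8494
0x0060: 4632 0108 8284 8b96 1224 486c 3204 0c18 F2.......$Hl2...
"""

BRCM_OUI = b"\x00\x10\x18"   # Broadcom OUI carried in the bcmeth header
WLC_E_PROBREQ_MSG = 44       # event type 44 (brcmfmac fweh.h: BRCMF_E_PROBREQ_MSG)

def hexdump_to_bytes(text):  # rebuild bytes from "0x0000: xxxx xxxx ... ASCII" lines
    out = bytearray()
    for line in text.strip().splitlines():
        for tok in line.split()[1:9]:          # drop offset; at most 8 groups per line
            if not re.fullmatch(r"(?:[0-9a-f]{2}){1,2}", tok):
                break                          # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)

def parse_brcm_event(payload):  # bcmeth header (10 bytes) + wl_event_msg (48), big-endian
    _sub, _len, _ver, oui, usr_subtype = struct.unpack(">HHB3sH", payload[:10])
    if oui != BRCM_OUI or usr_subtype != 1:    # usr_subtype 1 = driver event message
        raise ValueError("not a Broadcom event frame")
    (_v, _flags, ev_type, _status, _reason, _auth, datalen, addr, ifname,
     _ifidx, _bsscfgidx) = struct.unpack(">HHIIIII6s16sBB", payload[10:58])
    return {"event_type": ev_type, "datalen": datalen, "addr": addr.hex(":"),
            "ifname": ifname.split(b"\0", 1)[0].decode(), "data": payload[58:58 + datalen]}

def probe_request_ssid(frame):  # (source MAC, SSID) from a raw 802.11 probe request
    fc = struct.unpack("<H", frame[:2])[0]      # 802.11 frame control is little-endian
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 4:
        raise ValueError("not a probe request")
    sa, ies, i = frame[10:16].hex(":"), frame[24:], 0
    while i + 2 <= len(ies):                    # walk elements: tag, length, value
        tag, ln = ies[i], ies[i + 1]
        if tag == 0:                            # element 0 = SSID the client asked for
            return sa, ies[i + 2:i + 2 + ln].decode(errors="replace")
        i += 2 + ln
    return sa, None

def decode(text=TCPDUMP_HEX):
    ev = parse_brcm_event(hexdump_to_bytes(text))
    return ev, (probe_request_ssid(ev["data"]) if ev["event_type"] == WLC_E_PROBREQ_MSG else None)
```

As the dump shows, these events are addressed from the router's own MAC to the router's own MAC and arrive via eth1, so the bridge delivers them locally rather than forwarding them; only a capture on br0 itself sees them.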