unusual traffic on my AP
Hello, I was wondering if you could help me understand what is happening.
I've been using Kismet for about two weeks now to monitor traffic on my wireless network. Last night, there was a change in the usual pattern of traffic.
It's difficult to explain (as I'm new to this), but, as far as I can tell, there was traffic being transmitted from my AP, and when looking at the 'Network List Details' section of Kismet for my AP, I noticed that the AP is producing a lot of 'LLC' packets, and I don't know what these are. There were some data packets (although not many; they probably total 10 KB in one hour).
So I continued monitoring while I went to sleep, and when I returned to the computer in the morning, the 'LLC packets' were still being produced, but the total traffic seen on the network was 100 MB.
I was wondering what these 'LLC' packets are?
The 'Network List Details' for my AP are as follows:
In the Kismet 'client list' for my network, I see the MAC code of my AP (00:1D:68:EB:5F:EE, printed on the label of the AP), but I'm also seeing a similar MAC code (00:1D:68:EB:5F:EF). *EDIT: if I go into my AP config, it says 'Physical Address: 00:1D:68:EB:5F:EF'.*
BSSID: 00:1D:68:EB:5F:EF (which is confusing, because I thought my AP's MAC was 5F:EE, as printed on the underside of the AP)
ENCRYPT: TKIP WPA PSK AES-CCM CCMP (not sure why TKIP is here; I'm only using WPA2?)
LLC: 322874 (usually 0)
WEAK: 46 (usually 0)
DUPE IV: 145562 (usually 0)
It's confusing to me why there are two MAC codes which are so similar. The 'client list' looks like this:
s FF:FF:FF:FF:FF:FF data=0 crypt=0 size=0
S 01:00:5E:7F:FF:FA data=0 crypt=0 size=0
S 01:00:5E:00:00:16 data=0 crypt=0 size=0
I 00:1D:68:EB:5F:EF data=18 crypt=0 size=2
F 00:1D:68:EB:5F:EE data=108850 crypt=10885 size=109M
Well, I've been trying to do a little research into this, and LLC stands for Logical Link Control. These packets handle multiplexing and are standard over most data protocols. Basically, these guys manage the link between your AP and a client so that multiple streams of data can be moved quickly and efficiently over a single connection.
So when data is created on your computer, different programs and protocols and whatnot all stream out their data in different formats. When this data needs to go through a bottleneck such as a network cable or Wi-Fi signal, it needs to be combined and translated into a single stream of data that can be understood by other NICs. The LLC packets make sure that everyone is talking the same language, that the rate of transmission isn't overwhelming the rate of reception, and that the data being sent is complete and not corrupted by packet loss. Once everything makes it across the bottleneck, it can be separated into its individual streams again and processed.
Now the LLCs come in two forms:
(Type 1) "Unacknowledged connectionless mode": This is sort of a broadcast mode where the data has no specific connection; it is simply packed into a readable format and sent out to whoever can intercept it. The LLC makes sure that anyone can read the data with the proper hardware/software.
(Type 2) "Connected mode": This is where the data is packed up and sent to a specific connected client (usually encrypted). The LLC makes sure that the data goes to its specific location and not to other places where it shouldn't, while still handling the multiplexing.
Please understand that I am a complete newb and that this is simply my understanding of how it works, if I am wrong about this I would love a correction.
For more information I'd advise checking out "The OSI model": http://en.wikipedia.org/wiki/OSI_model
This is the real meat and potatoes of how data is transferred between computers.
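The two LLC types described in the post above are visible in the control byte of the 802.2 header that sits at the front of an 802.11 data frame's body. As an added example (not code from the poster, from Kismet, or from the original page), here is a small decoder that classifies a payload as Type 1 (U-format UI/XID/TEST) or Type 2 (I/S-format, plus the U-format link-setup frames) and peels off a SNAP header when DSAP and SSAP are 0xAA. The sample payloads are constructed by hand for the demo, not captured from the poster's AP.

```python
# Added example for this thread (not from the original posts or from Kismet):
# decode an IEEE 802.2 LLC header and report which LLC type the frame belongs to.
# Sample payloads below are constructed, not captured traffic.

SNAP_SAP = 0xAA   # DSAP = SSAP = 0xAA, control UI -> SNAP extension follows
PF_BIT = 0x10     # poll/final bit in a U-format control byte

# U-format control values with the P/F bit cleared -> (name, LLC type).
# UI/XID/TEST are Type 1 (connectionless); the rest set up or tear down a
# Type 2 (connection-oriented) link.
U_FRAMES = {
    0x03: ("UI", 1), 0xAF: ("XID", 1), 0xE3: ("TEST", 1),
    0x6F: ("SABME", 2), 0x43: ("DISC", 2), 0x63: ("UA", 2),
    0x0F: ("DM", 2), 0x87: ("FRMR", 2),
}
S_FRAMES = {0: "RR", 1: "REJ", 2: "RNR"}   # supervisory function bits


def _second_byte(payload):
    if len(payload) < 4:
        raise ValueError("I/S-format control field needs two bytes")
    return payload[3]


def parse_llc(payload: bytes) -> dict:
    """Parse the LLC (and optional SNAP) header at the start of `payload`."""
    if len(payload) < 3:
        raise ValueError("need at least DSAP, SSAP and one control byte")
    dsap, ssap, c0 = payload[0], payload[1], payload[2]
    hdr = {"dsap": dsap, "ssap": ssap, "snap_oui": None, "ethertype": None}
    # The two low-order bits of the first control byte select the format:
    #   .......0  I-format, 2 bytes, carries N(S)/N(R)      -> Type 2
    #   ......01  S-format, 2 bytes, RR/REJ/RNR with N(R)   -> Type 2
    #   ......11  U-format, 1 byte, UI/XID/TEST or link setup
    if c0 & 0x01 == 0:
        c1 = _second_byte(payload)
        hdr.update(format="I", name="I", llc_type=2, ns=c0 >> 1,
                   nr=c1 >> 1, pf=bool(c1 & 1), header_len=4)
    elif c0 & 0x03 == 0x01:
        c1 = _second_byte(payload)
        hdr.update(format="S", name=S_FRAMES.get((c0 >> 2) & 0x03, "reserved"),
                   llc_type=2, nr=c1 >> 1, pf=bool(c1 & 1), header_len=4)
    else:
        name, ltype = U_FRAMES.get(c0 & 0xEF, ("unknown-U", 1))
        hdr.update(format="U", name=name, llc_type=ltype,
                   pf=bool(c0 & PF_BIT), header_len=3)
    # SNAP: DSAP = SSAP = 0xAA and UI control, then a 3-byte OUI and 2-byte EtherType.
    if dsap == SNAP_SAP and ssap == SNAP_SAP and hdr["name"] == "UI":
        if len(payload) < 8:
            raise ValueError("truncated SNAP header")
        hdr["snap_oui"] = payload[3:6]
        hdr["ethertype"] = int.from_bytes(payload[6:8], "big")
        hdr["header_len"] = 8
    return hdr


# Constructed sample payloads (hypothetical, for the demo only).
SAMPLES = {
    "ipv4_over_snap": bytes.fromhex("aaaa03" "000000" "0800") + bytes(20),
    "stp_bpdu":       bytes.fromhex("424203" "0000"),        # SAP 0x42, UI
    "netbios_iframe": bytes.fromhex("f0f0" "0201") + b"data",  # N(S)=1, N(R)=0, P/F=1
    "netbios_rr":     bytes.fromhex("f0f0" "0104"),          # RR, N(R)=2
    "netbios_sabme":  bytes.fromhex("f0f0" "7f"),            # SABME with P=1
}


def count_by_type(payloads) -> dict:
    """Tally how many payloads are Type 1 versus Type 2 LLC."""
    counts = {1: 0, 2: 0}
    for p in payloads:
        counts[parse_llc(p)["llc_type"]] += 1
    return counts


if __name__ == "__main__":
    for name, p in SAMPLES.items():
        print("%-15s %s" % (name, parse_llc(p)))
    print("by LLC type:", count_by_type(SAMPLES.values()))
```

One caveat for a passive sniffer: on a WPA/WPA2 network the LLC/SNAP header is inside the encrypted frame body, so a capture tool only gets to decode it on unencrypted frames or after the capture has been decrypted with the PSK.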
The Dupe IVs are what I'd be concerned with. Something young'uns like to do is fake a MAC that closely resembles an authorized MAC in an attempt to slip past an admin's attention. What you are looking at here is most likely a probe/attack of some sort on your WPA. Although, rethinking my own statement, IVs aren't necessary in WPA attacks....
Okay, so I've come to the conclusion that I have no idea what is causing that traffic, minus an 'evil-twin' attack, which is, quite frankly, not likely.
For the simple reason that APs have at least two MACs. There is a MAC for each physical Ethernet port: one is the MAC of the wireless side, and one is the MAC of the wired port. This is the way TCP/IP works at Layer 2 (the Data Link Layer) of the OSI model.
Originally Posted by targus
Both of these MACs are probably from your own AP.
The numbers are similar because of the way MACs work. The first six digits are assigned to the manufacturer of the electronics. In this case we can do a quick check of the IEEE's OUI list, and find that the device was manufactured by:
Thomson Telecom Belgium
Prins Boudewijnlaan 47 B
Edegem Antwerp B-2650
Keep in mind this may not be the maker of the AP, but is the maker of the actual internal electronic devices used in the AP that are used to transmit and receive Ethernet traffic.
The remaining six digits of the MAC are assigned by the manufacturer to the Ethernet ports in each device, and they tend to be sequential. In this case we have EB:5F:EF and EB:5F:EE, which makes sense, as EF follows EE in logical order.
If you have a device with multiple ports, such as a wireless router (e.g. WRT54G), then you have one for each port. In the case of a WRT54G, there would be six MACs: one for the wireless, one for the WAN port, and four MACs for the four switch ports.
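The OUI lookup and "sequential device part" reasoning in Thorn's post can be done mechanically on the client list the original poster pasted. As an added example (not code from any poster, from Kismet, or from the original page), the script below parses those Kismet-style lines, splits each MAC into its 3-byte OUI and 3-byte device-specific part, separates group addresses (the broadcast entry and the two 01:00:5E IPv4 multicast entries) from real stations, and flags unicast MACs that share an OUI and sit one apart. The OUI table is a constructed one-entry subset holding only the prefix the thread reports from the IEEE list; the client-list text is the one quoted in the thread.

```python
# Added example for this thread (not from the original posts or from Kismet):
# analyse a Kismet-style client list: OUI lookup, group vs individual addresses,
# and same-OUI MACs whose device parts are adjacent (a multi-port device).
import re

# Constructed subset of the IEEE OUI list: only the prefix the thread looked up.
OUI_TABLE = {"00:1D:68": "Thomson Telecom Belgium"}

# Well-known IPv4 multicast groups; RFC 1112 maps them onto 01:00:5E:xx:xx:xx.
KNOWN_GROUPS = {"224.0.0.22": "IGMPv3 membership reports",
                "239.255.255.250": "SSDP / UPnP discovery"}

# The client list exactly as quoted in the thread.
CLIENT_LIST = """\
s FF:FF:FF:FF:FF:FF data=0 crypt=0 size=0
S 01:00:5E:7F:FF:FA data=0 crypt=0 size=0
S 01:00:5E:00:00:16 data=0 crypt=0 size=0
I 00:1D:68:EB:5F:EF data=18 crypt=0 size=2
F 00:1D:68:EB:5F:EE data=108850 crypt=10885 size=109M
"""

LINE = re.compile(r"^(?P<type>\S)\s+(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
                  r"\s+data=(?P<data>\d+)\s+crypt=(?P<crypt>\d+)\s+size=(?P<size>\S+)$")


def parse_client_list(text):
    """Return one dict per client line; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            d = m.groupdict()
            rows.append({"type": d["type"], "mac": d["mac"].upper(),
                         "data": int(d["data"]), "crypt": int(d["crypt"]),
                         "size": d["size"]})
    return rows


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def ipv4_group_to_mac(group):
    """RFC 1112: 01:00:5E followed by the low 23 bits of the group address."""
    o = [int(x) for x in group.split(".")]
    if len(o) != 4 or not 224 <= o[0] <= 239:
        raise ValueError("not an IPv4 multicast address: %s" % group)
    return "01:00:5E:%02X:%02X:%02X" % (o[1] & 0x7F, o[2], o[3])


# Reverse map built from the table above, used to annotate multicast MACs.
MAC_TO_GROUP = {ipv4_group_to_mac(g): "%s (%s)" % (g, what)
                for g, what in KNOWN_GROUPS.items()}


def classify_mac(mac):
    """Group vs individual address (I/G bit), OUI vendor, device-specific part."""
    mac = mac.upper()
    oui, nic = mac[:8], mac[9:]
    if mac == "FF:FF:FF:FF:FF:FF":
        kind, note = "broadcast", None
    elif int(mac[:2], 16) & 0x01:      # low bit of the first octet set: group address
        kind, note = "multicast", MAC_TO_GROUP.get(mac, "unknown group")
    else:
        kind, note = "unicast", OUI_TABLE.get(oui, "OUI not in local table")
    return {"mac": mac, "kind": kind, "oui": oui, "nic": nic, "note": note}


def adjacent_unicast_pairs(macs):
    """Unicast MACs sharing an OUI whose device parts differ by exactly one."""
    uni = sorted({m.upper() for m in macs if classify_mac(m)["kind"] == "unicast"},
                 key=mac_to_int)
    return [(a, b) for a, b in zip(uni, uni[1:])
            if a[:8] == b[:8] and mac_to_int(b) - mac_to_int(a) == 1]


def report(text):
    rows = parse_client_list(text)
    return {"clients": [classify_mac(r["mac"]) for r in rows],
            "adjacent": adjacent_unicast_pairs(r["mac"] for r in rows),
            "carrying_data": [r["mac"] for r in rows if r["data"] > 0]}


if __name__ == "__main__":
    result = report(CLIENT_LIST)
    for c in result["clients"]:
        print("%-17s %-9s %s" % (c["mac"], c["kind"], c["note"]))
    print("adjacent same-OUI pairs:", result["adjacent"])
    print("entries with data:", result["carrying_data"])
```

Against the quoted list this reports the three "S"/"s" entries as broadcast and IPv4 multicast (the two 01:00:5E addresses are the RFC 1112 mappings of 224.0.0.22 and 239.255.255.250), so they are group destinations rather than extra stations, and it pairs 00:1D:68:EB:5F:EE with 00:1D:68:EB:5F:EF as same-OUI neighbours, the pattern Thorn describes for two ports of one box. A real OUI check would load the full IEEE file in place of the one-line table.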
Thanks guys, you've put my mind at ease somewhat.
Revelati, thanks for that explanation of LLC packets. I tried googling it but didn't get much info. Thanks also for the link to the OSI model Wikipedia page; I'm going to sit down and read that tomorrow.
Thorn, thanks for your explanation of the 2 MAC codes. Now it makes sense.
Also, there is an Ethernet cable running from the AP to a television and set-top box, so maybe those devices account for the (S) send-to MACs? I'll pull the plug on their power tomorrow and see.
Just a quick update.
It seems other networks close by are now starting to generate/receive large numbers of these LLC packets too, although there are a couple of networks that are not affected.