Thread: unusual traffic on my AP

  1. #1
    Just burned his ISO | Join Date: Oct 2008 | Posts: 8

    unusual traffic on my AP

    Hello, I was wondering if you could help me understand what is happening.

    I've been using Kismet for about 2 weeks now to monitor traffic on my wireless network. Last night, there was a change in the usual pattern of traffic.

    It's difficult to explain (as I'm new to this), but, as far as I can tell, there was traffic being transmitted from my AP, and when looking at my AP's 'Network List Details' section of Kismet, I noticed that the AP is producing a lot of 'LLC' packets, and I don't know what these are. There were some data packets (although not many; they probably total 10 kB in 1 hour).

    So I continued monitoring while I went to sleep, and when I returned to the computer in the morning, the 'LLC packets' were still being produced, but the total traffic seen on the network was 100 MB.

    I was wondering what these 'LLC' packets are?

    The 'network list details' for my AP are as follows:

    Code:
    BSSID : 00:1D:68:EB:5F:EF  (which is confusing, because I thought my AP's MAC was 5F:EE, as printed on the underside of the AP)
    CLIENTS: 6
    ENCRYPT: TKIP WPA PSK AES-CCM CCMP (not sure why TKIP is here, I'm only using WPA2?)
    PACKETS: 750332
      DATA: 213845
      LLC: 322874 (usually 0)
      CRYPT: 213825
      WEAK: 46 (usually 0)
      DUPE IV: 145562 (usually 0)
    DATA: 122M
    In the Kismet 'client list' for my network, I see the MAC code of my AP (00:1D:68:EB:5F:EE, printed on the label of the AP), but I'm also seeing a similar MAC code (00:1D:68:EB:5F:EF). *EDIT: if I go into my AP config, it says 'Physical Address: 00:1D:68:EB:5F:EF'.*

    The 'client list' looks like this:

    Code:
    s FF:FF:FF:FF:FF:FF  data=0 crypt=0 size=0
    S 01:00:5E:7F:FF:FA data=0 crypt=0 size=0
    S 01:00:5E:00:00:16 data=0 crypt=0 size=0
    I 00:1D:68:EB:5F:EF data=18 crypt=0 size=2
    F 00:1D:68:EB:5F:EE data=108850 crypt=10885 size=109M
    It's confusing to me why there are 2 MAC codes which are so similar?

  2. #2
    Member | Join Date: Sep 2008 | Posts: 146

    Well, I've been trying to do a little research into this, and LLC stands for Logical Link Control. These packets handle multiplexing and are standard over most data protocols. Basically these guys manage the link between your AP and a client so that multiple streams of data can be moved quickly and efficiently over a single connection.

    So when data is created on your computer, different programs and protocols and whatnot all stream out their data in different formats. When this data needs to go through a bottleneck such as a network cable or Wi-Fi signal, it needs to be combined and translated into a single stream of data that can be understood by other NICs. The LLC packets make sure that everyone is talking the same language, that the rate of transmission isn't overwhelming the rate of reception, and that the data being sent is complete and not corrupted by packet loss. Once everything makes it across the bottleneck it can be separated into its individual streams again and processed.

    Now the LLCs come in two forms:

    (Type 1) "Unacknowledged connectionless mode": This is sort of a broadcast mode where the data has no specific connection; it is simply packed into a readable format and sent out to whoever can intercept it. The LLC makes sure that anyone can read the data with the proper hardware/software.

    (Type 2) "Connected mode": This is where the data is packed up and sent to a specific connected client (usually encrypted). The LLC makes sure that the data goes to its specific location and not to other places where it shouldn't, while still handling the multiplexing.

    Please understand that I am a complete newb and that this is simply my understanding of how it works, if I am wrong about this I would love a correction.

    For more information I'd advise checking out "The OSI model": http://en.wikipedia.org/wiki/OSI_model
    This is the real meat and potatoes of how data is transferred between computers.
    Morpheus: "You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes."

    Neo: "What if I take both?"

    Morpheus: "Don't do that! You end up like Nick Nolte!"
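As an added example (not code from the thread, from Kismet, or from the poster above), here is a Python decoder for the IEEE 802.2 LLC header that the reply describes. It separates the Type 1 service (unnumbered UI, XID and TEST frames) from the Type 2 service (numbered I and S frames and the U frames that set up and tear down a connection), and peels off the SNAP extension that Wi-Fi data frames use to carry an EtherType such as IPv4 or ARP. The sample frames are hand-built for illustration, not captured from anyone's network. One caveat from my own reading of the Kismet source of that period, not from the thread: the "LLC" column in Kismet's network details was driven by 802.11 management frames (beacons, probe requests and responses) rather than by 802.2 headers, so a rising LLC count on an idle AP is not evidence of Type 2 data traffic by itself.

```python
"""Decode IEEE 802.2 LLC headers and sort them into Type 1 / Type 2 service.

Added example, not code from the thread or from Kismet. Frame bytes below are
constructed by hand for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SNAP_SAP = 0xAA  # DSAP/SSAP value meaning "SNAP extension follows"

# Unnumbered (U) frame control values with the P/F bit (0x10) masked off.
U_COMMANDS = {
    0x03: "UI", 0xAF: "XID", 0xE3: "TEST",                 # Type 1 operations
    0x6F: "SABME", 0x43: "DISC", 0x63: "UA", 0x0F: "DM",   # Type 2 link set-up / tear-down
    0x87: "FRMR",
}
S_COMMANDS = {0: "RR", 1: "REJ", 2: "RNR"}  # supervisory frames, Type 2 only


@dataclass
class LLCHeader:
    dsap: int
    ssap: int
    frame: str            # "U", "I" or "S"
    command: str          # UI, XID, I, RR, ...
    llc_type: int         # 1 = unacknowledged connectionless, 2 = connection-oriented
    ns: Optional[int]     # send sequence number (I frames only)
    nr: Optional[int]     # receive sequence number (I and S frames)
    snap_oui: Optional[bytes] = None
    snap_protocol: Optional[int] = None   # EtherType when snap_oui is 00:00:00
    payload_offset: int = 0               # where the LLC payload starts


def decode_llc(data: bytes) -> LLCHeader:
    if len(data) < 3:
        raise ValueError("need at least DSAP, SSAP and one control byte")
    dsap, ssap, ctl0 = data[0], data[1], data[2]
    ns = nr = None
    snap_oui = snap_proto = None
    if ctl0 & 0x01 == 0:
        # Information frame: 2-byte control, bit 0 clear, N(S) in bits 1-7, N(R) in byte 2
        if len(data) < 4:
            raise ValueError("truncated I-frame control field")
        frame, command, llc_type = "I", "I", 2
        ns, nr = ctl0 >> 1, data[3] >> 1
        offset = 4
    elif ctl0 & 0x03 == 0x01:
        # Supervisory frame: 2-byte control, S bits in positions 2-3, N(R) in byte 2
        if len(data) < 4:
            raise ValueError("truncated S-frame control field")
        frame, llc_type = "S", 2
        command = S_COMMANDS.get((ctl0 >> 2) & 0x03, "unknown-S")
        nr = data[3] >> 1
        offset = 4
    else:
        # Unnumbered frame: 1-byte control. UI/XID/TEST are the Type 1 service;
        # SABME/UA/DISC/DM/FRMR manage a Type 2 connection.
        frame = "U"
        command = U_COMMANDS.get(ctl0 & 0xEF, "unknown-U")
        llc_type = 1 if command in ("UI", "XID", "TEST") else 2
        offset = 3
        if dsap == SNAP_SAP and ssap == SNAP_SAP and command == "UI" and len(data) >= 8:
            # SNAP: 3-byte OUI + 2-byte protocol id (an EtherType when the OUI is zero)
            snap_oui, snap_proto = data[3:6], int.from_bytes(data[6:8], "big")
            offset = 8
    return LLCHeader(dsap, ssap, frame, command, llc_type, ns, nr, snap_oui, snap_proto, offset)


def count_by_type(frames: List[bytes]) -> Dict[int, int]:
    """Tally how many of a capture's LLC PDUs used Type 1 versus Type 2 service."""
    counts = {1: 0, 2: 0}
    for f in frames:
        counts[decode_llc(f).llc_type] += 1
    return counts


# Constructed sample PDUs (hand-built, not captured from the poster's network).
SAMPLE_FRAMES = [
    bytes.fromhex("aaaa030000000800"),   # SNAP-encapsulated IPv4: the usual Wi-Fi data frame
    bytes.fromhex("aaaa030000000806"),   # SNAP-encapsulated ARP
    bytes.fromhex("4242030000"),         # 802.1D spanning-tree BPDU: DSAP/SSAP 0x42, UI
    bytes.fromhex("0404040a"),           # I-frame, N(S)=2, N(R)=5 (e.g. SNA over 802.2)
    bytes.fromhex("0404010a"),           # RR supervisory frame, N(R)=5
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(f.hex(), decode_llc(f))
    print(count_by_type(SAMPLE_FRAMES))
```

On a WPA-protected network the LLC header sits inside the encrypted payload of each 802.11 data frame, so a passive monitor only sees it for frames it can decrypt; the decoder above is meant for decrypted captures or for the unencrypted frames (BPDUs on the wired side, management-free probes) a sniffer does get to read.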

  3. #3
    Senior Member ShadowKill | Join Date: Dec 2007 | Posts: 908

    The Dupe IVs are what I'd be concerned with. Something young'uns like to do is fake a MAC that closely resembles an authorized MAC in an attempt to slip past an admin's attention. What you are looking at here is most likely a probe/attack of some sort on your WPA. Although, rethinking my own statement, IVs aren't necessary in WPA attacks....

    Okay, so I've come to the conclusion that I have no idea what is causing that traffic minus an 'evil-twin' attack which is, quite frankly, not likely.



    "The goal of every man should be to continue living even after he can no longer draw breath."

    ~ShadowKill

  4. #4
    Senior Member Thorn | Join Date: Jan 2010 | Location: The Green Dome | Posts: 1,509

    Quote Originally Posted by targus:
    its confusing to me why there are 2 MAC codes which are so similar?
    For the simple reason that APs have at least two MACs. There is a MAC for each physical Ethernet port. One is the MAC of the wireless side, and one is the MAC of the wired port. This is the way TCP/IP works at Layer 2 (Data Link Layer) of the OSI model.

    Both of these MACs are probably from your own AP.

    The numbers are similar, because of the way MACs work. The first six digits are assigned to the manufacturer of the electronics. In this case we can do a quick check of the OUI list of the IEEE, and find that the device was manufactured by:

    Thomson Telecom Belgium
    Prins Boudewijnlaan 47 B
    Edegem Antwerp B-2650
    BELGIUM

    Keep in mind this may not be the maker of the AP, but is the maker of the actual internal electronic devices used in the AP that are used to transmit and receive Ethernet traffic.

    The remaining 6 digits of the MAC are assigned by the manufacturer to the Ethernet ports in each device, and they tend to be sequential. In this case we have EB:5F:EF and EB:5F:EE, which makes sense, as EF follows EE in logical order.

    If you have a device with multiple ports such as a wireless router (e.g. WRT54g), then you have one for each port. In the case of a WRT54g, there would be 6 MACs: one for the wireless, one for the WAN port, and four MACs for the four switch ports.
    Thorn
    Stop the TSA now! Boycott the airlines.
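As an added example, not from the thread or from Thorn, here is a Python script that takes the client list exactly as posted in #1 and applies the explanation above: it splits each MAC into the OUI and the device part, flags broadcast and multicast addresses, and checks that the two unicast MACs share an OUI and differ by exactly one. It goes a little beyond the post for the two "S" entries: 01:00:5E:xx:xx:xx is the MAC form of an IPv4 multicast group (only the low 23 bits of the group address survive, so 32 groups map to each MAC), and the script lists those candidates, which include 239.255.255.250 (the SSDP group that media players and set-top boxes use for discovery) and 224.0.0.22 (IGMPv3 membership reports). The OUI table holds only the one vendor the thread resolves; a real check reads the IEEE OUI registry file instead.

```python
"""Classify the MAC addresses in a Kismet client list.

Added example, not code from the thread or from Kismet. CLIENT_LIST is a copy
of the lines posted in the thread; OUI_TABLE is a stub with the thread's one entry.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

CLIENT_LIST = """\
s FF:FF:FF:FF:FF:FF  data=0 crypt=0 size=0
S 01:00:5E:7F:FF:FA data=0 crypt=0 size=0
S 01:00:5E:00:00:16 data=0 crypt=0 size=0
I 00:1D:68:EB:5F:EF data=18 crypt=0 size=2
F 00:1D:68:EB:5F:EE data=108850 crypt=10885 size=109M
"""

# Stub: the one OUI the thread resolves. A real lookup parses the IEEE OUI registry.
OUI_TABLE = {"00:1D:68": "Thomson Telecom Belgium"}

IPV4_MCAST_PREFIX = 0x01005E  # 01:00:5E:xx:xx:xx carries the low 23 bits of an IPv4 group


@dataclass
class MacInfo:
    text: str
    value: int
    kind: str                         # broadcast / multicast / unicast
    oui: str                          # first three octets, vendor-assigned block
    vendor: Optional[str]
    locally_administered: bool        # bit 1 of the first octet: not a burned-in address
    ipv4_groups: List[str] = field(default_factory=list)


def parse_mac(text: str) -> int:
    octets = text.split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"bad MAC {text!r}")
    return int("".join(octets), 16)


def ipv4_groups_for_mac(value: int) -> List[str]:
    """All IPv4 multicast groups that map onto a 01:00:5E MAC (32 of them share it)."""
    if value >> 24 != IPV4_MCAST_PREFIX:
        return []
    low23 = value & 0x7FFFFF
    # 224.0.0.0/4 fixes the top 4 bits; bits 23-27 of the address are lost in the MAC
    return [str(ipaddress.IPv4Address(0xE0000000 | (k << 23) | low23)) for k in range(32)]


def describe_mac(text: str) -> MacInfo:
    value = parse_mac(text)
    first = value >> 40
    if value == 0xFFFFFFFFFFFF:
        kind = "broadcast"
    elif first & 0x01:          # I/G bit set: group address
        kind = "multicast"
    else:
        kind = "unicast"
    oui = ":".join(text.upper().split(":")[:3])
    return MacInfo(text=text.upper(), value=value, kind=kind, oui=oui,
                   vendor=OUI_TABLE.get(oui), locally_administered=bool(first & 0x02),
                   ipv4_groups=ipv4_groups_for_mac(value))


LINE_RE = re.compile(r"^\s*([A-Za-z])\s+([0-9A-Fa-f:]{17})\s+data=(\d+)\s+crypt=(\d+)\s+size=(\S+)")


def parse_client_list(text: str) -> List[dict]:
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flag, mac, data, crypt, size = m.groups()
        rows.append({"flag": flag, "mac": describe_mac(mac),
                     "data": int(data), "crypt": int(crypt), "size": size})
    return rows


def unicast_distance(a: str, b: str) -> int:
    """Numeric gap between two MACs; 1 means consecutive, as with an AP's two ports."""
    return abs(parse_mac(a) - parse_mac(b))


def same_vendor(a: str, b: str) -> bool:
    return describe_mac(a).oui == describe_mac(b).oui


if __name__ == "__main__":
    for row in parse_client_list(CLIENT_LIST):
        m = row["mac"]
        extra = f" groups incl. {m.ipv4_groups[0]} .. {m.ipv4_groups[-1]}" if m.ipv4_groups else ""
        print(f"{row['flag']} {m.text} {m.kind:9} OUI {m.oui} ({m.vendor or 'unknown'}){extra}")
    print("AP ports adjacent:", unicast_distance("00:1D:68:EB:5F:EF", "00:1D:68:EB:5F:EE") == 1)
```

The broadcast and multicast rows carry no data in the posted list, which fits discovery chatter (SSDP, IGMP) from wired devices behind the AP rather than a station of its own. The locally-administered bit is worth printing in a check like this because a burned-in address from a known OUI has it clear; both unicast MACs in the thread do.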

  5. #5
    Just burned his ISO | Join Date: Oct 2008 | Posts: 8

    Thanks guys, you've put my mind at ease somewhat.

    Revelati, thanks for that explanation of LLC packets. I tried googling it but didn't get much info. Thanks also for the link to the OSI model Wikipedia page too; I'm going to sit down and read that tomorrow.

    Thorn, thanks for your explanation of the 2 MAC codes. Now it makes sense.

    Also, there is an Ethernet cable running from the AP to a television & set-top box, so maybe those devices account for the (S) send-to MACs? I'll pull the plug on their power tomorrow and see.

  6. #6
    Just burned his ISO | Join Date: Oct 2008 | Posts: 8

    Just a quick update.

    It seems other networks close by are now starting to generate/receive large numbers of these LLC packets too, although there are a couple of networks that are not affected.
