Hello Brian,
Is the goal here to identify and get these packets stopped or is the
group softening their stance of accepting the receipt/response of MNDP
(MikroTik), Avahi (Linux)/Bonjour (Apple), LLDP (standard routing link
advertisements), CDP, etc?
--David
KI6ZHD
On 05/29/2017 01:12 PM, Brian Kantor wrote:
An interesting idea. I'm already capturing and storing those packets
in pcap files as part of the router error logging, under the heading of
'inner destination broadcast address'. I think it would be a relatively
simple thing to do to separate them out by the UDP port number.
However, there aren't all that many gateways sending them. (In the last
day, there have only been 8 hosts sending broadcast destination packets
to the UCSD gateway, and I don't know how many of them are sending to
port 5678.) I suppose that some sort of post-capture-analysis could
examine the already-generated error pcap files and separate those MNDP packets out and
put them into a separate file.
I don't know if it would be worth the effort to decode them into a text
file since they are already available for download.
What information is in them that might be of general interest?
- Brian
On Mon, May 29, 2017 at 09:41:29PM +0200, Rob Janssen wrote:
Maybe one of the interesting "things to do" would be to write a small daemon
that captures those UDP packets to 255.255.255.255 port 5678 (MNDP) and
stores the latest one received from each source. It would have to have access
to the outer IPIP header to do that.
Then, it could regularly dump the collected "latest packets" in a tabulated
text file with the fields that there are in these packets each in a column.
When you look in wireshark (which knows about this format) you see it is
quite easy to do.
This table would present an overview of the MikroTik routers in use, and could
help identify possible problems with the tunneling they do.
You could also stop handling them as an error condition.
How would such a daemon have to be written so it can run at the gateway?
Could it just do a pcap with the appropriate filter?
Rob
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
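
The post-capture analysis discussed in this thread, as an added sketch that is not code from any of the posters or from the gateway: it takes raw IPIP packets (already read out of a pcap), keeps the latest MNDP record per outer source, and decodes a few fields. Assumptions: the MNDP layout (4-byte header, then type/length/value records) and the TLV type numbers follow Wireshark's dissector as I understand it, and all addresses and values in `sample` are constructed.

```python
import socket, struct

MNDP_PORT = 5678
# TLV type numbers are an assumption taken from Wireshark's MNDP dissector,
# not something stated in the thread.
TLV_NAMES = {1: "mac", 5: "identity", 7: "version", 8: "platform", 12: "board"}

def ipv4(buf):
    """Return (proto, src, dst, payload) for an IPv4 packet, or None if malformed."""
    ihl = (buf[0] & 0x0F) * 4 if buf else 0
    if ihl < 20 or len(buf) < ihl or buf[0] >> 4 != 4:
        return None
    return buf[9], socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20]), buf[ihl:]

def parse_mndp(data):
    """Decode MNDP TLVs: 4-byte header, then (type, length, value) records."""
    fields, off = {}, 4
    while off + 4 <= len(data):
        typ, length = struct.unpack_from("!HH", data, off)
        val = data[off + 4:off + 4 + length]
        if len(val) < length:          # truncated TLV: stop rather than misparse
            break
        if typ in TLV_NAMES:
            fields[TLV_NAMES[typ]] = val.hex(":") if typ == 1 else val.decode("utf-8", "replace")
        off += 4 + length
    return fields

def collect(packets):
    """Keep the latest MNDP record per outer (tunnel endpoint) source address."""
    latest = {}
    for pkt in packets:
        outer = ipv4(pkt)
        if not outer or outer[0] != 4:              # IP protocol 4 = IPIP
            continue
        inner = ipv4(outer[3])
        if not inner or inner[0] != 17 or inner[2] != "255.255.255.255":
            continue
        udp = inner[3]
        if len(udp) < 8 or struct.unpack_from("!H", udp, 2)[0] != MNDP_PORT:
            continue
        latest[outer[1]] = dict(parse_mndp(udp[8:]), inner_src=inner[1])
    return latest

def sample(outer_src, identity):
    """Constructed IPIP packet carrying one MNDP broadcast (all values made up)."""
    tlv = lambda t, v: struct.pack("!HH", t, len(v)) + v
    hdr = lambda p, s, d, n: struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + n, 0, 0, 64, p, 0,
                                         socket.inet_aton(s), socket.inet_aton(d))
    mndp = b"\x00\x00\x00\x01" + tlv(1, bytes.fromhex("020000000001")) + tlv(5, identity) + tlv(7, b"6.39")
    udp = struct.pack("!HHHH", MNDP_PORT, MNDP_PORT, 8 + len(mndp), 0) + mndp
    inner = hdr(17, "44.128.0.10", "255.255.255.255", len(udp)) + udp
    return hdr(4, outer_src, "192.0.2.1", len(inner)) + inner
```

Keying on the outer IPIP source rather than the inner source is what ties each record to a specific gateway, which is the reason the thread notes the daemon needs access to the outer header.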