
Analysing router logs

N/A

Analysing router logs

I have just changed from a modem to a router and am trying to work out what everything means. Below is a copy of my router's security log. I can see media up/ media down. Is that when the router loses synch? Also dial on demand? I thought it was supposed to keep a constant connection? Smurf? I thought they were little blue creatures :)

Any help analysing is appreciated.

Thanks

Mark


Log info edited out
12 REPLIES
N/A

Analysing router logs

Hmm, didn't get a response to the last, hopefully someone will be able to tell me if the following is a problem?

03/11/2006 15:05:48 **fragmentation flood** 212.58.224.52, 38492->> 192.168.2.2, 1368 (from ATM1 Inbound)
03/11/2006 15:05:46 **UDP Flood to Host** 212.58.224.52, 38492->> 192.168.2.2, 1368 (from ATM1 Inbound)

Mark
N/A

Analysing router logs

that is definitely a problem, something is flooding the ip and most routers if they detect the floods will end up blocking the transmissions

what router have you got

wireless or wired

routers can be set to dial on demand, and some are like this as default - if they get no comms for a while they will drop the connection, and will then reinstate once you want something again. this can be very annoying as when transferring files you can easily be booted. remove setting and should be ok

on wireless connections - ensure you set access to authorised mac keys only, also if constantly dropping without DoD then change broadcast channel.

ensure firewall and nat configured correctly.

like i said above pm if need any advice

regards
mike
N/A

Analysing router logs

Thanks for your reply Mike

It is a Belkin wireless router and it is firmly locked down. The router has its own firewall and I also use zone alarm, so there should be no danger of any harm coming to it. I had about 20 of these alarms in the space of about 30 seconds, what actually is it informing me about?

I'm not too worried about the dial on demand thing, I can live with that and I tend to power it down at night when I switch off the pc too. That said, it has been on since the 8th at the moment just so that I can try to make sense of some of the entries.

Mark
N/A

Analysing router logs

Hi didit,

From my networking & comms knowledge I think what your router is reporting is as follows:-

1) 03/11/2006 15:05:48 **fragmentation flood** 212.58.224.52, 38492->> 192.168.2.2, 1368 (from ATM1 Inbound)

ANS: I think this means that your router is receiving an extremely large, we are talking Tsunami like deluge of fragmented data packets. These are NOT whole data packets so it's probably scrambled or gabbled data. Or possibly the data is trying to be resent by the server but has been unsuccessful for some unknown reason/s. The packets have been sent from ATM1 and are incoming/inbound data, source of the data is shown as IP 212.58.224.52 on port 38,492. Received or sent to IP destination 192.168.2.2 (either your router or some internal IP of a PC or machine behind your router i.e. on your internal network?).

2) 03/11/2006 15:05:46 **UDP Flood to Host** 212.58.224.52, 38492->> 192.168.2.2, 1368 (from ATM1 Inbound).

ANS: It's basically a similar story to the above No.1 but this time it's telling you that the traffic is protocol specific i.e. UDP or User Datagram Protocol which is a connectionless type of broadcast traffic. i.e. x1 source or server sends out data via UDP to many possible listening machines that might be able to receive it. Also it's showing how it's trying to send the data this time to IP 192.168.2.2 and the final destination port is 1,368.

**IMO the router is overwhelmed by this traffic so what is important is how your router is handling this tsunami. Will it just block it? shut down and reset itself or something else? I've no idea as I don't know anything about that specific device. But have installed both wired & wireless routers and they're all slightly different as you'd expect. Don't know if any of that was helpful or not?

Ivan
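
An added example, not part of the original posts: a small parser for the alert-line layout quoted in this thread, grouping alerts by flow so you can see whether a burst comes from one source and port pair or from many. The day/month date order and the third sample line are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line layout as quoted in the thread:
#   date time **alert** src_ip, src_port->> dst_ip, dst_port (from IFACE Direction)
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \*\*(?P<alert>.+?)\*\* "
    r"(?P<src>[\d.]+), (?P<sport>\d+)->> (?P<dst>[\d.]+), (?P<dport>\d+) "
    r"\(from (?P<iface>\S+) (?P<direction>\w+)\)\.?$"
)

def parse_alert(line, date_format="%d/%m/%Y %H:%M:%S"):
    """Return the fields of one alert line as a dict, or None if it does not match.
    date_format is an assumption: the log does not say whether it is day/month."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], date_format)
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def summarise(lines):
    """Group alerts by flow (src, sport, dst, dport): count, alert names, time span."""
    flows = defaultdict(lambda: {"count": 0, "alerts": set(), "first": None, "last": None})
    for rec in filter(None, map(parse_alert, lines)):
        f = flows[(rec["src"], rec["sport"], rec["dst"], rec["dport"])]
        f["count"] += 1
        f["alerts"].add(rec["alert"])
        f["first"] = min(f["first"] or rec["ts"], rec["ts"])
        f["last"] = max(f["last"] or rec["ts"], rec["ts"])
    return dict(flows)

SAMPLE = [
    # the two entries quoted in the thread
    "03/11/2006 15:05:48 **fragmentation flood** 212.58.224.52, 38492->> 192.168.2.2, 1368 (from ATM1 Inbound)",
    "03/11/2006 15:05:46 **UDP Flood to Host** 212.58.224.52, 38492->> 192.168.2.2, 1368 (from ATM1 Inbound)",
    # constructed line (documentation address), not from the thread
    "03/11/2006 15:07:10 **UDP Flood to Host** 203.0.113.7, 5004->> 192.168.2.2, 2000 (from ATM1 Inbound)",
    "Log info edited out",  # non-alert text is skipped
]

if __name__ == "__main__":
    for flow, f in summarise(SAMPLE).items():
        span = (f["last"] - f["first"]).total_seconds()
        print(flow, f["count"], sorted(f["alerts"]), f"{span:.0f}s")
```

Both alert names landing on the same source, source port, destination and destination port within a couple of seconds means the router raised two alarms about one flow, not two separate events.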
N/A

Analysing router logs

PORT 1368 - Information
Port Number: 1368
TCP / UDP: UDP
Delivery: No
Protocol / Name: screencast
Port Description: ScreenCast
Virus / Trojan: No

are you running linux or windows on your machines, with the ScreenSharing Software which is called ScreenCast

look at http://www.infobot.org/factpacks/ports.fact for full list of ports

info regarding screencast
A screencast is a recording of computer screen output, usually containing audio narration typically published as a video file. However, the technology has existed for much longer. Screencasts are typically created to produce software and web application demonstrations. This was mostly done within corporations as a way to facilitate employee training. However, further interest has been sparked through the increased blogging trend, which has eased content publishing.
francoise-hardy
Grafter
Posts: 94
Registered: 30-07-2007

Analysing router logs

Hi Mark, Don't know if this helps

http://portal.f9.net.uk/central/forums/viewtopic.php?t=4487

I had lots of problems of udp flood to host on my 18 month old belkin wireless router. This cured it!
Regards, robinh
N/A

Analysing router logs

Thanks for the input everyone.

Woodviews: I am running XP. Have never heard of screenshare, but will look it up now. I am wondering if someone else has had this IP address at some time (I am BB+ and on dynamic) and used these services. A possibility as it hasn't happened again, yet!!

Cyteck: I think my router just blocks it and reports, it certainly hasn't restarted at any time.

robinh: That's a handy little screen to know about, wonder what else they have hidden away?

Mark
francoise-hardy
Grafter
Posts: 94
Registered: 30-07-2007

Analysing router logs

I also use this one for attenuation and sig/noise plus other stats.
http://192.168.2.1/adsl_status_main.stm

I am assuming all belkin use the same page addresses. These certainly work on my son's belkin, which is only about 1 year old.
robinh
N/A

Analysing router logs

That page is especially helpful. I wondered where I could get all of my stats from :)

Mark
francoise-hardy
Grafter
Posts: 94
Registered: 30-07-2007

Analysing router logs

Hi Mark, Just found more belkin info....
I only wish I could understand it all!
At this rate you'll soon be the belkin guru!
http://www.sat.dundee.ac.uk/~arb/belkinadsl/
robinh
N/A

Analysing router logs

Quote
At this rate you'll soon be the belkin guru!


LMAO :D :D :D I wish :) . Thanks again for your help. I'm going to have a good long look now.

Mark
N/A

Analysing router logs

The response from Auntie Beeb was:

Quote
That's one of our Real Media servers so you'll get a sustained high
packet rate if you're watching high bandwidth streams.

Why your firewall thinks that's an attack you'll have to take up with
the vendor. One guess is you're trying to run 1500 byte mtu over adsl
and it's being fragmented upstream


No- one in at the time the flood occurred. PC was switched off although router was still online. Curious!!!

Mark