Netonix Forums

Hello
Does anyone know why I'm starting to get some devices (CPE's) standing and use data without the user is on the unit.
And the when I turn WDS off from the CPE side and leave it enabled on the AP side, it falls to normal again.
Hope someone can shine som light on it


PLEASE READ DOWN THROUGH THIS THREAD FOR A TOOL TO HELP FIGURE THIS OUT!!! - SIRHC

Hej Morten!

WDS preserves the MAC, so it's a layer2 link. non-WDS does not. Basically, the WDS will pass data that non-WDS just ignores or drops. I doubt this is the radio link, but probably something doing layer2 discovery.

Hello Rebelwireless
thanks for your answer.
Just think that it is crazy that a device that is not being used can use up to 1.5 Mbps on doing nothing, and when I turn off WDS on the CPE side it falls to 30-50 kbit.
what would you do , just turn WDS off from the CPE side or just leave it and let it use data.

Mola9850 wrote:what would you do , just turn WDS off from the CPE side or just leave it and let it use data.

I would keep WDS on and figure out the source of that traffic. You can plug into the radio with a laptop and capture packets with wireshark. Then you can see whats going on.

How do you know the device is not being used?

Could be a virus, update, some kind of network share.

ok I'll try to take the data out whit wireshark
ty .
I know it is not use, i have to talk to the customer and can also see that the data output has changed, after i turn off WDS from the customer devices.
I don't hope it is a virus

Outline for our MIRROR port to IP which is a NEW feature we are developing in v1.3.0
1) These packets should be separate from other normal packets the switch is getting from the core including the following:
BPDU
RSTP
LOOP Protection
UI / CLI packets - DO NOT WANT THE CLI TO BECOME UNRESPONSIVE.
This stream should be limited as is at 1K pps to protect the CPU from loops or packet storms.
2) The other stream containing the MIRRORED packets should be limited by CPU ability meaning it should allow as many packets per second as it can up until the CPU becomes too loaded, say 90% utilization. When the CPU gets to 90% utilization it limits the pipe for the MIRROR.

3) Being able to then filter that MIRRORED stream based on IP or maybe even MAC - THAT WOULD BE FANTASTIC

Example of use:
A WISP sees weird behavior on a port feeding an AP that services 30+ customers so they mirror that port to their computer running WireShark to capture the stream (Yes Wireshark supports this)

The WISP then looks through the garbage looking for something of interest to a specific customer IP so they stop the MIRROR and then add an IP or MAC Filter and restart the MIRROR. Now they am able to determine that the customer is running a bittorrent, or maybe they must have a worm or something of that nature. Or in this case figure out what this strange amount of data is.

Being a WISP for 16 years I can tell you that this feature would be invaluable.

Another thing that would make this feature fast and convent is to mirror the packets to a window on the MIRROR tab negating the need for Wireshark for quick and dirty peaks without all the advanced features Wireshark provides to sort the data.

This is a PRIME EXAMPLE of where this function would be AWESOME.

If people think this feature is a great idea please comment in this thread.

mhoppes wrote:How do you know the device is not being used?

Could be a virus, update, some kind of network share.

I could be a router/other network device infected with something. Looks like DDoS or similar....

have tried to capture some data from one of the devices, but do not know if I'm doing it right or what to look for

any one??