
Router system log explanation


Anthony5


Can anyone explain what the following line in my router system log means? I have loads of those lines in my log, something like every few seconds. The router is an Asus DSL-AC52U

 

[warining] kernel: DROP IN=ppp0 OUT= MAC= SRC=95.90.213.91 DST=180.183.5.248 LEN=129 TOS=0x00 PREC=0x00 TTL=46 ID=58998 DF PROTO=UDP SPT=47733 DPT=6881 LEN=109  2016-09-09 11:20:23

 

Someone in another thread suggested it was a port scan, but I have now connected an old Netgear router, which also logs DoS attacks and port scans, and there are none of those lines in that log.


Every router has its own log protocol. Different models may not present the same level of detail, in the same format.

 

You'll need to search the interwebs for detail on the exact make/model; look in networking forums. Or contact the manufacturer, and ask them.

 

Whatever you do, try to supply as much information as possible.

 


16 minutes ago, mtls2005 said:

Every router has its own log protocol. Different models may not present the same level of detail, in the same format.

 

You'll need to search the interwebs for detail on the exact make/model; look in networking forums. Or contact the manufacturer, and ask them.

 

Whatever you do, try to supply as much information as possible.

 

 

Thanks for the suggestion to contact the manufacturer, but have you ever contacted Asus?

 

I did a few times in the past few years, Asus Global or Asus Singapore, they just close the ticket without answering.


A packet was dropped that came to the ppp0 device 180.183.5.248 (seems to be your dynamically assigned 3BB dsl IP) from 95.90.213.91 (some random home computer in Germany?). The packet arrived on UDP port 6881.

 

Just looked up port 6881 and it is apparently a port commonly used by utorrent. So might be your machine running a torrent application or if not, the last 3BB subscriber assigned that address.

 

As mtls2005 says, the other router that you connected probably doesn't log dropped packets.

 

Since you have a public IP address, don't worry. It is just your firewall doing its job. You might as well switch off logging for dropped packets unless you are trying to diagnose something. It is just consuming resources on your router.


34 minutes ago, thedemon said:

the last 3BB subscriber assigned that address.

 

Thanks for the explanation.

 

I don't run torrents ever, but what do you mean by the last 3BB subscriber?

 

This is a new connection, my private modem router, so can you please explain how another 3BB subscriber can have any influence in this?

 

As I say those warnings come from IP addresses all over the world, when a package dropped, I assume that translates to a package dropped from a port scan. Is that correct?

 

So since the other router logs port scans, wouldn't it list those IP addresses in the log?

 

As for your answer in the other thread, suggesting a 5 port Gigabit switch, would that fix my problem with the LAN drop outs or should I give a router replacement a try first?

 

If one router has a conflict with a specific switch does that mean that all routers of that type number will have the issue with that switch?

 

 


I was just guessing that it was related to a torrent application since that otherwise random port number is often used by utorrent but it was only a guess.

 

Each time you make a PPPoE connection to your ISP they dynamically assign you an IP address and generally that IP address changes each time you reconnect. Those dynamic IP addresses are recycled and then assigned to other subscribers. My theory (wild guess) was that the last subscriber using that IP address was running torrents so that IP address could be known by hundreds of machines around the world that were peering with it. If one of those machines attempts to reconnect to that dynamic IP address (which has subsequently been assigned to you) then your router won't recognize the packet so will drop (or reject) it.

 

But yes, maybe the dropped packet was the result of a port scan. I don't know.

 

I'm not sure whether consumer grade routers are able to determine whether an unsolicited packet is the result of a port scan or not. Certainly more advanced firewalls can but that is over my head.

 

It is just the nature of the internet that when there are billions of devices sending out trillions of packets, some go to the wrong place whether that is malicious or not. I have been bamboozled by those logs myself in the past and decided that it is futile trying to trace them all. If my router's firewall is rejecting those packets then no need to know.

 

Regarding the router/switch issue, since you already know that swapping the switch does solve the time-out problem then in my opinion it is a pretty safe bet that a different switch will also play nicely with the ASUS router. In any case for the sake of a few hundred Baht, since both the router and your PC are gigabit capable, why not put a gigabit switch in between them?

 

 

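Added example, not part of any post in this thread: a short Python sketch that parses drop lines in the format quoted in the first post and groups them the two ways the replies above discuss, by source (one address hitting many ports looks like a scan) and by destination port (many addresses hitting one port fits the recycled-IP torrent theory). The thresholds, function names and all sample lines except the first are constructed for illustration.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_drop(line):
    """Return the KEY=value fields of a netfilter-style DROP line, or None."""
    if "DROP IN=" not in line:
        return None
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # LEN appears twice: keep the IP-level one
    return fields

def summarize(lines, scan_ports=10, many_sources=3):
    """Group drops by source and by destination port.

    The thresholds are assumptions for illustration, not router defaults.
    """
    ports_by_src = defaultdict(set)
    srcs_by_port = defaultdict(set)
    for line in lines:
        f = parse_drop(line)
        if not f or "DPT" not in f:  # e.g. ICMP drops carry no port fields
            continue
        port = (f.get("PROTO", "?"), int(f["DPT"]))
        ports_by_src[f["SRC"]].add(port)
        srcs_by_port[port].add(f["SRC"])
    return {
        # one source probing many ports: consistent with a port scan
        "scan_like": {s: len(p) for s, p in ports_by_src.items() if len(p) >= scan_ports},
        # many sources hitting one port: consistent with stale peers or background noise
        "busy_ports": {p: len(s) for p, s in srcs_by_port.items() if len(s) >= many_sources},
    }

# First line is the one quoted in the thread; the rest are constructed samples
# (documentation address ranges) in the same format.
TEMPLATE = "kernel: DROP IN=ppp0 OUT= MAC= SRC={src} DST=180.183.5.248 LEN=60 TTL=50 ID=1 PROTO={proto} SPT=40000 DPT={dpt}"
SAMPLE = [
    "[warining] kernel: DROP IN=ppp0 OUT= MAC= SRC=95.90.213.91 DST=180.183.5.248 LEN=129 TOS=0x00 "
    "PREC=0x00 TTL=46 ID=58998 DF PROTO=UDP SPT=47733 DPT=6881 LEN=109  2016-09-09 11:20:23",
    TEMPLATE.format(src="198.51.100.7", proto="UDP", dpt=6881),
    TEMPLATE.format(src="198.51.100.8", proto="UDP", dpt=6881),
] + [TEMPLATE.format(src="203.0.113.9", proto="TCP", dpt=p) for p in range(20, 32)]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On a real log, a single source in `scan_like` is worth a look, while a long tail of unrelated sources on one port such as UDP 6881 is what the recycled-address explanation would predict.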

8 minutes ago, thedemon said:

I was just guessing that it was related to a torrent application since that otherwise random port number is often used by utorrent but it was only a guess.

 

Each time you make a PPPoE connection to your ISP they dynamically assign you an IP address and generally that IP address changes each time you reconnect. Those dynamic IP addresses are recycled and then assigned to other subscribers. My theory (wild guess) was that the last subscriber using that IP address was running torrents so that IP address could be known by hundreds of machines around the world that were peering with it. If one of those machines attempts to reconnect to that dynamic IP address (which has subsequently been assigned to you) then your router won't recognize the packet so will drop (or reject) it.

 

But yes, maybe the dropped packet was the result of a port scan. I don't know.

 

I'm not sure whether consumer grade routers are able to determine whether an unsolicited packet is the result of a port scan or not. Certainly more advanced firewalls can but that is over my head.

 

It is just the nature of the internet that when there are billions of devices sending out trillions of packets, some go to the wrong place whether that is malicious or not. I have been bamboozled by those logs myself in the past and decided that it is futile trying to trace them all. If my router's firewall is rejecting those packets then no need to know.

 

Regarding the router/switch issue, since you already know that swapping the switch does solve the time-out problem then in my opinion it is a pretty safe bet that a different switch will also play nicely with the ASUS router. In any case for the sake of a few hundred Baht, since both the router and your PC are gigabit capable, why not put a gigabit switch in between them?

 

 

 

 

The reason I never considered a Gigabit switch is because I have no source on my network that can generate a data stream higher than 100Mb. My internet is 15 Mb at best, a full HD Blu-ray movie from a personal server takes about 10Mb to stream at most. But I agree that if it solves my problem for a few hundred Baht it should be considered.

 

JIB has an 8-port TP-Link switch for 850 Baht, so will get one soon.

 

I have also been reading about switch and hub, and don't get the difference, as I think they are the same actually.

 

I notice from the image that Mtls2005 posted that one uses a straight cable while the other uses a crossover cable to connect to each other.

 

So I assume that if I buy a gigabit switch I will need a crossover cable to connect it to my other switch. Is that correct?

 

Now, is there a chance that a crossover cable from my router to my current switch solves my issue?

 

My router has an E-wan port, but I have no idea what that is used for since the manual is a total of 2 small pages which says how to plug the router into the power socket. Is that e-WAN useful to connect to my switch?
