
View the full version : Traffic with all PC's off



coolzero
23-08-2004, 21:24
Hi.

My WL-500g continues to make traffic from the WAN when I have all PCs shut down and no wireless devices.

In Portugal we only have 1gb of international download and the router generates about 150mb per day.

Can anyone help?

Thanks in advance

zone
27-08-2004, 00:55
Someone's probably stealing bandwidth with a wireless connection to your router; activate WEP on it and deactivate SSID broadcast.

Have you considered that you probably have someone accessing your wireless network and stealing your internet traffic? :rolleyes:
Turn WEP on; the router doesn't generate any traffic by itself...

Regards

Edit: In English please next time :rolleyes:

coolzero
27-08-2004, 09:28
That occurred to me.

I have WEP and SSID block and the router has just been installed...
How could someone guess that I have a wireless router?

I don't use Windows so it's difficult to have any adware installed, and when the PC is off those programs shouldn't work...

But why do I see my Activity light on the modem flashing and the WAN LED of the router flashing too?

WlanMan
27-08-2004, 09:49
Hmm

Could it be inbound traffic from the internet? Filesharing systems create quite a high "blind" load on dynamic IP connections because someone before you had this IP and it's still in the cache of the others. But this should end some hours after you got the IP.

I think you should look inside the data with tcpdump or some other tool, but I can't tell you more on how to use it with the Asus because of the firewall.

Styno
27-08-2004, 10:17
You can log all incoming connections with:


iptables -I INPUT -d [your WAN ip address] -i "$1" -j LOG


(Don't know exactly if this command is correct, but it's in the right direction)

It logs all incoming connections to your syslog. The custom firmware 1.7.5.9 CR5 rotates this logfile so it won't consume all your RAM.

When I tried this a few days ago, I discovered that dozens of connections are incoming every second...

zone
27-08-2004, 17:42
But 150mb per day?? :eek:
I just went on vacation and left the router and cable modem on, and in the provider's traffic logs there was no record of activity, and I often use P2P.
Did you change your admin password also?

Styno
27-08-2004, 20:43
But 150mb per day?? :eek:
Don't know, I don't have traffic counters on because I don't have traffic constraints from my ISP :). But 150 Mb/day sounds like a lot of traffic.


I just went on vacation and left the router and cable modem on, and in the provider's traffic logs there was no record of activity
Hmm, if they don't have any traffic in their logs, how can they say you use 150Mb/day?


and I often use P2P.
Like WlanMan said: P2P attracts a lot of connections to your computer.

Did you change your admin password also?
Yes, I changed the admin username AND admin password AND I'm using SSL telnet on the WAN side.

zone
27-08-2004, 21:17
What I'm saying is that coolzero probably checked his logs and there was traffic activity; in my logs there is no activity.

http://wl500g.info/attachment.php?attachmentid=117&stc=1

You can see the days without traffic. The rest of the days is eMule :D

Regards.

coolzero
13-09-2004, 20:32
Sep 13 20:27:33 user.warn klogd: ALERTIN=eth1 OUT= MAC=00:0e:a6:9f:06:64:00:04:28:26:6c:a8:08:00 SRC=81.84.235.239 DST=81.84.47.52 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=14132 DF PROTO=TCP SPT=2622 DPT=4662 WINDOW=64240 RES=0x00 SYN URGP=0
Sep 13 20:27:34 user.warn klogd: ALERTIN=eth1 OUT= MAC=00:0e:a6:9f:06:64:00:04:28:26:6c:a8:08:00 SRC=81.193.159.206 DST=81.84.47.52 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=43135 DF PROTO=TCP SPT=2780 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 13 20:27:36 user.warn klogd: ALERTIN=eth1 OUT= MAC=00:0e:a6:9f:06:64:00:04:28:26:6c:a8:08:00 SRC=81.84.28.106 DST=81.84.47.52 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=37280 DF PROTO=TCP SPT=1208 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 13 20:27:37 user.warn klogd: ALERTIN=eth1 OUT= MAC=00:0e:a6:9f:06:64:00:04:28:26:6c:a8:08:00 SRC=213.78.59.127 DST=81.84.47.52 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=41545 DF PROTO=TCP SPT=1601 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 13 20:27:39 user.warn klogd: ALERTIN=eth1 OUT= MAC=00:0e:a6:9f:06:64:00:04:28:26:6c:a8:08:00 SRC=83.37.121.56 DST=81.84.47.52 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=54964 DF PROTO=TCP SPT=4197 DPT=445 WINDOW=59584 RES=0x00 SYN URGP=0


There's an extract of my System Log of the WL-500g...

I have no idea where those source IPs are from...
My IP has been the same for a long time... and it should be dynamic :(

Help

coolzero
13-09-2004, 20:48
Another weird thing!


When I connect the modem directly to the network card I always get a different IP but when I connect it to the router I always get the same...

Is there any way that two PCs share the same IP? So that the packets that are sent to the other would be stolen by me.

Help

Styno
14-09-2004, 08:33
The connections remain because there are computers trying to connect to ports 4662 and 445.

4662 is a port for the eMule/eDonkey network. If you run such a P2P client, there will be incoming connections for hours after you've closed your client. This behaviour is normal for P2P networks.

445 is a port used for NETBIOS over TCP/IP which you should always disable on your WAN side because it's a MAJOR security risk. Even if you have disabled this, there are a lot of virus infected computers trying to connect to this port on random IP addresses. There is nothing you can do about these incoming connections. Your NAT conversion or your firewall will drop these incoming connections.

I have no idea why the Asus router always gets the same IP and your PC gets different IP addresses, but changing your IP could solve some of the problems (the eMule traffic most likely). You can also ask your ISP what traffic will be counted.
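
An added example, not part of any post in this thread: one way to turn the kind of syslog extract posted above into a per-port tally, so you can see which destination ports the unsolicited packets target and roughly how many bytes per day they add up to. The sample lines are constructed in the same klogd / iptables LOG format (trimmed, with documentation addresses), and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the klogd / iptables LOG format; documentation addresses.
SAMPLE_LOG = """\
Sep 13 20:27:33 user.warn klogd: ALERTIN=eth1 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=2622 DPT=4662 SYN URGP=0
Sep 13 20:27:34 user.warn klogd: ALERTIN=eth1 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=2780 DPT=4662 SYN URGP=0
Sep 13 20:27:36 user.warn klogd: ALERTIN=eth1 OUT= SRC=192.0.2.12 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=1208 DPT=445 SYN URGP=0
Sep 13 20:27:37 user.warn klogd: ALERTIN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=1601 DPT=445 SYN URGP=0
Sep 13 20:27:39 user.warn klogd: ALERTIN=eth1 OUT= SRC=203.0.113.8 DST=198.51.100.5 LEN=52 PROTO=TCP SPT=4197 DPT=445 SYN URGP=0
"""

FIELD = re.compile(r"([A-Z]+)=(\S*)")

def parse_line(line):
    """Parse one LOG line into a dict, or return None for unrelated syslog lines."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # UDP lines repeat LEN=; the first is the IP length
    if "SRC" not in fields or "LEN" not in fields:
        return None
    flags = {tok for tok in line.split() if tok in ("SYN", "ACK", "FIN", "RST")}
    return {
        "time": datetime.strptime(line[:15], "%b %d %H:%M:%S"),
        "src": fields["SRC"],
        "port": (fields.get("PROTO", "?"), int(fields.get("DPT", 0))),
        "length": int(fields["LEN"]),
        "bare_syn": flags == {"SYN"},  # SYN without ACK: a new inbound connection attempt
    }

def summarize(text):
    """Return (per-port stats, logged IP bytes extrapolated to one day)."""
    packets = [p for p in map(parse_line, text.splitlines()) if p]
    if not packets:
        return {}, 0.0
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set(), "bare_syn": 0})
    for p in packets:
        entry = stats[p["port"]]
        entry["packets"] += 1
        entry["bytes"] += p["length"]
        entry["sources"].add(p["src"])
        entry["bare_syn"] += p["bare_syn"]
    span = (packets[-1]["time"] - packets[0]["time"]).total_seconds() or 1.0
    return dict(stats), sum(p["length"] for p in packets) * 86400 / span

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

LEN is the IP packet length, so the daily figure excludes link-layer framing and only covers packets the LOG rule matched; a longer log window gives a more meaningful extrapolation than a few seconds.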

coolzero
14-09-2004, 08:42
Yes, I use aMule but I'm connected to national servers, so all traffic should be national, right?

Today I'm testing not making any traffic and tomorrow I'll check the traffic counter.

Where do I deactivate the NETBIOS?

Thanks

Styno
14-09-2004, 08:49
Yes, I use aMule but I'm connected to national servers, so all traffic should be national, right?
No, that's not true. All your requests will be handled by the server you are connected to, but anyone in the world can download your files and you can download files from all over the world.

Today I'm testing not making any traffic and tomorrow I'll check the traffic counter.
That should prove it all right.

Where do I deactivate the NETBIOS?
When using Windows 2000 or XP it's in the Internet Protocol settings of your LAN connection.

coolzero
14-09-2004, 08:54
When using Windows 2000 or XP it's in the Internet Protocol settings of your LAN connection.

Ah, all right! I think that was on the router...
I'm using Linux but I know how to deactivate the protocol..

Thanks a lot

andru123
01-03-2005, 22:47
You can log all incoming connections with:


iptables -I INPUT -d [your WAN ip address] -i "$1" -j LOG


Could you please say how to enter the command and maybe what are the other options for logging?

I have noticed a lot of traffic too, recently - it even led to frequent crashes.

Found how to enter the command via admin page. :) check!
entering the command...

Styno
02-03-2005, 09:33
Could you please say how to enter the command and maybe what are the other options for logging?

found how to enter the command via admin page. :)
Try using telnet if you have a custom firmware, that works more easily.

jago25_98
21-07-2005, 19:43
iftop, nettop or ntop would be a great quick way to find out. I need it now too.


What is the easiest way to find why my ping to yahoo is 1000ms?