NBG334W - Odd behavior with logging
Gork @ 26th Sep 11:40AM:
NBG334W - Odd behavior with logging
I have two computers hooked up through the nbg334w, I'll call them computer A and computer B. I recently installed a syslog program on computer B and enabled Syslog Logging on the nbg334w. I inputted the URL of computer B into the router, and since I'm not sure what the "Log Facility" setting is all about, I left it at the default "Local 1." I enabled the logging of System Maintenance, System Errors, Access Control, CDR and PPP. I verified that the syslog program on computer B was in fact receiving and logging information from the router.
A few days later I noticed a bunch of network activity on computer A. When I checked the ports on the computer I had 30+ ports being accessed one at a time from the URL of the router. I didn't start up the packet sniffer or anything, but disabled Syslog Logging in the router and the traffic ceased.
Is anyone aware of an explanation for this behavior?
nwrickert @ 26th Sep 12:11PM:
Re: NBG334W - Odd behavior with logging
I'm not quite clear on what you did there.
I am using syslog on my linux box to log the NBG334W. I entered the IP address of my linux box into the NBG334W settings. I'm not sure where you would enter a URL for that (or perhaps you just meant an IP address).
I am currently logging System maintenance, System Errors, CDR, PPP and Wireless. The first 4 of those are the defaults. I am not seeing many log messages, but perhaps you get more if you turn on Access Control logging (as you apparently did).
The "Log Facility" is just part of the syslog specification. From the point of view of the NBG334W, it is just a flag it sets in its log packets. The syslog server uses it to sort the log messages and decide which file to log them to.
Each log message is normally sent as a udp packet to port 514. It is possible that the router uses a different router port number for each packet it sends. If what you are seeing is all udp packets to port 514 on computer A, then I would not be concerned about it.
If you were seeing something else, then more information would be useful.
--
AT&T dsl; Speedstream 5100b modem; Zyxel NBG334W router; openSuSE 11.0; firefox 3.0.14
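An added example, not part of any post in this thread: a small triage of captured packets that decodes the syslog `<PRI>` field (facility × 8 + severity, so "Local 1" is facility 17) and separates syslog datagrams on UDP 514 that reach the configured collector from those that reach another host and from non-syslog traffic. All addresses, ports and message texts are constructed sample data, and the tuple layout is an assumption of this example.

```python
import re
from collections import Counter

FACILITIES = {16 + n: f"local{n}" for n in range(8)}  # local0..local7 in the syslog spec
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(payload):
    """Return (facility, severity) from a syslog payload, or None without a valid <PRI>."""
    m = PRI_RE.match(payload)
    if not m or int(m.group(1)) > 191:  # 23*8+7 is the largest defined value
        return None
    return divmod(int(m.group(1)), 8)

def triage(packets, router, collector):
    """Bucket packets sent by the router: expected syslog, misdirected syslog, other."""
    buckets, facilities, src_ports = Counter(), Counter(), set()
    for proto, src, sport, dst, dport, payload in packets:
        if src != router:
            continue
        pri = decode_pri(payload) if (proto == "udp" and dport == 514) else None
        if pri is None:
            buckets[f"other {proto}/{dport} -> {dst}"] += 1
            continue
        facilities[FACILITIES.get(pri[0], str(pri[0]))] += 1
        src_ports.add(sport)  # the router may use a new source port per message
        if dst == collector:
            buckets["syslog to collector"] += 1
        else:
            buckets[f"syslog misdirected -> {dst}"] += 1
    return buckets, facilities, len(src_ports)

# Constructed sample capture (hypothetical LAN addresses, not taken from the thread).
ROUTER, COMPUTER_A, COMPUTER_B = "192.168.1.1", "192.168.1.33", "192.168.1.34"
SAMPLE = [
    ("udp", ROUTER, 1025, COMPUTER_B, 514, b"<142>router: access control event"),
    ("udp", ROUTER, 1026, COMPUTER_B, 514, b"<142>router: access control event"),
    ("udp", ROUTER, 1027, COMPUTER_A, 514, b"<139>router: system error"),
    ("udp", ROUTER, 53, COMPUTER_A, 33012, b"\x12\x34dns-response"),
    ("tcp", ROUTER, 80, COMPUTER_A, 49152, b"HTTP/1.1 200 OK"),
]

if __name__ == "__main__":
    buckets, facilities, ports = triage(SAMPLE, ROUTER, COMPUTER_B)
    for kind, count in buckets.items():
        print(f"{count:3d}  {kind}")
    print("facilities:", dict(facilities), "| distinct syslog source ports:", ports)
```

Anything in a "misdirected" or "other" bucket is what would need a closer look with a packet capture; syslog to the collector from changing source ports is the expected pattern.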
Gork @ 26th Sep 05:06PM:
Re: NBG334W - Odd behavior with logging
IP address, yes, not URL. /sigh
I didn't look closely enough at the information being sent to computer A, but if I have the router set up to send syslog messages to computer B, should computer A be receiving anything?
Thank you muchly, btw, for the explanation of "log facility," Google didn't help me much to figure this one out.
nwrickert @ 26th Sep 05:29PM:
Re: NBG334W - Odd behavior with logging
If computer A is configured to use the NBG334W as its DNS server, then it would be getting DNS query responses.
If you are recognizing the packet source with ethernet addresses, then computer A would be getting all of its internet traffic from the router. If you are recognizing by IP address, then it would not have the router source IP there.
If computer A has just booted, then it would be getting its DHCP lease (the LAN IP address) from the router. I am seeing DHCP lease renewals around every 36 hours for LAN systems, and this involves packets from the router. I think the lease time is 3 days, and Windows boxes renew the lease after it has used 50% of the lease time.
Computer A could be pinging the router, and would get response packets from that. Or it could be running a routing daemon, and getting RIP (routing information protocol) packets. If computer A tries to connect to an unreachable network, it could be getting some "network unreachable" icmp packets from your router.
--
AT&T dsl; Speedstream 5100b modem; Zyxel NBG334W router; openSuSE 11.0; firefox 3.0.14
Gork @ 29th Sep 05:57PM:
Re: NBG334W - Odd behavior with logging
Thanks. Thing is, though, it wasn't just normal traffic. Computer A was being BOMBARDED with traffic from the IP address of the router, to the tune of 30+ connections being opened fast enough the old connections weren't able to drop off. This was going on for 10 mins while I sat watching, and ceased immediately when I disabled logging in the router.
Unless I'm misunderstanding you (which is possible, I'm WAY LOW on the totem pole here), what you're referring to is normal traffic which occurs on a daily basis.
nwrickert @ 29th Sep 06:06PM:
Re: NBG334W - Odd behavior with logging
Without more information on what those packets were, it's pretty hard to know what was going on.
I have turned on Access control logging for my NBG334W, to see if that causes any problems. I don't expect it will, but if I see anything unusual I'll add a comment about that.
--
AT&T dsl; Speedstream 5100b modem; Zyxel NBG334W router; openSuSE 11.0; firefox 3.0.14
Gork @ 29th Sep 06:22PM:
Re: NBG334W - Odd behavior with logging
Well, thanks for checking it out. It sounds like it might just be another "oddity" with the unit. Nothing I can't live with, but somewhat aggravating.