Curiosity: weird UDP requests from Android devices

Hi,

This is just a weird thing I noticed a few days ago. Do you guys have any clue about these Android behaviors?

The Mikrotik is behind a NAT (192.168.1.0/24), there are no clients there, just a gateway on 192.168.1.1
The devices are connecting to the Mikrotik on 192.168.20.0/24

I’m seeing some random UDP requests against random IP addresses on the upper NAT:

may/29 19:17:19 firewall,info forward: in:ether4-hotspot out:ether1-WAN, src-mac 10:08:b1:a0:b1:91, proto UDP, 192.168.20.19:15996->192.168.1.54:12936, len 132
may/29 19:17:19 firewall,info forward: in:ether4-hotspot out:ether1-WAN, src-mac 10:08:b1:a0:b1:91, proto UDP, 192.168.20.19:15996->192.168.1.54:12936, len 132
may/29 19:17:20 firewall,info forward: in:ether4-hotspot out:ether1-WAN, src-mac 10:08:b1:a0:b1:91, proto UDP, 192.168.20.19:15996->192.168.1.54:12936, len 132
may/29 19:17:20 firewall,info forward: in:ether4-hotspot out:ether1-WAN, src-mac 10:08:b1:a0:b1:91, proto UDP, 192.168.20.19:15996->192.168.1.54:12936, len 132
may/29 19:17:20 firewall,info forward: in:ether4-hotspot out:ether1-WAN, src-mac 10:08:b1:a0:b1:91, proto UDP, 192.168.20.19:15996->192.168.1.54:12936, len 132
Then it stops.

It’s a kind of mystery; there is nothing on 192.168.1.54, thus it does not really make sense.

¯_(ツ)_/¯

I can’t promise it is this case, but I know sometimes apps remember the IP of a device from a different network with the same subnet and continue sending packets to the same IP in desperate attempts to recover the connection. 192.168.1.0/24 is pretty common, so it may be the case.

For curiosity, I would first find out which device is doing the stuff (you have the src IP and MAC).
Also, I would run a packet sniffer to check what data it contains. However, this might be hard if the requests have stopped and you cannot replicate the situation.
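
One way to do the first step suggested above (find which device keeps sending to upstream addresses where no host exists), as an added example that is not from any poster in this thread. It parses firewall log lines in the format quoted in the first post; the subnet, gateway and first MAC come from the thread, while the extra sample lines and the function name `stray_flows` are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the log lines quoted in the thread.
# The last two lines (gateway DNS, documentation-range address) are made up
# to show what the filter ignores.
SAMPLE_LOG = """\
may/29 19:17:19 firewall,info forward: in:ether4-hotspot out:ether1-WAN, src-mac 10:08:b1:a0:b1:91, proto UDP, 192.168.20.19:15996->192.168.1.54:12936, len 132
may/29 19:17:20 firewall,info forward: in:ether4-hotspot out:ether1-WAN, src-mac 10:08:b1:a0:b1:91, proto UDP, 192.168.20.19:15996->192.168.1.54:12936, len 132
may/29 19:18:02 firewall,info forward: in:ether4-hotspot out:ether1-WAN, src-mac 10:08:b1:a0:b1:91, proto UDP, 192.168.20.19:40112->192.168.1.1:53, len 60
may/29 19:18:05 firewall,info forward: in:ether4-hotspot out:ether1-WAN, src-mac aa:bb:cc:00:00:01, proto UDP, 192.168.20.23:5353->203.0.113.10:53, len 71
"""

LINE_RE = re.compile(
    r"in:(?P<in_if>[^,\s]+) out:(?P<out_if>[^,\s]+), "
    r"src-mac (?P<mac>[0-9a-fA-F:]{17}), proto (?P<proto>\w+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), "
    r"len (?P<len>\d+)"
)


def stray_flows(log_text, upstream="192.168.1.0/24", known_hosts=("192.168.1.1",)):
    """Count UDP flows aimed at upstream-LAN addresses that are not known hosts.

    Returns a Counter keyed by (src_mac, src_ip, dst_ip, dst_port).
    """
    net = ipaddress.ip_network(upstream)
    known = {ipaddress.ip_address(h) for h in known_hosts}
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "UDP":
            continue  # not a forward-chain UDP log line in the expected format
        dst = ipaddress.ip_address(m["dst"])
        # Inside the upstream subnet, but nothing is supposed to live there.
        if dst in net and dst not in known:
            hits[(m["mac"].lower(), m["src"], m["dst"], int(m["dport"]))] += 1
    return hits


if __name__ == "__main__":
    for (mac, src, dst, dport), n in stray_flows(SAMPLE_LOG).most_common():
        print(f"{mac} {src} -> {dst}:{dport}/udp  x{n}")
```

A device that keeps reappearing with the same destination IP and port across days fits the "remembered address from another network" explanation; the MAC then tells you which device to capture traffic from.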