Page 1 of 1

eth. protocol 8864 (pppoe) hitting physical interface

Posted: Tue Nov 06, 2012 12:25 am
by geebs
Hello,

We run a large wireless network which connects back to an rb1200 terminating pppoe sessions.
Basically all clients have a router (in many cases a mikrotik routerboard), and they connect via pppoe.
Radios connect to ETH1 and then we run pppoe interface on that, this is standard across the board.
Radios used are pretty much the default settings, they range from Ubiquitis, Skypilots and Motorolas.

Recently, we've noticed some strange large continuous traffic spikes being broadcast around the network, hitting certain parts of the wireless network, not isolated to any particular parts, just random.
These traffic spikes saturate the client links but they do not hit the pppoe client interface, they hit the physical interface only.
I'm scratching my head on this one, I'm sure it's something simple I've missed, I'd appreciate if anyone could give me some clues as to what this can be.

Attached is a screen shot of a client affected router, you can see that traffic hitting the physical connected interface ETH1, but not the pppoe interface.
Capture.GIF
thanks.

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Sat Mar 02, 2013 5:02 am
by boardman
Does anybody found an answer to this issue? We are experiencing exactly the same...

Regards

J. Boardman

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Sat Mar 02, 2013 6:59 pm
by boardman
Anyone?

Regards

J. Boardman

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Sat Mar 02, 2013 7:09 pm
by CelticComms
Can you grab some of the traffic to a pcap file?

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Sat Mar 02, 2013 7:43 pm
by boardman
It's going to be complicated but I'll try.

JB

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Sat Mar 02, 2013 7:54 pm
by Chupaka
complicated? just run Packet Sniffer on necessary interface with saving to file :)

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Sat Mar 02, 2013 8:03 pm
by boardman
complicated? just run Packet Sniffer on necessary interface with saving to file :)
Oh, not technically complicated, what is complicated is this network segment is inside Mexico's customs building, in a very sensitive area, what's complicated is to obtain all the necessary permits to access the premises.

Regards

J. Boardman

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Sat Mar 02, 2013 8:05 pm
by boardman
complicated? just run Packet Sniffer on necessary interface with saving to file :)
Oh, not technically complicated, what is complicated is this network segment is inside Mexico's customs building, in a very sensitive area, what's complicated is to obtain all the necessary permits to access the premises.

Regards

J. Boardman

Mmhh!! Damn.

You mean with the routerboard itself, sorry it's Saturday... I'll get in a few minutes.

Jorge

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Sat Mar 02, 2013 8:34 pm
by boardman
Can you grab some of the traffic to a pcap file?
Here is a Packet Sniffer file pcap_all.zip with all MAC protocol filter disabled on ether1


pcap_pppoe_disc.zip is a a Packet Sniffer file with all MAC protocol filter enabled except pppoe-discovery on ether1

pcap_pppoe_sess.zip is a a Packet Sniffer file with all MAC protocol filter enabled except pppoe-session on ether1

I manually added .zip extensions, please remove it first, forum won't let me upload with different extensions but the files are exactly as they were downloaded from the Routerboard.


Thanks for the help

J. Boardman

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Sat Mar 02, 2013 9:46 pm
by CelticComms
Little PPPoE discovery traffic. PPPoE session traffic dominated by exchanges involving a Dell, Fortinet and TP-Link device. Does that make sense? Use my email if easier to explain situation.

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Sun Mar 03, 2013 2:07 am
by geebs
I should have reported what we found.

It was a rogue router on the network generating that traffic.
When we disconnected it, the traffic disappeared.
From memory it was a D-link, apparently a firmware upgrade fixed the issue.

Sorry to be so vague, that's all I really recall.

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Sun Mar 03, 2013 8:21 pm
by boardman
Little PPPoE discovery traffic. PPPoE session traffic dominated by exchanges involving a Dell, Fortinet and TP-Link device. Does that make sense? Use my email if easier to explain situation.
Hi, thanks for offering your help,

Yes I, somehow found what you are mentioning, a Dell, a Fortinet and TP-Link device, yesterday we were able to identify the Fortinet and the TP-Link, so we disconnected those two customers and the traffic went down a lot, not quite to zero (still the Dell that we haven’t found yet) but quite lot less, any idea how can I block those?

Or do you believe there’s something wrong with those devices? Poor configuration?, defectives? What can I tell the customers in order to point them in the right direction to get their stuff fixed…

Thanks a lot.

Jorge E. Boardman

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Sun Mar 03, 2013 8:23 pm
by boardman
I should have reported what we found.

It was a rogue router on the network generating that traffic.
When we disconnected it, the traffic disappeared.
From memory it was a D-link, apparently a firmware upgrade fixed the issue.

Sorry to be so vague, that's all I really recall.
Thanks a lot for the help, what is a rogue router?

Hi, thanks for offering your help,

Somehow we found what you are mentioning, a Dell, a Fortinet and TP-Link devices, so we disconnected those customers and the traffic went down,

Thanks a lot.

Jorge E. Boardman

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Fri Mar 20, 2015 12:52 am
by markos808
i have the same problem here :) but i didnt find any rogue router on the network any suggestion ?

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Wed May 20, 2015 11:24 am
by Afidz
i have the same problem, can somebody help me ?

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Wed May 20, 2015 2:23 pm
by Chupaka
i have the same problem, can somebody help me ?
your pppoe client receives 5 Mbps of traffic - use Torch on it, not on ether1
also, 5 Mbps on pppoe-out1 = 3 Mbps on ether2 + 2 Mbps on ether4. what's the problem?

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Sat May 23, 2015 8:50 pm
by soueidan
Having exactly the same problem with no solution!! I've searched everywhere, can someone explain what is this ?

Having 2 sxt both set to AP bridge mode, however, one receives such traffic (8864) on ethernet and Trasmits them through WLAN, and the other one receives the traffic without transmitting them to WLAN!

What could be wrong ? I've searched everything, and both having the same configuration!

Please help!

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Thu May 28, 2015 7:34 am
by Afidz
sorry I was wrong upload files, i should upload this file..

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Thu May 28, 2015 9:03 pm
by Chupaka
sorry I was wrong upload files, i should upload this file..
Anyway,
your pppoe client receives 5 Mbps of traffic - use Torch on it, not on ether1

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Fri May 29, 2015 10:43 am
by Afidz
I've torch on pppoe interface, or interfaces eth1, but eth. 8864 protocol (pppoe) is still visible when I torch interface pppoe or ether1.
whether it occurs because the broadcast pppoe?

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Fri May 29, 2015 5:26 pm
by Chupaka
I've torch on pppoe interface, or interfaces eth1, but eth. 8864 protocol (pppoe) is still visible when I torch interface pppoe or ether1.
whether it occurs because the broadcast pppoe?
it's because you have traffic on pppoe interface. that traffic is encapsulated in 8864 protocol (pppoe) and is visible on ethernet interface. so if you see traffic on pppoe and no traffic on LAN - seems like your router is used as proxy or for amplification attack. Torch on pppoe interface will show exact traffic

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Thu Jan 11, 2018 1:00 pm
by santoshk
Hi
we face same problem here.i am running pppoe server on mikrotik router when i check ap device interface port by tourch so i received unused traffic.kindly provide solution ...

Re: eth. protocol 8864 (pppoe) hitting physical interface

Posted: Thu Jan 11, 2018 1:25 pm
by Chupaka
Please move your "Torch" window a bit down - I cannot switch to "Interface List" window for some reason