Heavy use client on Traffic Analyzer but not on the network map client list

[DETstru]

I set up an ASUS ZenWifi mesh in my family's home a couple years ago. Recently they got a message from their ISP saying that they ran through their data allotment (1.3 TB). I was very surprised by that. Prior to the last month, they've been typically topping out at 500 GB/month, with a couple outliers running a bit higher.

I turned on the Traffic Analyzer within the router interface and have been checking it for them for the last week.

There is one client showing up on the Traffic Analyzer (with MAC address provided) that appears to be generating 75%-ish of all their traffic. Screenshot below of some of the top "apps" from the client.

The part that confuses me is that this MAC address is nowhere to be found on the network map client list. So I have no idea what device is generating all this traffic, nor can I do anything about it.

Anyone know what I can do to figure out what this device is?

 

[ColinTaylor]

Tell us what the client device and MAC address is (it's not sensitive information).

 

[DETstru]

From the Traffic Analyzer:

Client Name: 42:7C:3F:A6:174

This MAC address doesn't show up in the network map.

 

[DETstru]

Sorry not sure where the emoji came from

42:7C:3F:A6:17 : D4

 

[ColinTaylor]

From the Traffic Analyzer:

Client Name: 42:7C:3F:A6:174

This MAC address doesn't show up in the network map.

Do you have any wireless repeaters or extenders on your network?

 

[DETstru]

Well the mesh system has 2 nodes. The first is connected to the modem. The second is connected to the first via a dedicated 5 GHz backhaul.

But the MAC address of either router doesn't match the MAC address in question.

Other than that, there aren't any repeaters/extenders.

 

[ColinTaylor]

Do you see the MAC address in the System Log - Wireless Log page? It might come and go if it's not connected all the time.

 

[DETstru]

I do!

The first one is in the stations list (bolded) but the last digit does not match. Not sure what to make of that.

I see it again on Stations list at the bottom (also bolded). I'm beyond my understanding of what this stuff means though.

Stations List
------------------------------------------------------------------------------------
idx              MAC               PhyMode         RSSI TX_RATE RX_RATE Connect Time
Main             C0:B5:D7:B1:32:25 11NG_HT20        -55     86M     96M     05:18:09
Main             64:52:99:1E:C5:B0 11NG_HT20        -61     65M     65M     05:17:53
Main             D8:6C:63:47:9D:8D 11NG_HT20        -60     72M     26M     05:17:49
Main             EC:5C:68:79:F2:D0 11NG_HT20        -44     72M     72M     05:17:48
Main             2C:AA:8E:53:1D:10 11NG_HT20        -74     43M      1M     05:17:44
Main             2C:AA:8E:15:25:65 11NG_HT20        -67     72M      6M     05:17:43
Main             2C:AA:8E:6E:61:3B 11NG_HT20        -79     43M      5M     05:17:42
Main             B0:68:E6:99:00:E9 11NG_HT20        -40    144M    117M     05:14:51
Main             D8:6C:63:55:B1:61 11NG_HT20        -76     57M     39M     05:02:15
Main             D0:3F:27:14:2B:62 11NG_HT20        -79     52M      5M     04:21:19
Main             B6:EC:73:BB:B6:62 11NG_HT20        -67     72M     58M     02:20:32
Main             42:7C:3F:A6:17:D0 11NG_HT20        -60      0M      6M     01:34:40
Main             1C:57:DC:74:6D:7C 11NG_HT20        -80     58M      6M     01:24:44

5 GHz radio is disabled

=======================================================================================
OP Mode        : AP
SSID        : 945716A14F3A308319B6253A0E7851BA
BSSID        : 3C:7C:3F:A6:17:CC
MAC address    : 3C:7C:3F:A6:17:CC
Phy Mode    : 11a/n/ac
Bit Rate    : 1.7333 Gb/s
Channel        : 149

Stations List
------------------------------------------------------------------------------------
idx              MAC               PhyMode         RSSI TX_RATE RX_RATE Connect Time
Main             42:7C:3F:A6:17:D4 11AC_VHT80 -62 1170M 1170M 05:18:12

 

[DETstru]

I don't know how to get rid of the emojis bit wherever a ": D" is, it's being replaced.

Fixed, thanks!

 

[ColinTaylor]

I don't know how to get rid of the emojis bit wherever a ": D" is, it's being replaced.

Use the CODE (</>) block function shown at the top of your edit window.

Those two MAC addresses being 4 apart (17:D0 vs 17:D4) is suspiciously the same as what Asus uses for dual band Wi-Fi. Try turning off your wireless AiMesh node and seeing if the entries disappear.

 

[DETstru]

So you're thinking the router itself is generating the traffic, or that it's somehow double or triple counting the traffic?

 

[ColinTaylor]

So you're thinking the router itself is generating the traffic, or that it's somehow double or triple counting the traffic?

I hadn't really thought that far ahead. I don't use Traffic Analyzer so am not familiar with the information it displays.

 

[DETstru]

Ok thanks. I'm thinking there is some double counting happening. I think all the traffic that comes through the node is being counted as the node, then again with each device that is sending it. That's my hunch anyway. I went to the AiMesh page under General and found a bunch of MAC addresses associated with the various frequencies for fronthaul and backhaul.

Node connected to the modem

Ethernet
MAC (BSSID) 3C:7C:3F:A6:17:C8

Wireless - 2.4GHz
MAC (BSSID) 3C:7C:3F:A6:17:C8

Wireless - 5GHz
MAC (BSSID) 3C:7C:3F:A6:17:CA

Wireless - 5GHz-2
MAC (BSSID) 3C:7C:3F:A6:17:CC

Wireless node:

Backhaul
Wireless - 5GHz
MAC (BSSID) 3C:7C:3F:A6:17:C8

Ethernet
MAC (BSSID) 3C:7C:3F:A6:17:D0

Wireless - 5GHz
MAC (BSSID) 3C:7C:3F:A6:17:D2

Wireless - 5GHz-2
MAC (BSSID) 3C:7C:3F:A6:17:D4

There are a lot of shared characters here with the "offending" MAC address that I originally posted about. It must have something to do with it. Seems like the traffic analyzer isn't all that useful if it turns out there's a lot of double counting.

 

[ColinTaylor]

There are a lot of shared characters here with the "offending" MAC address that I originally posted about. It must have something to do with it.

It's a common trick to get around an inherent limitation of wireless repeaters to modify their MAC address by flipping a couple of bits in the first octet. I'm not familiar with ZenWifi devices but it looks like that's what's happening here. The node is changing the first octet of it's client-side link from 3C: to 42:.

So that identifies that device but doesn't really help you solve the root of your traffic problem. As you say, it appears to be double counting stuff.

 

[DETstru]

Thanks for your help. I appreciate it!

I'll leave the traffic analyzer on for now. At the end of the month I'll see how it compares to the ISP's reported total data usage.