Advice for investigating unknown device

[o0larry0o]

Hello
I know this topic has been discuted before, but I can't find any advice.

I have added my RT-AC86U to home assistant to better display my active devices, since the network map is ^$ùù^$ .....

This led me to find out an unknown device on the network, that seems to connect and disconnect very often.

• First info, the vendor is Expressif.Inc, which is the vendor used by Shelly IoT device (I have several of them).
  So I guess I might be a shelly, but my pellet oven is also Expressif Inc.
• Secondly, if can see in the syslog the device connecting and disconnecting (after 1 second) on Eth5, which is the wifi interface (nvram get sta_phy_ifnames --> eth5 eth6)
• home assistant is showing that it has a static ip, which mean ether static or MAC binding (it does not see the difference)
  all my device are MAC binded, so I can check pretty easily, and I never setup a DHCP bind on this @MAC, so this one should have a real static IP

What is see in the syslog:

Dec 19 10:10:35 wlceventd: wlceventd_proc_event(530): eth5: Auth 8C:CE:4E:D6:5C:C8, status: Successful (0), rssi:0
Dec 19 10:10:35 wlceventd: wlceventd_proc_event(559): eth5: Assoc 8C:CE:4E:D6:5C:C8, status: Successful (0), rssi:0
Dec 19 10:10:36 wlceventd: wlceventd_proc_event(511): eth5: Disassoc 8C:CE:4E:D6:5C:C8, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8), rssi:0

And this happend every ..well A LOT

Odly, the hostame and vendor name reported are the same.

I would really like to get the hostname so I can pinpoint if it's a shelly or not.
how can I do that ?

In the meantime, I blocked the @MAC on my router.
But I would really love to have any advince to identify this thing.


Thx a lot !!!

-

 

[martinr]

Have you tried disconnecting suspect devices one by one, oe reconnecting one by one, at least to identify the offending item to start with?

 

[bennor]

First, you may want to move your post (if you can) out of the add-ons subforum and either to the Asus Merlin subforum if you are using that firmware or to the general AC router subforum since your issue doesn't appear to deal with add-ons. Further you have not indicated what firmware version you are running nor any add-on scripts being used if using Asus-Merlin firmware.

Many devices, like Apple iPhones and similar now randomize their MAC address so the device may show up unknown or with a generic name and not receive a manually reserved IP address. As the previous poster indicated, one way to isolate the offending device is to disconnect the devices one by one to find the offender.

 

[dave14305]

If you’re running Merlin and use Entware, you should install tcpdump from Entware and watch for any traffic from that MAC address.

opkg update
opkg install tcpdump
tcpdump -i br0 -ne ether host 8C:CE:4E:D6:5C:C8

 

[o0larry0o]

Hello @bennor oups it's a mistake from a previous thread open :/ I don't know how to move it.

I'm using Merlin 386.12
Concerning the issue, the thing is this device is never connected as the log shows, and I have no known device that is offline everything work as it should.
but it's worth a shot

I don't use Entware, i'll look into that, thx for the tips, haven't been used tcpdump for 10 years, this should be fun ^^

thx for your help

 

[o0larry0o]

I just launched a tcpdump, do you know how to run it in background ? since i will need to let it run for several hours.

Thx a lot

 

[o0larry0o]

I had a breakthrough ^^
It's a Govee WIFI Thermometer that is outside, I forgot that it was wifi connected since its also connected to my home assistant via bluetooth.
The thing connect every 10min, sends data unencrypted (port 80) to an AWS bucket of some kind

I changed the wifi SSID to connect it to an android hotspot, and saw it on the connected to the hotspot

I quite sad I didn't need to export my tcpdump to wireshark .... haha

thx a lot for your help