Cisco Support Community

New Member

Strange traffic between router and ADSL modem

We have a network with a Catalyst 500 switch and an 871 Ethernet router. The router has been configured, with SDM, with an SDM default medium security firewall. We observe that there is continuous traffic between the router and the internet (DSL modem). I don't see this traffic on any of the hosts. The firewall is moderately active filtering incoming traffic, but the logging that I have been able to set up does not show the activity that I see on the router and modem front panels. Could this be an indication that the router is infected?

New Member

Re: Strange traffic between router and ADSL modem

It is unlikely that the router is infected, and I have not heard yet of a virus that did infect a router. There are exploits and bugs which could cause the router to generate unwanted traffic, but not infect it. The first step would be to identify the traffic you are worried about. There could be legitimate traffic, or at least non-threatening, between the Internet and your router which you would not see on the hosts (e.g. NTP, DHCP, or the router responding to ping echo requests).

I would start with enabling IP accounting (step 1 below) on the WAN interface, and if you see source-destination IP address pairs which you cannot explain, I would try to debug these IP addresses in detail by setting up an access-list and debugging using this access-list (step 2 below).

1) Configure on the WAN interface

Then, use to view the output.

2) Configure an access-list:

access-list 101 permit ip

and debug:

debug ip packet detail 101

From the debug output you should be able to see what protocol is used, and you can find more details on the nature and volume of the traffic, and whether it is malicious or not.

HTH, Thomas
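To make the triage suggested in the reply concrete, here is an added example (not part of the thread) that sorts `debug ip packet detail` output into the benign types the reply names (NTP, DHCP, ping) and everything else, totalled per source-destination pair. The line layout in the regexes is an assumption and varies by IOS release; the sample lines, addresses, interface name and function names are constructed for illustration.

```python
import re
from collections import Counter

# Assumed layout of "debug ip packet detail" lines; adjust to your IOS release.
HEADER = re.compile(r"^IP: s=([\d.]+).*?d=([\d.]+).*?len (\d+)")
DETAIL = re.compile(r"^\s+(ICMP|UDP|TCP) (.*)")
EXPECTED_UDP = {123: "NTP", 67: "DHCP", 68: "DHCP"}  # examples named in the reply

# Constructed sample using documentation addresses, not a real capture.
SAMPLE = """\
IP: s=192.0.2.1 (local), d=198.51.100.10 (FastEthernet4), len 76, sending
    UDP src=123, dst=123
IP: s=192.0.2.254 (FastEthernet4), d=192.0.2.1, len 328, rcvd 3
    UDP src=67, dst=68
IP: s=203.0.113.7 (FastEthernet4), d=192.0.2.1, len 84, rcvd 3
    ICMP type=8, code=0
IP: s=203.0.113.99 (FastEthernet4), d=192.0.2.1, len 48, rcvd 3
    TCP src=40122, dst=23, seq=1, ack=0, win=1024 SYN
IP: s=203.0.113.99 (FastEthernet4), d=192.0.2.1, len 48, rcvd 3
    TCP src=40123, dst=23, seq=1, ack=0, win=1024 SYN
IP: s=203.0.113.50 (FastEthernet4), d=192.0.2.1, len 40, rcvd 3
"""

# Name the traffic type, or mark it "unexplained" so it gets a closer look.
def label(proto, rest):
    nums = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", rest)}
    if proto == "ICMP" and nums.get("type") in (0, 8):
        return "ICMP echo"
    if proto == "UDP":
        for port in (nums.get("src"), nums.get("dst")):
            if port in EXPECTED_UDP:
                return EXPECTED_UDP[port]
    return f"unexplained {proto}/{nums.get('dst', nums.get('type'))}"

# Return Counter {(src, dst, label): total bytes} over the debug output.
def summarize(text):
    totals, pending = Counter(), None
    for line in text.splitlines() + [""]:
        head, detail = HEADER.match(line), DETAIL.match(line)
        if pending:  # a header with no detail line after it is kept, flagged
            name = label(*detail.groups()) if detail else "unexplained (no detail)"
            totals[pending[:2] + (name,)] += pending[2]
            pending = None
        if head:
            pending = (head.group(1), head.group(2), int(head.group(3)))
    return totals

def unexplained(totals):
    return {k: v for k, v in totals.items() if k[2].startswith("unexplained")}
```

Extend `EXPECTED_UDP` with whatever the router is actually configured to use before treating the remainder as suspicious.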