QB450 traffic capture

Michael2 · ‎2021-12-02

We are using QB450 with the latest firmware and have found that it is sending out a UDP message on the WAN (over the air) interface to 225.0.1.37 source and destination port 285, Is this a backend trio poll??

Joel_Weder · ‎2021-12-06

Hello again Michael,

I queried the Trio engineers and got this reply:

-----------------

225.0.1.37 source and destination port 285 is a multicast address used by an authenticator to periodically update all its supplicants when Radio Access Control is enabled. The user can see this coming from the WAN using the customer wireshark air capture tool.

------------------

Joel Weder
Remote Operations Specialist
Schneider Electric

See Answer In Context

Joel_Weder · ‎2021-12-03

Hello Michael,

I am not familiar with any activity in the Q radio that might generate such traffic. We can ask the engineers about it however. Please let us know exactly what firmware version you are using. Also, as it may be related to the radio's configuration please save and upload a copy of the config file here along with your response. We'll try to get an answer to you within a few days.

Joel Weder
Remote Operations Specialist
Schneider Electric

BevanWeiss · ‎2021-12-05

I've never heard of a protocol on UDP 285, so that's definitely a bit unusual.

225.0.1.37 is a multicast IP address, an unknown port number and a multicast IP address like that would have me a bit suspicious that there might be some malware present on a device on the network.

What devices do you have behind the radios?

Do you have any means of monitoring the traffic at each radio (i.e. a managed switch with a mirroring port so that you can capture all the traffic on the network)? I'd recommend doing this and running wireshark to monitor the traffic.

You could also activate some of the firewall functionality available in the Trio radios to limit any spread of malicious activity on the network.

Lead Control Systems Engineer for Alliance Automation (VIC).
All opinions are my own and do not represent the opinions or policies of my employer, or of my cat..

Joel_Weder · ‎2021-12-06

Hello again Michael,

I queried the Trio engineers and got this reply:

-----------------

225.0.1.37 source and destination port 285 is a multicast address used by an authenticator to periodically update all its supplicants when Radio Access Control is enabled. The user can see this coming from the WAN using the customer wireshark air capture tool.

------------------

Joel Weder
Remote Operations Specialist
Schneider Electric