VerneArase
May 31, 2020 (Apprentice)
RBK853 logging
Well, I finally got emailing logs working - Comcast has some weird rules for SMTP.
I've come to a conclusion - RBK853 is definitely a weird box. Here's a sample log:
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 13:58:06
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 13:57:07
[DHCP IP: (192.168.1.140)] to MAC address E8:EB:11:0D:55:09, Sunday, May 31,2020 13:55:44
[DHCP IP: (192.168.1.3)] to MAC address B8:8A:EC:B3:3C:DB, Sunday, May 31,2020 13:53:22
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 13:52:02
[DHCP IP: (192.168.1.3)] to MAC address B8:8A:EC:B3:3C:DB, Sunday, May 31,2020 13:49:28
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 13:45:57
[DHCP IP: (192.168.1.3)] to MAC address B8:8A:EC:B3:3C:DB, Sunday, May 31,2020 13:45:23
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 13:43:42
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 13:36:41
[DHCP IP: (192.168.1.139)] to MAC address 3C:E1:A1:AB:BC:C9, Sunday, May 31,2020 13:36:06
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 13:35:27
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 13:27:16
[DHCP IP: (192.168.1.139)] to MAC address 3C:E1:A1:AB:BC:C9, Sunday, May 31,2020 13:24:35
[DHCP IP: (192.168.1.3)] to MAC address B8:8A:EC:B3:3C:DB, Sunday, May 31,2020 13:23:44
[DHCP IP: (192.168.1.151)] to MAC address 7C:BB:8A:D3:87:D0, Sunday, May 31,2020 13:22:54
[DHCP IP: (192.168.1.151)] to MAC address 7C:BB:8A:D3:87:D0, Sunday, May 31,2020 13:22:41
[DHCP IP: (192.168.1.151)] to MAC address 7C:BB:8A:D3:87:D0, Sunday, May 31,2020 13:22:28
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 13:20:29
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 13:19:09
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 13:14:22
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 13:11:40
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 13:05:42
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 13:02:42
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 12:58:37
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 12:57:10
[DHCP IP: (192.168.1.140)] to MAC address E8:EB:11:0D:55:09, Sunday, May 31,2020 12:55:45
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 12:54:29
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 12:48:01
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 12:45:26
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 12:41:32
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 12:38:47
[DHCP IP: (192.168.1.121)] to MAC address 5C:AD:76:25:95:10, Sunday, May 31,2020 12:36:23
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 12:33:19
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 12:27:08
[DHCP IP: (192.168.1.3)] to MAC address B8:8A:EC:B3:3C:DB, Sunday, May 31,2020 12:26:08
[DHCP IP: (192.168.1.151)] to MAC address 7C:BB:8A:D3:87:D0, Sunday, May 31,2020 12:24:21
[DHCP IP: (192.168.1.151)] to MAC address 7C:BB:8A:D3:87:D0, Sunday, May 31,2020 12:24:08
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 12:24:06
[DHCP IP: (192.168.1.151)] to MAC address 7C:BB:8A:D3:87:D0, Sunday, May 31,2020 12:22:59
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 12:21:56
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 12:20:01
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 12:16:32
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 12:10:33
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 12:03:42
[DHCP IP: (192.168.1.131)] to MAC address B8:09:8A:BD:E3:3B, Sunday, May 31,2020 12:00:32
[DHCP IP: (192.168.1.140)] to MAC address E8:EB:11:0D:55:09, Sunday, May 31,2020 11:55:45
Thursday, Jan 01,491926 -6:00:00
Thursday, Jan 01,491926 -6:00:00
First off, log lines have weird date/time stamps at the end of the log lines.
Secondly, look at DHCP entries: no offers, no ACKs, no NAKs. I administered ISC DHCP for years and never saw anything like this. Multiple log lines for each DHCP request, like it's not taking.
Then, at the end of each emailed log segment, it spews a bunch of date/time stamps with no message and a year that's waaayyy out there and a time which is your UCT offset.
Does anyone else see this, or is it just me and my setup?
-- Thanks, Verne
4 Replies
As good forum posting security, it's best not to post MAC addresses of devices listed in logs or files in a public forum. The MAC address is tied to a device which nefarious users could attempt to do nefarious things to.
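The two points raised so far (repeated DHCP lines per device with no usable timestamps at the tail, and not posting raw MAC addresses) can be handled in one pass before a log is shared. This is an added example, not code from any poster or from NETGEAR; the sample log is constructed in the format quoted above, and the function names and salt value are assumptions.

```python
import hashlib
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format quoted in the post; MACs and IPs are made up.
SAMPLE = """\
[DHCP IP: (192.168.1.20)] to MAC address 02:00:00:AA:BB:01, Sunday, May 31,2020 13:58:06
[DHCP IP: (192.168.1.20)] to MAC address 02:00:00:AA:BB:01, Sunday, May 31,2020 13:57:07
[DHCP IP: (192.168.1.30)] to MAC address 02:00:00:AA:BB:02, Sunday, May 31,2020 13:55:44
[DHCP IP: (192.168.1.20)] to MAC address 02:00:00:AA:BB:01, Sunday, May 31,2020 13:52:02
Thursday, Jan 01,491926 -6:00:00
"""

MAC = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
DHCP = re.compile(r"^\[DHCP IP: \((?P<ip>[\d.]+)\)\] to MAC address (?P<mac>[0-9A-Fa-f:]{17}),")
STAMP = re.compile(r"[A-Z][a-z]+day, .+$")  # trailing "Weekday, Mon DD,YYYY HH:MM:SS"

def pseudonym(mac, salt):
    """Stable per-device label. The salt must stay private: an unsalted
    hash of a MAC is small enough a search space to be reversed."""
    return "dev-" + hashlib.sha256((salt + mac.upper()).encode()).hexdigest()[:8]

def redact(text, salt):
    """Replace every MAC so repeats stay visible but the address does not."""
    return MAC.sub(lambda m: pseudonym(m.group(0), salt), text)

def summarize(text):
    """Count DHCP lines per (ip, mac) and collect lines whose timestamp
    is missing or does not parse (such as the year-491926 lines)."""
    counts, bad = Counter(), []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        stamp = STAMP.search(line)
        try:
            datetime.strptime(stamp.group(0), "%A, %b %d,%Y %H:%M:%S")
        except (AttributeError, ValueError):
            bad.append(line)
            continue
        entry = DHCP.match(line)
        if entry:
            counts[(entry["ip"], entry["mac"].upper())] += 1
    return counts, bad

if __name__ == "__main__":
    counts, bad = summarize(SAMPLE)
    print(redact(SAMPLE, salt="keep-this-private"))
    print(counts.most_common(), bad)
```
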
- VerneArase (Apprentice)
FURRYe38 wrote: As good forum posting security, it's best not to post MAC addresses of devices listed in logs or files in a public forum. The MAC address is tied to a device which nefarious users could attempt to do nefarious things to.
Yeah, yeah, but it's my local network and if Netgear does their job, no one's getting in.
I don't turn off ICMP responses, so if someone actually did penetrate my network they could ping sweep my probable address range and get that information easily.
Once you've gotten an address from the DHCP server you can use your IP address and subnet mask to infer the entire address range. After you've ping sweeped the entire address range, you can pick up the MAC addresses from the ARP table entries.
- George63 (Tutor)
I have the same logging problem! Looks like there's a bug ... can be fixed by NG if they want to :) Check here
- FarmerBob1 (Luminary)
I've been doing eMail Logs since the moment the "feature" was made available and now with the RBK850 have been getting hundreds a week. They consist of all kinds of incidents that should be occasional, thus a report needing to be sent. But I was getting them many times a day. When I get logs like you show, I have found that usually means that the RBR has reset. I compare the uptimes of the RBR against the RBSs and the RBR is always days behind. That action shown, in my previous routers is the router resetting and the "Reservation Assigned" devices being reassigned as the unit completes the start up process. OF WHICH I'd rarely get reports. Not so with the RBR.