NetworkManager establishes a UDP connection to my router and keeps it constantly open.
# watch 'ss -tunarp | column -t --output-separator "|"'
[..]
udp |ESTAB |0 |0 |machine%wlan0:68|_gateway:67 |users:(("NetworkManager",pid=720,fd=23))| |
[..]
Is this the expected behaviour?
I have wiresharked the traffic with the following display rule:
ip.addr==10.10.10.1 && udp.port==67
Wireshark gives me tons of "Standard query 0xXXXX PTR X.X.X.X.in-addr.arpa". That doesn't make much sense to me. None of my software is supposed to do reverse lookups all the time (continuously).
My tech-paranoia says: that would be a wonderful way to exfiltrate data, i.e. keystrokes.
In case you use NetworkManager - do you observe similar traffic?
edit: must have made a mistake...
wireshark and
ip.addr==10.10.10.1 && udp.port==53
gives me tons of traffic, when I change the filter to
udp.port==67
I see none.
Last edited by klapauzius (2020-01-10 12:13:05)
When I omit the -r flag for ss
# watch 'ss -tunap | column -t --output-separator "|"'
traffic is reduced significantly. Which makes sense.
However, why is ss telling me NetworkManager has an ESTAB connection with my router?
Last edited by klapauzius (2020-01-10 12:38:57)