 
credible
Gerbil XP
Topic Author
Posts: 499
Joined: Fri Oct 07, 2011 7:47 pm

Is my router calling home

Sat May 31, 2014 8:12 am

Forgive me if I have this wrong as I do not have loads of networking experience, I do plan on taking a course to get the basics then I can teach myself the rest with help from fine folks like yourselves and of course Google, on to my question.

For another 2 weeks I am still with Rogers and we have their lovely all in one router, which I have bridged, and I am using the TP-Link Archer C-7, version 2.

About a month or so ago I finally got around to trying different dns servers and tried Google first and then decided to use OpenDns, so I created an account and all that jazz.

Before I drag on too long about something I don't understand this is a screen shot of my OpenDns account and under Domains you can see a rather large number of requests "directed" to http://www.tp-link.com 2692.

Is this normal and only a result of me having the Archer bridged or is there something more sinister going on? Not paranoid, but after reading a while back about routers calling home I am more than a little bit curious.


Image
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Is my router calling home

Sat May 31, 2014 8:19 am

Three possibilities:
  • It is checking for firmware updates.
  • It is contacting an NTP (time) server maintained by the router vendor to synchronize its clock.
  • It is "phoning home" for some other reason.
Have you tried looking through the router settings to see if there's anything related to automatic firmware updates or time synchronization?
Nostalgia isn't what it used to be.
 
Deanjo
Graphmaster Gerbil
Posts: 1212
Joined: Tue Mar 03, 2009 11:31 am

Re: Is my router calling home

Sat May 31, 2014 8:27 am

just brew it! wrote:
Three possibilities:
  • It is checking for firmware updates.
  • It is contacting an NTP (time) server maintained by the router vendor to synchronize its clock.
  • It is "phoning home" for some other reason.
Have you tried looking through the router settings to see if there's anything related to automatic firmware updates or time synchronization?

I believe TP-Link also has their own dynamic DNS service which could be another cause.
 
credible
Gerbil XP
Topic Author
Posts: 499
Joined: Fri Oct 07, 2011 7:47 pm

Re: Is my router calling home

Sat May 31, 2014 8:47 am

Deanjo wrote:
just brew it! wrote:
Three possibilities:
  • It is checking for firmware updates.
  • It is contacting an NTP (time) server maintained by the router vendor to synchronize its clock.
  • It is "phoning home" for some other reason.
Have you tried looking through the router settings to see if there's anything related to automatic firmware updates or time synchronization?

I believe TP-Link also has their own dynamic DNS service which could be another cause.



Would this at all conflict with using OpenDns and JBI I am pretty sure but I'll check right now.
 
Deanjo
Graphmaster Gerbil
Posts: 1212
Joined: Tue Mar 03, 2009 11:31 am

Re: Is my router calling home

Sat May 31, 2014 8:51 am

credible wrote:
Deanjo wrote:
just brew it! wrote:
Three possibilities:
  • It is checking for firmware updates.
  • It is contacting an NTP (time) server maintained by the router vendor to synchronize its clock.
  • It is "phoning home" for some other reason.
Have you tried looking through the router settings to see if there's anything related to automatic firmware updates or time synchronization?

I believe TP-Link also has their own dynamic DNS service which could be another cause.



Would this at all conflict with using OpenDns and JBI I am pretty sure but I'll check right now.


It shouldn't conflict with opendns. All it would be doing is sending out IP address updates to their dynamic DNS server.
 
credible
Gerbil XP
Topic Author
Posts: 499
Joined: Fri Oct 07, 2011 7:47 pm

Re: Is my router calling home

Sat May 31, 2014 8:54 am

I had a look, definitely there is no auto check for new firmware and so far as the time settings go, there are some but from what I read it looks like it is also not set to auto because the 2 server spots are empty in this picture.

Sorry, I just noticed that it says it will Get GMT automatically if configured correctly, what exactly does that mean and could that be the issue?


Image
 
Deanjo
Graphmaster Gerbil
Posts: 1212
Joined: Tue Mar 03, 2009 11:31 am

Re: Is my router calling home

Sat May 31, 2014 8:58 am

I notice that at the bottom they say "pre-defined servers". They may hardcode a couple of NTP servers in the code so if it is blank it uses those. One way to figure it out is to define an NTP server and see if the requests to TP-Link stop.

http://www.pool.ntp.org/en/
 
credible
Gerbil XP
Topic Author
Posts: 499
Joined: Fri Oct 07, 2011 7:47 pm

Re: Is my router calling home

Sat May 31, 2014 9:00 am

Deanjo wrote:
I notice that at the bottom they say "pre-defined servers". They may hardcode a couple of NTP servers in the code so if it is blank it uses those. One way to figure it out is to define an NTP server and see if the requests to TP-Link stop.



Which addresses could I put in there, would the ones within the Windows time feature work or do you know one I could use, or perhaps I should just Google, lol.


OMG, sorry Dean just saw your link, must wake up.
 
credible
Gerbil XP
Topic Author
Posts: 499
Joined: Fri Oct 07, 2011 7:47 pm

Re: Is my router calling home

Sat May 31, 2014 9:07 am

Alrighty, I have added those addresses to my router and will see what the logs say at OpenDns a bit later.

I am far from a privacy freak but when I saw the connection attempts to TP-Link it kind of threw me for a loop and made me wonder a bit, nothing wrong with being curious, it is how I learn, lol.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Is my router calling home

Sat May 31, 2014 9:11 am

That whole section is ambiguous. It is unclear whether only "Get GMT" uses hard-coded defaults, or whether the hard-coded defaults are always used if the IP addresses are not filled in.

Not sure if the Windows time servers will work for this.

You can go ahead and use my NTP server if you want to test. Its public IP is 64.81.142.110.
Nostalgia isn't what it used to be.
 
credible
Gerbil XP
Topic Author
Posts: 499
Joined: Fri Oct 07, 2011 7:47 pm

Re: Is my router calling home

Sat May 31, 2014 9:13 am

just brew it! wrote:
That whole section is ambiguous. It is unclear whether only "Get GMT" uses hard-coded defaults, or whether the hard-coded defaults are always used if the IP addresses are not filled in.

Not sure if the Windows time servers will work for this.

You can go ahead and use my NTP server if you want to test. Its public IP is 64.81.142.110.



Thank you, I will add this one and I have a hypothetical question, if indeed the TP-Link router was calling home, would they not be able to hide this fact from something like OpenDns and its logs, I do run the updater from openDns as well.
 
Flatland_Spider
Graphmaster Gerbil
Posts: 1324
Joined: Mon Sep 13, 2004 8:33 pm

Re: Is my router calling home

Sat May 31, 2014 12:00 pm

The easiest way to see what this thing is doing would be to sniff the packets with an intermediate box.

just brew it! wrote:
That whole section is ambiguous. It is unclear whether only "Get GMT" uses hard-coded defaults, or whether the hard-coded defaults are always used if the IP addresses are not filled in.


Some packets really need to be captured to see what this thing is doing.

Not sure if the Windows time servers will work for this.


I'm not following.

Windows Server can be set up to be an NTP server. It takes a trip into group policy objects, but it can be done.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Is my router calling home

Sat May 31, 2014 1:03 pm

Flatland_Spider wrote:
Not sure if the Windows time servers will work for this.

I'm not following.

Windows Server can be set up to be an NTP server. It takes a trip into group policy objects, but it can be done.

What I meant is, I am not sure if the public time servers that desktop Windows uses by default will work for the router. I *think* they are standard NTP and should work, but it has been a while and I seem to recall having a weird issue with non-Windows clients at some point back in the day.
Nostalgia isn't what it used to be.
 
Hz so good
Gerbil Elite
Posts: 768
Joined: Wed Dec 04, 2013 5:08 pm

Re: Is my router calling home

Sat May 31, 2014 5:15 pm

just brew it! wrote:
Three possibilities:
  • It is checking for firmware updates.
  • It is contacting an NTP (time) server maintained by the router vendor to synchronize its clock.
  • It is "phoning home" for some other reason.
Have you tried looking through the router settings to see if there's anything related to automatic firmware updates or time synchronization?


IIRC, Colubris WLAN controllers would phone home, to make sure they had a valid license.

I really doubt that's the case here, but I'd like to see a packet capture. At least then we'd have a clearer idea of what type of packets are being sent to TP-Link.
 
credible
Gerbil XP
Topic Author
Posts: 499
Joined: Fri Oct 07, 2011 7:47 pm

Re: Is my router calling home

Sat May 31, 2014 7:13 pm

Hz so good wrote:
just brew it! wrote:
Three possibilities:
  • It is checking for firmware updates.
  • It is contacting an NTP (time) server maintained by the router vendor to synchronize its clock.
  • It is "phoning home" for some other reason.
Have you tried looking through the router settings to see if there's anything related to automatic firmware updates or time synchronization?


IIRC, Colubris WLAN controllers would phone home, to make sure they had a valid license.

I really doubt that's the case here, but I'd like to see a packet capture. At least then we'd have a clearer idea of what type of packets are being sent to TP-Link.



Would it be too much for one of you to show me how I would go about that, must be a program of some sort and if I could post them for you guys to look at, for the moment I logged onto the OpenDns account and blocked the connection to TP-Link, I would imagine I would have to change that back to allow for the capture of the packets assuming it even can block them.
 
My Johnson
Gerbil Elite
Posts: 679
Joined: Fri Jan 24, 2003 3:00 pm
Location: Dystopia, AZ

Re: Is my router calling home

Sat May 31, 2014 7:21 pm

Packet sniffing would be the most truthful way to determine what is happening but a quick and easy way (if they respond) to discover the purpose would be to e-mail TP-Link.

Disclaimer: I have that same router.

Bonus Edit: TP-Link has an emulator here if you want to give this router a whirl.

Bonus Edit: Their forums aren't half bad either.
 
drsauced
Gerbil Jedi
Posts: 1543
Joined: Mon Apr 21, 2003 1:38 pm
Location: Here!

Re: Is my router calling home

Sun Jun 01, 2014 12:27 am

Well kudos to TP-Link for not suppressing those log entries. It must be a bug.

I agree about packet sniffing. You don't want your device to upload things like traffic history, session information, passwords (I'm looking at you Motorola), and a packet sniffer is a good way to see that. The difficulty is that the device has a modem built-in, so you're not really going to see what's coming out of the RJ11 jack of the box without a second upstream modem. I doubt your ISP will allow such things, naturally. IBM makes some passive devices, but if you have to ask, you can't afford them.

Edit: Hah, I assume wrongly, your box is just a router with a gigabit WAN port. Rock on! Throw together a FreeBSD or pfSense box and tcpdump all the way!
Calm seas never made a skilled mariner. But, sadly I'm an A's fan.
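
Added example, not part of any post in this thread: a Python script that reduces the text output of `tcpdump -n` to what the thread is trying to find out, namely which names one device looks up, how often, and which NTP servers it contacts that were never configured on it. The capture lines, the addresses and `www.vendor.example` are constructed, and `summarize` with its parameters is a name chosen here.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed capture in the one-line-per-packet text format of `tcpdump -n`.
# Real input would come from something like:
#   tcpdump -n -i <interface> 'host <device-ip> and (port 53 or port 123)'
# Assumed roles: 192.168.1.254 = device under test, 192.168.1.1 = local resolver,
# 192.168.1.10 = the NTP server configured on the device. The 198.51.100.x and
# 203.0.113.x hosts stand in for servers the device was never told about.
SAMPLE_CAPTURE = """\
21:04:55.466248 IP 192.168.1.254.43515 > 192.168.1.1.53: 1234+ A? a.root-servers.net. (36)
21:04:55.467056 IP 192.168.1.1.53 > 192.168.1.254.43515: 1234 1/13/13 A 198.41.0.4 (505)
21:04:56.470321 IP 192.168.1.254.39724 > 192.168.1.1.53: 1234+ A? www.vendor.example. (36)
21:04:58.478203 IP 192.168.1.254.39724 > 192.168.1.1.53: 1234+ A? www.vendor.example. (36)
21:05:00.486209 IP 192.168.1.254.39724 > 192.168.1.1.53: 1234+ A? www.vendor.example. (36)
21:05:06.471182 IP 192.168.1.1.53 > 192.168.1.254.39724: 1234 ServFail 0/0/0 (36)
21:05:55.470000 IP 192.168.1.254.44637 > 192.168.1.1.53: 1234+ A? a.root-servers.net. (36)
21:05:56.474000 IP 192.168.1.254.41683 > 192.168.1.1.53: 1234+ A? www.vendor.example. (36)
21:05:58.482000 IP 192.168.1.254.41683 > 192.168.1.1.53: 1234+ A? www.vendor.example. (36)
21:06:02.874066 IP 192.168.1.254.34267 > 192.168.1.10.123: NTPv3, Client, length 48
21:06:03.378079 IP 192.168.1.254.38089 > 198.51.100.7.123: NTPv3, Client, length 48
21:06:03.882117 IP 192.168.1.254.45815 > 203.0.113.9.123: NTPv3, Client, length 48
21:06:04.000000 IP 192.168.1.50.51000 > 192.168.1.1.53: 4321+ A? example.org. (29)
"""

# timestamp, "IP", src.port > dst.port: payload
PACKET = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<payload>.*)$"
)
# tcpdump prints a DNS question as "<TYPE>? <name>", e.g. "A? host.example."
QUERY = re.compile(r"\b(?P<qtype>[A-Z][A-Z0-9]*)\? (?P<name>\S+)")


def summarize(capture_text, device_ip, allowed_ntp):
    """Summarise DNS lookups and NTP destinations originated by device_ip."""
    queries = defaultdict(list)  # name -> [(seconds since midnight, source port)]
    ntp_dests = set()
    for line in capture_text.splitlines():
        m = PACKET.match(line)
        if not m or m["src"] != device_ip:
            continue  # hex/continuation lines, replies and other hosts
        ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        if m["dport"] == "53":
            q = QUERY.search(m["payload"])
            if q:
                queries[q["name"].rstrip(".").lower()].append((ts, m["sport"]))
        elif m["dport"] == "123":
            ntp_dests.add(m["dst"])

    dns = {}
    for name, hits in queries.items():
        # Heuristic: packets that reuse a source port are retransmissions of
        # one unanswered lookup; a new source port is a new lookup.
        first_seen, last_seen, retry_gaps = {}, {}, []
        for ts, sport in hits:
            if sport in last_seen:
                retry_gaps.append((ts - last_seen[sport]) % 86400)
            else:
                first_seen[sport] = ts
            last_seen[sport] = ts
        starts = list(first_seen.values())
        periods = [(b - a) % 86400 for a, b in zip(starts, starts[1:])]
        dns[name] = {
            "packets": len(hits),
            "lookups": len(starts),
            "retry_gap_s": round(median(retry_gaps), 1) if retry_gaps else None,
            "lookup_period_s": round(median(periods), 1) if periods else None,
        }

    return {
        "dns": dns,
        "unexpected_ntp": sorted(d for d in ntp_dests if d not in allowed_ntp),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_CAPTURE, "192.168.1.254", {"192.168.1.10"})
    for name, stats in report["dns"].items():
        print(name, stats)
    print("NTP servers not in the configured list:", report["unexpected_ntp"])
```

Counting packets alone overstates how often the device asks: a burst of retries a couple of seconds apart is one lookup that got no usable answer, which is why the script reports the retry gap and the lookup period separately.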
 
blacktree
Gerbil In Training
Posts: 1
Joined: Tue Jul 08, 2014 4:03 am

Re: Is my router calling home

Tue Jul 08, 2014 4:25 am

I noticed this problem myself on a TP-Link 841N ... and I have a packet dump from when the router had NO clients attached (WAN OR LAN) connections.

It is doing root DNS queries every 60 seconds and trying to look up tp-link.com every 2 seconds. I have rechecked the config several times and no auto-updates or "DDNS" services are enabled. I'm running the latest firmware for this router.

Also note, even though I have my own local *172.16.x.x* NTP servers defined in the config, it is using hard coded ones on the internet.

My firewall internal DNS server is 10.0.20.1 with the dedicated WAP internal interface of 172.16.0.1. WAP IP is 172.16.0.254.

21:04:55.466248 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 64)
    172.16.0.254.43515 > 10.0.20.1.53: [udp sum ok] 1234+ A? a.root-servers.net. (36)
21:04:55.467056 IP (tos 0x0, ttl 64, id 39975, offset 0, flags [none], proto UDP (17), length 533)
    10.0.20.1.53 > 172.16.0.254.43515: [udp sum ok] 1234 q: A? a.root-servers.net. 1/13/13 a.root-servers.net. [3d3h4m54s] A 198.41.0.4 ns: net. [4h1m47s] NS i.gtld-servers.net., net. [4h1m47s] NS k.gtld-servers.net., net. [4h1m47s] NS l.gtld-servers.net., net. [4h1m47s] NS f.gtld-servers.net., net. [4h1m47s] NS b.gtld-servers.net., net. [4h1m47s] NS h.gtld-servers.net., net. [4h1m47s] NS j.gtld-servers.net., net. [4h1m47s] NS c.gtld-servers.net., net. [4h1m47s] NS a.gtld-servers.net., net. [4h1m47s] NS e.gtld-servers.net., net. [4h1m47s] NS d.gtld-servers.net., net. [4h1m47s] NS g.gtld-servers.net., net. [4h1m47s] NS m.gtld-servers.net. ar: a.gtld-servers.net. [3h7m25s] A 192.5.6.30, a.gtld-servers.net. [3h7m25s] AAAA 2001:503:a83e::2:30, b.gtld-servers.net. [3h7m25s] A 192.33.14.30, b.gtld-servers.net. [3h7m25s] AAAA 2001:503:231d::2:30, c.gtld-servers.net. [3h7m25s] A 192.26.92.30, d.gtld-servers.net. [3h7m25s] A 192.31.80.30, e.gtld-servers.net. [3h7m25s] A 192.12.94.30, f.gtld-servers.net. [3h7m25s] A 192.35.51.30, g.gtld-servers.net. [3h7m25s] A 192.42.93.30, h.gtld-servers.net. [3h7m25s] A 192.54.112.30, i.gtld-servers.net. [3h7m25s] A 192.43.172.30, j.gtld-servers.net. [3h7m25s] A 192.48.79.30, k.gtld-servers.net. [3h7m25s] A 192.52.178.30 (505)
21:04:56.470321 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 64)
    172.16.0.254.39724 > 10.0.20.1.53: [udp sum ok] 1234+ A? www.tp-link.com. (36)
21:04:58.478203 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 64)
    172.16.0.254.39724 > 10.0.20.1.53: [udp sum ok] 1234+ A? www.tp-link.com. (36)
21:05:00.486209 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 64)
    172.16.0.254.39724 > 10.0.20.1.53: [udp sum ok] 1234+ A? www.tp-link.com. (36)
21:05:06.471182 IP (tos 0x0, ttl 64, id 39976, offset 0, flags [none], proto UDP (17), length 61)
    10.0.20.1.53 > 172.16.0.254.39724: [udp sum ok] 1234 ServFail q: A? www.tp-link.com. 0/0/0 (33)
21:05:38.638014 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 64)
    172.16.0.254.44637 > 10.0.20.1.53: [udp sum ok] 1234+ A? a.root-servers.net. (36)
21:05:38.638850 IP (tos 0x0, ttl 64, id 39977, offset 0, flags [none], proto UDP (17), length 533)
    10.0.20.1.53 > 172.16.0.254.44637: [udp sum ok] 1234 q: A? a.root-servers.net. 1/13/13 a.root-servers.net. [3d3h4m11s] A 198.41.0.4 ns: net. [4h1m4s] NS c.gtld-servers.net., net. [4h1m4s] NS a.gtld-servers.net., net. [4h1m4s] NS b.gtld-servers.net., net. [4h1m4s] NS d.gtld-servers.net., net. [4h1m4s] NS g.gtld-servers.net., net. [4h1m4s] NS k.gtld-servers.net., net. [4h1m4s] NS f.gtld-servers.net., net. [4h1m4s] NS e.gtld-servers.net., net. [4h1m4s] NS l.gtld-servers.net., net. [4h1m4s] NS j.gtld-servers.net., net. [4h1m4s] NS i.gtld-servers.net., net. [4h1m4s] NS h.gtld-servers.net., net. [4h1m4s] NS m.gtld-servers.net. ar: a.gtld-servers.net. [3h6m42s] A 192.5.6.30, a.gtld-servers.net. [3h6m42s] AAAA 2001:503:a83e::2:30, b.gtld-servers.net. [3h6m42s] A 192.33.14.30, b.gtld-servers.net. [3h6m42s] AAAA 2001:503:231d::2:30, c.gtld-servers.net. [3h6m42s] A 192.26.92.30, d.gtld-servers.net. [3h6m42s] A 192.31.80.30, e.gtld-servers.net. [3h6m42s] A 192.12.94.30, f.gtld-servers.net. [3h6m42s] A 192.35.51.30, g.gtld-servers.net. [3h6m42s] A 192.42.93.30, h.gtld-servers.net. [3h6m42s] A 192.54.112.30, i.gtld-servers.net. [3h6m42s] A 192.43.172.30, j.gtld-servers.net. [3h6m42s] A 192.48.79.30, k.gtld-servers.net. [3h6m42s] A 192.52.178.30 (505)
21:05:39.642107 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 64)
    172.16.0.254.41683 > 10.0.20.1.53: [udp sum ok] 1234+ A? www.tp-link.com. (36)
21:05:41.649999 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 64)
    172.16.0.254.41683 > 10.0.20.1.53: [udp sum ok] 1234+ A? www.tp-link.com. (36)
21:05:43.650594 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.0.254 tell 172.16.0.1, length 28
21:05:43.650756 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.16.0.254 is-at c0:4a:00:a1:87:a9, length 46
21:05:43.658012 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 64)
    172.16.0.254.41683 > 10.0.20.1.53: [udp sum ok] 1234+ A? www.tp-link.com. (36)
21:05:49.642942 IP (tos 0x0, ttl 64, id 39978, offset 0, flags [none], proto UDP (17), length 61)
    10.0.20.1.53 > 172.16.0.254.41683: [udp sum ok] 1234 ServFail q: A? www.tp-link.com. 0/0/0 (33)
21:06:02.874066 IP (tos 0x0, ttl 64, id 14968, offset 0, flags [DF], proto UDP (17), length 76)
    172.16.0.254.34267 > 133.100.9.2.123: [udp sum ok] NTPv3, length 48
   Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 4s, precision -6
   Root Delay: 1.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
     Reference Timestamp:  0.000000000
     Originator Timestamp: 0.000000000
     Receive Timestamp:    0.000000000
     Transmit Timestamp:   3575828707.611756026 (2013/04/25 09:45:07)
       Originator - Receive Timestamp:  0.000000000
       Originator - Transmit Timestamp: 3575828707.611756026 (2013/04/25 09:45:07)
21:06:03.378079 IP (tos 0x0, ttl 64, id 15094, offset 0, flags [DF], proto UDP (17), length 76)
    172.16.0.254.38089 > 139.78.100.163.123: [udp sum ok] NTPv3, length 48
   Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 4s, precision -6
   Root Delay: 1.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
     Reference Timestamp:  0.000000000
     Originator Timestamp: 0.000000000
     Receive Timestamp:    0.000000000
     Transmit Timestamp:   3575828708.115754999 (2013/04/25 09:45:08)
       Originator - Receive Timestamp:  0.000000000
       Originator - Transmit Timestamp: 3575828708.115754999 (2013/04/25 09:45:08)
21:06:03.882117 IP (tos 0x0, ttl 64, id 15220, offset 0, flags [DF], proto UDP (17), length 76)
    172.16.0.254.45815 > 131.107.1.10.123: [udp sum ok] NTPv3, length 48
   Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 4s, precision -6
   Root Delay: 1.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
     Reference Timestamp:  0.000000000
     Originator Timestamp: 0.000000000
     Receive Timestamp:    0.000000000
     Transmit Timestamp:   3575828708.619747996 (2013/04/25 09:45:08)
       Originator - Receive Timestamp:  0.000000000
       Originator - Transmit Timestamp: 3575828708.619747996 (2013/04/25 09:45:08)
21:06:04.386020 IP (tos 0x0, ttl 64, id 15346, offset 0, flags [DF], proto UDP (17), length 76)
    172.16.0.254.59090 > 199.165.76.11.123: [udp sum ok] NTPv3, length 48
   Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 4s, precision -6
   Root Delay: 1.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
     Reference Timestamp:  0.000000000
     Originator Timestamp: 0.000000000
     Receive Timestamp:    0.000000000
     Transmit Timestamp:   3575828709.123755000 (2013/04/25 09:45:09)
       Originator - Receive Timestamp:  0.000000000
       Originator - Transmit Timestamp: 3575828709.123755000 (2013/04/25 09:45:09)
21:06:04.890062 IP (tos 0x0, ttl 64, id 15472, offset 0, flags [DF], proto UDP (17), length 76)
    172.16.0.254.50922 > 140.142.16.34.123: [udp sum ok] NTPv3, length 48
   Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 4s, precision -6
   Root Delay: 1.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
     Reference Timestamp:  0.000000000
     Originator Timestamp: 0.000000000
     Receive Timestamp:    0.000000000
     Transmit Timestamp:   3575828709.627758026 (2013/04/25 09:45:09)
       Originator - Receive Timestamp:  0.000000000
       Originator - Transmit Timestamp: 3575828709.627758026 (2013/04/25 09:45:09)
21:06:05.394106 IP (tos 0x0, ttl 64, id 15598, offset 0, flags [DF], proto UDP (17), length 76)
    172.16.0.254.36277 > 128.138.140.44.123: [udp sum ok] NTPv3, length 48
   Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 4s, precision -6
   Root Delay: 1.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
     Reference Timestamp:  0.000000000
     Originator Timestamp: 0.000000000
     Receive Timestamp:    0.000000000
     Transmit Timestamp:   3575828710.131766006 (2013/04/25 09:45:10)
       Originator - Receive Timestamp:  0.000000000
       Originator - Transmit Timestamp: 3575828710.131766006 (2013/04/25 09:45:10)
21:06:05.898153 IP (tos 0x0, ttl 64, id 15724, offset 0, flags [DF], proto UDP (17), length 76)
    172.16.0.254.42528 > 137.146.210.250.123: [udp sum ok] NTPv3, length 48
   Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 4s, precision -6
   Root Delay: 1.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
     Reference Timestamp:  0.000000000
     Originator Timestamp: 0.000000000
     Receive Timestamp:    0.000000000
     Transmit Timestamp:   3575828710.635747015 (2013/04/25 09:45:10)
       Originator - Receive Timestamp:  0.000000000
       Originator - Transmit Timestamp: 3575828710.635747015 (2013/04/25 09:45:10)
   0x0000:  4500 004c 3d6c 4000 4011 f399 ac10 00fe  E..L=l@.@.......
   0x0010:  8992 d2fa a620 007b 0038 95ca 1b00 04fa  .......{.8......
   0x0020:  0001 0000 0001 0000 0000 0000 0000 0000  ................
   0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
   0x0040:  0000 0000 d522 d0e6 a2c0 50b6            ....."....P.
21:06:06.402051 IP (tos 0x0, ttl 64, id 15850, offset 0, flags [DF], proto UDP (17), length 76)
    172.16.0.254.44141 > 192.36.144.22.123: [udp sum ok] NTPv3, length 48
   Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 4s, precision -6
   Root Delay: 1.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
     Reference Timestamp:  0.000000000
     Originator Timestamp: 0.000000000
     Receive Timestamp:    0.000000000
     Transmit Timestamp:   3575828711.139751002 (2013/04/25 09:45:11)
       Originator - Receive Timestamp:  0.000000000
       Originator - Transmit Timestamp: 3575828711.139751002 (2013/04/25 09:45:11)
   0x0000:  4500 004c 3dea 4000 4011 ff6d ac10 00fe  E..L=.@.@..m....
   0x0010:  c024 9016 ac6d 007b 0038 b2c9 1b00 04fa  .$...m.{.8......
   0x0020:  0001 0000 0001 0000 0000 0000 0000 0000  ................
   0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
   0x0040:  0000 0000 d522 d0e7 23c6 b8b5            ....."..#...
21:06:06.906096 IP (tos 0x0, ttl 64, id 15976, offset 0, flags [DF], proto UDP (17), length 76)
    172.16.0.254.58724 > 129.7.1.66.123: [udp sum ok] NTPv3, length 48
   Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 4s, precision -6
   Root Delay: 1.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
     Reference Timestamp:  0.000000000
     Originator Timestamp: 0.000000000
     Receive Timestamp:    0.000000000
     Transmit Timestamp:   3575828711.643737971 (2013/04/25 09:45:11)
       Originator - Receive Timestamp:  0.000000000
       Originator - Transmit Timestamp: 3575828711.643737971 (2013/04/25 09:45:11)
   0x0000:  4500 004c 3e68 4000 4011 cce1 ac10 00fe  E..L>h@.@.......
   0x0010:  8107 0142 e564 007b 0038 7c01 1b00 04fa  ...B.d.{.8|.....
   0x0020:  0001 0000 0001 0000 0000 0000 0000 0000  ................
   0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
   0x0040:  0000 0000 d522 d0e7 a4cc 0372            .....".....r
21:06:07.410001 IP (tos 0x0, ttl 64, id 16102, offset 0, flags [DF], proto UDP (17), length 76)
    172.16.0.254.48680 > 192.43.244.18.123: [udp sum ok] NTPv3, length 48
   Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 4s, precision -6
   Root Delay: 1.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
     Reference Timestamp:  0.000000000
     Originator Timestamp: 0.000000000
     Receive Timestamp:    0.000000000
     Transmit Timestamp:   3575828712.147738993 (2013/04/25 09:45:12)
       Originator - Receive Timestamp:  0.000000000
       Originator - Transmit Timestamp: 3575828712.147738993 (2013/04/25 09:45:12)
   0x0000:  4500 004c 3ee6 4000 4011 9a6e ac10 00fe  E..L>.@.@..n....
   0x0010:  c02b f412 be28 007b 0038 ba98 1b00 04fa  .+...(.{.8......
   0x0020:  0001 0000 0001 0000 0000 0000 0000 0000  ................
   0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
   0x0040:  0000 0000 d522 d0e8 25d2 391b            ....."..%.9.
21:06:07.914428 IP (tos 0x0, ttl 64, id 16228, offset 0, flags [DF], proto UDP (17), length 76)
    172.16.0.254.37865 > 158.121.104.4.123: [udp sum ok] NTPv3, length 48
   Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 4s, precision -6
   Root Delay: 1.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
     Reference Timestamp:  0.000000000
     Originator Timestamp: 0.000000000
     Receive Timestamp:    0.000000000
     Transmit Timestamp:   3575828712.652059018 (2013/04/25 09:45:12)
       Originator - Receive Timestamp:  0.000000000
       Originator - Transmit Timestamp: 3575828712.652059018 (2013/04/25 09:45:12)
   0x0000:  4500 004c 3f64 4000 4011 47b1 ac10 00fe  E..L?d@.@.G.....
   0x0010:  9e79 6804 93e9 007b 0038 f3ef 1b00 04fa  .yh....{.8......
   0x0020:  0001 0000 0001 0000 0000 0000 0000 0000  ................
   0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
   0x0040:  0000 0000 d522 d0e8 a6ed 56a8            ....."....V.
21:06:08.418080 IP (tos 0x0, ttl 64, id 16354, offset 0, flags [DF], proto UDP (17), length 76)
    172.16.0.254.53230 > 192.6.38.127.123: [udp sum ok] NTPv3, length 48
   Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 4s, precision -6
   Root Delay: 1.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
     Reference Timestamp:  0.000000000
     Originator Timestamp: 0.000000000
     Receive Timestamp:    0.000000000
     Transmit Timestamp:   3575828713.155744001 (2013/04/25 09:45:13)
       Originator - Receive Timestamp:  0.000000000
       Originator - Transmit Timestamp: 3575828713.155744001 (2013/04/25 09:45:13)
   0x0000:  4500 004c 3fe2 4000 4011 672b ac10 00fe  E..L?.@.@.g+....
   0x0010:  c006 267f cfee 007b 0038 d6e0 1b00 04fa  ..&....{.8......
   0x0020:  0001 0000 0001 0000 0000 0000 0000 0000  ................
   0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
   0x0040:  0000 0000 d522 d0e9 27de d6b8            ....."..'...
21:06:08.922008 IP (tos 0x0, ttl 64, id 16480, offset 0, flags [DF], proto UDP (17), length 76)
    172.16.0.254.40464 > 216.133.140.77.123: [udp sum ok] NTPv3, length 48
   Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 4s, precision -6
   Root Delay: 1.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
     Reference Timestamp:  0.000000000
     Originator Timestamp: 0.000000000
     Receive Timestamp:    0.000000000
     Transmit Timestamp:   3575828713.659738004 (2013/04/25 09:45:13)
       Originator - Receive Timestamp:  0.000000000
       Originator - Transmit Timestamp: 3575828713.659738004 (2013/04/25 09:45:13)
   0x0000:  4500 004c 4060 4000 4011 e85f ac10 00fe  E..L@`@.@.._....
   0x0010:  d885 8c4d 9e10 007b 0038 493d 1b00 04fa  ...M...{.8I=....
   0x0020:  0001 0000 0001 0000 0000 0000 0000 0000  ................
   0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
   0x0040:  0000 0000 d522 d0e9 a8e4 96e6            ....."......
21:06:09.426028 IP (tos 0x0, ttl 64, id 16606, offset 0, flags [DF], proto UDP (17), length 76)
    172.16.0.254.38820 > 140.221.8.88.123: [udp sum ok] NTPv3, length 48
   Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 4s, precision -6
   Root Delay: 1.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
     Reference Timestamp:  0.000000000
     Originator Timestamp: 0.000000000
     Receive Timestamp:    0.000000000
     Transmit Timestamp:   3575828714.163742005 (2013/04/25 09:45:14)
       Originator - Receive Timestamp:  0.000000000
       Originator - Transmit Timestamp: 3575828714.163742005 (2013/04/25 09:45:14)
   0x0000:  4500 004c 40de 4000 4011 b77f ac10 00fe  E..L@.@.@.......
   0x0010:  8cdd 0858 97a4 007b 0038 3641 1b00 04fa  ...X...{.86A....
   0x0020:  0001 0000 0001 0000 0000 0000 0000 0000  ................
   0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
   0x0040:  0000 0000 d522 d0ea 29ea fee5            ....."..)...
21:06:09.930075 IP (tos 0x0, ttl 64, id 16732, offset 0, flags [DF], proto UDP (17), length 76)
    172.16.0.254.45266 > 66.243.43.2.123: [udp sum ok] NTPv3, length 48
   Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 4s, precision -6
   Root Delay: 1.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
     Reference Timestamp:  0.000000000
     Originator Timestamp: 0.000000000
     Receive Timestamp:    0.000000000
     Transmit Timestamp:   3575828714.667738020 (2013/04/25 09:45:14)
       Originator - Receive Timestamp:  0.000000000
       Originator - Transmit Timestamp: 3575828714.667738020 (2013/04/25 09:45:14)
   0x0000:  4500 004c 415c 4000 4011 de41 ac10 00fe  E..LA\@.@..A....
   0x0010:  42f3 2b02 b0d2 007b 0038 e190 1b00 04fa  B.+....{.8......
   0x0020:  0001 0000 0001 0000 0000 0000 0000 0000  ................
   0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
   0x0040:  0000 0000 d522 d0ea aaf0 e0a1            ....."......
21:06:21.809822 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 64)
    172.16.0.254.36792 > 10.0.20.1.53: [udp sum ok] 1234+ A? a.root-servers.net. (36)
   0x0000:  4500 0040 0000 4000 4011 6f9e ac10 00fe  E..@..@.@.o.....
   0x0010:  0a00 1401 8fb8 0035 002c 0c9d 04d2 0100  .......5.,......
   0x0020:  0001 0000 0000 0000 0161 0c72 6f6f 742d  .........a.root-
   0x0030:  7365 7276 6572 7303 6e65 7400 0001 0001  servers.net.....
21:06:21.810638 IP (tos 0x0, ttl 64, id 39979, offset 0, flags [none], proto UDP (17), length 533)
    10.0.20.1.53 > 172.16.0.254.36792: [udp sum ok] 1234 q: A? a.root-servers.net. 1/13/13 a.root-servers.net. [3d3h3m28s] A 198.41.0.4 ns: net. [4h21s] NS g.gtld-servers.net., net. [4h21s] NS e.gtld-servers.net., net. [4h21s] NS l.gtld-servers.net., net. [4h21s] NS m.gtld-servers.net., net. [4h21s] NS a.gtld-servers.net., net. [4h21s] NS f.gtld-servers.net., net. [4h21s] NS c.gtld-servers.net., net. [4h21s] NS i.gtld-servers.net., net. [4h21s] NS j.gtld-servers.net., net. [4h21s] NS b.gtld-servers.net., net. [4h21s] NS d.gtld-servers.net., net. [4h21s] NS h.gtld-servers.net., net. [4h21s] NS k.gtld-servers.net. ar: a.gtld-servers.net. [3h5m59s] A 192.5.6.30, a.gtld-servers.net. [3h5m59s] AAAA 2001:503:a83e::2:30, b.gtld-servers.net. [3h5m59s] A 192.33.14.30, b.gtld-servers.net. [3h5m59s] AAAA 2001:503:231d::2:30, c.gtld-servers.net. [3h5m59s] A 192.26.92.30, d.gtld-servers.net. [3h5m59s] A 192.31.80.30, e.gtld-servers.net. [3h5m59s] A 192.12.94.30, f.gtld-servers.net. [3h5m59s] A 192.35.51.30, g.gtld-servers.net. [3h5m59s] A 192.42.93.30, h.gtld-servers.net. [3h5m59s] A 192.54.112.30, i.gtld-servers.net. [3h5m59s] A 192.43.172.30, j.gtld-servers.net. [3h5m59s] A 192.48.79.30, k.gtld-servers.net. [3h5m59s] A 192.52.178.30 (505)
   0x0000:  4500 0215 9c2b 0000 4011 119e 0a00 1401  E....+..@.......
   0x0010:  ac10 00fe 0035 8fb8 0201 6ab9 04d2 8180  .....5....j.....
   0x0020:  0001 0001 000d 000d 0161 0c72 6f6f 742d  .........a.root-
   0x0030:  7365 7276 6572 7303 6e65 7400 0001 0001  servers.net.....
   0x0040:  c00c 0001 0001 0004 1f80 0004 c629 0004  .............)..
   0x0050:  c01b 0002 0001 0000 3855 0011 0167 0c67  ........8U...g.g
   0x0060:  746c 642d 7365 7276 6572 73c0 1bc0 1b00  tld-servers.....
   0x0070:  0200 0100 0038 5500 0401 65c0 42c0 1b00  .....8U...e.B...
   0x0080:  0200 0100 0038 5500 0401 6cc0 42c0 1b00  .....8U...l.B...
   0x0090:  0200 0100 0038 5500 0401 6dc0 42c0 1b00  .....8U...m.B...
   0x00a0:  0200 0100 0038 5500 0401 61c0 42c0 1b00  .....8U...a.B...
   0x00b0:  0200 0100 0038 5500 0401 66c0 42c0 1b00  .....8U...f.B...
   0x00c0:  0200 0100 0038 5500 0401 63c0 42c0 1b00  .....8U...c.B...
   0x00d0:  0200 0100 0038 5500 0401 69c0 42c0 1b00  .....8U...i.B...
   0x00e0:  0200 0100 0038 5500 0401 6ac0 42c0 1b00  .....8U...j.B...
   0x00f0:  0200 0100 0038 5500 0401 62c0 42c0 1b00  .....8U...b.B...
   0x0100:  0200 0100 0038 5500 0401 64c0 42c0 1b00  .....8U...d.B...
   0x0110:  0200 0100 0038 5500 0401 68c0 42c0 1b00  .....8U...h.B...
   0x0120:  0200 0100 0038 5500 0401 6bc0 42c0 8d00  .....8U...k.B...
   0x0130:  0100 0100 002b 9700 04c0 0506 1ec0 8d00  .....+..........
   0x0140:  1c00 0100 002b 9700 1020 0105 03a8 3e00  .....+........>.
   0x0150:  0000 0000 0000 0200 30c0 dd00 0100 0100  ........0.......
   0x0160:  002b 9700 04c0 210e 1ec0 dd00 1c00 0100  .+....!.........
   0x0170:  002b 9700 1020 0105 0323 1d00 0000 0000  .+.......#......
   0x0180:  0000 0200 30c0 ad00 0100 0100 002b 9700  ....0........+..
   0x0190:  04c0 1a5c 1ec0 ed00 0100 0100 002b 9700  ...\.........+..
   0x01a0:  04c0 1f50 1ec0 5d00 0100 0100 002b 9700  ...P..]......+..
   0x01b0:  04c0 0c5e 1ec0 9d00 0100 0100 002b 9700  ...^.........+..
   0x01c0:  04c0 2333 1ec0 4000 0100 0100 002b 9700  ..#3..@......+..
   0x01d0:  04c0 2a5d 1ec0 fd00 0100 0100 002b 9700  ..*].........+..
   0x01e0:  04c0 3670 1ec0 bd00 0100 0100 002b 9700  ..6p.........+..
   0x01f0:  04c0 2bac 1ec0 cd00 0100 0100 002b 9700  ..+..........+..
   0x0200:  04c0 304f 1ec1 0d00 0100 0100 002b 9700  ..0O.........+..
   0x0210:  04c0 34b2 1e                             ..4..
21:06:22.814141 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 64)
    172.16.0.254.41505 > 10.0.20.1.53: [udp sum ok] 1234+ A? www.tp-link.com. (36)
   0x0000:  4500 0040 0000 4000 4011 6f9e ac10 00fe  E..@..@.@.o.....
   0x0010:  0a00 1401 a221 0035 002c 4a26 04d2 0100  .....!.5.,J&....
   0x0020:  0001 0000 0000 0000 0377 7777 0774 702d  .........www.tp-
   0x0030:  6c69 6e6b 0363 6f6d 0000 0100 0101 0001  link.com........
21:06:24.821818 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 64)
    172.16.0.254.41505 > 10.0.20.1.53: [udp sum ok] 1234+ A? www.tp-link.com. (36)
   0x0000:  4500 0040 0000 4000 4011 6f9e ac10 00fe  E..@..@.@.o.....
   0x0010:  0a00 1401 a221 0035 002c 4a26 04d2 0100  .....!.5.,J&....
   0x0020:  0001 0000 0000 0000 0377 7777 0774 702d  .........www.tp-
   0x0030:  6c69 6e6b 0363 6f6d 0000 0100 0101 0001  link.com........
21:06:26.829695 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 64)
    172.16.0.254.41505 > 10.0.20.1.53: [udp sum ok] 1234+ A? www.tp-link.com. (36)
   0x0000:  4500 0040 0000 4000 4011 6f9e ac10 00fe  E..@..@.@.o.....
   0x0010:  0a00 1401 a221 0035 002c 4a26 04d2 0100  .....!.5.,J&....
   0x0020:  0001 0000 0000 0000 0377 7777 0774 702d  .........www.tp-
   0x0030:  6c69 6e6b 0363 6f6d 0000 0100 0101 0001  link.com........
21:06:32.815007 IP (tos 0x0, ttl 64, id 39980, offset 0, flags [none], proto UDP (17), length 61)
    10.0.20.1.53 > 172.16.0.254.41505: [udp sum ok] 1234 ServFail q: A? www.tp-link.com. 0/0/0 (33)
   0x0000:  4500 003d 9c2c 0000 4011 1375 0a00 1401  E..=.,..@..u....
   0x0010:  ac10 00fe 0035 a221 0029 c9ab 04d2 8182  .....5.!.)......
   0x0020:  0001 0000 0000 0000 0377 7777 0774 702d  .........www.tp-
   0x0030:  6c69 6e6b 0363 6f6d 0000 0100 01         link.com.....
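An added example (not part of any post in this thread): a small Python parser for tcpdump-style text like the capture above that reports which DNS names a device queries at a steady interval. The function names, the thresholds and the sample packets marked as constructed are assumptions, and the capture is assumed not to cross midnight.

```python
import re
from collections import defaultdict
from statistics import median

# Packet header line, e.g. "21:06:22.814141 IP (tos 0x0, ...)"
TS_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}\.\d+) IP ")
# Detail line of a query sent to port 53; resolver replies (source port 53) do not match.
QUERY_RE = re.compile(r"^\s+(\S+)\.\d+ > \S+\.53: .*? (A|AAAA)\? (\S+?)\.? \(\d+\)")

def parse_queries(text):
    """Yield (seconds_since_midnight, source_ip, qname) for each DNS query sent."""
    ts = None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            ts = int(m[1]) * 3600 + int(m[2]) * 60 + float(m[3])
            continue
        q = QUERY_RE.match(line)
        if q and ts is not None:
            yield ts, q.group(1), q.group(3).lower()
            ts = None  # hex-dump lines that follow belong to no new packet

def beacon_report(text, min_count=3, max_jitter=0.5):
    """Return {qname: (count, median_gap_seconds)} for names queried at a steady interval."""
    times = defaultdict(list)
    for ts, _src, qname in parse_queries(text):
        times[qname].append(ts)
    report = {}
    for qname, seen in times.items():
        gaps = [b - a for a, b in zip(seen, seen[1:])]
        if gaps and len(seen) >= min_count and max(gaps) - min(gaps) <= max_jitter:
            report[qname] = (len(seen), round(median(gaps), 1))
    return report

# Header/detail lines in the capture's format; the 21:06:40, 21:07:21 and 21:08:21
# packets are constructed for this example, the rest are taken from the capture above.
SAMPLE = """\
21:06:21.809822 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 64)
    172.16.0.254.36792 > 10.0.20.1.53: [udp sum ok] 1234+ A? a.root-servers.net. (36)
21:06:22.814141 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 64)
    172.16.0.254.41505 > 10.0.20.1.53: [udp sum ok] 1234+ A? www.tp-link.com. (36)
21:06:24.821818 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 64)
    172.16.0.254.41505 > 10.0.20.1.53: [udp sum ok] 1234+ A? www.tp-link.com. (36)
21:06:26.829695 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 64)
    172.16.0.254.41505 > 10.0.20.1.53: [udp sum ok] 1234+ A? www.tp-link.com. (36)
21:06:32.815007 IP (tos 0x0, ttl 64, id 39980, offset 0, flags [none], proto UDP (17), length 61)
    10.0.20.1.53 > 172.16.0.254.41505: [udp sum ok] 1234 ServFail q: A? www.tp-link.com. 0/0/0 (33)
21:06:40.100000 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 57)
    172.16.0.254.40001 > 10.0.20.1.53: [udp sum ok] 1234+ A? example.org. (29)
21:07:21.811004 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 64)
    172.16.0.254.36793 > 10.0.20.1.53: [udp sum ok] 1234+ A? a.root-servers.net. (36)
21:08:21.812391 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 64)
    172.16.0.254.36794 > 10.0.20.1.53: [udp sum ok] 1234+ A? a.root-servers.net. (36)
"""
if __name__ == "__main__": print(beacon_report(SAMPLE))
```

Names that appear only once, and the resolver's ServFail reply, are left out of the report, so what remains is the device's own periodic lookups.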
 
macaddict1
Gerbil In Training
Posts: 1
Joined: Fri Jun 10, 2016 8:09 am

Re: Is my router calling home

Fri Jun 10, 2016 8:10 am

Did you ever figure out how to make it stop? I also have OpenDNS set up and I see the high level of queries for tp-link.com.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Is my router calling home

Mon Jun 13, 2016 8:03 am

blacktree wrote:
It is doing root DNS queries every 60 seconds and trying to look up tp-link.com every 2 seconds. I have rechecked the config several times and no auto-updates or "DDNS" services are enabled.

WTF. Get enough devices doing this and you have what amounts to a DDoS attack on the root servers. :roll: Clueless firmware engineers.

IIRC there was a similar incident a few years back when a router vendor took out one of the big public NTP servers by hard coding its IP address as the default time server for a popular model of router.
Nostalgia isn't what it used to be.
 
notfred
Maximum Gerbil
Posts: 4610
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada

Re: Is my router calling home

Mon Jun 13, 2016 10:30 am

There have been several instances of that: https://en.wikipedia.org/wiki/NTP_serve ... _and_abuse
