11

I wanted to test something with Wireshark and upon launching it, I noticed that some device named "AvmAudio" continuously broadcasts some "SW version request" (HomePlug AV protocol) even though our power line does not support this. My guess is that this is a feature of the FritzBox 7530 I've got here, but I cannot find an option in the admin panel to disable this feature. Is it even possible to disable it?

Screenshot of Homeplug AV packets


EDIT: Thanks to @wsd for providing a modified version of Lorenzo Fontana's UDP packet filter. I modified it a little more, because I didn't like the void pointer arithmetic going on there.

    /*
     * File:    homeplug_av_drop.c
     * Compile: clang -I /usr/include/x86_64-linux-gnu -O2 -target bpf -c homeplug_av_drop.c -o homeplug_av_drop.o
     * Load:    ip link set dev <devname> xdp obj homeplug_av_drop.o sec .text
     * Unload:  ip link set dev <devname> xdp off
     */

    #include <linux/bpf.h>
    #include <linux/in.h>
    #include <linux/if_ether.h>

    #define SEC(NAME) __attribute__((section(NAME), used))

    #define htons(x) ((__be16)___constant_swab16((x)))

    #define ETH_P_HOMEPLUG     0x88e1
    #define ETH_P_MEDIAXSTREAM 0x8912

    int dropper (struct xdp_md* ctx) {
        long ethhdr_addr = (long)ctx->data;
        long ethhdr_end_addr = ethhdr_addr + sizeof(struct ethhdr);

        /* Bounds check: pass frames too short to hold an Ethernet header. */
        if (ethhdr_end_addr > (long)ctx->data_end) {
            return XDP_PASS;
        }

        struct ethhdr* eth = (struct ethhdr*)ethhdr_addr;

        /* Drop only the two EtherTypes of interest; everything else passes. */
        if (eth->h_proto == htons(ETH_P_HOMEPLUG) || eth->h_proto == htons(ETH_P_MEDIAXSTREAM)) {
            return XDP_DROP;
        } else {
            return XDP_PASS;
        }
    }

    char _license[] SEC("license") = "GPL";

EDIT 2 (June 2020): I sent AVM an email describing the problem and asking whether or not there is a way to make the FRITZ!Box stop sending those packets. Their response (translated from German) reads:

The evaluation of the support data you provided did not reveal any errors on the part of the FRITZ!Box.

We have no plans to add the ability to disable the protocols mentioned. The guide you found in our knowledge base describes a persistent solution to avoid future notifications [about unrequested packages hitting the firewall].

Cubi73
  • Wondering about the same (FritzBox 7362 SL) – Mathias Conradt Apr 15 '19 at 20:04
  • Why do you assume it's part of the HomePlug AV protocol? The FritzBox shouldn't be aware whether you're using power line or not as it's just a regular router. `AvmAudio` also might be related to either the media server functionality or VoIP/DECT if the model supports it. – Seth Dec 16 '19 at 12:38
  • @Seth I can rule out any of those media services, because I explicitly disabled them. And I don't really assume the protocol to be HomePlug AV... Wireshark tells me that it is (see screenshot above). – Cubi73 Dec 17 '19 at 23:52
  • Did you check the source? While there is a broadcast MAC header the information you've blurred out might give you a hint which device is sending that. Did you check whether you see those broadcasts if you remove the Fritzbox? That way you could narrow it down further. Did you check your PowerPlug and Fritzbox manuals for hints? – Seth Dec 18 '19 at 06:26
  • @Seth Yep, I checked that device. The sending device's MAC address and my router's MAC address differ just in the last digit, so I think it's safe to assume that my router is spamming the network. If I find some time window, where nobody is using the router, I'll make sure to check whether taking it offline makes those packets disappear. In the meantime, I'm searching for the manual. – Cubi73 Dec 18 '19 at 06:37
  • Is there still no solution? In 24 seconds 52 packets of type "homeplug-av" (Get Device Attributes Request) have been collected by wireshark. And none of them will be ever used! – User8461 May 12 '20 at 17:50
  • No, sadly there is still no solution. I am still seeing the packages on my network and I am out of ideas what to enable/disable... :( – Cubi73 May 12 '20 at 18:13
  • `AvmAudio` is the MAC vendor, by the way, partially resolved for convenience by Wireshark. – Daniel B Jun 02 '20 at 13:19
  • You can probably also use ebtables to filter unwanted traffic: https://serverfault.com/questions/1019460/how-can-i-use-iptables-to-drop-packages-for-an-invalid-ether-type/1036839#1036839 – AVee Oct 07 '20 at 21:41

1 Answer

4

This problem is still around, and it doesn't look like fixing it is on the roadmap. The most relevant piece of information from AVM is a knowledge base article about what to do if your firewall reports an "attack" with packets of type 0x88e1. Unfortunately the page is not available in English, so here's a summary:

A firewall or a program for the analysis of network activity like Wireshark reports packets of type 0x88e1 every 5 seconds.

The incoming connections do not originate from the internet, but from the FRITZ!Box, and do not present a security problem.

Type 0x88e1: The FRITZ!Box regularly uses packets of type 0x88e1 to detect whether FRITZ!Powerline adapters are present in the network. The detected adapters are shown in the FRITZ!Box user interface in the "Local Network > Mesh" tab.

If you do not want to receive these notifications, configure your device firewall to allow incoming connections of packet type 0x88e1.

Depending on your use case, here are some workarounds (note that I handle both 0x88e1 and 0x8912, as those seem to coincide):

  • If the packets are obscuring your Wireshark output, filter them like this:

    ! ether proto 0x88E1 and ! ether proto 0x8912

  • If you want to stop them reaching any programs (e.g. RAW sockets with ETH_P_ALL), filter them using XDP, with a small BPF program based on a snippet by Lorenzo Fontana (GPL):

    #include <linux/bpf.h>
    #include <linux/in.h>
    #include <linux/if_ether.h>
    
    #define SEC(NAME) __attribute__((section(NAME), used))
    
    #define htons(x) ((__be16)___constant_swab16((x)))
    
    int homeplug_av_drop(struct xdp_md *ctx) {
      void *data = (void *)(long)ctx->data;
      void *data_end = (void *)(long)ctx->data_end;
    
      struct ethhdr *eth = data;
    
      if (data + sizeof(*eth) > data_end) {
          return XDP_PASS;
      }
    
      if (eth->h_proto == htons(0x88e1) || eth->h_proto == htons(0x8912)) {
          return XDP_DROP;
      }
      else {
          return XDP_PASS;
      }
    }
    
    char _license[] SEC("license") = "GPL";
    

    Save that as filter.c, then compile, load and unload (when you're done):

    clang -I/usr/include/x86_64-linux-gnu -O2 -target bpf -c filter.c -o filter.o
    sudo ip link set dev eth0 xdp obj filter.o sec .text
    sudo ip link set dev eth0 xdp off
    
Juergen
wsd
  • Thanks for the helpful references :) Now I know, that this problem is tied to the Mesh feature of my Fritzbox. Though, as far as I know this feature can't be disabled. But maybe I find another way to make the Fritzbox stop sending those packets. – Cubi73 Jun 02 '20 at 12:13
  • Even before the Mesh feature became available, a FritzBox would try to find other AVM devices in the network for (somewhat) unified management. – Daniel B Jun 02 '20 at 13:18
  • The up-to-date link to the knowledge base article is [here](https://avm.de/service/wissensdatenbank/dok/FRITZ-Box-7490/249_Firewall-meldet-Angriffe-an-TCP-Port-80-bzw-53805-oder-unangeforderte-Pakete-vom-Typ-0x88e1/). – Holger Hoffstätte Mar 04 '23 at 11:03
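
An added example, not part of the original posts: a user-space C version of the drop decision used by the XDP filters above, extended to look past 802.1Q/802.1ad VLAN tags, which those filters do not inspect. The function names and sample frames are constructed for illustration, and it assumes the VLAN tag is still present in the frame data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN   14  /* dst MAC + src MAC + EtherType */
#define VLAN_TAG_LEN  4   /* TPID + TCI */
#define MAX_VLAN_TAGS 2   /* bounded loop, as an eBPF verifier would require */

enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };

/* Read a big-endian 16-bit field without alignment assumptions. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* EtherType after skipping VLAN tags, or 0 if the frame is truncated. */
uint16_t effective_ethertype(const uint8_t *frame, size_t len) {
    size_t off = 12;                      /* offset of the EtherType/TPID field */
    if (len < ETH_HDR_LEN) return 0;
    uint16_t type = be16(frame + off);
    for (int i = 0; i < MAX_VLAN_TAGS; i++) {
        if (type != 0x8100 && type != 0x88a8) break;
        off += VLAN_TAG_LEN;
        if (len < off + 2) return 0;      /* cut off inside the tag stack */
        type = be16(frame + off);
    }
    return type;
}

/* Same policy as the page's filters: drop 0x88e1 and 0x8912, pass the rest. */
enum verdict classify(const uint8_t *frame, size_t len) {
    uint16_t type = effective_ethertype(frame, len);
    return (type == 0x88e1 || type == 0x8912) ? VERDICT_DROP : VERDICT_PASS;
}

/* Constructed sample frames (headers only, not captured traffic). */
static const uint8_t untagged[] = { 0xff,0xff,0xff,0xff,0xff,0xff,
    0x02,0x00,0x00,0x00,0x00,0x01, 0x88,0xe1 };
static const uint8_t tagged[] = { 0xff,0xff,0xff,0xff,0xff,0xff,
    0x02,0x00,0x00,0x00,0x00,0x01, 0x81,0x00, 0x00,0x0a, 0x89,0x12 };
static const uint8_t ipv4[] = { 0xff,0xff,0xff,0xff,0xff,0xff,
    0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x00 };

int main(void) {
    printf("untagged 0x88e1: %d\n", classify(untagged, sizeof untagged));
    printf("VLAN + 0x8912:   %d\n", classify(tagged, sizeof tagged));
    printf("IPv4:            %d\n", classify(ipv4, sizeof ipv4));
    printf("truncated VLAN:  %d\n", classify(tagged, 16));
    return 0;
}
```

Truncated frames are passed rather than dropped, matching the XDP_PASS fallback in the bounds checks above.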