Understand Red error/warnings in Event log

adillon
2: Seeker

Can anybody help with understanding the red errors in the event log? Router is THG3000.

Tried for 4 days to get Vodafone to help but cannot get any assistance from Tech.


Anonymous
Not applicable

If you can copy and paste the warnings here, there are probably several people who can help!

The syslog is quite large for a copy and paste here; can it be forwarded as an attachment?

Also, doesn't it contain sensitive info for a public forum?

Sorry, I am very new to this!

Anonymous
Not applicable

Just cut and paste the items that you are finding worrying.  You can omit any MAC, IP, or domain names, and just editing to the minimum is often enough.  A router can throw up literally hundreds of different errors, without seeing just a little detail it's impossible to diagnose anything!

 

The most common thing you'll probably be seeing is that unsolicited connections are being dropped - which is the router acting as a firewall and preventing remote access to your network that you didn't initiate.  You can see a very large number of such events/attacks, but they are genuinely nothing to worry about!

Thanks Keith

Because I thought it was a virus I have turned off the THG3000 router and have not connected any devices other than my desktop. So any log file from the THG3000 includes the start-up script as well as system info, system error messages, system warning messages, firewall warning messages, WAN notice and system critical messages.

I will start up the router with the desktop connected, and it's a rather large file even to edit the IP address etc., so my question is: "Is there any preference as to the message types to copy and paste?" Please excuse what may be obvious, but I am very much a novice at this and looking to see if the event log will tell me if there is a virus present!

Hope this makes sense

Anonymous
Not applicable

You've probably seen the scare stories in the press about security flaws in routers, but Vodafone UK rarely if ever appears in those releases.  Frankly, if the THG3000 was tied down any tighter it'd squeak!  I know it's tied down tight to prevent inexperienced users from making bad set-up decisions, but IMHO maybe it's tied down too tightly!

 

All our routers, whether we use the ISP router or our own, connect to the internet, which can be a hostile place.  But most of the issues out there are easily mitigated by the router, with the end-user rarely having to lift a finger.  Add to this the fact that everything is built on protocols, handshakes, and fallbacks, and you get an awful lot of info in the router logs which, while it may seem scary, is really just telling you what is going on, and that (most of the time) pretty much everything is okay.

 

The chances that your router is infected with some kind of malware are infinitesimally small!

 

In most cases, you can take just the title of an event and google it to get more info, or if you'd like post just the event title with no identifying information and we can try to help.  Just pick say 1 to 3 event titles and give it a go!

 

*FYI:  Bots on the internet attempt to probe the average home router a couple of thousand times every day.  Our routers recognise these attacks and brush them away.  Almost all cases of home networks being breached require that a user on the home network has incorrectly changed a setting on the router, or that a device on the network has already been compromised!  Like a few others on these boards, I run a reasonably complex home network, and as a result, it means taking a few extra security measures.  But those measures are put in place and then left, just being checked on occasionally.  

Jayach
16: Advanced member

@adillon wrote:

Because I thought it was a virus I have turned off the THG3000 router and have not connected any devices other than my desktop.


If you had a virus, the last place it would show would be in the router logs. I rarely look at my log, but I've just checked and it's just a sea of red. I know it looks worrying, but it really is nothing disastrous.

Unfortunately, the entries are pretty meaningless to the layman, but as @KeithAlger says, post any you are concerned about and they can be explained.

How did you connect your desktop if the router was off?

Thanks Jayach

The router has been off and I turned it on and connected my desktop. Hence my ability to use this forum if that makes sense!

It had been on for over 1 hour and I downloaded the event log and from . As you say, there are lots of entries: from 12.15 today until 13.04pm I had over 6000 entries. I have summarised the events and the number of times they occurred between these times.

 Firewall warning occurred 48 times

[ 6045.412817] DROP wan in: IN=pppoe-wan OUT= MAC= src=185.***.**.57 DST=**.***.*.162 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=4186 PROTO=TCP SPT=48116 DPT=38184 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000 48

System Critical

13.01.2022 12:41:27 system Critical [ 4688.408878] eth0 (Ext switch port: 0) (Logical Port: 8) Link DOWN.
13.01.2022 12:41:30 system Critical [ 4691.454591] eth0 (Ext switch port: 0) (Logical Port: 8) Link UP 10 mbps full duplex
13.01.2022 12:41:48 system Critical [ 4709.594363] eth0 (Ext switch port: 0) (Logical Port: 8) Link DOWN.
13.01.2022 12:41:51 system Critical [ 4712.651809] eth0 (Ext switch port: 0) (Logical Port: 8) Link UP 1000 mbps full duplex

Lan Info

13.01.2022 12:41:56 lan Info DHCPACK(br-lan) 192.168.1.31 f8:**:**:**:e1:97 DESKTOP-FQ601PC
13.01.2022 12:41:56 lan Info DHCPREQUEST(br-lan) 192.168.1.31 f8:**:**:**:e1:97
13.01.2022 12:41:27 lan Info Probing device f8:**:**:**:e1:97 IP address 192.168.1.31 on interface br-lan 

System Info

13.01.2022 12:41:27 system Info [ 4688.409176] br-lan: port 1(eth0) entered disabled state
13.01.2022 12:41:27 system Info [ 4688.417361] br-guest: port 3(eth0_guest) entered disabled state
13.01.2022 12:41:30 system Info [ 4691.454796] br-lan: port 1(eth0) entered listening state
13.01.2022 12:41:30 system Info [ 4691.454946] br-lan: port 1(eth0) entered listening state
13.01.2022 12:41:30 system Info [ 4691.457103] br-guest: port 3(eth0_guest) entered listening state
13.01.2022 12:41:30 system Info [ 4691.457185] br-guest: port 3(eth0_guest) entered listening state
13.01.2022 12:41:32 system Info [ 4693.458823] br-lan: port 1(eth0) entered learning state
13.01.2022 12:41:32 system Info [ 4693.459187] br-guest: port 3(eth0_guest) entered learning state
13.01.2022 12:41:34 system Info [ 4695.462829] br-lan: topology change detected
13.01.2022 12:41:34 system Info [ 4695.462886] br-lan: port 1(eth0) entered forwarding state
13.01.2022 12:41:34 system Info [ 4695.463222] br-guest: topology change detected
13.01.2022 12:41:34 system Info [ 4695.463268] br-guest: port 3(eth0_guest) entered forwarding state
13.01.2022 12:41:48 system Info [ 4709.594626] br-lan: port 1(eth0) entered disabled state
13.01.2022 12:41:48 system Info [ 4709.609600] br-guest: port 3(eth0_guest) entered disabled state
13.01.2022 12:41:51 system Info [ 4712.651953] br-lan: port 1(eth0) entered listening state
13.01.2022 12:41:51 system Info [ 4712.652076] br-lan: port 1(eth0) entered listening state
13.01.2022 12:41:51 system Info [ 4712.655009] br-guest: port 3(eth0_guest) entered listening state
13.01.2022 12:41:51 system Info [ 4712.655095] br-guest: port 3(eth0_guest) entered listening state
13.01.2022 12:41:53 system Info [ 4714.658910] br-lan: port 1(eth0) entered learning state
13.01.2022 12:41:53 system Info [ 4714.659272] br-guest: port 3(eth0_guest) entered learning state
13.01.2022 12:41:55 system Info [ 4716.662921] br-lan: topology change detected
13.01.2022 12:41:55 system Info [ 4716.662977] br-lan: port 1(eth0) entered forwarding state
13.01.2022 12:41:55 system Info [ 4716.663314] br-guest: topology change detected
13.01.2022 12:41:55 system Info [ 4716.663358] br-guest: port 3(eth0_guest) entered forwarding state

System Warnings

13.01.2022 12:41:27 system Warning [ 4688.408945] ===> Activate Deep Green Mode
13.01.2022 12:41:30 system Warning [ 4691.454683] <=== Deactivate Deep Green Mode
13.01.2022 13:03:30 system Warning 2022/01/13 13:03:30 [warn] 5484#0: *57 [lua] session.lua:353: new(): new session for default user 
13.01.2022 13:04:00 system Warning 2022/01/13 13:03:59 [warn] 5484#0: *57 [lua] session.lua:103: changeUser(): changing user to vodafone 

Wan Notice

13.01.2022 12:41:27 wan Notice 8021q 'eth0_guest' link is down
13.01.2022 12:41:51 wan Notice 8021q 'eth0_guest' link is up
13.01.2022 12:41:27 wan Notice Network device 'eth0' link is down
13.01.2022 12:41:30 wan Notice Network device 'eth0' link is up

All the others are multiple connections starting

PROT_TRACE

UBUS_CLIENT

CONNECTION: < HTTP code 401

CONNECTION: Connecting to server retry 477.

UBUS_CLIENT: external IP address is ***.***.*.162   recorded over 1300 times

As I have mentioned, I am a novice so don't really know what to look for in the events log. I have just guessed based on the type of message, where it comes from (system, LAN, firewall etc.) and the number of repetitions.

Any help would be appreciated
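The summarise-and-redact step discussed in this thread (count entries by source and severity, then mask MAC, IP and host names before posting), as an added example that is not part of any poster's message or of the router's software. The sample lines are constructed in the layout of the excerpts above; the `firewall Warning` prefix on the DROP lines and the `<ip>`/`<mac>`/`<host>` placeholders are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout "DD.MM.YYYY HH:MM:SS source Severity message".
# Addresses are documentation ranges, the MAC is made up, "firewall Warning" is assumed.
SAMPLE = """\
13.01.2022 12:20:01 firewall Warning [ 6045.412817] DROP wan in: IN=pppoe-wan OUT= MAC= SRC=203.0.113.57 DST=198.51.100.162 LEN=40 TTL=247 PROTO=TCP SPT=48116 DPT=38184 SYN URGP=0
13.01.2022 12:20:09 firewall Warning [ 6053.100000] DROP wan in: IN=pppoe-wan OUT= MAC= SRC=203.0.113.9 DST=198.51.100.162 LEN=44 TTL=52 PROTO=TCP SPT=51000 DPT=8080 SYN URGP=0
13.01.2022 12:41:27 system Critical [ 4688.408878] eth0 (Ext switch port: 0) (Logical Port: 8) Link DOWN.
13.01.2022 12:41:30 system Critical [ 4691.454591] eth0 (Ext switch port: 0) (Logical Port: 8) Link UP 10 mbps full duplex
13.01.2022 12:41:56 lan Info DHCPACK(br-lan) 192.168.1.31 02:00:5e:10:e1:97 DESKTOP-EXAMPLE
13.01.2022 12:41:34 system Info [ 4695.462829] br-lan: topology change detected
"""

LINE = re.compile(r"^(\d{2}\.\d{2}\.\d{4}) (\d{2}:\d{2}:\d{2}) (\w+) (\w+) (.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAC = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
DHCP_HOST = re.compile(r"(DHCPACK\(\S+\) \S+ \S+) \S+")

def redact(message):
    """Mask the DHCP hostname, MAC addresses and IPv4 addresses before posting publicly."""
    message = DHCP_HOST.sub(r"\1 <host>", message)
    message = MAC.sub("<mac>", message)
    return IPV4.sub("<ip>", message)

def summarise(text):
    """Count entries per (source, severity), tally dropped inbound ports, redact each line."""
    counts, dropped_ports, redacted = Counter(), Counter(), []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # boot banners and wrapped lines do not fit the layout
        date, time, source, severity, message = m.groups()
        counts[(source, severity)] += 1
        if "DROP wan in" in message:
            # netfilter-style KEY=value pairs; flags such as SYN carry no "="
            fields = dict(kv.split("=", 1) for kv in message.split() if "=" in kv)
            dropped_ports[(fields.get("PROTO"), fields.get("DPT"))] += 1
        redacted.append(f"{date} {time} {source} {severity} {redact(message)}")
    return counts, dropped_ports, redacted

if __name__ == "__main__":
    counts, ports, lines = summarise(SAMPLE)
    for key, n in counts.most_common():
        print(n, *key)
    print("\n".join(lines))
```
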

 

Jayach
16: Advanced member

I'm no expert, Keith will probably be able to decipher them better than me, but this is my take on them:

Firewall warning:

The firewall had dropped unsolicited packets - That is what firewalls are supposed to do

System Critical:

Some device had connected at 10Mbs (Megabits per second) and then switched to 1000MBs (probably your desktop hard wired to the router)

Lan Info:

Some device getting its IP address from the router. DHCP is Dynamic Host Configuration Protocol and is how devices get their local addresses on your LAN, once again your desktop.

System Info:

Simply that, information about the system (the firmware running on the router) going about its business.

System Warnings:

The first 2 are probably just the router using some power saving feature, the second 2 are you logging into the router.

Wan Notice:

Just info on things happening on the WAN (wide area network, i.e. the internet). To be honest I really don't have much idea about what it all means, but as users we aren't supposed to.

 


@adillon wrote:

As I have mentioned, I am a novice so don't really know what to look for in the events log. I have just guessed based on the type of message, where it comes from (system, LAN, firewall etc.) and the number of repetitions.

 


Basically very few people using the Vodafone router are going to know what it all means, and why perfectly normal functions are marked in red I can't say, but the log is really for experts trying to fault find problems, it's not really for normal users to worry about.

 

CrimsonLiar
16: Advanced member

@Jayach covered most of the stuff in there, so I'll just cover anything significant that is missing (not much!).

 

Okay, so this first one is good, but it requires a bit of a leap to understand what is going on (and I may be wrong on this):

I believe the WAN (DSL or Fibre) is mapped to eth0.  During negotiation, this can/will drop and connect multiple times.  You'll also see it combined with "guest" on some occasions and the router goes through the CHAP (CHallenge and Authenticate Protocol) to retrieve your broadband username and password.  *The UBUS_CLIENT notice is also probably related to some settings downloaded from Vodafone to your router (possibly Teredo IPv6 faking).

 

System Info:

The br-lan messages mostly relate to the router figuring out routing, so that packets don't need to be broadcast to all ports - router doing what a router is going to do (as opposed to a common backbone)!

 

System Warnings:

The LUA messages relate to the router operating system switching to a different user (Vodafone - root user) in order to run a script.  Perfectly normal stuff.

 

So there is as far as I can see absolutely nothing in there to worry about!