Folks, I have a great transaction capture on Wireshark, when I went to save it I get a bitch screen that says You don't have permission to create or write to the file: test.pcapng
Funny thing is I have been doing these captures now for several days, but this was the best one. I just am not sure why this is happening. I started Wireshark with elevated access, and I have not stopped it since I saved the last file. Never seen this before. I have seen it when something did not get started with a needed permission level but never seen something change without shutting it down and restarting. On Thu, Jan 6, 2022 at 10:58 AM Chuck Hast <wch...@gmail.com> wrote: > I have a batch of Chinese security cameras, one day I was > sniffing my LAN and saw these packets that should not have > been there, started tracing them down and they were coming > from the cameras, they were trying to connect to 4 chinese > web sites and AWS. The now are on an island network which > routes to nowhere and the only other thing on there is the port > that sends all of the camera data to ZoneMinder. Crazy cameras > were trying to call home constantly. I cleaned some of it up by > giving them all static IP's and getting rid of any DNS info. Some > of them still try but a lot less. > > That was before I started seeing comments on line about the > cameras doing the "call home" thing. > > > On Wed, Jan 5, 2022 at 11:56 PM Tomas Kuchta <tomas.kuchta.li...@gmail.com> > wrote: > >> Like with all other "smart things" you are the product, that thing is just >> the bait to connect to you .... I had the same thing with environment >> sensors this summer. I returned them and got bunch of half price 433MHz >> sensors + SDR to receive their signals. >> >> There are still 433MHz remote controlled relays + $5-$10 transmitters to >> turn them on/off if you do not want to use SBC or Arduino. >> >> What sorry state of affairs, these things could be supper useful, only if >> the would hot call home. >> >> -T >> >> On Thu, Jan 6, 2022, 00:00 Chuck Hast <wch...@gmail.com> wrote: >> >> > Well folks here is the capture. This is when the device does the >> > time change. >> > >> -------------------------SoF---------------------------------------------- >> > No. Time Source Destination Protocol Length Info >> > 1416 6995.707153289 192.168.7.45 192.168.7.1 DNS 129 >> > Standard query 0x011d A my.radiothermostat.com >> > 1417 6995.743011679 192.168.7.1 192.168.7.45 DNS 283 >> > Standard query response 0x011d A my.radiothermostat.com CNAME >> > rtcoa-load-balancer.energyhub.net CNAME >> > prod-ext-2-397343966.us-east-1.elb.amazonaws.com A 3.214.34.120 A >> > 54.209.187.172 A 107.21.255.187 >> > 1418 6995.744228645 192.168.7.45 107.21.255.187 TCP 125 >> > 35222 → 80 [SYN] Seq=0 Win=2896 Len=0 MSS=1460 WS=1 SACK_PERM=1 >> > TSval=23065200 TSecr=0 >> > 1419 6995.795424653 107.21.255.187 192.168.7.45 TCP 121 >> 80 >> > → 35222 [SYN, ACK] Seq=0 Ack=1 Win=26847 Len=0 MSS=1460 SACK_PERM=1 >> > TSval=1316753308 TSecr=23065200 WS=256 >> > 1420 6995.796759302 192.168.7.45 107.21.255.187 TCP 113 >> > 35222 → 80 [ACK] Seq=1 Ack=1 Win=2896 Len=0 TSval=23065200 >> TSecr=1316753308 >> > 1421 6995.797280360 192.168.7.45 107.21.255.187 TCP 204 >> > 35222 → 80 [PSH, ACK] Seq=1 Ack=1 Win=2896 Len=91 TSval=23065200 >> > TSecr=1316753308 [TCP segment of a reassembled PDU] >> > 1422 6995.851194008 107.21.255.187 192.168.7.45 TCP 113 >> 80 >> > → 35222 [ACK] Seq=1 Ack=92 Win=26880 Len=0 TSval=1316753363 >> TSecr=23065200 >> > 1423 6995.853333530 192.168.7.45 107.21.255.187 HTTP 579 >> > POST /filtrete/rest/rtcoa HTTP/1.1 >> > 1424 6995.905205495 107.21.255.187 192.168.7.45 TCP 113 >> 80 >> > → 35222 [ACK] Seq=1 Ack=558 Win=28160 Len=0 TSval=1316753417 >> TSecr=23065300 >> > 1425 6995.912865908 107.21.255.187 192.168.7.45 HTTP 585 >> > HTTP/1.1 200 200 >> > 1426 6995.935820827 192.168.7.45 107.21.255.187 TCP 113 >> > 35222 → 80 [FIN, PSH, ACK] Seq=558 Ack=473 Win=2424 Len=0 TSval=23065300 >> > TSecr=1316753424 >> > 1427 6995.986668924 107.21.255.187 192.168.7.45 TCP 113 >> 80 >> > → 35222 [FIN, ACK] Seq=473 Ack=559 Win=28160 Len=0 TSval=1316753499 >> > TSecr=23065300 >> > >> > >> ------------------------EoF----------------------------------------------------- >> > It is during this transaction that the time change takes place. >> > I never signed up for their cloud service. This took place betwen >> > Sept when I turned off the A/C and Nov when I turned on the >> > heat. Thermostat was on all of the time. And as far as I know it >> > was talking to the local HA server. >> > >> > >> > >> > >> > >> > >> > On Wed, Jan 5, 2022 at 6:56 PM Chuck Hast <wch...@gmail.com> wrote: >> > >> > > I am going to start the logging I tested yesterday back up. >> > > I had enabled packet sniffing streaming to a remote server >> > > (Wireshark on another machine) so I had it running indeed >> > > I thought I had saved that file but when I went to look at it >> > > this a.m. somehow I sent it down the bit toilet... Ohh well it >> > > is just bits, be a good exercise to get it going again. I need >> > > to trace things every once in a while knowing how to get >> > > the bit stream out of the router to wireshark can be very >> > > handy (I am looking these chinese cameras that call home) >> > > >> > > Now if I can get the manufacturer to do more than respond >> > > with scripted replies... >> > > >> > > >> > > On Wed, Jan 5, 2022 at 6:17 PM Ben Koenig <techkoe...@protonmail.com> >> > > wrote: >> > > >> > >> Whoops looks like I hit the wrong reply button and moved this off the >> > >> PLUG list. >> > >> >> > >> In my experience time sync issues are generally always the result of >> one >> > >> of 3 different root causes. For embedded devices its often simpler >> since >> > >> you have no control over the software, it just does whatever it was >> > coded >> > >> to do. >> > >> >> > >> #1 is the CMOS battery. If the firmware isn't holding on to certain >> > >> settings (such as battery failure) then the clock will revert. >> Normally >> > >> this sends you back to 1970 but I've seen more recent devices behave >> > >> differently. In your case it looks like the time zone is not being >> held >> > >> properly. >> > >> #2 is buggy software on the device that is resetting the time. Could >> be >> > a >> > >> y2k22 style bug ( hi microsoft! ) or something else that it hit. >> > >> #3 is the server. Since blocking the IP at the router prevents this >> > issue >> > >> then it might just be something stupid on their server end. >> > >> >> > >> IMO it's a combination of #2 and #3. This type of unexpected >> behavior is >> > >> not uncommon on E.T. devices since they *ALWAYS* phone home >> regardless >> > of >> > >> whether or not you set up an account. It's entirely possible that it >> > spent >> > >> the last 2 years dialing home for your timezone but in the past few >> > months >> > >> the server gave a different response. If you had a history of all web >> > >> traffic to those 3 addresses in the past year you could probably spot >> > the >> > >> change. Maybe they changed the default response to unregistered >> devices. >> > >> >> > >> It would be interesting to log the actual web traffic and see if you >> can >> > >> spot the data being returned. If you logged all traffic for the past >> > year >> > >> then you could correlate the time you saw the change with any >> changes in >> > >> server responses. >> > >> >> > >> -Ben >> > >> >> > >> >> > >> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >> > >> On Wednesday, January 5th, 2022 at 2:50 PM, Chuck Hast < >> > wch...@gmail.com> >> > >> wrote: >> > >> >> > >> The interesting thing is that I have had this unit for over >> > >> 2 years and it has never done this, it just started doing >> > >> it when I turned on the heat. I had shut the HVAC system >> > >> down in Sept because the weather did not warrant running >> > >> the system. All I did was set the system to OFF on the >> > >> thermostat. So it was all powered up. When I set it to HEAT >> > >> I got this funny time change thing. I tested with the A/C, as >> > >> we have had a nice warm autumn this year, and got the >> > >> same thing. So something happened between Sept and >> > >> Nov when I turned on the heat. The question is what? Did >> > >> the thermostat get hacked somehow, I have tried to do a >> > >> factory reset but that does not work either. And since these >> > >> people will not talk on the phone, I am pretty much running >> > >> out of patience. >> > >> >> > >> On Wed, Jan 5, 2022 at 4:38 PM Ben Koenig <techkoe...@protonmail.com >> > >> > >> wrote: >> > >> >> > >>> You also want to look at the URL sent as well. Since no other ports >> are >> > >>> open it's unlikely to be using any non-HTTP protocols. However if >> this >> > is a >> > >>> REST API of some sort then the addresses might be part of a load >> > balancing >> > >>> system and may be expecting data for authentication or other >> > information >> > >>> specific to your router. The address is just the server being asked >> for >> > >>> information, the full URL path is the question. >> > >>> >> > >>> What's probably happening is that your "unconfigured" device is >> dialing >> > >>> home to ask if it is associated with an account using a REST API. >> When >> > it >> > >>> gets a no from the server, it loads default settings and probably >> goes >> > >>> through this check on a regular schedule. I see this a lot with >> > >>> cloud-routers as well. Under the hood its openwrt and while they >> > function >> > >>> without the cloud account linked they tend to behave in unexpected >> > ways. >> > >>> >> > >>> -Ben >> > >>> >> > >>> >> > >>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >> > >>> On Wednesday, January 5th, 2022 at 2:19 PM, Chuck Hast < >> > wch...@gmail.com> >> > >>> wrote: >> > >>> >> > >>> That is interesting, yesterday I tried all of them and >> > >>> got no route, but doing as you did gave me what you >> > >>> got. I have got to fire up Wireshark and get the sniffer >> > >>> going on my router again and capture those packets >> > >>> to see what is going on, I know that what I saw was >> > >>> that the system was saying that there was no route >> > >>> available. Let me get the port that was associated >> > >>> with this connection attempts. >> > >>> >> > >>> >> > >>> On Wed, Jan 5, 2022 at 3:53 PM Ben Koenig < >> techkoe...@protonmail.com> >> > >>> wrote: >> > >>> >> > >>>> FWIW those are actually up and have ports 80/443 open for web >> access >> > >>>> according to a zenmap no-ping scan. >> > >>>> >> > >>>> Although accessing them via a browser is a pain. They are using >> > >>>> self-signed certs and appear to be part of their API infrastructure >> > since >> > >>>> simple requests via curl result in redirect http response codes so >> the >> > >>>> servers are up but it appears they want to limit traffic from most >> > sources. >> > >>>> >> > >>>> It would be kind of odd if they are using HTTP calls to sync the >> time. >> > >>>> Either way since you mentioned that you don't want to use their >> cloud >> > >>>> system they are probably safe to block. If you bypass SSL cert >> checks >> > then >> > >>>> 3.214.34.120 actually brings up a real website. >> > >>>> >> > >>>> -Ben >> > >>>> >> > >>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >> > >>>> >> > >>>> On Wednesday, January 5th, 2022 at 11:02 AM, Chuck Hast < >> > >>>> wch...@gmail.com> wrote: >> > >>>> >> > >>>> > Going to tear into it. Sorry state of affairs when you cannot >> > >>>> > >> > >>>> > trust the devices in your own home... >> > >>>> > >> > >>>> > On Wed, Jan 5, 2022 at 12:59 PM Russell Senior >> > >>>> russ...@personaltelco.net >> > >>>> > >> > >>>> > wrote: >> > >>>> > >> > >>>> > > The FCC internal photos (if I have the right device) suggest it >> > is a >> > >>>> > > >> > >>>> > > marvell SoC. The photos have a sticker over the chip, so I >> can't >> > >>>> identify >> > >>>> > > >> > >>>> > > it precisely. There is a largish 8-pin SOIC chip in one corner >> > that >> > >>>> looks >> > >>>> > > >> > >>>> > > like serial NOR flash. If you can get the part numbers of the >> SoC >> > >>>> and the >> > >>>> > > >> > >>>> > > flash, that would help. I don't see an obvious serial console >> in >> > the >> > >>>> > > >> > >>>> > > photos, but the photos are a bit blurry. >> > >>>> > > >> > >>>> > > On Wed, Jan 5, 2022, 10:46 Chuck Hast wch...@gmail.com wrote: >> > >>>> > > >> > >>>> > > > The radio is a separate module you can plug two of them >> > >>>> > > > >> > >>>> > > > in, a zigbee module and a WiFi module, there are some >> > >>>> > > > >> > >>>> > > > other ones also. I have the Wifi module. I will see which >> > >>>> > > > >> > >>>> > > > one of those it is. I will see how to remove the case from >> > >>>> > > > >> > >>>> > > > the thermostat board and see what is in there beside the >> > >>>> > > > >> > >>>> > > > screen. >> > >>>> > > > >> > >>>> > > > I am going to start a capture again and see what the port >> > >>>> > > > >> > >>>> > > > is, I thought I had saved the previous capture file but when >> > >>>> > > > >> > >>>> > > > I went to open it, could not find it. >> > >>>> > > > >> > >>>> > > > It is either checking different addresses until it finds some >> > >>>> > > > >> > >>>> > > > thing alive or one of those addresses is being activated. >> > >>>> > > > >> > >>>> > > > If I block the address in the router the time stays what I >> > >>>> > > > >> > >>>> > > > have set it to. >> > >>>> > > > >> > >>>> > > > On Tue, Jan 4, 2022 at 9:34 PM Russell Senior < >> > >>>> russ...@personaltelco.net >> > >>>> > > > >> > >>>> > > > wrote: >> > >>>> > > > >> > >>>> > > > > Maybe this? FCC ID: QO8-WIFI-M-0210 >> > >>>> > > > > >> > >>>> > > > > https://fccid.io/QO8-WIFI-M-0210 >> > >>>> > > > > >> > >>>> > > > > On Tue, Jan 4, 2022 at 7:16 PM Russell Senior < >> > >>>> > > > > >> > >>>> > > > > russ...@personaltelco.net >> > >>>> > > > >> > >>>> > > > > wrote: >> > >>>> > > > > >> > >>>> > > > > > Those addresses are all in AWS address space, according >> to >> > >>>> whois. As >> > >>>> > > > > > >> > >>>> > > > > > a >> > >>>> > > > >> > >>>> > > > > > previous commenter suggested, it might just be NTP. Did >> you >> > >>>> notice >> > >>>> > > > > > >> > >>>> > > > > > what port the communication was happening over? >> > >>>> > > > > > >> > >>>> > > > > > Have you considered popping the case and seeing if there >> is >> > a >> > >>>> serial >> > >>>> > > > > > >> > >>>> > > > > > console port on their wifi module? It's reasonably >> likely it >> > >>>> is >> > >>>> > > > > > >> > >>>> > > > > > running some ancient version of linux. Is there an >> FCC-ID on >> > >>>> the >> > >>>> > > > > > >> > >>>> > > > > > case? >> > >>>> > > > >> > >>>> > > > > > On Tue, Jan 4, 2022 at 6:49 PM Chuck Hast >> wch...@gmail.com >> > >>>> wrote: >> > >>>> > > > > > >> > >>>> > > > > > > Well folks, I was able to get wireshark on the >> thermostat. >> > >>>> I found >> > >>>> > > > > > > >> > >>>> > > > > > > that it is trying to contact these addresses: >> > >>>> > > > > > > >> > >>>> > > > > > > 54.209.187.172 >> > >>>> > > > > > > >> > >>>> > > > > > > 107.21.255.187 >> > >>>> > > > > > > >> > >>>> > > > > > > 3.214.34.120 >> > >>>> > > > > > > >> > >>>> > > > > > > Right now none are reachable. I am trying to figure out >> > why >> > >>>> this >> > >>>> > > > > > > >> > >>>> > > > > > > thermostat is trying to reach those addresses. >> > >>>> > > > > > > >> > >>>> > > > > > > When I do a whois, they come up as being hosted on >> > Amazon... >> > >>>> > > > > > > >> > >>>> > > > > > > I wonder if one of them comes awake every so often and >> the >> > >>>> > > > > > > >> > >>>> > > > > > > thermostat gets the connection and receives a TZ >> change... >> > >>>> So >> > >>>> > > > > > > >> > >>>> > > > > > > far I have not been able to catch it doing so. >> > >>>> > > > > > > >> > >>>> > > > > > > When I bought the unit I intentionally did NOT try to >> use >> > >>>> the >> > >>>> > > > > > > >> > >>>> > > > > > > cloud service, I have tried to get proper >> communications >> > >>>> with >> > >>>> > > > > > > >> > >>>> > > > > > > Radio Thermostat but so far only idiots... And they do >> not >> > >>>> have >> > >>>> > > > > > > >> > >>>> > > > > > > a published telephone number. >> > >>>> > > > > > > >> > >>>> > > > > > > On Tue, Jan 4, 2022 at 4:53 PM Chuck Hast >> > wch...@gmail.com >> > >>>> > > > > > > >> > >>>> > > > > > > wrote: >> > >>>> > > > >> > >>>> > > > > > > > More info, this was the reply I got from the >> > manufacturer >> > >>>> > > > >> > >>>> > > > >> > >>>> >> -----------------------SoF------------------------------------------ >> > >>>> > > > >> > >>>> > > > > > > > Radio Thermostat radiothermos...@tstatsupport.com >> > >>>> > > > > > > > >> > >>>> > > > > > > > 1:10 PM (3 hours ago) >> > >>>> > > > > > > > >> > >>>> > > > > > > > to Info, me >> > >>>> > > > > > > > >> > >>>> > > > > > > > Hi, >> > >>>> > > > > > > > >> > >>>> > > > > > > > If you are sure you have a WiFi module in the >> thermostat >> > >>>> Model - >> > >>>> > > > > > > > >> > >>>> > > > > > > > RTMV-01 >> > >>>> > > > > > >> > >>>> > > > > > > > Then check out the following to see and correct the >> time >> > >>>> zone so >> > >>>> > > > > > > > >> > >>>> > > > > > > > the >> > >>>> > > > > >> > >>>> > > > > > > > thermostat will have the correct time: >> > >>>> > > > > > > > >> > >>>> > > > > > > > How to change time zone >> > >>>> > > > > > > > >> > >>>> > > > > > > > First go to the web portal via a browser * >> > >>>> > > > > > > > >> > >>>> > > > > > > > https://my.radiothermostat.com/rtcoa/login.html >> > >>>> > > > > > >> > >>>> > > > > > > > https://my.radiothermostat.com/rtcoa/login.html* >> > >>>> > > > > > > > >> > >>>> > > > > > > > (Note you will need to use the desktop version of the >> > web >> > >>>> site) >> > >>>> > > > > > > > >> > >>>> > > > > > > > Then log in and go to the person (then select >> location) >> > >>>> > > > > > > > >> > >>>> > > > > > > > select the location you want and click edit >> > >>>> > > > > > > > >> > >>>> > > > > > > > Go to the pull down for time zone and select your >> time >> > >>>> zone >> > >>>> > > > > > > > >> > >>>> > > > > > > > Then click save >> > >>>> > > > > >> > >>>> > > > > >> > >>>> >> > -----------------------------------EoF--------------------------------- >> > >>>> > > > > >> > >>>> > > > > > > > This is exactly what I have tried to avoid, I never >> > >>>> registered >> > >>>> > > > > > > > >> > >>>> > > > > > > > the thermostat with their cloud. I have my personal >> > >>>> reasons >> > >>>> > > > > > > > >> > >>>> > > > > > > > for not wanting my devices on someone's cloud if I >> can >> > >>>> avoid >> > >>>> > > > > > > > >> > >>>> > > > > > > > it. in this case that is exactly what I have tried to >> > do. >> > >>>> > > > > > > > >> > >>>> > > > > > > > Now meantime, since the thermostat IP is static, I >> went >> > >>>> into >> > >>>> > > > > > > > >> > >>>> > > > > > > > the firewall and set up a rule to drop any packets >> > to/from >> > >>>> > > > > > > > >> > >>>> > > > > > > > the thermostat. No more time change, and I did that >> well >> > >>>> over >> > >>>> > > > > > > > >> > >>>> > > > > > > > and hour ago. I can still control the device on my >> LAN >> > >>>> just >> > >>>> > > > > > > > >> > >>>> > > > > > > > dropping whatever is trying to reach the thermostat. >> > >>>> > > > > > > > >> > >>>> > > > > > > > This brings up the question, of who/what is it? I >> never >> > >>>> > > > > > > > >> > >>>> > > > > > > > registered the device with their cloud, indeed I >> bought >> > >>>> > > > > > > > >> > >>>> > > > > > > > it because it was one of the thermostats that did not >> > >>>> > > > > > > > >> > >>>> > > > > > > > require you to use an outside network to access it, >> (I >> > am >> > >>>> > > > > > > > >> > >>>> > > > > > > > looking at you Honeywell, Nest and all of the rest of >> > the >> > >>>> > > > > > > > >> > >>>> > > > > > > > cloud only based devices). Now to see if I can get >> Wire >> > >>>> > > > > > > > >> > >>>> > > > > > > > shark on a part of the network that can see that >> device. >> > >>>> > > > > > > > >> > >>>> > > > > > > > Suspend the rule and try to catch the packet session. >> > >>>> > > > > > > > >> > >>>> > > > > > > > On Tue, Jan 4, 2022 at 9:41 AM Chuck Hast >> > >>>> wch...@gmail.com >> > >>>> > > > > > > > >> > >>>> > > > > > > > wrote: >> > >>>> > > > > >> > >>>> > > > > > > > > Sorry, should have, not there is not. But the >> > >>>> interesting thing >> > >>>> > > > > > > > > >> > >>>> > > > > > > > > is that as long as it cannot contact the network >> there >> > >>>> is no >> > >>>> > > > > > > > > >> > >>>> > > > > > > > > time change. I think I am going to go into the >> > firewall >> > >>>> and >> > >>>> > > > > > > > > >> > >>>> > > > > > > > > make it drop all packets to/from the device and see >> > what >> > >>>> > > > > > > > > >> > >>>> > > > > > > > > happens. If that takes care of it then maybe allow >> it >> > >>>> to talk >> > >>>> > > > > > > > > >> > >>>> > > > > > > > > on the LAN but drop anything going to/from it on >> the >> > WAN >> > >>>> > > > > > > > > >> > >>>> > > > > > > > > side. I would like to see what it is talking to. So >> > far >> > >>>> I have >> > >>>> > > > > > > > > >> > >>>> > > > > > > > > not been able to catch it. >> > >>>> > > > > > > > > >> > >>>> > > > > > > > > On Mon, Jan 3, 2022 at 11:00 PM Erik Lane >> > >>>> erikl...@gmail.com >> > >>>> > > > > > > > > >> > >>>> > > > > > > > > wrote: >> > >>>> > > > > > >> > >>>> > > > > > > > > > You don't mention this, but since it's always 2 >> > >>>> hours, is >> > >>>> > > > > > > > > > >> > >>>> > > > > > > > > > there a >> > >>>> > > > >> > >>>> > > > > time >> > >>>> > > > > >> > >>>> > > > > > > > > > zone >> > >>>> > > > > > > > > > >> > >>>> > > > > > > > > > setting in there that has gotten off? Maybe it's >> > >>>> talking to a >> > >>>> > > > > > > > > > >> > >>>> > > > > > > > > > NTP >> > >>>> > > > >> > >>>> > > > > server? >> > >>>> > > > > >> > >>>> > > > > > > > > > On Mon, Jan 3, 2022 at 8:49 PM Chuck Hast >> > >>>> wch...@gmail.com >> > >>>> > > > > > > > > > >> > >>>> > > > > > > > > > wrote: >> > >>>> > > > > > >> > >>>> > > > > > > > > > > Folks, >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > Not sure where to take this but figured that I >> > >>>> would get more >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > info here. >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > I have a RadioThermostat CT80. I have had it >> now >> > >>>> for several >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > years. As the summer wound down. I shut down >> the >> > >>>> A/C and >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > opened the windows in the house. Then in Nov I >> > >>>> needed to fire >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > up the heating, all appeared to be well, but I >> > >>>> noticed that >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > the >> > >>>> > > > >> > >>>> > > > > > > > > > > thermostat clock was 2 hours slow. I set it >> and a >> > >>>> while >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > later see that it has lost 2 hours again. >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > I have a home automation system. I checked the >> > >>>> logs, and >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > contacted the author. He has a CT50 which has >> > fewer >> > >>>> bells >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > and whistles than mine but same unit. Anyhow he >> > >>>> gave me >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > some guidance, in the end I shut down the HA >> > system >> > >>>> and it >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > still would drop the 2 hours, I powered the >> > >>>> thermostat down >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > and removed the WiFi radio, powered it back >> up, it >> > >>>> ran about >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > 4 hours (about 3 hours longer) and never >> dropped >> > >>>> the 2 hours. >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > Normally it will go between 20 minutes and an >> hour >> > >>>> after I >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > have set it to the correct time, then drop >> back to >> > >>>> the >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > incorrect >> > >>>> > > > > >> > >>>> > > > > > > > > > > time. So this appears to indicated that it is >> > either >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > something >> > >>>> > > > >> > >>>> > > > > > > > > > > on the network that is doing the time change or >> > >>>> something in >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > the WiFi radio. >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > I am trying to sniff the network and see if I >> can >> > >>>> catch any >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > weird packets. But this is one I have not done >> > >>>> before. >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > My router is a Mikrotik 2011, and I have been >> > >>>> trying to use >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > the tools on it to try to monitor the IP >> address >> > of >> > >>>> the >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > thermo- >> > >>>> > > > >> > >>>> > > > > > > > > > > stat and try to see if it is talking to >> something >> > >>>> else. So >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > far >> > >>>> > > > >> > >>>> > > > > > > > > > > no joy. >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > I am wondering about getting wire shark in >> there >> > >>>> and trying >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > to filter those packets that way as I am not >> > having >> > >>>> much luck >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > with the Mikrotik tools >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > Any recommendations? >> > >>>> > > > > > > > > > > -------------------- >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > Chuck Hast -- KP4DJT -- >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > I can do all things through Christ which >> > >>>> strengtheneth me. >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > Ph 4:13 KJV >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > Todo lo puedo en Cristo que me fortalece. >> > >>>> > > > > > > > > > > >> > >>>> > > > > > > > > > > Fil 4:13 RVR1960 >> > >>>> > > > > > > > > >> > >>>> > > > > > > > > -- >> > >>>> > > > > > > > > >> > >>>> > > > > > > > > Chuck Hast -- KP4DJT -- >> > >>>> > > > > > > > > >> > >>>> > > > > > > > > I can do all things through Christ which >> strengtheneth >> > >>>> me. >> > >>>> > > > > > > > > >> > >>>> > > > > > > > > Ph 4:13 KJV >> > >>>> > > > > > > > > >> > >>>> > > > > > > > > Todo lo puedo en Cristo que me fortalece. >> > >>>> > > > > > > > > >> > >>>> > > > > > > > > Fil 4:13 RVR1960 >> > >>>> > > > > > > > >> > >>>> > > > > > > > -- >> > >>>> > > > > > > > >> > >>>> > > > > > > > Chuck Hast -- KP4DJT -- >> > >>>> > > > > > > > >> > >>>> > > > > > > > I can do all things through Christ which >> strengtheneth >> > me. >> > >>>> > > > > > > > >> > >>>> > > > > > > > Ph 4:13 KJV >> > >>>> > > > > > > > >> > >>>> > > > > > > > Todo lo puedo en Cristo que me fortalece. >> > >>>> > > > > > > > >> > >>>> > > > > > > > Fil 4:13 RVR1960 >> > >>>> > > > > > > >> > >>>> > > > > > > -- >> > >>>> > > > > > > >> > >>>> > > > > > > Chuck Hast -- KP4DJT -- >> > >>>> > > > > > > >> > >>>> > > > > > > I can do all things through Christ which strengtheneth >> me. >> > >>>> > > > > > > >> > >>>> > > > > > > Ph 4:13 KJV >> > >>>> > > > > > > >> > >>>> > > > > > > Todo lo puedo en Cristo que me fortalece. >> > >>>> > > > > > > >> > >>>> > > > > > > Fil 4:13 RVR1960 >> > >>>> > > > >> > >>>> > > > -- >> > >>>> > > > >> > >>>> > > > Chuck Hast -- KP4DJT -- >> > >>>> > > > >> > >>>> > > > I can do all things through Christ which strengtheneth me. >> > >>>> > > > >> > >>>> > > > Ph 4:13 KJV >> > >>>> > > > >> > >>>> > > > Todo lo puedo en Cristo que me fortalece. >> > >>>> > > > >> > >>>> > > > Fil 4:13 RVR1960 >> > >>>> > >> > >>>> > -- >> > >>>> > >> > >>>> > Chuck Hast -- KP4DJT -- >> > >>>> > >> > >>>> > I can do all things through Christ which strengtheneth me. >> > >>>> > >> > >>>> > Ph 4:13 KJV >> > >>>> > >> > >>>> > Todo lo puedo en Cristo que me fortalece. >> > >>>> > >> > >>>> > Fil 4:13 RVR1960 >> > >>>> >> > >>> >> > >>> >> > >>> -- >> > >>> >> > >>> Chuck Hast -- KP4DJT -- >> > >>> I can do all things through Christ which strengtheneth me. >> > >>> Ph 4:13 KJV >> > >>> Todo lo puedo en Cristo que me fortalece. >> > >>> Fil 4:13 RVR1960 >> > >>> >> > >>> >> > >>> >> > >> >> > >> -- >> > >> >> > >> Chuck Hast -- KP4DJT -- >> > >> I can do all things through Christ which strengtheneth me. >> > >> Ph 4:13 KJV >> > >> Todo lo puedo en Cristo que me fortalece. >> > >> Fil 4:13 RVR1960 >> > >> >> > >> >> > >> >> > > >> > > -- >> > > >> > > Chuck Hast -- KP4DJT -- >> > > I can do all things through Christ which strengtheneth me. >> > > Ph 4:13 KJV >> > > Todo lo puedo en Cristo que me fortalece. >> > > Fil 4:13 RVR1960 >> > > >> > > >> > >> > -- >> > >> > Chuck Hast -- KP4DJT -- >> > I can do all things through Christ which strengtheneth me. >> > Ph 4:13 KJV >> > Todo lo puedo en Cristo que me fortalece. >> > Fil 4:13 RVR1960 >> > >> > > > -- > > Chuck Hast -- KP4DJT -- > I can do all things through Christ which strengtheneth me. > Ph 4:13 KJV > Todo lo puedo en Cristo que me fortalece. > Fil 4:13 RVR1960 > > -- Chuck Hast -- KP4DJT -- I can do all things through Christ which strengtheneth me. Ph 4:13 KJV Todo lo puedo en Cristo que me fortalece. Fil 4:13 RVR1960
