Well I had to go in and change some directory settings, still not sure what happened. But was able to save the file.
On Sun, Jan 9, 2022 at 5:27 PM Chuck Hast <[email protected]> wrote: > Folks, I have a great transaction capture on Wireshark, > when I went to save it I get a bitch screen that says > You don't have permission to create or write to the file: > test.pcapng > > Funny thing is I have been doing these captures now > for several days, but this was the best one. I just am > not sure why this is happening. I started Wireshark with > elevated access, and I have not stopped it since I saved > the last file. Never seen this before. I have seen it when > something did not get started with a needed permission > level but never seen something change without shutting > it down and restarting. > > > On Thu, Jan 6, 2022 at 10:58 AM Chuck Hast <[email protected]> wrote: > >> I have a batch of Chinese security cameras, one day I was >> sniffing my LAN and saw these packets that should not have >> been there, started tracing them down and they were coming >> from the cameras, they were trying to connect to 4 chinese >> web sites and AWS. The now are on an island network which >> routes to nowhere and the only other thing on there is the port >> that sends all of the camera data to ZoneMinder. Crazy cameras >> were trying to call home constantly. I cleaned some of it up by >> giving them all static IP's and getting rid of any DNS info. Some >> of them still try but a lot less. >> >> That was before I started seeing comments on line about the >> cameras doing the "call home" thing. >> >> >> On Wed, Jan 5, 2022 at 11:56 PM Tomas Kuchta < >> [email protected]> wrote: >> >>> Like with all other "smart things" you are the product, that thing is >>> just >>> the bait to connect to you .... I had the same thing with environment >>> sensors this summer. I returned them and got bunch of half price 433MHz >>> sensors + SDR to receive their signals. >>> >>> There are still 433MHz remote controlled relays + $5-$10 transmitters to >>> turn them on/off if you do not want to use SBC or Arduino. >>> >>> What sorry state of affairs, these things could be supper useful, only if >>> the would hot call home. >>> >>> -T >>> >>> On Thu, Jan 6, 2022, 00:00 Chuck Hast <[email protected]> wrote: >>> >>> > Well folks here is the capture. This is when the device does the >>> > time change. >>> > >>> -------------------------SoF---------------------------------------------- >>> > No. Time Source Destination Protocol Length Info >>> > 1416 6995.707153289 192.168.7.45 192.168.7.1 DNS 129 >>> > Standard query 0x011d A my.radiothermostat.com >>> > 1417 6995.743011679 192.168.7.1 192.168.7.45 DNS 283 >>> > Standard query response 0x011d A my.radiothermostat.com CNAME >>> > rtcoa-load-balancer.energyhub.net CNAME >>> > prod-ext-2-397343966.us-east-1.elb.amazonaws.com A 3.214.34.120 A >>> > 54.209.187.172 A 107.21.255.187 >>> > 1418 6995.744228645 192.168.7.45 107.21.255.187 TCP 125 >>> > 35222 → 80 [SYN] Seq=0 Win=2896 Len=0 MSS=1460 WS=1 SACK_PERM=1 >>> > TSval=23065200 TSecr=0 >>> > 1419 6995.795424653 107.21.255.187 192.168.7.45 TCP 121 >>> 80 >>> > → 35222 [SYN, ACK] Seq=0 Ack=1 Win=26847 Len=0 MSS=1460 SACK_PERM=1 >>> > TSval=1316753308 TSecr=23065200 WS=256 >>> > 1420 6995.796759302 192.168.7.45 107.21.255.187 TCP 113 >>> > 35222 → 80 [ACK] Seq=1 Ack=1 Win=2896 Len=0 TSval=23065200 >>> TSecr=1316753308 >>> > 1421 6995.797280360 192.168.7.45 107.21.255.187 TCP 204 >>> > 35222 → 80 [PSH, ACK] Seq=1 Ack=1 Win=2896 Len=91 TSval=23065200 >>> > TSecr=1316753308 [TCP segment of a reassembled PDU] >>> > 1422 6995.851194008 107.21.255.187 192.168.7.45 TCP 113 >>> 80 >>> > → 35222 [ACK] Seq=1 Ack=92 Win=26880 Len=0 TSval=1316753363 >>> TSecr=23065200 >>> > 1423 6995.853333530 192.168.7.45 107.21.255.187 HTTP 579 >>> > POST /filtrete/rest/rtcoa HTTP/1.1 >>> > 1424 6995.905205495 107.21.255.187 192.168.7.45 TCP 113 >>> 80 >>> > → 35222 [ACK] Seq=1 Ack=558 Win=28160 Len=0 TSval=1316753417 >>> TSecr=23065300 >>> > 1425 6995.912865908 107.21.255.187 192.168.7.45 HTTP 585 >>> > HTTP/1.1 200 200 >>> > 1426 6995.935820827 192.168.7.45 107.21.255.187 TCP 113 >>> > 35222 → 80 [FIN, PSH, ACK] Seq=558 Ack=473 Win=2424 Len=0 >>> TSval=23065300 >>> > TSecr=1316753424 >>> > 1427 6995.986668924 107.21.255.187 192.168.7.45 TCP 113 >>> 80 >>> > → 35222 [FIN, ACK] Seq=473 Ack=559 Win=28160 Len=0 TSval=1316753499 >>> > TSecr=23065300 >>> > >>> > >>> ------------------------EoF----------------------------------------------------- >>> > It is during this transaction that the time change takes place. >>> > I never signed up for their cloud service. This took place betwen >>> > Sept when I turned off the A/C and Nov when I turned on the >>> > heat. Thermostat was on all of the time. And as far as I know it >>> > was talking to the local HA server. >>> > >>> > >>> > >>> > >>> > >>> > >>> > On Wed, Jan 5, 2022 at 6:56 PM Chuck Hast <[email protected]> wrote: >>> > >>> > > I am going to start the logging I tested yesterday back up. >>> > > I had enabled packet sniffing streaming to a remote server >>> > > (Wireshark on another machine) so I had it running indeed >>> > > I thought I had saved that file but when I went to look at it >>> > > this a.m. somehow I sent it down the bit toilet... Ohh well it >>> > > is just bits, be a good exercise to get it going again. I need >>> > > to trace things every once in a while knowing how to get >>> > > the bit stream out of the router to wireshark can be very >>> > > handy (I am looking these chinese cameras that call home) >>> > > >>> > > Now if I can get the manufacturer to do more than respond >>> > > with scripted replies... >>> > > >>> > > >>> > > On Wed, Jan 5, 2022 at 6:17 PM Ben Koenig <[email protected] >>> > >>> > > wrote: >>> > > >>> > >> Whoops looks like I hit the wrong reply button and moved this off >>> the >>> > >> PLUG list. >>> > >> >>> > >> In my experience time sync issues are generally always the result >>> of one >>> > >> of 3 different root causes. For embedded devices its often simpler >>> since >>> > >> you have no control over the software, it just does whatever it was >>> > coded >>> > >> to do. >>> > >> >>> > >> #1 is the CMOS battery. If the firmware isn't holding on to certain >>> > >> settings (such as battery failure) then the clock will revert. >>> Normally >>> > >> this sends you back to 1970 but I've seen more recent devices behave >>> > >> differently. In your case it looks like the time zone is not being >>> held >>> > >> properly. >>> > >> #2 is buggy software on the device that is resetting the time. >>> Could be >>> > a >>> > >> y2k22 style bug ( hi microsoft! ) or something else that it hit. >>> > >> #3 is the server. Since blocking the IP at the router prevents this >>> > issue >>> > >> then it might just be something stupid on their server end. >>> > >> >>> > >> IMO it's a combination of #2 and #3. This type of unexpected >>> behavior is >>> > >> not uncommon on E.T. devices since they *ALWAYS* phone home >>> regardless >>> > of >>> > >> whether or not you set up an account. It's entirely possible that it >>> > spent >>> > >> the last 2 years dialing home for your timezone but in the past few >>> > months >>> > >> the server gave a different response. If you had a history of all >>> web >>> > >> traffic to those 3 addresses in the past year you could probably >>> spot >>> > the >>> > >> change. Maybe they changed the default response to unregistered >>> devices. >>> > >> >>> > >> It would be interesting to log the actual web traffic and see if >>> you can >>> > >> spot the data being returned. If you logged all traffic for the past >>> > year >>> > >> then you could correlate the time you saw the change with any >>> changes in >>> > >> server responses. >>> > >> >>> > >> -Ben >>> > >> >>> > >> >>> > >> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >>> > >> On Wednesday, January 5th, 2022 at 2:50 PM, Chuck Hast < >>> > [email protected]> >>> > >> wrote: >>> > >> >>> > >> The interesting thing is that I have had this unit for over >>> > >> 2 years and it has never done this, it just started doing >>> > >> it when I turned on the heat. I had shut the HVAC system >>> > >> down in Sept because the weather did not warrant running >>> > >> the system. All I did was set the system to OFF on the >>> > >> thermostat. So it was all powered up. When I set it to HEAT >>> > >> I got this funny time change thing. I tested with the A/C, as >>> > >> we have had a nice warm autumn this year, and got the >>> > >> same thing. So something happened between Sept and >>> > >> Nov when I turned on the heat. The question is what? Did >>> > >> the thermostat get hacked somehow, I have tried to do a >>> > >> factory reset but that does not work either. And since these >>> > >> people will not talk on the phone, I am pretty much running >>> > >> out of patience. >>> > >> >>> > >> On Wed, Jan 5, 2022 at 4:38 PM Ben Koenig < >>> [email protected]> >>> > >> wrote: >>> > >> >>> > >>> You also want to look at the URL sent as well. Since no other >>> ports are >>> > >>> open it's unlikely to be using any non-HTTP protocols. However if >>> this >>> > is a >>> > >>> REST API of some sort then the addresses might be part of a load >>> > balancing >>> > >>> system and may be expecting data for authentication or other >>> > information >>> > >>> specific to your router. The address is just the server being >>> asked for >>> > >>> information, the full URL path is the question. >>> > >>> >>> > >>> What's probably happening is that your "unconfigured" device is >>> dialing >>> > >>> home to ask if it is associated with an account using a REST API. >>> When >>> > it >>> > >>> gets a no from the server, it loads default settings and probably >>> goes >>> > >>> through this check on a regular schedule. I see this a lot with >>> > >>> cloud-routers as well. Under the hood its openwrt and while they >>> > function >>> > >>> without the cloud account linked they tend to behave in unexpected >>> > ways. >>> > >>> >>> > >>> -Ben >>> > >>> >>> > >>> >>> > >>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >>> > >>> On Wednesday, January 5th, 2022 at 2:19 PM, Chuck Hast < >>> > [email protected]> >>> > >>> wrote: >>> > >>> >>> > >>> That is interesting, yesterday I tried all of them and >>> > >>> got no route, but doing as you did gave me what you >>> > >>> got. I have got to fire up Wireshark and get the sniffer >>> > >>> going on my router again and capture those packets >>> > >>> to see what is going on, I know that what I saw was >>> > >>> that the system was saying that there was no route >>> > >>> available. Let me get the port that was associated >>> > >>> with this connection attempts. >>> > >>> >>> > >>> >>> > >>> On Wed, Jan 5, 2022 at 3:53 PM Ben Koenig < >>> [email protected]> >>> > >>> wrote: >>> > >>> >>> > >>>> FWIW those are actually up and have ports 80/443 open for web >>> access >>> > >>>> according to a zenmap no-ping scan. >>> > >>>> >>> > >>>> Although accessing them via a browser is a pain. They are using >>> > >>>> self-signed certs and appear to be part of their API >>> infrastructure >>> > since >>> > >>>> simple requests via curl result in redirect http response codes >>> so the >>> > >>>> servers are up but it appears they want to limit traffic from most >>> > sources. >>> > >>>> >>> > >>>> It would be kind of odd if they are using HTTP calls to sync the >>> time. >>> > >>>> Either way since you mentioned that you don't want to use their >>> cloud >>> > >>>> system they are probably safe to block. If you bypass SSL cert >>> checks >>> > then >>> > >>>> 3.214.34.120 actually brings up a real website. >>> > >>>> >>> > >>>> -Ben >>> > >>>> >>> > >>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >>> > >>>> >>> > >>>> On Wednesday, January 5th, 2022 at 11:02 AM, Chuck Hast < >>> > >>>> [email protected]> wrote: >>> > >>>> >>> > >>>> > Going to tear into it. Sorry state of affairs when you cannot >>> > >>>> > >>> > >>>> > trust the devices in your own home... >>> > >>>> > >>> > >>>> > On Wed, Jan 5, 2022 at 12:59 PM Russell Senior >>> > >>>> [email protected] >>> > >>>> > >>> > >>>> > wrote: >>> > >>>> > >>> > >>>> > > The FCC internal photos (if I have the right device) suggest >>> it >>> > is a >>> > >>>> > > >>> > >>>> > > marvell SoC. The photos have a sticker over the chip, so I >>> can't >>> > >>>> identify >>> > >>>> > > >>> > >>>> > > it precisely. There is a largish 8-pin SOIC chip in one corner >>> > that >>> > >>>> looks >>> > >>>> > > >>> > >>>> > > like serial NOR flash. If you can get the part numbers of the >>> SoC >>> > >>>> and the >>> > >>>> > > >>> > >>>> > > flash, that would help. I don't see an obvious serial console >>> in >>> > the >>> > >>>> > > >>> > >>>> > > photos, but the photos are a bit blurry. >>> > >>>> > > >>> > >>>> > > On Wed, Jan 5, 2022, 10:46 Chuck Hast [email protected] wrote: >>> > >>>> > > >>> > >>>> > > > The radio is a separate module you can plug two of them >>> > >>>> > > > >>> > >>>> > > > in, a zigbee module and a WiFi module, there are some >>> > >>>> > > > >>> > >>>> > > > other ones also. I have the Wifi module. I will see which >>> > >>>> > > > >>> > >>>> > > > one of those it is. I will see how to remove the case from >>> > >>>> > > > >>> > >>>> > > > the thermostat board and see what is in there beside the >>> > >>>> > > > >>> > >>>> > > > screen. >>> > >>>> > > > >>> > >>>> > > > I am going to start a capture again and see what the port >>> > >>>> > > > >>> > >>>> > > > is, I thought I had saved the previous capture file but when >>> > >>>> > > > >>> > >>>> > > > I went to open it, could not find it. >>> > >>>> > > > >>> > >>>> > > > It is either checking different addresses until it finds >>> some >>> > >>>> > > > >>> > >>>> > > > thing alive or one of those addresses is being activated. >>> > >>>> > > > >>> > >>>> > > > If I block the address in the router the time stays what I >>> > >>>> > > > >>> > >>>> > > > have set it to. >>> > >>>> > > > >>> > >>>> > > > On Tue, Jan 4, 2022 at 9:34 PM Russell Senior < >>> > >>>> [email protected] >>> > >>>> > > > >>> > >>>> > > > wrote: >>> > >>>> > > > >>> > >>>> > > > > Maybe this? FCC ID: QO8-WIFI-M-0210 >>> > >>>> > > > > >>> > >>>> > > > > https://fccid.io/QO8-WIFI-M-0210 >>> > >>>> > > > > >>> > >>>> > > > > On Tue, Jan 4, 2022 at 7:16 PM Russell Senior < >>> > >>>> > > > > >>> > >>>> > > > > [email protected] >>> > >>>> > > > >>> > >>>> > > > > wrote: >>> > >>>> > > > > >>> > >>>> > > > > > Those addresses are all in AWS address space, according >>> to >>> > >>>> whois. As >>> > >>>> > > > > > >>> > >>>> > > > > > a >>> > >>>> > > > >>> > >>>> > > > > > previous commenter suggested, it might just be NTP. Did >>> you >>> > >>>> notice >>> > >>>> > > > > > >>> > >>>> > > > > > what port the communication was happening over? >>> > >>>> > > > > > >>> > >>>> > > > > > Have you considered popping the case and seeing if >>> there is >>> > a >>> > >>>> serial >>> > >>>> > > > > > >>> > >>>> > > > > > console port on their wifi module? It's reasonably >>> likely it >>> > >>>> is >>> > >>>> > > > > > >>> > >>>> > > > > > running some ancient version of linux. Is there an >>> FCC-ID on >>> > >>>> the >>> > >>>> > > > > > >>> > >>>> > > > > > case? >>> > >>>> > > > >>> > >>>> > > > > > On Tue, Jan 4, 2022 at 6:49 PM Chuck Hast >>> [email protected] >>> > >>>> wrote: >>> > >>>> > > > > > >>> > >>>> > > > > > > Well folks, I was able to get wireshark on the >>> thermostat. >>> > >>>> I found >>> > >>>> > > > > > > >>> > >>>> > > > > > > that it is trying to contact these addresses: >>> > >>>> > > > > > > >>> > >>>> > > > > > > 54.209.187.172 >>> > >>>> > > > > > > >>> > >>>> > > > > > > 107.21.255.187 >>> > >>>> > > > > > > >>> > >>>> > > > > > > 3.214.34.120 >>> > >>>> > > > > > > >>> > >>>> > > > > > > Right now none are reachable. I am trying to figure >>> out >>> > why >>> > >>>> this >>> > >>>> > > > > > > >>> > >>>> > > > > > > thermostat is trying to reach those addresses. >>> > >>>> > > > > > > >>> > >>>> > > > > > > When I do a whois, they come up as being hosted on >>> > Amazon... >>> > >>>> > > > > > > >>> > >>>> > > > > > > I wonder if one of them comes awake every so often >>> and the >>> > >>>> > > > > > > >>> > >>>> > > > > > > thermostat gets the connection and receives a TZ >>> change... >>> > >>>> So >>> > >>>> > > > > > > >>> > >>>> > > > > > > far I have not been able to catch it doing so. >>> > >>>> > > > > > > >>> > >>>> > > > > > > When I bought the unit I intentionally did NOT try to >>> use >>> > >>>> the >>> > >>>> > > > > > > >>> > >>>> > > > > > > cloud service, I have tried to get proper >>> communications >>> > >>>> with >>> > >>>> > > > > > > >>> > >>>> > > > > > > Radio Thermostat but so far only idiots... And they >>> do not >>> > >>>> have >>> > >>>> > > > > > > >>> > >>>> > > > > > > a published telephone number. >>> > >>>> > > > > > > >>> > >>>> > > > > > > On Tue, Jan 4, 2022 at 4:53 PM Chuck Hast >>> > [email protected] >>> > >>>> > > > > > > >>> > >>>> > > > > > > wrote: >>> > >>>> > > > >>> > >>>> > > > > > > > More info, this was the reply I got from the >>> > manufacturer >>> > >>>> > > > >>> > >>>> > > > >>> > >>>> >>> -----------------------SoF------------------------------------------ >>> > >>>> > > > >>> > >>>> > > > > > > > Radio Thermostat [email protected] >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > 1:10 PM (3 hours ago) >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > to Info, me >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > Hi, >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > If you are sure you have a WiFi module in the >>> thermostat >>> > >>>> Model - >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > RTMV-01 >>> > >>>> > > > > > >>> > >>>> > > > > > > > Then check out the following to see and correct the >>> time >>> > >>>> zone so >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > the >>> > >>>> > > > > >>> > >>>> > > > > > > > thermostat will have the correct time: >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > How to change time zone >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > First go to the web portal via a browser * >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > https://my.radiothermostat.com/rtcoa/login.html >>> > >>>> > > > > > >>> > >>>> > > > > > > > https://my.radiothermostat.com/rtcoa/login.html* >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > (Note you will need to use the desktop version of >>> the >>> > web >>> > >>>> site) >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > Then log in and go to the person (then select >>> location) >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > select the location you want and click edit >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > Go to the pull down for time zone and select your >>> time >>> > >>>> zone >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > Then click save >>> > >>>> > > > > >>> > >>>> > > > > >>> > >>>> >>> > -----------------------------------EoF--------------------------------- >>> > >>>> > > > > >>> > >>>> > > > > > > > This is exactly what I have tried to avoid, I never >>> > >>>> registered >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > the thermostat with their cloud. I have my personal >>> > >>>> reasons >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > for not wanting my devices on someone's cloud if I >>> can >>> > >>>> avoid >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > it. in this case that is exactly what I have tried >>> to >>> > do. >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > Now meantime, since the thermostat IP is static, I >>> went >>> > >>>> into >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > the firewall and set up a rule to drop any packets >>> > to/from >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > the thermostat. No more time change, and I did that >>> well >>> > >>>> over >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > and hour ago. I can still control the device on my >>> LAN >>> > >>>> just >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > dropping whatever is trying to reach the thermostat. >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > This brings up the question, of who/what is it? I >>> never >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > registered the device with their cloud, indeed I >>> bought >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > it because it was one of the thermostats that did >>> not >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > require you to use an outside network to access it, >>> (I >>> > am >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > looking at you Honeywell, Nest and all of the rest >>> of >>> > the >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > cloud only based devices). Now to see if I can get >>> Wire >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > shark on a part of the network that can see that >>> device. >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > Suspend the rule and try to catch the packet >>> session. >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > On Tue, Jan 4, 2022 at 9:41 AM Chuck Hast >>> > >>>> [email protected] >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > wrote: >>> > >>>> > > > > >>> > >>>> > > > > > > > > Sorry, should have, not there is not. But the >>> > >>>> interesting thing >>> > >>>> > > > > > > > > >>> > >>>> > > > > > > > > is that as long as it cannot contact the network >>> there >>> > >>>> is no >>> > >>>> > > > > > > > > >>> > >>>> > > > > > > > > time change. I think I am going to go into the >>> > firewall >>> > >>>> and >>> > >>>> > > > > > > > > >>> > >>>> > > > > > > > > make it drop all packets to/from the device and >>> see >>> > what >>> > >>>> > > > > > > > > >>> > >>>> > > > > > > > > happens. If that takes care of it then maybe >>> allow it >>> > >>>> to talk >>> > >>>> > > > > > > > > >>> > >>>> > > > > > > > > on the LAN but drop anything going to/from it on >>> the >>> > WAN >>> > >>>> > > > > > > > > >>> > >>>> > > > > > > > > side. I would like to see what it is talking to. >>> So >>> > far >>> > >>>> I have >>> > >>>> > > > > > > > > >>> > >>>> > > > > > > > > not been able to catch it. >>> > >>>> > > > > > > > > >>> > >>>> > > > > > > > > On Mon, Jan 3, 2022 at 11:00 PM Erik Lane >>> > >>>> [email protected] >>> > >>>> > > > > > > > > >>> > >>>> > > > > > > > > wrote: >>> > >>>> > > > > > >>> > >>>> > > > > > > > > > You don't mention this, but since it's always 2 >>> > >>>> hours, is >>> > >>>> > > > > > > > > > >>> > >>>> > > > > > > > > > there a >>> > >>>> > > > >>> > >>>> > > > > time >>> > >>>> > > > > >>> > >>>> > > > > > > > > > zone >>> > >>>> > > > > > > > > > >>> > >>>> > > > > > > > > > setting in there that has gotten off? Maybe it's >>> > >>>> talking to a >>> > >>>> > > > > > > > > > >>> > >>>> > > > > > > > > > NTP >>> > >>>> > > > >>> > >>>> > > > > server? >>> > >>>> > > > > >>> > >>>> > > > > > > > > > On Mon, Jan 3, 2022 at 8:49 PM Chuck Hast >>> > >>>> [email protected] >>> > >>>> > > > > > > > > > >>> > >>>> > > > > > > > > > wrote: >>> > >>>> > > > > > >>> > >>>> > > > > > > > > > > Folks, >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > Not sure where to take this but figured that I >>> > >>>> would get more >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > info here. >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > I have a RadioThermostat CT80. I have had it >>> now >>> > >>>> for several >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > years. As the summer wound down. I shut down >>> the >>> > >>>> A/C and >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > opened the windows in the house. Then in Nov I >>> > >>>> needed to fire >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > up the heating, all appeared to be well, but I >>> > >>>> noticed that >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > the >>> > >>>> > > > >>> > >>>> > > > > > > > > > > thermostat clock was 2 hours slow. I set it >>> and a >>> > >>>> while >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > later see that it has lost 2 hours again. >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > I have a home automation system. I checked the >>> > >>>> logs, and >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > contacted the author. He has a CT50 which has >>> > fewer >>> > >>>> bells >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > and whistles than mine but same unit. Anyhow >>> he >>> > >>>> gave me >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > some guidance, in the end I shut down the HA >>> > system >>> > >>>> and it >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > still would drop the 2 hours, I powered the >>> > >>>> thermostat down >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > and removed the WiFi radio, powered it back >>> up, it >>> > >>>> ran about >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > 4 hours (about 3 hours longer) and never >>> dropped >>> > >>>> the 2 hours. >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > Normally it will go between 20 minutes and an >>> hour >>> > >>>> after I >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > have set it to the correct time, then drop >>> back to >>> > >>>> the >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > incorrect >>> > >>>> > > > > >>> > >>>> > > > > > > > > > > time. So this appears to indicated that it is >>> > either >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > something >>> > >>>> > > > >>> > >>>> > > > > > > > > > > on the network that is doing the time change >>> or >>> > >>>> something in >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > the WiFi radio. >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > I am trying to sniff the network and see if I >>> can >>> > >>>> catch any >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > weird packets. But this is one I have not done >>> > >>>> before. >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > My router is a Mikrotik 2011, and I have been >>> > >>>> trying to use >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > the tools on it to try to monitor the IP >>> address >>> > of >>> > >>>> the >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > thermo- >>> > >>>> > > > >>> > >>>> > > > > > > > > > > stat and try to see if it is talking to >>> something >>> > >>>> else. So >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > far >>> > >>>> > > > >>> > >>>> > > > > > > > > > > no joy. >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > I am wondering about getting wire shark in >>> there >>> > >>>> and trying >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > to filter those packets that way as I am not >>> > having >>> > >>>> much luck >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > with the Mikrotik tools >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > Any recommendations? >>> > >>>> > > > > > > > > > > -------------------- >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > Chuck Hast -- KP4DJT -- >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > I can do all things through Christ which >>> > >>>> strengtheneth me. >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > Ph 4:13 KJV >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > Todo lo puedo en Cristo que me fortalece. >>> > >>>> > > > > > > > > > > >>> > >>>> > > > > > > > > > > Fil 4:13 RVR1960 >>> > >>>> > > > > > > > > >>> > >>>> > > > > > > > > -- >>> > >>>> > > > > > > > > >>> > >>>> > > > > > > > > Chuck Hast -- KP4DJT -- >>> > >>>> > > > > > > > > >>> > >>>> > > > > > > > > I can do all things through Christ which >>> strengtheneth >>> > >>>> me. >>> > >>>> > > > > > > > > >>> > >>>> > > > > > > > > Ph 4:13 KJV >>> > >>>> > > > > > > > > >>> > >>>> > > > > > > > > Todo lo puedo en Cristo que me fortalece. >>> > >>>> > > > > > > > > >>> > >>>> > > > > > > > > Fil 4:13 RVR1960 >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > -- >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > Chuck Hast -- KP4DJT -- >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > I can do all things through Christ which >>> strengtheneth >>> > me. >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > Ph 4:13 KJV >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > Todo lo puedo en Cristo que me fortalece. >>> > >>>> > > > > > > > >>> > >>>> > > > > > > > Fil 4:13 RVR1960 >>> > >>>> > > > > > > >>> > >>>> > > > > > > -- >>> > >>>> > > > > > > >>> > >>>> > > > > > > Chuck Hast -- KP4DJT -- >>> > >>>> > > > > > > >>> > >>>> > > > > > > I can do all things through Christ which >>> strengtheneth me. >>> > >>>> > > > > > > >>> > >>>> > > > > > > Ph 4:13 KJV >>> > >>>> > > > > > > >>> > >>>> > > > > > > Todo lo puedo en Cristo que me fortalece. >>> > >>>> > > > > > > >>> > >>>> > > > > > > Fil 4:13 RVR1960 >>> > >>>> > > > >>> > >>>> > > > -- >>> > >>>> > > > >>> > >>>> > > > Chuck Hast -- KP4DJT -- >>> > >>>> > > > >>> > >>>> > > > I can do all things through Christ which strengtheneth me. >>> > >>>> > > > >>> > >>>> > > > Ph 4:13 KJV >>> > >>>> > > > >>> > >>>> > > > Todo lo puedo en Cristo que me fortalece. >>> > >>>> > > > >>> > >>>> > > > Fil 4:13 RVR1960 >>> > >>>> > >>> > >>>> > -- >>> > >>>> > >>> > >>>> > Chuck Hast -- KP4DJT -- >>> > >>>> > >>> > >>>> > I can do all things through Christ which strengtheneth me. >>> > >>>> > >>> > >>>> > Ph 4:13 KJV >>> > >>>> > >>> > >>>> > Todo lo puedo en Cristo que me fortalece. >>> > >>>> > >>> > >>>> > Fil 4:13 RVR1960 >>> > >>>> >>> > >>> >>> > >>> >>> > >>> -- >>> > >>> >>> > >>> Chuck Hast -- KP4DJT -- >>> > >>> I can do all things through Christ which strengtheneth me. >>> > >>> Ph 4:13 KJV >>> > >>> Todo lo puedo en Cristo que me fortalece. >>> > >>> Fil 4:13 RVR1960 >>> > >>> >>> > >>> >>> > >>> >>> > >> >>> > >> -- >>> > >> >>> > >> Chuck Hast -- KP4DJT -- >>> > >> I can do all things through Christ which strengtheneth me. >>> > >> Ph 4:13 KJV >>> > >> Todo lo puedo en Cristo que me fortalece. >>> > >> Fil 4:13 RVR1960 >>> > >> >>> > >> >>> > >> >>> > > >>> > > -- >>> > > >>> > > Chuck Hast -- KP4DJT -- >>> > > I can do all things through Christ which strengtheneth me. >>> > > Ph 4:13 KJV >>> > > Todo lo puedo en Cristo que me fortalece. >>> > > Fil 4:13 RVR1960 >>> > > >>> > > >>> > >>> > -- >>> > >>> > Chuck Hast -- KP4DJT -- >>> > I can do all things through Christ which strengtheneth me. >>> > Ph 4:13 KJV >>> > Todo lo puedo en Cristo que me fortalece. >>> > Fil 4:13 RVR1960 >>> > >>> >> >> >> -- >> >> Chuck Hast -- KP4DJT -- >> I can do all things through Christ which strengtheneth me. >> Ph 4:13 KJV >> Todo lo puedo en Cristo que me fortalece. >> Fil 4:13 RVR1960 >> >> > > -- > > Chuck Hast -- KP4DJT -- > I can do all things through Christ which strengtheneth me. > Ph 4:13 KJV > Todo lo puedo en Cristo que me fortalece. > Fil 4:13 RVR1960 > > -- Chuck Hast -- KP4DJT -- I can do all things through Christ which strengtheneth me. Ph 4:13 KJV Todo lo puedo en Cristo que me fortalece. Fil 4:13 RVR1960
