@cfa2 Suggestion? Sure. Did this for a friend who had to find a hijacked device problem in his house. Yeah. A camera. Firmware exploit.

Assuming you configured your gateway correctly and aren't using the horrid default settings causing the problem, (Firewall -- highest level, portscan block enabled, disable ICMP, disable UPnP, disable any kind of remote access, disable any kind of file sharing like netgear readyshare, no port forwards, changed the admin password.....etc)

Advice is cheap. Engineering time isn't. Here's a $0 data logger solution to help track the problem with stuff you already likely have:

Spare laptop x64, or one you aren't currently using.
8G USB stick minimum -- larger is better.
Ethernet cable.
(i386 laptop solution is different)

We don't care if the hard drive works, in fact, we won't be using it. When you remove the USB stick we create, it's back to normal. We just want the CPU, WiFi and RAM on the laptop. Down and dirty. Stock Linux. Couple of packages. Edit one text config file. That's it.

Hardware Setup:

    Xfinity-Gateway ethernet port <-ethernet cable-> Laptop

Theory: We turn the laptop into a WiFi access point. You connect groups of devices to it. Phones/tablets first. See if they are the data pigs. Then add stupid stuff like "alexa" and "smart devices..plugs/outlets/thermostats.." See if they are the problem. Then remove those, and add a laptop at a time.

This has limitations. About 9-12Mbps throughput max through the access point. Enough to blow your 1.2T cap though in a month running 24/7. Also, lots of devices connected at the same time are hard on this setup on a USB stick. If you actually install on a hard drive, it would work better, but you don't have to. Just boot from the USB stick. It also has limited physical range. This is not a whole house solution.

You are going to make a bootable USB drive with a free utility called unetbootin.
Find it on github (search) or here is their website: https://unetbootin.github.io/ (windows/mac/linux).

From the top dropdown window, select Ubuntu for a distribution. Select 18.04_Live_x64 for a version -- yes, use that one. You want to add a "Persistence" file so your install can remember your configuration between boots. Type 3000 in the box for 8G USB. Type 4000 or more for larger USB sticks. (ubuntu itself will use 4+GB on the stick). It downloads and makes the bootable USB drive with one click. This erases the USB stick!

Now boot the USB stick. F12 or F8 on power up to get a boot menu. Sometimes F2 or Alt-[some key]. Depends on BIOS. You may have to look it up for your laptop. On the blue unetbootin menu that comes up, use default, or Try Ubuntu. NOT INSTALL!!

When Ubuntu starts, the button in the lower left on the screen is where your programs are.

show applications --> software & Updates

Check the box that says "community-maintained free and open source software (universe)" -- you need stuff. Hit close, and then hit the button that says "Reload" to update the package cache.

show applications --> terminal

Type this at the ubuntu@ubuntu:~$ prompt:

    sudo apt-get update
    sudo apt-get install net-tools sockstat darkstat vnstat tcpdump

(y=yes to install)

Ubuntu can be an access point. In the upper right corner, hit the down arrow symbol. Select the tool symbol wrench/screwdriver. Now look at the top of that window. There are 3 horizontal lines between the switch off symbol and the window buttons (min, max, close) on the top of the page. It's a menu. Click it and select turn access point/hotspot on. The SSID=ubuntu. The wifi-password is shown and is auto-generated.

We're going to set up darkstat to listen to the ethernet interface. In terminal type:

    ifconfig

The ethernet interface is enp3s0 on this box -- you will be different.
    enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
            inet 192.168.10.48 netmask 255.255.255.0 broadcast 192.168.10.255

The wireless interface running the hotspot is here -- you will be different too.

    wlp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
            inet 10.42.0.1 netmask 255.255.255.0 broadcast 10.42.0.255

You need the device name for ethernet (enp3s0) on this laptop, and its IP address 192.168.10.48.

In terminal, edit darkstat's configuration file:

    sudo nano /etc/darkstat/init.cfg

Remove the #'s to uncomment lines to make them work. # is a comment and ignored. Since my ethernet port address is 192.168.10.48 and the device is enp3s0, I change the INTERFACE, LOCAL and BINDIP lines to say

    INTERFACE="-i enp3s0"
    LOCAL="-l 192.168.10.0/255.255.255.0"
    BINDIP="-b 192.168.10.48"

You change the last octet of the ethernet ip address on the LOCAL line to zero (192.168.10.48 to 192.168.10.0). Your network topology may be different.

Here is the complete configuration file -- match your network and devices, don't just copy and paste:

    # Turn this to yes when you have configured the options below.
    START_DARKSTAT=yes

    # Don't forget to read the man page.

    # You must set this option, else darkstat may not listen to
    # the interface you want
    INTERFACE="-i enp3s0"

    DIR="/var/lib/darkstat"
    PORT="-p 666"
    BINDIP="-b 192.168.10.48"
    LOCAL="-l 192.168.10.0/255.255.255.0"

    # File will be relative to $DIR:
    DAYLOG="--daylog darkstat.log"

    # Don't reverse resolve IPs to host names
    DNS="--no-dns"

    #FILTER="not (src net 192.168.0 and dst net 192.168.0)"

    # Additional command line Arguments:
    # OPTIONS="--syslog --no-macs"

(CTRL-X to save)

Will the enp3s0 ip address change? Maybe when you lose power or reboot your gateway, but probably not often. You can make a dhcp reservation for the laptop from your gateway for it and it won't.
Now in terminal, restart darkstat:

    sudo /etc/init.d/darkstat restart

If everything went OK, you can open a web browser on your network to your ethernet ip address:port 666:

    http://192.168.10.48:666

If you get nothing, your config file isn't right, or you typed in the wrong IP:port. Take another look at the config file, fix it, then restart darkstat. Quotes/syntax is important.

You get historical total graphs, and data tables that show you what is currently talking. Also, every location talking to your laptop IP out there in the weberverse. It could be an evil connection from outside your network messing with you, or devices connected to the WiFi access point. Look for it.

OK great. Now whatever connects to the access point is data logged, so let's start by connecting groups of things. Make sure "AutoJoin" is off on your devices, or 'forget' your gateway wifi password so they don't switch to the regular wifi.

Find your data pig. If it's in the group of devices currently connected to your access point, the data counter will go insane. It's one of those.

You can also change the config file to just listen to the wireless wlp2s0 interface (on my laptop) and 10.42.0.0 network, ip address 10.42.0.1 too (INTERFACE, LOCAL, BINDIP lines). That will show you the specific device on your access point spewing data. You will only be able to see darkstat from the laptop then -- http://10.42.0.1:666 but you can narrow down specific devices.

You also have a full linux, portable distribution on a USB stick for other tools like wireshark if you really want to get into data probing. (sudo apt-get install wireshark)

By the way, if you've done this, you are one step away from a real time adaptive firewall / data throttling solution that fixes this issue for good.....but that's another story......

HISTORY
darkstat was written in 2001, largely as a result of a certain Australian cable Internet provider introducing a 3GB monthly traffic limit.

--enjoy
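The INTERFACE/LOCAL/BINDIP step from the post, as an added example that is not part of the original post: a small shell helper (the function names are made up here) that builds the three init.cfg lines from an interface name, its address and its netmask as shown by ifconfig. It goes beyond the post's 255.255.255.0 case by ANDing address and mask, because zeroing the last octet gives the network address only for that mask.

```shell
#!/bin/sh
# Added example (not from the post): derive darkstat's INTERFACE, LOCAL and
# BINDIP values. Function names are hypothetical helpers.

# valid_quad A.B.C.D : succeed only for four decimal octets in 0..255.
valid_quad() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        # reject leading zeros (octal in shell arithmetic) and >3 digits
        case "$o" in 0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# network_addr IP MASK : print IP AND MASK, octet by octet.
network_addr() {
    valid_quad "$1" && valid_quad "$2" || return 1
    old_ifs=$IFS; IFS=.
    set -- $1 $2         # $1..$4 = address octets, $5..$8 = mask octets
    IFS=$old_ifs
    echo "$(( $1 & $5 )).$(( $2 & $6 )).$(( $3 & $7 )).$(( $4 & $8 ))"
}

# darkstat_cfg IFACE IP MASK : print the three lines for init.cfg.
darkstat_cfg() {
    # init.cfg uses shell variable syntax and darkstat is restarted with
    # sudo, so keep shell metacharacters out of the interface name.
    case "$1" in
        ""|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    net=$(network_addr "$2" "$3") || {
        echo "bad address or netmask" >&2; return 1; }
    printf 'INTERFACE="-i %s"\n' "$1"
    printf 'LOCAL="-l %s/%s"\n' "$net" "$3"
    # BINDIP keeps the web page on this one address only.
    printf 'BINDIP="-b %s"\n' "$2"
}

# The post's laptop: enp3s0, 192.168.10.48, netmask 255.255.255.0
darkstat_cfg enp3s0 192.168.10.48 255.255.255.0
```

For the hotspot side the same call with wlp2s0, 10.42.0.1 and 255.255.255.0 gives the 10.42.0.0 network mentioned in the post.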