A few days ago I was connected through Numericable and I started Wireshark to diagnose a local issue.
I was surprised to see a lot of traffic; the most visible was about 20 ARP requests per second, coming from their routers and asking for other customers.
    Cisco_29:c1:05 Broadcast ARP Who has 220.127.116.11? Tell 18.104.22.168
    Cisco_29:c1:05 Broadcast ARP Who has 22.214.171.124? Tell 126.96.36.199
    Cisco_29:c1:05 Broadcast ARP Who has 188.8.131.52? Tell 184.108.40.206
    Cisco_29:c1:05 Broadcast ARP Who has 220.127.116.11? Tell 18.104.22.168
It's surprising that they forward the ARP broadcasts to the local network, but that's not the interesting part.
Hidden in the flow were quite a lot of DHCP answers, which I will now comment on.
Here is the common part of all the DHCP answers, nothing very interesting:
    Ethernet II, Src: Cisco_29:c1:05 (00:15:f9:29:c1:05), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Internet Protocol, Src: 10.27.0.1 (10.27.0.1), Dst: 255.255.255.255 (255.255.255.255)
    User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68)
    Message type: Boot Reply (2)
First the ones for the user machines, probably when the modem is not set up as a router, as the one I was connected to had given me a 192.168.0.x address and was masquerading me:
    Your (client) IP address: 22.214.171.124 (126.96.36.199)
    Relay agent IP address: 188.8.131.52 (184.108.40.206)
    Client MAC address: HewlettP_5b:cf:a9 (00:1a:4b:5b:cf:a9)
    Option: (t=53,l=1) DHCP Message Type = DHCP ACK
    Option: (t=54,l=4) Server Identifier = 172.20.230.15
    Option: (t=1,l=4) Subnet Mask = 255.255.248.0
    Option: (t=3,l=4) Router = 220.127.116.11

    Your (client) IP address: 18.104.22.168 (22.214.171.124)
    Relay agent IP address: 126.96.36.199 (188.8.131.52)
    Client MAC address: AsustekC_7f:3d:ee (00:15:f2:7f:3d:ee)
    Option: (t=53,l=1) DHCP Message Type = DHCP Offer
    Option: (t=54,l=4) Server Identifier = 172.20.130.15
    Option: (t=1,l=4) Subnet Mask = 255.255.240.0
    Option: (t=3,l=4) Router = 184.108.40.206
So, I get the IP and MAC of other customers' machines, still not very interesting.
    Relay agent IP address: 220.127.116.11 (18.104.22.168)
    Client MAC address: AppleCom_ef:8e:24 (00:30:65:ef:8e:24)
    Option: (t=53,l=1) DHCP Message Type = DHCP NAK
    Option: (t=56,l=95) Message = "Requested lease 22.214.171.124 was active and assigned to different client: 01:00:1f:33:de:10:cd"
    Option: (t=54,l=4) Server Identifier = 172.20.130.15
Does this mean you can't change the connected machine until the (1 hour) lease has expired?
Now some more interesting ones, for the modems. The common part, giving internal addresses of their servers:
    Next server IP address: 172.20.143.8 (172.20.143.8)
    Relay agent IP address: 10.27.0.1 (10.27.0.1)
    Option: (t=53,l=1) DHCP Message Type = DHCP Offer
    Option: (t=54,l=4) Server Identifier = 172.20.143.15
    Option: (t=1,l=4) Subnet Mask = 255.255.128.0
    Option: (t=3,l=4) Router = 10.27.0.1
    Option: (t=4,l=4) Time Server = 172.20.143.1
And now the interesting part, the one which changes:
    Your (client) IP address: 10.27.74.224 (10.27.74.224)
    Client MAC address: Motorola_5e:34:82 (00:0e:5c:5e:34:82)
    Boot file name: selfprov.cm

    Your (client) IP address: 10.27.59.77 (10.27.59.77)
    Client MAC address: NVPhilip_4b:be:4c (00:90:3e:4b:be:4c)
    Boot file name: s9e_30m_1m_01.cm

    Your (client) IP address: 10.27.65.27 (10.27.65.27)
    Client MAC address: NVPhilip_56:18:e3 (00:90:3e:56:18:e3)
    Boot file name: s9e_512k_128k_01.cm
So, there are two brands of modem, and boot file is different if you subscribed to the 30Mb/1Mb offer, or to the 512kb/128kb one. Would your connection get faster if you trick your modem into getting the other file? I don't know but I would not be surprised...
I had thought of getting a connection through them in addition to my current DSL, as they promise 100Mb/s here before the end of 2008 (which is almost finished). After this experience I have decided to never subscribe to their services, playing with their network would be too tempting.
I think I didn't do anything bad, only looked at packets sent to me on the local network :) I didn't even try to see if the 10.x addresses are routed by the modem (I'm almost sure they are not).
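For anyone auditing whether a customer port receives DHCP replies meant for other clients, as in the captures above, the following added example (not part of the original post) parses a raw BOOTP/DHCP payload and summarises what a reply for someone else discloses. The sample packet is constructed from the field values quoted above; the transaction id, flags and the own-MAC `00:11:22:33:44:55` are made up.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header
MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK", 6: "NAK"}

def parse_bootp(payload: bytes) -> dict:
    """Parse the UDP payload of a BOOTP/DHCP message (RFC 2131 layout)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = min(payload[2], 16)  # hardware address length, capped to the field size
    ip = lambda off: socket.inet_ntoa(payload[off:off + 4])
    msg = {"op": payload[0], "yiaddr": ip(16), "siaddr": ip(20), "giaddr": ip(24),
           "chaddr": payload[28:28 + hlen].hex(":"), "options": {},
           "file": payload[108:236].split(b"\0", 1)[0].decode("ascii", "replace")}
    i = 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:  # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        msg["options"][payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return msg

def leaked_reply(payload: bytes, own_mac: str):
    """Summarise a Boot Reply addressed to another client; None if it is ours."""
    msg = parse_bootp(payload)
    if msg["op"] != 2 or msg["chaddr"] == own_mac.lower():
        return None
    sid = msg["options"].get(54, b"")  # option 54 = Server Identifier
    return {"client_mac": msg["chaddr"], "client_ip": msg["yiaddr"],
            "relay": msg["giaddr"], "next_server": msg["siaddr"],
            "type": MSG_TYPES.get((msg["options"].get(53) or b"\0")[0], "unknown"),
            "server_id": socket.inet_ntoa(sid) if len(sid) == 4 else None,
            "boot_file": msg["file"] or None}

def sample_offer() -> bytes:
    """Constructed sample: modem offer rebuilt from the fields quoted above."""
    a = socket.inet_aton
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0x8000)  # xid/flags made up
    hdr += a("0.0.0.0") + a("10.27.59.77") + a("172.20.143.8") + a("10.27.0.1")
    hdr += bytes.fromhex("00903e4bbe4c").ljust(16, b"\0") + bytes(64)
    hdr += b"s9e_30m_1m_01.cm".ljust(128, b"\0")
    return hdr + MAGIC + b"\x35\x01\x02\x36\x04" + a("172.20.143.15") + b"\xff"

if __name__ == "__main__":
    print(leaked_reply(sample_offer(), "00:11:22:33:44:55"))  # own MAC is made up
```

On a correctly isolated segment, `leaked_reply` should return `None` for every reply seen on the customer side, because only replies for the local MAC would arrive there.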
Another point: all the people in this building connected with Numericable (that's 12 of them) have a WEP network on channel 6. I hope the modem supports WPA and selecting other channels. WEP when you have so much permanent unwanted traffic is very weak...