I noticed that my Wansview K2 camera was making connections on its own to
several servers, in China and on AWS.
Find the camera's MAC address from the setup site
Set up router security logging
My Security Log looks like this.
Dec 24 01:17:50 2018 local5.notice<173> ulogd[876]: Blocked IN=br-lan OUT=eth0 MAC=xx:xx:xx:xx:xx:xx:cc:79:cf:xx:xx:xx:xx:xx SRC=192.168.1.xx DST=54.245.98.57 LEN=32 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=28755 DPT=32100 LEN=12 MARK=8000
To get the remote IPs I used this command:
grep -i "CC:79:CF" SecurityLog.txt | cut -f12 -d' '| sort -u | cut -c5-
or, to also look up the network name of each address with whois:
for h in $( grep -i "CC:79:CF" SecurityLog.txt | cut -f12 -d' ' | sort -u | cut -c5- ) ; do echo -n "$h " && whois "$h" | grep -i netname ; echo "" ; done
I found these addresses; if you see more, do share:
- 123.56.159.92
- 216.146.43.70
- 52.18.177.18
- 54.245.98.57
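A position-independent version of the extraction above, as an added example that is not part of the original post. It assumes the 14-octet MAC= field of this log format is destination MAC, source MAC, then ethertype, as in the sample line. It reads fields by key name, so a space-padded single-digit day ("Dec  4") does not shift the result the way `cut -f12` would. It also matches the OUI only in the source-MAC position and counts hits per destination, protocol and port. The log lines, MACs and addresses in `sample_log` are constructed.

```shell
#!/bin/sh
# Summarise blocked flows sent by one device, from a ulogd/iptables-style log.
# Usage: camera_flows OUI [logfile]   (reads stdin when no file is given)
camera_flows() {
    oui=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    shift
    awk -v oui="$oui" '
    {
        mac = dst = proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            # Pick fields by key name, not by position in the line.
            if      ($i ~ /^MAC=/)   mac   = tolower(substr($i, 5))
            else if ($i ~ /^DST=/)   dst   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        # Assumed layout: dst MAC (6 octets) + src MAC (6) + ethertype (2),
        # so the source OUI starts at character 19 of the MAC= value.
        if (dst != "" && substr(mac, 19, length(oui)) == oui)
            n[dst " " proto "/" dpt]++
    }
    END { for (k in n) print n[k], k }
    ' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample input (not taken from a real log).
sample_log() {
cat <<'EOF'
Dec 24 01:17:50 2018 local5.notice<173> ulogd[876]: Blocked IN=br-lan OUT=eth0 MAC=02:00:00:00:00:01:cc:79:cf:00:00:01:08:00 SRC=192.168.1.50 DST=203.0.113.10 LEN=32 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=28755 DPT=32100 LEN=12 MARK=8000
Dec  4 01:18:02 2018 local5.notice<173> ulogd[876]: Blocked IN=br-lan OUT=eth0 MAC=02:00:00:00:00:01:cc:79:cf:00:00:01:08:00 SRC=192.168.1.50 DST=203.0.113.10 LEN=32 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=28755 DPT=32100 LEN=12 MARK=8000
Dec 24 01:19:10 2018 local5.notice<173> ulogd[876]: Blocked IN=br-lan OUT=eth0 MAC=02:00:00:00:00:01:cc:79:cf:00:00:01:08:00 SRC=192.168.1.50 DST=198.51.100.7 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=4211 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=8000
Dec 24 01:20:00 2018 local5.notice<173> ulogd[876]: Blocked IN=br-lan OUT=br-lan MAC=cc:79:cf:00:00:01:aa:bb:cc:00:00:02:08:00 SRC=192.168.1.60 DST=192.168.1.50 LEN=32 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5000 DPT=554 LEN=12 MARK=8000
EOF
}

# The last sample line carries the OUI as destination MAC, so it is not counted.
sample_log | camera_flows CC:79:CF
```

Against the real log, run `camera_flows CC:79:CF SecurityLog.txt`; each output line is a hit count followed by destination address and protocol/port.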
OK, first find out our network addresses:
ifconfig
Turn on promiscuous mode (not all cards support this):
sudo ip link set wlx0.... promisc on
sudo ifconfig wlx0.... down
sudo iwconfig wlx0.... mode monitor
sudo iwconfig wlx0.... mode managed
sudo ifconfig wlx0.... up
Listen for traffic coming from the webcam's IP (192.168.1.xx in the log above):
sudo tcpdump -vv -s 0 -n src host 192.168.1.xx