Traffic from SIP phone that shows up on bandwidth history but not on any Active Sessions or User List

Hello to all. I have a strange occurrence that I’ve searched on the Internet and on the Peplink forums, but I haven’t been able to find anything similar.

I have a Peplink Balance 50 with three WAN connections. I have a SIP PABX and SIP phones, all using fixed LAN IP addresses. The SIP phones only connect to the PABX within the LAN*, and all the SIP calls are routed through the PABX.

(* I’m not using any firewall to prevent the phones from connecting directly to the Internet, but they’re only configured to connect to the PABX in the LAN, and there are no inbound rules that point to any of the phones).

Today I noticed a spike in traffic in the bandwidth history, from the IP address of one the SIP phones (

It’s still going, the traffic counter on the bandwidth history for this IP is always increasing, even if the phone is not making or receiving any calls.

What is more strange is that if I search for this IP address on the router’s Active Sessions page, with “Any” as the Protocol / Service, I never see any traffic found.

So I have two mysteries: why do I have this traffic, and why it doesn’t show up on any established connections? Can anyone help me shed some light on this? Thanks!

Another piece of information: even thought the amount of used bandwidth usage is increasing, the bandwidth usage is not showing up either on the real-time Client list. It’s very strange! I wonder if this is a problem with the router miscounting the traffic, and it’s not really coming from the phone?

Is the phone configured to use an NTP server on the internet? Can the user forward the phone to another voip device?

Oh, when you search, make sure that you change the protocol to any. The default is to search only tcp. Most voip devices use encapsulated UDP or just UDP.

1 Like

Thanks for the reply! Yes, I selected “Any” on the protocol (I tried illustrating my question with more screenshots but I’m not allowed more than one image per post as a new user).

Please note that the bandwidth usage doesn’t show up either on the “Client list” page, even while the historical bandwidth usage is increasing.

The phone might be configured for NTP, I believe it is, but we’ve had this phone for months and this is the first time I’ve seen this.

Another piece of information: after the office closed, the amount of traffic from that phone went way down, together with all the other traffic:

Compare the traffic between 5/6pm and between 7/8pm for the address.

Is that phone trying to download firmware? That seems like an excessive amount of data for voice traffic. I wonder if someone brought their Xbox to work and spoofed the MAC address of their phone or something.

1 Like

It’s a small company, I’m pretty sure no one could have access to my network. Anyway, if they did that, a) the phone wouldn’t work normally (it does), and b) the traffic would show up both on the Client List and on the Active Sessions, and not only on the Bandwidth History, don’t you agree?

I can understand a faulty or hacked phone generating abnormal traffic, but I can’t understand the reason for ghost traffic that doesn’t show up on two of the three places where I could see it.

Would you able to perform packet capture from the Peplink/Max devices to confirm the what traffics being sent from the SIP phone ?

Details packet capture guide can be found here:

At the same time, please open a support ticket here for support team to investigate why the sessions, client list and bandwidth history is not show.

1 Like

Before doing the wireshark capture, I tried something simpler: I disconnected the phone from the network. The count for that IP address keeps increasing. There’s no other device on the network with that IP address (and the phone wouldn’t work if there was a duplicate address on the network).
DHCP is being carried out by the Peplink, and the address in question is outside the range available for DHCP.
I believe this is a bug of the router.

With the phone removed (or reprogrammed to a different IP), write a rule in the Peplink firewall blocking outbound traffic from the original problem IP, and also inbound traffic to that LAN IP. If the firewall stops the data from logging, then in fact there is another device on the network with that IP. Duplicate IP on the LAN can sometimes produce unpredictable results, that a device can work sometimes, and not other times.

I had a similar problem once. The firewall stopped the traffic. The offending user came forward, did not realize he was doing anything bad, and brought me his video game that would not work. He had manually programmed the device with an IP on our LAN. We never noticed it until we tried to use that same IP for something else.

Do you have anything that would be pinging that phone? Even if it is off, the icmp packets go and the destination would be the IP of the device in question. Is this a possibility?

I doubt it is such a large bug to account for a bloat of more than 100 times (barring a conversion bug). I bet it is a combination of an overzealous ping monitor and an incorrect classification of the IP based packet (considered Wan to LAN when should be Local IP traffic). I would bet that there really was a bunch of traffic going through the router with that particular IP. Whether it is WAN traffic is the question.

I reserve the right to change my mind at any time for any reason :slight_smile:

1 Like

Do you have the support ticket created ? This will allow us to identify the issue

1 Like

I have created the ticket. Ticket #772593.

:+1: Let’s catch the ghost traffics

We will followup with you using support ticket.

If possible, please share what is found. I am curious.