Dahua NVR constantly sending large amounts of data to their servers?

B

brandonn

n3wb
Nov 5, 2024
2
1
Sydney, Australia
Hi all,

I have a customer who has sent me some network logs of their 4x Dahua NVR's
I believe they are NVR4108s or NVR4104s

In the network logs I am seeing sent bytes totalling around 1032mb constantly along with a few smaller ones between 500-900mb

There's also some normal sized requests around 500-1000bytes but surely these logs aren't actually correct:

Code: 
date=2025-01-24 time=01:34:36 devname="NVR2" dstport=15301 dstcountry="Singapore" Network.Service" duration=1509812 sentbyte=8190513 rcvdbyte=5564114 sentpkt=50346 rcvdpkt=25206 sentdelta=975 rcvddelta=442
date=2025-01-24 time=01:35:15 devname="NVR1" dstport=15101 dstcountry="Singapore" HTTP.BROWSER" duration=2 sentbyte=418957 rcvdbyte=9199 sentpkt=299 rcvdpkt=164 utmaction="allow" countapp=1
date=2025-01-24 time=01:35:22 devname="NVR1" dstport=15301 dstcountry="Singapore" SSL_TLSv1.1" duration=4360405 sentbyte=870021500 rcvdbyte=426144005 sentpkt=2279471 rcvdpkt=1319706 sentdelta=5181 rcvddelta=1838
date=2025-01-24 time=01:35:27 devname="NVR1" dstport=15101 dstcountry="Singapore" HTTP.BROWSER" duration=2 sentbyte=518621 rcvdbyte=14482 sentpkt=364 rcvdpkt=264 utmaction="allow" countapp=1
date=2025-01-24 time=01:35:42 devname="NVR1" dstport=15301 dstcountry="Singapore" SSL_TLSv1.1" duration=5014190 sentbyte=1082816635 rcvdbyte=514317719 sentpkt=2760973 rcvdpkt=1534672 sentdelta=21657 rcvddelta=9130
date=2025-01-24 time=01:35:53 devname="NVR1" dstport=15101 dstcountry="Singapore" HTTP.BROWSER" duration=2 sentbyte=418208 rcvdbyte=9111 sentpkt=300 rcvdpkt=163 utmaction="allow" countapp=1
date=2025-01-24 time=01:36:36 devname="NVR2" dstport=15301 dstcountry="Singapore" Network.Service" duration=1509932 sentbyte=8191163 rcvdbyte=5564777 sentpkt=50350 rcvdpkt=25209 sentdelta=650 rcvddelta=663
date=2025-01-24 time=01:36:40 devname="NVR1" dstport=15301 dstcountry="Singapore" SSL_TLSv1.1" duration=4879030 sentbyte=551817640 rcvdbyte=357682857 sentpkt=1854068 rcvdpkt=935972 sentdelta=7177 rcvddelta=1581
date=2025-01-24 time=01:37:06 devname="NVR1" dstport=15101 dstcountry="Singapore" HTTP.BROWSER" duration=2 sentbyte=432527 rcvdbyte=11595 sentpkt=309 rcvdpkt=211 utmaction="allow" countapp=1
date=2025-01-24 time=01:37:12 devname="NVR1" dstport=15101 dstcountry="Singapore" HTTP.BROWSER" duration=2 sentbyte=514511 rcvdbyte=14118 sentpkt=363 rcvdpkt=257 utmaction="allow" countapp=1
date=2025-01-24 time=01:37:21 devname="NVR1" dstport=15101 dstcountry="Singapore" HTTP.BROWSER" duration=2 sentbyte=502395 rcvdbyte=14330 sentpkt=354 rcvdpkt=259 utmaction="allow" countapp=1
date=2025-01-24 time=01:37:34 devname="NVR1" dstport=15301 dstcountry="Singapore" SSL_TLSv1.1" duration=4360537 sentbyte=870034720 rcvdbyte=426147937 sentpkt=2279509 rcvdpkt=1319718 sentdelta=13220 rcvddelta=3932
date=2025-01-24 time=01:37:40 devname="NVR1" dstport=15101 dstcountry="Singapore" HTTP.BROWSER" duration=2 sentbyte=425007 rcvdbyte=12070 sentpkt=304 rcvdpkt=216 utmaction="allow" countapp=1
date=2025-01-24 time=01:37:54 devname="NVR1" dstport=15301 dstcountry="Singapore" SSL_TLSv1.1" duration=5014321 sentbyte=1082835968 rcvdbyte=514329071 sentpkt=2761026 rcvdpkt=1534706 sentdelta=19333 rcvddelta=11352
date=2025-01-24 time=01:38:39 devname="NVR1" dstport=15301 dstcountry="Singapore" SSL_TLSv1.1" duration=4879150 sentbyte=551825694 rcvdbyte=357689538 sentpkt=1854096 rcvdpkt=935989 sentdelta=8054 rcvddelta=6681
date=2025-01-24 time=01:39:36 devname="NVR2" dstport=15301 dstcountry="Singapore" Network.Service" duration=1510112 sentbyte=8192138 rcvdbyte=5565219 sentpkt=50356 rcvdpkt=25211 sentdelta=975 rcvddelta=442
date=2025-01-24 time=01:39:48 devname="NVR1" dstport=15301 dstcountry="Singapore" SSL_TLSv1.1" duration=4360671 sentbyte=870036788 rcvdbyte=426152964 sentpkt=2279517 rcvdpkt=1319733 sentdelta=2068 rcvddelta=5027
date=2025-01-24 time=01:39:54 devname="NVR1" dstport=15301 dstcountry="Singapore" SSL_TLSv1.1" duration=5014441 sentbyte=1082865495 rcvdbyte=514343877 sentpkt=2761091 rcvdpkt=1534755 sentdelta=29527 rcvddelta=14806
date=2025-01-24 time=01:40:40 devname="NVR1" dstport=15301 dstcountry="Singapore" SSL_TLSv1.1" duration=4879270 sentbyte=551826392 rcvdbyte=357692202 sentpkt=1854100 rcvdpkt=935997 sentdelta=698 rcvddelta=2664
date=2025-01-24 time=01:40:48 devname="NVR1" dstport=15101 dstcountry="Singapore" HTTP.BROWSER" duration=2 sentbyte=419244 rcvdbyte=12734 sentpkt=301 rcvdpkt=229 utmaction="allow" countapp=1
date=2025-01-24 time=01:40:51 devname="NVR1" dstport=15101 dstcountry="Singapore" HTTP.BROWSER" duration=224 sentbyte=982943 rcvdbyte=26008 sentpkt=664 rcvdpkt=633 utmaction="allow" countapp=1
date=2025-01-24 time=01:41:35 devname="NVR2" dstport=15301 dstcountry="Singapore" Network.Service" duration=1510232 sentbyte=8192788 rcvdbyte=5565661 sentpkt=50360 rcvdpkt=25213 sentdelta=650 rcvddelta=442
date=2025-01-24 time=01:41:48 devname="NVR1" dstport=15301 dstcountry="Singapore" SSL_TLSv1.1" duration=4360791 sentbyte=870051138 rcvdbyte=426156835 sentpkt=2279547 rcvdpkt=1319762 sentdelta=14350 rcvddelta=3871
date=2025-01-24 time=01:42:00 devname="NVR1" dstport=15301 dstcountry="Singapore" SSL_TLSv1.1" duration=5014567 sentbyte=1082886762 rcvdbyte=514352930 sentpkt=2761153 rcvdpkt=1534783 sentdelta=21267 rcvddelta=9053
date=2025-01-24 time=01:42:40 devname="NVR1" dstport=15301 dstcountry="Singapore" SSL_TLSv1.1" duration=4879390 sentbyte=551828316 rcvdbyte=357693550 sentpkt=1854108 rcvdpkt=936001 sentdelta=1924 rcvddelta=1348
date=2025-01-24 time=01:43:36 devname="NVR2" dstport=15301 dstcountry="Singapore" Network.Service" duration=1510352 sentbyte=8193438 rcvdbyte=5566324 sentpkt=50364 rcvdpkt=25216 sentdelta=650 rcvddelta=663

Surely I am just misunderstanding these logs, I'll send it off to dahua but I have a feeling my dahua reps will take awhile to get back to me.

Any ideas or explanations? I'm aware it's probably something related to the P2P feature but I don't think anyone is actively using the DMSS app to view footage or anything like that, I could be wrong.

Thanks.
 
I would confirm with the End User if they are using Cloud service? With how much data is being transmitted it seems that it could be Cloud that if from what I am seeing on NVR2 this is over a SSL_TLSv1.1 and tbh the server should upgrade to 1.2..

There are some what seems like a Quick check where something is maybe checking that system is still alive.

I would get the IP for the Singapore connection and find out if it is a cloud service. Or some other type of streaming service they signed up to.
 
  • Like
Reactions: bigredfish
Revo2Maxx said:
I would confirm with the End User if they are using Cloud service? With how much data is being transmitted it seems that it could be Cloud that if from what I am seeing on NVR2 this is over a SSL_TLSv1.1 and tbh the server should upgrade to 1.2..

There are some what seems like a Quick check where something is maybe checking that system is still alive.

I would get the IP for the Singapore connection and find out if it is a cloud service. Or some other type of streaming service they signed up to.
Click to expand...
It's definitely the Dahua servers, not a single other cloud service is attached to the machine, no cloud storage etc.

A search on one of the many IP addresses points back to Alibaba Cloud servers, port numbers match up with what Dahua uses too. (47.236.151.80 is one of the IPs)

I don't think it's anything malicious, something maybe poorly configured somewhere between when we sold the NVRs to when the installer set them up for the end user.

____________________________________
I got a response from one of my Dahua contacts, I'll share it here to showcase my stupidity and the customers complicity...


A couple of things I’m reading from these logs. First off 1 million Bytes is 1 Megabyte. Secondly, it appears that the SSL_TLS sent lines are not a total but a start Byte. If you look at the lines you highlighted, you’ll see that the sentbyte value increases with each pass, and if you subtract the one line from the next line’s value for the same starting Bytes, the difference is shown in the second line as “sentdelta”.



For example, if you subtract the first number (1082816635) from the second number (1082835968) you’ll get 19333, which is the value shown in the sentdelta of the second number. I would say that for each transmission, the delta is the amount of actual data sent. In this case, 19333B = 154kb or 0.02MB. Based on the small size of these transfers and the fact they are using SSL Transport Layer Security, I’d say that they are digital certificates being used to maintain cybersecurity, or do regular checks for changes or updates. I don’t know this, but I’ll ask the question.



In any case, these aren’t large enough file transfer sizes to be send actual video or audio data.
Click to expand...
 
  • Like
Reactions: bigredfish
Seeing it again guess it wasn't as large as it looked at first glance. So yeah doing a search for that Ip does come back to the Cloud service. Seems like normal operations.. If they are worried about it. I would have them turn off P2P as you have said before you already know about P2P.. But after some time with that off checking to see if that data does infact stop or not.. Now something I noticed and seeing I setup many different devices I am not sure what one it was however one in the last month from Dahua I noticed there was an option they said should be enabled and I turned it off but oddly was UPNP and said it with it on would help with streaming. I was like yeah don't think so lol. Plus it wouldn't work if I left it on seeing my Router I have turned it off as well so my router will not even let another device work with it enabled.
 
  • Like
Reactions: bigredfish
Looks like the NVR simply pinging the P2P server, as they do, while SSL is turned on
 
bigredfish said:
Looks like the NVR simply pinging the P2P server, as they do, while SSL is turned on
Click to expand...

No, they don't... In latest NVRs firmwares they send massive amount of data to Dahua (probably) servers over HTTPs...

I have many NVRs on LTE/5G connections where NVR eats all mobile transfer monthly quota in first days of the month.

From my debugging it looks now that any event (SMD, IVS, AcuPick, VMD) sends many MB per event of data to Dahua cloud..

I understand that Dahua need small image snapshot to show in DMSS - but it should be some hundreds KB per event max...
Not many MB - sometimes even much more... sometimes it looks like all video footage is send to the cloud...

if you have some non stop false positive (like some tree which generates thousands of VMD events per day), it can generate hundreds of GB of data per month...

ps. look at this send bytes:

Zrzut ekranu 2025-01-31 o 12.52.20.png
 
Last edited:
  • Like
Reactions: bigredfish
I must say that changes which Dahua did in last years about DMSS / NVR / cloud integration went in very wrong way...

DMSS lost possibility to display events (and snapshots) from NVrs which are not subscribed / reported to cloud / notified to mobiles...

Not every one want to be informed by notifications about all events, but everyone want to see in DMSS all historic events from specific NVR channels.

Dahua copied the same cloud model for all events as HIK is using...

NVRs should be the only place where video data is stored..
Cloud is needed only to find / match / connect clients (DMSS, SmartPSS) with servers (NVRs, cams) over firewalls using UDP proxy and do relay for mobile notifications..
Even the mobile notifications can be send directly from NVRs / cams to Apple / Google servers...
 
  • Like
Reactions: tigerwillow1, alastairstevenson and bigredfish
steve1225 said:
No, they don't... In latest NVRs firmwares they send massive amount of data to Dahua (probably) servers over HTTPs...

I have many NVRs on LTE/5G connections where NVR eats all mobile transfer monthly quota in first days of the month.

From my debugging it looks now that any event (SMD, IVS, AcuPick, VMD) sends many MB per event of data to Dahua cloud..

I understand that Dahua need small image snapshot to show in DMSS - but it should be some hundreds KB per event max...
Not many MB - sometimes even much more... sometimes it looks like all video footage is send to the cloud...

if you have some non stop false positive (like some tree which generates thousands of VMD events per day), it can generate hundreds of GB of data per month...

ps. look at this send bytes:

View attachment 213199
Click to expand...


Definitely NOT seeing that on my older 5216-16P-4KS2E

Mine pings the P2P servers as I said and the cloud server to get event data, but over 24 hours I see next to nothing in data transfer

IMG_8419.png IMG_8418.png
 
  • Like
Reactions: steve1225
The only real data use is for sending email alerts with images to my mail server

IMG_8421.png IMG_8420.png
 
  • Like
Reactions: steve1225
I watch 5 others, all same Model NVR except two that are even older, with NO hint of that kind of data going back and forth
 
  • Like
Reactions: steve1225
bigredfish said:
Definitely NOT seeing that on my older 5216-16P-4KS2E

Mine pings the P2P servers as I said and the cloud server to get event data, but over 24 hours I see next to nothing in data transfer

View attachment 213206 View attachment 213207
Click to expand...

I use mostly 5xxx-EI everywhere...
4ks2 is about 3-4 years behind in firmware development..
so this can be a difference...
 
  • Like
Reactions: bigredfish
I have the latest 5xxAI NVR with seven 5442 S3 cameras with P2P enabled and use DMSS. Over the last 24 hours, I see no upload or download amounts in excess of 1MB to or from any destination cumulatively.
 

Attachments

  • IMG_6989.jpg
    IMG_6989.jpg
    175.3 KB · Views: 0
  • Like
Reactions: bigredfish
steve1225 said:
I use mostly 5xxx-EI everywhere...
4ks2 is about 3-4 years behind in firmware development..
so this can be a difference...
Click to expand...
Yep, and given what we’ve seen of Dahua fw the past couple of years, I’m glad !
 
  • Like
Reactions: H. Swanson
H. Swanson said:
I have the latest 5xxAI NVR with seven 5442 S3 cameras with P2P enabled and use DMSS. Over the last 24 hours, I see no upload or download amounts in excess of 1MB to or from any destination cumulatively.
Click to expand...

How are you liking your Firewalla ?
 
bigredfish said:
How are you liking your Firewalla ?
Click to expand...
I LOVE it! I saw you have Firewalla too. I had an Omada ER707-M2 before but switched to a Gold Plus a few months ago...what a difference! The ability to build VLANs and rules...WAY easier and more effective.

Even the ability to show you that image is way better/easier than anything Omada has.
 
  • Like
Reactions: bigredfish
I've just got the Purple, for my little place I just didnt see the benefit of the Gold. But like you I like the ease of use
 
Last edited:
You must log in or register to reply here.
Top Bottom