Is my camera connecting "outside"?

Jan 5, 2024
Hello!

I have several Imou cameras at home (I think they are DAHUA rebranded models), currently pointing towards the garden. I'd like to use some of them indoors, but privacy is a concern. So, I set up Frigate to monitor the RTSP stream from the cameras and configured a router with a firewall to block internet traffic for the cameras' IPs. When I activate the firewall, I lose connectivity on the Imou app, indicating that at least that connection is being blocked. Yay!

However, I'm not 100% sure they're not connecting in some other way. So, I thought of using a network analyzer, Wireshark, for the first time.

I started Wireshark, set up a filter to watch only the LAN IP range of my cameras (both sending or receiving), and saw this:

[Image: 1722276744207.png]

So I thought, this is working, I see no "outside" connections. Nice!

To double-check, I tried the opposite: I deactivated the firewall and opened the app on my mobile, and I could see the cameras, thus confirming they're connecting to the cloud.

I went to Wireshark and... no new connections. I saw the same type of info as before. So, Wireshark isn't detecting the connection to the cloud. How can I be sure then?

So... what am I doing wrong, and what can I do to see those cloud connections in Wireshark? Theoretically, I'm "secured," but I want to make sure!


P.S.: according to ChatGPT:
The IP addresses 239.255.255.251 and 224.0.0.22 are both used for specific types of multicast communications in IP networking.
  1. 239.255.255.251:
    • This is the multicast address used for mDNS (Multicast DNS). mDNS is used for resolving hostnames to IP addresses within small networks that do not include a local name server. It is part of the Zeroconf protocol suite and is widely used for device discovery and service advertisement on local networks, such as discovering printers, cameras, or other network devices.
  2. 224.0.0.22:
    • This is the multicast address used by IGMP (Internet Group Management Protocol) Version 3. IGMP is used by IP hosts to report their multicast group memberships to any immediately neighboring multicast routers. Specifically, 224.0.0.22 is used by IGMPv3 for sending Membership Report and Membership Query messages.
Summary
  • 239.255.255.251: Multicast DNS (mDNS), used for device discovery on local networks.
  • 224.0.0.22: IGMPv3, used for managing multicast group memberships.
These addresses facilitate various network functionalities and are part of the normal operation of many devices and services on local area networks. If you're seeing traffic to these addresses, it's likely related to device discovery or multicast group management.
I went to Wireshark and... no new connections. I saw the same type of info as before. So, Wireshark isn't detecting the connection to the cloud. How can I be sure then?
Unless you are collecting the traffic by using something like a managed switch that's configured to replicate or copy the traffic from the switch port to which the camera is connected (I'm assuming it's wired) to the switch port for the PC that Wireshark is running on, you will not see any of the traffic the camera is exchanging except for broadcast and multicast traffic. Which is all that's showing in your screenshot above.

Switches only send non-broadcast traffic between the originating and receiving endpoints, so that traffic is invisible to another endpoint such as the PC you are using to monitor with. Unless you have set up a traffic replicating configuration in a managed switch.
By definition - broadcasts and multicasts are sent to all active endpoints on the switch.

So I thought, this is working, I see no "outside" connections. Nice!
But also - on the first test, you've limited the displayed destinations on your Wireshark screenshot to a subset of internal addresses only.
 

Thanks for your comprehensive answer.
Reading it I remembered the concept of "promiscuous" mode of the network adapter, I think that might be the keyword here...
 
Promiscuous mode on your local adapter does not change the fact that your network switch is suppressing/hiding/filtering the unicast traffic between the camera and the internet from you.
The only way to really do this is to use port mirroring on a managed switch, or make your own computer the IP gateway on the path between the camera and the internet.
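
An added example, not part of any post in this thread: a small Python check that tells a capture taken from a blind vantage point (only the camera's multicast/broadcast traffic visible, as discussed above) apart from one taken via port mirroring or an inline gateway, and lists the external peers in the latter. The camera IP `192.168.1.50`, the `192.168.1.0/24` LAN and both sample captures are constructed assumptions; the input format is the two-column output of `tshark -T fields -e ip.src -e ip.dst`.

```python
import ipaddress
from collections import Counter

# Constructed samples: "src dst" per packet. Addresses are assumptions for illustration.
BLIND_CAPTURE = """\
192.168.1.50 239.255.255.251
192.168.1.50 224.0.0.22
192.168.1.50 192.168.1.255
"""
# Same camera seen through a mirror port / inline gateway (constructed).
MIRRORED_CAPTURE = BLIND_CAPTURE + """\
192.168.1.50 192.168.1.10
192.168.1.50 203.0.113.25
203.0.113.25 192.168.1.50
"""

def classify(peer, lan):
    """Label the other end of a camera packet."""
    ip = ipaddress.ip_address(peer)
    if ip.is_multicast:
        return "multicast"
    if ip == lan.broadcast_address or peer == "255.255.255.255":
        return "broadcast"
    return "lan-unicast" if ip in lan else "external"

def analyse(capture_text, cameras, lan_cidr="192.168.1.0/24"):
    lan = ipaddress.ip_network(lan_cidr)
    counts, external = Counter(), set()
    for line in capture_text.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue  # skip blank or malformed rows
        src, dst = fields
        if src in cameras:
            peer = dst
        elif dst in cameras:
            peer = src
        else:
            continue
        kind = classify(peer, lan)
        counts[kind] += 1
        if kind == "external":
            external.add(peer)
    # No unicast at all for a camera that is streaming means the capture
    # point cannot see its unicast traffic: the result is inconclusive,
    # not evidence that the camera is silent.
    blind = counts["lan-unicast"] + counts["external"] == 0
    return {"counts": dict(counts), "external_peers": sorted(external), "blind": blind}
```

A result with `blind` set to true means the capture point has to change (mirror port or inline gateway) before the absence of external peers says anything about the firewall.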