Elk M1 sending UDP to 24.176.94.177 every 30 seconds

Anyone have any info on why my Elk M1 Gold XEP would send the following text as UDP to 24.176.94.177 every thirty seconds:
 
00000000//0//<elk serial number>//<xep mac address>//05.03.00//02.00.22//QUERY
 
The <elk serial number> is four 0's and the four-digit serial number.
The <xep mac address> is the MAC address of the XEP.
 
I have all the latest firmwares.
 
The ip 24.176.94.177 is part of Charter Communications/Security Depot in Hickory NC.
 
My system is not monitored.
I have telephone 1 set up as dial out.
Telephone 2 is disabled.
Telephone 3 is used for IP to Denon receiver.
 
This is a strange one...
 
Any thoughts....
 
Kevin
 
 
Are you on the version 2 firmware on your M1XEP?  This may be a part of their M1Cloud implementation.  I don't see the same traffic on my system, but I am on an older version.
 
I have the latest version of XEP firmware installed. I'm running Wireshark now - my first run of about a minute didn't find anything. I made a filter for my XEP and will let it run until I see something, or about 20 minutes, whichever comes first.
 
Yes I'm on the v2 XEP firmware.
The firmware version is even part of the broadcast //02.00.22//.
 
But you may be on to something.
But why would Elk hard-code a UDP broadcast to a specific IP every thirty seconds sending my serial number, MAC, and firmware versions?
I'm not sure I want my serial and MAC being sent all the time.
And since the UDP would be coming from my IP address......that means all XEPs w/ v2 broadcast their identity 2,880 times a day?
 
I forgot to add that it sends the UDP from port 2000 and to port 2000.
Or rather it sends it from the XEP's port 2000 and to 24.176.94.177:2000.
 
For fun, I blocked the outbound IP on my router for a while, but got tired of seeing all the blocked/dropped packet log messages (that would be 5,760 log entries a day).
I then redirected 24.176.94.177 to my computer so I could see what was being sent.
So last night my PC received a thousand identical UDPs = 00000000//0//<elk serial number>//<xep mac address>//05.03.00//02.00.22//QUERY
 
.....
 
I don't think you are going to see it w/ wireshark since the broadcast comes from the XEP and goes out your router.
Your PC won't see it since it doesn't go thru your PC.
You'd have to mirror the port to see it.
 
I found the transmission by looking at active internet sessions on my router.
It kind of stuck out being active 24/7 from my XEP IP of 192.168.1.199 port 2000 to the aforementioned 24.176.94.177:2000.
I couldn't see the traffic w/ wireshark or smartsniff because it didn't go thru my computer.
I experimented w/ port mirroring but finally redirected the outbound to my PC's ip and was able to see what was being sent.
 
Ahh you're right. I was recently using Wireshark for something else and didn't put that thought into this.
 
I'm definitely interested in this, and will research further. I have a Cisco business class router here, so I know I'll be able to capture the traffic if it's there. Net flow capture it is :)
 
I agree it is obviously a poor implementation. But then again all MS PCs running Vista+ have a Teredo IPv6 tunnel back to MS servers, so this kind of thing seems to be happening a lot. Since you don't have v2 monitoring set up I would block it.
 
BTW I took tcpdumps off my router to try and catch it...
 
This is from smartsniff (w/ redirection to my PC's ip)
Packets Stream Report
Index 3
Protocol UDP
Local Address 192.168.1.199
Remote Address 24.176.94.177
Local Port 2000
Remote Port 2000
Packets 304 {304 ; 0}
Data Size 19,456 Bytes {19,456 ; 0}
Total Size 28,060 Bytes {27,968 ; 92}
Data Speed 0.0 KB/Sec
Capture Time 11/28/2014 7:59:15 AM:093
Last Packet Time 11/28/2014 10:27:41 AM:578
Duration 02:28:26.484 

[11/28/2014 7:59:15 AM:093]
00000000//0//0000xxxx//<macaddress>//05.03.00//02.00.22//QUERY
00000000//0//0000xxxx//<macaddress>//05.03.00//02.00.22//QUERY
00000000//0//0000xxxx//<macaddress>//05.03.00//02.00.22//QUERY
306 lines just like this in an hour and a half.
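The following is an added example, not Elk's code or anything posted in this thread. It parses the `//`-delimited QUERY payload quoted above into named fields (the names are ours; the thread only identifies the serial, MAC and 02.00.22 XEP-firmware fields, so the 05.03.00 field is labelled as an unexplained version field) and, given a list of router session records, flags any source that sends UDP to 24.176.94.177:2000 at a steady interval, which is how the 30-second beacon shows up in a session table or NetFlow export. The session records are constructed sample data.

```python
from datetime import datetime, timedelta
from statistics import median

# Destination and port observed in the thread.
BEACON_DST = ("24.176.94.177", 2000)
# Our own labels for the seven '//'-separated fields. Per the thread: field 3 is
# '0000' + the four-digit panel serial, field 4 the XEP MAC, field 6 the XEP
# firmware (02.00.22). The 05.03.00 field is not explained in the thread, so it
# is only labelled 'version_a' here (assumption).
FIELD_NAMES = ("header", "flag", "serial", "mac", "version_a", "xep_firmware", "command")

def parse_query(payload: str) -> dict:
    """Split one '//'-delimited QUERY payload into named fields."""
    parts = payload.strip().split("//")
    if len(parts) != len(FIELD_NAMES):
        raise ValueError(f"unexpected field count {len(parts)}: {payload!r}")
    rec = dict(zip(FIELD_NAMES, parts))
    if rec["command"] != "QUERY":
        raise ValueError(f"unexpected command {rec['command']!r}")
    rec["panel_serial"] = rec["serial"][-4:]   # drop the four leading zeros
    return rec

def find_beacons(sessions, dst=BEACON_DST, tolerance_s=5.0):
    """Return {(src_ip, src_port): median_gap_s} for UDP sources that reach dst
    at a steady cadence (every gap within tolerance_s of the median gap)."""
    seen = {}
    for ts, src_ip, src_port, dst_ip, dst_port, proto in sessions:
        if proto == "UDP" and (dst_ip, dst_port) == dst:
            seen.setdefault((src_ip, src_port), []).append(ts)
    beacons = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= 2:
            mid = median(gaps)
            if max(abs(g - mid) for g in gaps) <= tolerance_s:
                beacons[key] = mid
    return beacons

# Constructed sample records (timestamp, src_ip, src_port, dst_ip, dst_port, proto):
# the XEP beaconing every 30 s, plus an irregular flow that must not be flagged.
T0 = datetime(2014, 11, 28, 7, 59, 15)
SAMPLE_SESSIONS = [
    (T0 + timedelta(seconds=30 * i), "192.168.1.199", 2000, "24.176.94.177", 2000, "UDP")
    for i in range(4)
] + [
    (T0 + timedelta(seconds=s), "192.168.1.50", 51000, "24.176.94.177", 2000, "UDP")
    for s in (0, 7, 100)
]

if __name__ == "__main__":
    print(parse_query("00000000//0//00001234//00:11:22:33:44:55//05.03.00//02.00.22//QUERY"))
    print(find_beacons(SAMPLE_SESSIONS))   # {('192.168.1.199', 2000): 30.0}
```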
 
I observed traffic on my router's VLAN and the FE port on my router and got no hits to the address you mentioned above.
 
Are you sure it is not to 224.x.x.x? This would make sense as UDP multicast packets can be used for device discovery. The ElkRP software has a Find XEP button to look for the M1XEP adapters.
 
Thanks, but:
1 - No, it is not 224.x.x.x.
2 - If you say so.
3 - Not having a problem finding the XEP.
 
I've looked everything over multiple times.
There is no doubt that every 30 seconds my M1 XEP is sending unencrypted UDP as I described above to 24.176.94.177:2000.
 
I removed the redirects from my router and disabled port forwards.
I rebooted everything.
And my router session table shows an active UDP connection from my XEP ip:2000 to 24.176.94.177:2000 that restarts every thirty seconds.
 
What info i can find for 24.176.94.177 points to Hickory NC, Charter Communications - Systems Depot.
Elk is from Hickory NC, or very close. And Systems Depot is an Elk reseller.
I tried calling Systems Depot - but they are closed for long weekend.
And that reminds me I've got better things to do than worry about UDP packets all weekend, but I'm sure I'll check back in here often to see if anyone has some ideas.
 
Any input on this would be greatly appreciated.
 
I think I'll have a Turkey sandwich for lunch.
 
Thanks,
Kevin
 
Systems Depot is owned by Elk for all intents and purposes.
 
Sounds like part of the M1 cloud integration and possibly a poorly written program update or something not implemented yet.
 
Have to agree that is what this looks like. Some remnant of some fallback ip c.s call out.
 
Below entry is in my router internet sessions listing constantly.
The timeout goes to zero then starts over every 30 seconds.
(I'm sure the copy paste will not parse right the first time, so I'll be cleaning this up)
 
Local               NAT              Internet             Protocol  State  Dir  Priority  Time Out
192.168.1.199:2000  <my ip>:2000     24.176.94.177:2000   UDP       -      Out  128       30
 
Sounds pretty much like a standard TCP/IP communicator heartbeat or "keep alive" as used with CS receivers. Probably a bad piece of coding, or might not be able to see it on the front end, or a carryover from the first versions of the XEPs out there.
 
Did you request an M1Cloud account at any point?  The activity you describe is a handshake occurring with the M1Cloud service.  I just confirmed it with Elk tech support while discussing an unrelated issue.
 