Trying to understand Philips Hue hub network activity

I noticed repeated activity on the firewalls of two of my computers.
The activity originates from 10.0.0.94, which was not assigned by my DHCP server. After much sleuthing, I determined the MAC address that is trying to connect was from a Philips device, which in my case would have to be a Philips Hue hub.
I could understand it trying to discover other Philips devices, but all communication with my Hue bulbs happens over Zigbee.
I’ve tried googling, but no explanations so far.

I don’t think I am being, or have been, hacked; I'm just trying to understand what’s happening in my home.

My questions are:

  • Why doesn’t the hub use DHCP (even though I have DHCP enabled in the Hue app)?
  • Why is it trying to connect to other computers on the network?
  • What is it trying to discover?

In the Log entries below, the first six hex numbers (three bytes) are the destination MAC address, the second six are the source MAC address. After learning this, I was able to look them up and determine the manufacturer using this website. E.g. 00:17:88 is Philips Lighting Bv, 10:dd:b1 is Apple, Inc., and 48:4d:7e is Dell Inc.

Log entry from computer A:

Nov 23 23:19:26 mac-mini kernel: [UFW BLOCK] IN=enp1s0f0 OUT= MAC=10:dd:b1:99:xx:xx:00:17:88:6a:e6:1c:08:00 SRC=10.0.0.94 DST=10.0.0.8 LEN=316 TOS=0x00 PREC=0x00 TTL=64 ID=26510 DF PROTO=UDP SPT=1900 DPT=44248 LEN=296 

Log entry from computer B:

Nov 23 23:17:43 pop-os kernel: [UFW BLOCK] IN=enp0s31f6 OUT= MAC=48:4d:7e:fa:42:f9:yy:yy:88:6a:e6:1c:08:00 SRC=10.0.0.94 DST=10.0.0.13 LEN=319 TOS=0x00 PREC=0x00 TTL=64 ID=43299 DF PROTO=UDP SPT=1900 DPT=58869 LEN=299 
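As an added example (mine, not code from the thread), here is a small Python parser for these UFW lines: it splits the MAC= field into destination MAC, source MAC and EtherType, looks up the vendor from the OUI using only the three prefixes named above (a constructed table, not the full IEEE registry), and labels the discovery protocol from the well-known ports and multicast groups.

```python
import re

# Only the three OUIs the post identifies (constructed table, not the full IEEE registry)
OUI_VENDORS = {"00:17:88": "Philips Lighting BV", "10:dd:b1": "Apple, Inc.", "48:4d:7e": "Dell Inc."}
# Discovery protocols by well-known UDP port and by multicast group address
DISCOVERY_PORTS = {1900: "SSDP", 5353: "mDNS"}
MULTICAST_GROUPS = {"239.255.255.250": "SSDP", "224.0.0.251": "mDNS"}


def vendor_of(mac):
    """Map a MAC to a vendor via its first three bytes (the OUI), if known."""
    return OUI_VENDORS.get(mac[:8].lower())


def parse_ufw_line(line):
    """Parse one '[UFW BLOCK]' kernel log line into a dict.

    The MAC= field is the raw 14-byte Ethernet header: destination MAC (6 bytes),
    source MAC (6 bytes), EtherType (2 bytes; 08:00 is IPv4). The line has two
    LEN= fields (IP total length, then UDP length); this key=value scan keeps the last.
    """
    kv = dict(re.findall(r"(\w+)=(\S*)", line))
    octets = kv["MAC"].split(":")
    if len(octets) != 14:
        raise ValueError("MAC= field should hold 14 bytes of Ethernet header")
    dst_mac, src_mac = ":".join(octets[:6]), ":".join(octets[6:12])
    spt, dpt = int(kv["SPT"]), int(kv["DPT"])
    # Identify the discovery protocol from either port, else from a multicast destination
    service = DISCOVERY_PORTS.get(spt) or DISCOVERY_PORTS.get(dpt) or MULTICAST_GROUPS.get(kv["DST"])
    return {"src_ip": kv["SRC"], "dst_ip": kv["DST"], "proto": kv["PROTO"], "spt": spt, "dpt": dpt,
            "src_mac": src_mac, "dst_mac": dst_mac, "ethertype": "".join(octets[12:]),
            "src_vendor": vendor_of(src_mac), "dst_vendor": vendor_of(dst_mac), "service": service}


def describe(entry):
    """One-line summary: protocol, source (vendor) -> destination (vendor)."""
    return (f"{entry['service'] or entry['proto']} from {entry['src_ip']}:{entry['spt']} "
            f"({entry['src_vendor'] or 'unknown OUI'}) to {entry['dst_ip']}:{entry['dpt']} "
            f"({entry['dst_vendor'] or 'unknown OUI'})")


# The two log lines quoted in the post (octets redacted there as xx/yy stay redacted)
SAMPLE_LINES = [
    "Nov 23 23:19:26 mac-mini kernel: [UFW BLOCK] IN=enp1s0f0 OUT= MAC=10:dd:b1:99:xx:xx:00:17:88:6a:e6:1c:08:00 SRC=10.0.0.94 DST=10.0.0.8 LEN=316 TOS=0x00 PREC=0x00 TTL=64 ID=26510 DF PROTO=UDP SPT=1900 DPT=44248 LEN=296",
    "Nov 23 23:17:43 pop-os kernel: [UFW BLOCK] IN=enp0s31f6 OUT= MAC=48:4d:7e:fa:42:f9:yy:yy:88:6a:e6:1c:08:00 SRC=10.0.0.94 DST=10.0.0.13 LEN=319 TOS=0x00 PREC=0x00 TTL=64 ID=43299 DF PROTO=UDP SPT=1900 DPT=58869 LEN=299",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(describe(parse_ufw_line(line)))
```

Note that the redacted `yy:yy` octets in the second line fall inside the source MAC, so that entry's source OUI comes back as unknown; source port 1900 still marks the packet as SSDP.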

Can you get a packet capture and examine that to try to work out exactly what it’s doing?

That’s a good idea. I’ll have to dig up tcpdump, it’s been a minute - unless you know of something better.

I always use tcpdump and then wireshark to analyze. Usually I’m getting traffic from a server so command line tools are preferred for capture.


Thanks for suggesting Wireshark.
It looks like the network activity is the Hub saying, “Where my lightbulbs at?” every second or so. Destinations are the mDNS address 224.0.0.251 and SSDP address 239.255.255.250, but in the UFW logs they appeared to be directed to the specific hosts where I was checking the logs.


Yeah, multicast traffic is weird (or at least I find it surprises me in various ways) when dealing with it and firewalls/ACLs 🙂


It’s kind of like drawing the curtain back, and thinking, “wow, you all just jabber among yourselves like this day and night?”
