I have several network cameras on a separate VLAN. They are managed from a Synology DS1520+ NAS. A while back, I was troubleshooting some other network issue and I noticed packets going to hikvision.com, presumably from cameras “phoning home” to their vendors.
I made a note to add firewall rules to block the cameras from the Internet (except for DNS and NTP traffic), but how do I confirm that that works?
Since the Synology NAS has access to the surveillance VLAN, I decided to SSH into the Synology NAS and use tcpdump to check for Internet traffic on that VLAN. With some tips from a Reddit post, an article on tcpdump, and a StackOverflow answer, first let’s list the available interfaces
tcpdump --list-interfaces
This NAS has four network ports. Port 3 is attached to the surveillance VLAN, so that’s probably eth2. Let’s try watching traffic on eth2:
sudo tcpdump -i eth2
Wow, lots of traffic! If we limit it to one camera?
sudo tcpdump -i eth2 host 10.100.4.111
Still a lot, but most of it is going to the NAS, which is fine. Let’s get all surveillance traffic not going to the NAS’s IP:
sudo tcpdump -i eth2 host 'not 10.100.4.200'
Better. And if we exclude ARP and STP packets?
sudo tcpdump -i eth2 host 'not 10.100.4.200' and not arp and not llc
That’s pretty good, but I’m not seeing traffic going to outside sites. And theoretically, I might not: if the camera sends a TCP packet to the Internet, the switch should just send that packet to the router without mirroring it to the NAS. Since I can’t remember the circumstances where I was seeing the traffic originally, I’ll just go ahead and block it in the router. I’ll post this for future notes on capturing traffic in a Synology NAS.