I am a long time Wyze camera owner and IT professional and recently discovered that one V2 camera is connecting to my router on UDP port 10000 every 10 seconds. This is the only camera doing this behavior and none of my other cameras (including other V2s and V3s) show it. The camera is on a separate subnet and should not be aware of the IP it is sending this traffic to.
The camera is sending the following data sequence:
As troubleshooting steps I have tried factorying resetting the camera and reinstalling the firmware from the SD card, but the unexpected behavior has not stopped.
I have no idea what this data is, why it is connecting to my router, or why only one specific camera is doing it. I’m hoping that Wyze might know.
For now I have blocked the traffic with my firewall.
It is a common port used by streaming media. Perhaps incorrectly trying to stream to its default gateway for some reason. Doubt it is anything to be concerned about.
Is the router’s 192.168.1.1 acting as the DNS server for the network? That may be how the camera is learning about it (granted it shouldn’t be sending a stream to its DNS server). Or is your subnet mask a /23 making that the default gateway for both?
Another thing to check, look at the opposite direction, is the router perhaps initiating and you’re seeing the responses? I recall 10000 being used for some management stuff at some point.
The fact that only that one cam is doing it may provide clues. Is that cam linked to Alexa or tiny cam or anything of that sort outside of the Wyze ecosystem? Or are any settings different on that one than others?
A small packet every 10 seconds sounds like a heartbeat, which it may be broadcasting to the whole network (and your sniffer capture is being taken in a spot where it’s been forwarded between router interfaces, which converts it to unicast). That sort of heartbeat is something I’d expect with smart home linkages or that sort of thing where they want to monitor online status.
After checking I’m seeing the exact same traffic (except on port 10001) from the other cameras but only to Wyze servers on the Internet. It is probably a keep-alive heartbeat for the video streams. Still, it is strange that the camera (and only this camera) would send this traffic to my router.
Is the router’s 192.168.1.1 acting as the DNS server for the network?
The DNS server for that network is the subnet’s gateway address. It shouldn’t be seeing 192.168.1.1. I do have a NAT rule to redirect external DNS locally but it should be transparent to clients. Every other camera should be the same.
is the router perhaps initiating and you’re seeing the responses?
I would not expect that, and the firewall would not block returned packets if so. The packet capture is the complete traffic between the camera and the router. The router is seen initiating no traffic, even with the firewall rule disabled.
Is that cam linked to Alexa or tiny cam or anything of that sort outside of the Wyze ecosystem?
All of my cameras are linked with Alexa, but my Alexa devices is on the same subnet as the cameras.
which it may be broadcasting to the whole network (and your sniffer capture is being taken in a spot where it’s been forwarded between router interfaces
The capture was taken from the router’s VLAN interface for the subnet the cameras are on.
It looks like you’re running Ubiquiti, do you have a separate AP - if so run the capture on the port that AP plugs into to confirm the camera is targeting 192.168.1.1 and you’re not seeing a forwarded packet or something. Also confirm there is no traffic (broadcast or otherwise) making 192.168.1.1 known to that other subnet, could be something as simple as DNS or DHCP sourcing from that IP that puts it in the camera’s routing/ARP table.
I have the Dream Machine AIO unit so there are no trunk ports involved. The most I think I can do is capture the WLAN interface directly instead of the VLAN interface. When I do this I see the exact same traffic.
Also confirm there is no traffic (broadcast or otherwise) making 192.168.1.1
The only thing being broadcast are ARP requests between devices on the local subnet.
I do see the gateway broadcasting 0x01000000 on UDP/10001 every 10 seconds. The broadcast is going to all VLAN subnets on the router.
The response is probably just a “connection refused” due to the port not listening. Or possibly something Wyze uses or used to use for discovery is replying thinking it is trying to be discovered. Why the other cams aren’t seeing it or doing that, honestly I don’t know.
