
Unusual Router Traffic

I've noticed some "interesting" traffic in my router log.

Remote IP

Remote name p5-vvipttempz3yi-yjro32jiljp42irg-630273-i1-v6exp3-v4.metric.g

Local IP

The IPs show some variation but the name is always similar, starts with "p5" and ends with "metric.g".

Neither of these IPs is my actual LAN or WAN address, and my router log shows no other local IPs other than my LAN or WAN except for this. Usually only a few times daily.

Outgoing tcp always following outgoing to gstatic.com and google.com from LAN address.

Does this have something to do with Google's use of "the cloud"?


Canyon Lake, TX resolves to yh-in-f120.1e100.net and is MarkMonitor owned by Google. Almost anything Google will make a connection to a .1e100.net domain on an infinite number of IP addresses and ports.

If you are using Firefox > Tools > Options > Security > unchecking Block reported attack sites and Block reported web forgeries will tame it down. Firefox will make these connections to get a current list of attack and forgery sites.

The Google SSL search engine, YouTube, Google Maps and Google Earth all make .1e100.net connections. I am told the Google Tool Bar and Chrome also make these connections. Although this is untested, probably anything Google makes these connections, including Google Cloud and Google DNS if you are using them.

Google tracks everything but short of that these connections are likely benign. Wireshark would ensure a more definitive answer but I am too lazy to run down all Google connections. resolves to Dupont and I don't have a clue why that would show as your local IP. Nothing Google for that remote name.

I gave her time to steal my mind away
San Jose, CA
·Pacific Bell - SBC
reply to falcon04
Not sure where your router is getting that remote name; it isn't the reverse name on that IP address. As dsilvers states, '1e100.net' is a Google domain. As an aside, it has to do with the fact that 1.0×10¹⁰⁰ can be written as 1e100; the mathematicians call this a "Googol".

The other puzzle is the reported as a local IP address. Seeing the actual, unedited log entry might be revealing.
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

reply to falcon04
Seconded... if you can please post said log of the traffic you're looking at.

Also, checking both IP address ranges with arin.net,



Firefox blocks unchecked ages ago.

"safebrowsing-" etc. was slowing everything down.

Here's the last instance from my WW log.

2013/01/04 13:58:06.76 O tcp www.google.com 80 49205
2013/01/04 13:58:07.06 O tcp ssl.gstatic.com 80 49206
2013/01/04 13:58:07.60 O tcp ocsp.godaddy.com 80 49207
2013/01/04 13:58:11.35 O tcp www.google.com 80 49210
2013/01/04 13:58:11.56 O tcp id.google.com 80 49211
2013/01/04 13:58:17.66 O tcp p5-vjbrh5n742oqe-evtxaylq3ixe2ham-430548-i1-v6exp3-ds.metric.g 80 49212

This started a few weeks ago - SAS and MWB find no funnies - and it only happens a few times daily ??
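Added example, not part of the original thread: a Python sketch that parses the log lines posted above, flags remote names whose last label is too short to be a real top-level domain (a sign the name was cut off in the log), and lists what was logged shortly before each one, so the "always follows google.com / gstatic.com" observation can be checked over a longer log. The field names, the 15-second window and the truncation heuristic are assumptions.

```python
import re
from datetime import datetime, timedelta

# Log lines as posted in the thread above.
LOG = """\
2013/01/04 13:58:06.76 O tcp www.google.com 80 49205
2013/01/04 13:58:07.06 O tcp ssl.gstatic.com 80 49206
2013/01/04 13:58:07.60 O tcp ocsp.godaddy.com 80 49207
2013/01/04 13:58:11.35 O tcp www.google.com 80 49210
2013/01/04 13:58:11.56 O tcp id.google.com 80 49211
2013/01/04 13:58:17.66 O tcp p5-vjbrh5n742oqe-evtxaylq3ixe2ham-430548-i1-v6exp3-ds.metric.g 80 49212
"""
LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")

def parse(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            stamp, direction, proto, host, port_a, port_b = m.groups()
            entries.append({
                "time": datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S.%f"),
                "dir": direction, "proto": proto, "host": host.lower(),
                "ports": (int(port_a), int(port_b))})  # column meaning not stated in the thread
    return entries

def looks_truncated(host):
    """Assumed heuristic: no TLD is one character long, so a 1-char non-numeric last label means a cut-off name."""
    last = host.rstrip(".").rsplit(".", 1)[-1]
    return len(last) < 2 and not last.isdigit()

def report(text, window_s=15):
    """For each truncated name, list the remote names logged in the preceding window."""
    entries = parse(text)
    out = []
    for e in entries:
        if looks_truncated(e["host"]):
            start = e["time"] - timedelta(seconds=window_s)
            before = [p["host"] for p in entries if start <= p["time"] < e["time"]]
            out.append((e["host"], before))
    return out

def follows_google(before):
    """True if any preceding name is google.com / gstatic.com or a subdomain of either."""
    return any(h == d or h.endswith("." + d) for h in before for d in ("google.com", "gstatic.com"))

if __name__ == "__main__":
    for host, before in report(LOG):
        print(host, "<-", before, "| follows Google traffic:", follows_google(before))
```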

reply to falcon04
Make / model of this device, falcon04?

My only question is what the "O" flag is for (if anything), but looks like it's autoresolving an IP address to a hostname. Ignoring the "O," looks like it's all return traffic from port 80 / HTTP to your PC on a high order port, which is normal and expected.

Couldn't say about this one... there any previous occurrences? Does it reoccur, and how often?

Short of running a continuous netstat on all your PCs on your LAN or running some sort of packet sniffer, you got me.

My 00000010bits.



"O" is outgoing - green flagged in WW for passed. Usually only 1 to 3 times daily - "metric.g" looks like a track of some sort. I'm fairly comfortable it's benign - or as benign as can be expected from Google.

Irreverent or irrelevant?
Kelowna, BC
Do you use a Host file at all? I wonder if that would eliminate some or all of those entries. Might be worth a shot.