The recent posts got me looking at my GW1100 to see exactly what it was doing. (I have a GW2000 on order, so I'll repeat this when that arrives.)
So I monitored everything that it did from the time I turned it on, and here's what I saw. I'm leaving out the DHCP and ARP requests, as those are boring.
NOTE that this device has the updates to ecowitt.net set to one minute intervals. All other services are turned off. (More on that later.)
1. DNS lookup to the configured DHCP-configured DNS server, asking for "rtpdate.ecowitt.net". (On my network, I have configured my DNS server to return the local address of my own web server instead of the real IP address of rtpdate.ecowitt.net)
2. HTTP "POST" to /data/ip_api/ on that IP address, with the "HOST" (SNI) field set to cdnrtpdate.ecowitt.net - not rtpdate.ecowitt.net - and the following data:
mac=30:83:98:A7:2E:D9&stationtype=GW1100C_V2.1.8&fields=timezone,utc_offset,dst,date_sunrise,date_sunset
I have my server respond with HTTP status code 202 and the following data:
{"timezone":"America\/Los_Angeles","utc_offset":"-25200","dst":"1","date_sunrise":"06:50","date_sunset":"19:07"}
3. DNS lookup to the configured DHCP-configured DNS server, asking for "cdnrtpdate.ecowitt.net". (Similarly, I have configured my DNS server to return the address of my web server instead of the real IP address.)
4. HTTP "POST" to /data/report/ on that IP address, with the "HOST" (SNI) field set to cdnrtpdate.ecowitt.net, as expected, and the following data (broken onto multiple lines here for readability):
PASSKEY=FEA606E728ABB98925C42F5CE38A819D&stationtype=GW1100C_V2.1.8&
runtime=43&dateutc=2024-03-43+01:21:19&tempinf=74.12&humidityin=57&
baromrelin=30.014&baromabsin=30.014&temp6f=70.52&humidity6=61&soilmoisture1=0&
leak_ch1=0&leak_ch2=0&leak_ch3=0&leak_ch4=0&batt6=0&soilbatt1=0.8&leakbatt1=5&
leakbatt2=5&leakbatt3=5&leakbatt4=5&freq=433M&model=GW1100C
Note that the PASSKEY value is simply the MD5 hash of the MAC address, using uppercase hex digits.
My server simply responds with HTTP status code 202, accepted.
5. It does a DNS request for "pool.ntp.org". In this case, I let my DNS server return the real IP address for that.
6. It sends an NTP request using UDP to the returned IP address, which replies with the time information (several timestamps.)
7. It sends a UDP broadcast packet to the local network's broadcast address (192.168.23.255 in my case), directed to port 59387.
This is the Ecowitt broadcast packet, formatted as:
0x0000: 4500 0046 0018 0000 ff11 0cee c0a8 1551 E..F...........Q
0x0010: c0a8 17ff d5dc e7fb 0032 d6e3 ffff 1200 .........2......
0x0020: 2730 8398 a72e d9c0 a815 51af c817 4757 '0........Q...GW
0x0030: 3131 3030 432d 5749 4649 3245 4439 2056 1100C-WIFI2ED9.V
0x0040: 322e 312e 38ee 2.1.8.
The data contained is, in order, CMD_BROADCAST (hex 12), two bytes of packet size (00 27 in this case = 39 decimal), six bytes of MAC address (30 83 98 A7 2E D9), four bytes of IP address (C0 A8 15 51 = 192.168.21.81), two bytes of port number (AF C8 = 45000 decimal), one byte for the size of the SSID (in this case, 17 = 23 decimal), and size bytes of SSID, usually with the firmware version concatenated ("GW1100C-WIFI2ED9 V2.1.8"), followed by the packet data checksum (ee).
8. It repeated step 7 three additional times, sending the UDP broadcast a total of four times, every two seconds.
9. It then repeated step 4, HTTP "POST" to /data/report/, WITHOUT doing another DNS lookup.
It then falls into a cycle, doing the UDP broadcast (step 7) roughly every two seconds, and the HTTP POST to /data/report (step 4) every 61 seconds.
It occasionally does the HTTP post to /data/ip_api (step 2) on a decreasing basis by my observation - initially one minute apart, then two, three, four, five, etc., up to ten minutes apart.
So when I disabled updates to the ecowitt.net service, unsurprisingly the POST to /data/report went away completely - it didn't do this even when first booted. When I began this project, I was using a near-virgin GW100C, and I didn't realize that ecowitt updates were enabled by default.
Some other notes: at least over the course of ten minutes, the GW1100 only performed one DNS query per name - it did not look them up again before reusing the address (for the HTTP POST, at least.) It also only performed the initial NTP query, and no more. I will monitor for a longer time to see if/when it reissues the DNS or NTP requests.
---Jonathan
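Added example, not part of the original post and not Ecowitt code: a decoder for the broadcast frame laid out in step 7, run against the UDP payload bytes from the hex dump above. The `ff ff` prefix is taken from the dump; the checksum rule and the `src_ip` comparison are assumptions of this example, and `parse_broadcast` is a hypothetical name.

```python
import ipaddress
import struct

# Constructed sample: the UDP payload bytes from the hex dump in the post
# (IP and UDP headers removed).
SAMPLE = bytes.fromhex(
    "ffff120027308398a72ed9c0a81551afc817"
    "475731313030432d57494649324544392056322e312e38"
    "ee"
)
CMD_BROADCAST = 0x12


def parse_broadcast(payload, src_ip=None):
    """Decode a broadcast frame using the field order given in the post."""
    if len(payload) < 19 or payload[:2] != b"\xff\xff":
        raise ValueError("missing ff ff header or frame too short")
    cmd, size = struct.unpack_from(">BH", payload, 2)
    if cmd != CMD_BROADCAST:
        raise ValueError(f"unexpected command 0x{cmd:02x}")
    mac = ":".join(f"{b:02X}" for b in payload[5:11])
    ip = str(ipaddress.IPv4Address(payload[11:15]))
    (port,) = struct.unpack_from(">H", payload, 15)
    ssid_end = 18 + payload[17]
    if ssid_end >= len(payload):
        raise ValueError("SSID length runs past the end of the frame")
    # Assumption (not stated in the post): the checksum is the low byte of
    # the sum of every byte from the command through the end of the SSID.
    checksum_ok = (sum(payload[2:ssid_end]) & 0xFF) == payload[ssid_end]
    return {
        "size": size, "mac": mac, "ip": ip, "port": port,
        "ssid": payload[18:ssid_end].decode("ascii", "replace"),
        "checksum_ok": checksum_ok,
        # The frame is unauthenticated; flag an advertised address that
        # differs from the address the datagram actually came from.
        "ip_matches_source": None if src_ip is None else ip == src_ip,
    }


if __name__ == "__main__":
    print(parse_broadcast(SAMPLE, src_ip="192.168.21.81"))
```

The assumed checksum rule reproduces the trailing `ee` byte of this capture; it has not been checked against other frames.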