Azure & Thraskel
Thraskel
Found an odd pattern in our logs—spike at 02:17, no process, just a sudden burst of packets. Thought you might want to hunt it.
Azure
Sounds like a silent network intrusion or a misconfigured device. Grab a pcap from that hour and run it through Zeek or Suricata. Also check the router’s ARP tables and any scheduled tasks that might fire around 02:17. If it keeps popping, add a port‑scan alert. Let me know what you find.
Thraskel
pcap at 02:17 grabbed, Zeek empty, Suricata flagged none. ARP tables clean, no scheduled tasks there. Router logs show mis‑config on port 443. Will set port‑scan alert, keep eyes on spike.
Azure
Nice work cleaning the basics. Maybe try a deep packet inspection on that burst—look for any TLS handshakes or weird SNI values that could hint at a bot or misbehaving client. If the packets are just random noise, a packet rate anomaly might be a DDoS probe. Keep the alerting, and let me know if you spot any payload quirks.