Strange Ethernet II packets in wireshark

networking, packet-capture, wireshark

Looking at a wireshark capture, I'm seeing something really strange. Ethernet II packets with random data are being sent on the network. The larger packets in the capture seem to contain bits and pieces of http, but the src/dst don't make any sense at all.

Both src and dst MAC addresses are random; neither exists on my network. The funny thing is, the src/dst randomly change with each packet.

About 1-3 packets/sec. Unable to find either src or dst mac in the switch tables.

Any ideas as to what this traffic is?

See .pcap file from cloudshark below.

http://cloudshark.org/captures/eca6e20e1835

Any help would be appreciated. My mind is boggled. I would love to know how to track down the culprit of these packets!


Best Answer

Packet 5 has, starting at an offset of hex 0036:

b4 99 ba 3d 49 00 00 17 54 01 63 b2 08 00 45

which looks like the beginning of an Ethernet packet to b4:99:ba:3d:49:00 from 00:17:54:01:63:b2, with a type field of 0x0800 meaning IPv4, and then the first byte of an IPv4 packet with no options.

If we treat that as an IPv4 header:

45 00 01 52 d7 d7 40 00 40 06 13 2f c0 a8 00 09 45 1f 48 cf

that's:

  • 45 - IPv4, 20-byte header
  • 00 - type of service (00 probably means "ordinary boring packet")
  • 01 52 - total length (338 bytes)
  • d7 d7 - identification
  • 40 00 - flags+fragment offset; flags = Don't Fragment, fragment offset = 0
  • 40 - Time To Live
  • 06 - protocol (TCP)
  • 13 2f - checksum
  • c0 a8 00 09 - source address (192.168.0.9)
  • 45 1f 48 cf - destination address (69.31.72.207)

I don't know whether that indicates where the packet came from or not, and I don't know what encapsulation is being used here (i.e., what all the stuff before the IPv4 header is). There might be a header that's not an Ethernet header but does have an Ethernet type field at the end.
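The hand decode above, automated as an added example (not code from the original question or answer): it scans a frame for an embedded Ethernet II header whose EtherType is 0x0800 and that is followed by an IPv4 header with a valid checksum, then reports the fields the answer listed. The sample frame is constructed: filler bytes stand in for the unknown outer encapsulation, followed by the 34 header bytes quoted in the answer.

```python
import struct

# Constructed sample frame: 0x36 bytes of arbitrary filler in place of the unknown
# outer encapsulation, then the Ethernet II + IPv4 header bytes quoted in the answer.
FILLER = bytes(range(0x36))
INNER = bytes.fromhex(
    "b4 99 ba 3d 49 00 " "00 17 54 01 63 b2 " "08 00 "           # Ethernet II header
    "45 00 01 52 d7 d7 40 00 40 06 13 2f c0 a8 00 09 45 1f 48 cf"  # IPv4 header
)
FRAME = FILLER + INNER


def ipv4_checksum(hdr: bytes) -> int:
    """Ones-complement sum over 16-bit words; returns 0 when the header's
    own checksum field is correct."""
    n = len(hdr) // 2
    total = sum(struct.unpack("!%dH" % n, hdr[: n * 2]))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_embedded(frame: bytes, off: int) -> dict:
    """Decode the Ethernet II header at `off` and the IPv4 header behind it."""
    ethertype = struct.unpack("!H", frame[off + 12:off + 14])[0]
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", frame[off + 14:off + 34])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "offset": off, "ethertype": ethertype,
        "dst_mac": fmt_mac(frame[off:off + 6]), "src_mac": fmt_mac(frame[off + 6:off + 12]),
        "version": ver_ihl >> 4, "ihl": ihl, "total_length": total_len,
        "dont_fragment": bool(flags_frag & 0x4000), "ttl": ttl, "protocol": proto,
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
        "checksum_ok": ipv4_checksum(frame[off + 14:off + 14 + ihl]) == 0,
    }


def find_embedded_ipv4(frame: bytes):
    """First offset where EtherType 0x0800 is followed by a version-4 header
    whose checksum verifies; the checksum test filters out chance 08 00 bytes."""
    for off in range(len(frame) - 34 + 1):
        if frame[off + 12:off + 14] != b"\x08\x00" or frame[off + 14] >> 4 != 4:
            continue
        ihl = (frame[off + 14] & 0x0F) * 4
        if ihl < 20 or off + 14 + ihl > len(frame):
            continue
        if ipv4_checksum(frame[off + 14:off + 14 + ihl]) == 0:
            return parse_embedded(frame, off)
    return None
```

Running `find_embedded_ipv4(FRAME)` locates the inner header at offset 0x36 and confirms that the 13 2f checksum in the quoted bytes is valid for the listed fields.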
