This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Will wireshark detect source of ping floods on Syswan SW-24?

0

Howdee all... first time on. Below is one of hundreds of emails I've been getting over the last two weeks from my SW-24. The floods last 10-20 minutes, then seem to stop for a while... some days there are multiple floods, others only one. They occur at random times.

...DL'd WS, BUT...not sure how to set up filters for the SW-24.

one of hundreds email to me:

WAN1 MAC Address: 00-1C-74-00-B0-8C, IP: 24.100.82.111
WAN2 MAC Address: 00-1C-74-00-B0-8D, IP: 192.168.254.1
System Uptime: 16d 12h 41m 41s
Firmware Version: Ver 1.0 Rel 04
Build Date: Jun 18 2010
CPU utilization: 5 %
Heap Usage: 42 %
Queue Usage: 1 %

Causes: Device Ping Flood! More than 120 pings per minute to SW00B08C(IP=24.100.82.111).

the 00-1C-74-00-B0-8C, IP: 24.100.82.111, is my Time-Warner cable modem

is it possible to use WS to detect the source of the ping-floods thru the SW-24?

Thanks in advance for speedy advice,

Chas

asked 20 Jun '12, 22:00


hesynergy
accept rate: 0%


One Answer:

1

Sounds like your cable modem detects some pings on 24.100.82.111. Those pings come either from the external side or from your LAN.

If the pings come from the external side (ISP network), there is no easy way to work with Wireshark, as you cannot sniff on the TV cable without further hardware, unless your cable modem provides such a functionality. Please check the manual.

If the pings come from the internal side (rather unlikely), you can sniff the traffic on the LAN, by looking at this link: http://wiki.wireshark.org/CaptureSetup/Ethernet

If you manage to sniff traffic, you can use this display filter to show only icmp packets.

icmp

Sort the list of entries in the packet list by source ip, and you will see who sends most of the icmp packets (possibly pings).

Regards
Kurt

answered 20 Jun '12, 22:52


Kurt Knochner ♦
accept rate: 15%

Thanks Kurt!

I am wondering if eliminating the SW-24 for diag. purposes might simplify things... Or is this strictly a WAN problem... gonna: 1. Filter icmp packets, then; 2. Disconnect my DSL to isolate; 3. Disconnect my HP network printer.

Sound reasonable?

Chas ...

(21 Jun '12, 07:30) hesynergy

Well, I don't believe it's an internal device that generates those pings (would be kind of useless), but you never know!

If you can't sniff on the LAN side, it's of course an option to eliminate the possible sources of the problem and see if the situation changes.

(21 Jun '12, 07:59) Kurt Knochner ♦
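
The "sort by source IP" step from the answer, as an added example that is not part of the original thread: it ranks ICMP echo-request senders from exported capture rows and flags any source whose busiest minute exceeds the 120 pings per minute quoted in the SW-24 alert. The file name `capture.pcap`, the function names, the sliding 60-second window and the sample source addresses (documentation ranges) are assumptions made for illustration.

```python
# Added example (not from the thread). Input rows are assumed to come from:
#   tshark -r capture.pcap -Y "icmp.type == 8" -T fields -e frame.time_epoch -e ip.src -e ip.dst
from collections import defaultdict, deque

THRESHOLD = 120   # pings per minute, from the SW-24 alert text
WINDOW = 60.0     # seconds; a sliding window is an assumption about how the SW-24 counts

def peak_rates(rows, target):
    """Return {source: (total pings, peak pings in any 60 s window)} for pings sent to target."""
    times = defaultdict(list)
    for row in rows:
        parts = row.split()
        if len(parts) != 3 or parts[2] != target:
            continue                      # malformed row or other destination
        try:
            ts = float(parts[0])
        except ValueError:
            continue                      # non-numeric timestamp
        times[parts[1]].append(ts)
    result = {}
    for src, stamps in times.items():
        stamps.sort()
        window, peak = deque(), 0
        for ts in stamps:
            window.append(ts)
            while ts - window[0] >= WINDOW:
                window.popleft()          # drop pings older than one minute
            peak = max(peak, len(window))
        result[src] = (len(stamps), peak)
    return result

def flooders(rows, target, threshold=THRESHOLD):
    """Sources whose busiest minute exceeds the threshold, busiest first."""
    hits = [(s, p) for s, (_, p) in peak_rates(rows, target).items() if p > threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)

def sample_capture():
    """Constructed sample rows: one noisy source (4 pings/s) and one quiet monitor."""
    base, rows = 1340229600.0, []
    for i in range(300):                  # 198.51.100.7: 300 pings over 75 s
        rows.append(f"{base + i * 0.25:.6f}\t198.51.100.7\t24.100.82.111")
    for i in range(10):                   # 203.0.113.9: one ping every 10 s
        rows.append(f"{base + i * 10:.6f}\t203.0.113.9\t24.100.82.111")
    return rows

if __name__ == "__main__":
    for src, peak in flooders(sample_capture(), "24.100.82.111"):
        print(f"{src}: {peak} pings in the busiest minute")
```

The total count alone can mislead on a long capture, which is why the peak per minute is reported next to it: a monitoring host that pings steadily for hours can out-total a short flood without ever crossing the alert threshold.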