This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to find nodes with wrong subnet mask

0

How would I filter a capture to find what nodes have the wrong subnet mask? I.e. my network is 10.128.5.x / 255.255.255.0 but a client is misconfigured using 255.255.0.0

asked 08 Nov '12, 12:16

pcmonkey
1111
accept rate: 0%


3 Answers:

1

You can find wrong subnet masks either by searching for ARP requests that are looking for MAC addresses of IP addresses they should not be able to reach directly (which is your case), or by finding ICMP redirect messages from default gateways that tell clients to talk to the target node directly (if the mask is too narrow).

answered 08 Nov '12, 12:18

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 08 Nov '12, 12:19

So I make a filter for icmp.redir_gw?

(08 Nov '12, 12:29) pcmonkey

You could filter for icmp.type==5, because type 5 is a redirect message. And if you combine that with an IP filter on your default gateway you should be able to spot these things.

(08 Nov '12, 23:53) Jasper ♦♦

0

Are you looking for something like arp and not arp.dst.proto_ipv4 == 10.128.5.0/24 ?

answered 08 Nov '12, 12:32

packethunter
2.1k71548
accept rate: 8%

I will try that packethunter

(08 Nov '12, 13:48) pcmonkey

0

In addition to what @Jasper said, look for broadcast packets to 10.128.255.255. If it's a Windows machine it will eventually send some broadcasts to its network broadcast address.

Filter: ip.addr eq 10.128.255.255

Regards
Kurt

answered 08 Nov '12, 19:02

Kurt Knochner ♦
24.8k1039237
accept rate: 15%
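
The ARP check from Jasper's answer and the broadcast check from Kurt's answer can be run together over raw Ethernet frames. This is an added Python example, not part of the original thread; the function names, the sample hosts 10.128.5.20 and 10.128.5.77, and the frames themselves are constructed for illustration.

```python
import ipaddress
import struct

MAC = b"\x02\x00\x00\x00\x00\x01"  # constructed, locally administered MAC

def arp_request(sender, target):
    """Constructed sample frame: Ethernet broadcast carrying an ARP request."""
    ips = [ipaddress.IPv4Address(a).packed for a in (sender, target)]
    return (b"\xff" * 6 + MAC + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
            + MAC + ips[0] + b"\x00" * 6 + ips[1])

def ipv4_frame(src, dst):
    """Constructed sample frame: Ethernet plus a bare 20-byte IPv4 header."""
    ips = [ipaddress.IPv4Address(a).packed for a in (src, dst)]
    return (b"\xff" * 6 + MAC + struct.pack("!H", 0x0800)
            + struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, 17, 0)
            + ips[0] + ips[1])

def wrong_mask_hosts(frames, network):
    """Map each local sender to the evidence that its mask is too wide."""
    net = ipaddress.ip_network(network)
    # Directed broadcasts a host would use with any shorter prefix (/8 and up).
    wide_bcasts = {net.supernet(new_prefix=p).broadcast_address
                   for p in range(8, net.prefixlen)} - {net.broadcast_address}
    findings = {}
    for frame in frames:
        if len(frame) < 14:
            continue
        ethertype, body = struct.unpack("!H", frame[12:14])[0], frame[14:]
        if ethertype == 0x0806 and len(body) >= 28:
            _, ptype, hlen, plen, oper = struct.unpack("!HHBBH", body[:8])
            if (ptype, hlen, plen, oper) != (0x0800, 6, 4, 1):
                continue  # only IPv4-over-Ethernet ARP requests
            src, dst = (ipaddress.IPv4Address(body[i:i + 4]) for i in (14, 24))
            hit = "arp-off-subnet" if dst not in net else None
        elif ethertype == 0x0800 and len(body) >= 20:
            src, dst = (ipaddress.IPv4Address(body[i:i + 4]) for i in (12, 16))
            hit = "wide-broadcast" if dst in wide_bcasts else None
        else:
            continue
        if hit and src in net:
            findings.setdefault(str(src), set()).add(f"{hit}:{dst}")
    return {host: sorted(ev) for host, ev in findings.items()}

SAMPLE = [arp_request("10.128.5.20", "10.128.5.1"),     # correct /24 host
          arp_request("10.128.5.77", "10.128.9.40"),    # ARPs past its subnet
          ipv4_frame("10.128.5.77", "10.128.255.255"),  # /16 broadcast
          ipv4_frame("10.128.5.20", "10.128.5.255")]    # proper /24 broadcast
```

Calling `wrong_mask_hosts(SAMPLE, "10.128.5.0/24")` reports only 10.128.5.77, with both pieces of evidence. ARP probes sent from 0.0.0.0 are ignored because the sender is not inside the subnet.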