This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Lot of traffic to 173.194.41.67

0

I am running wireshark on my laptop and am seeing a lot of traffic going to and from the above IP address.

It all follows roughly the same format

cadsi-lm > https [ACK] SEQ = 2063 ACK= 4052 WIN=65740 LEN = 0
atex-elmd > https [ACK] SEQ = 2063 ACK= 4052 WIN=65740 LEN = 0
f-ser > https [ACK] SEQ = 2063 ACK= 4052 WIN=65740 LEN = 0
cad-key > https [ACK] SEQ = 2063 ACK= 4052 WIN=65740 LEN = 0
iclpv-pm> https [ACK] SEQ = 2063 ACK= 4052 WIN=65740 LEN = 0
cichlid > https [ACK] SEQ = 2063 ACK= 4052 WIN=65740 LEN = 0
molly > https [ACK] SEQ = 2063 ACK= 4052 WIN=65740 LEN = 0

So on and so forth - there seem to be slight variations in the IP address.

Haven't a clue what it is - can anybody give me any pointers, please?

Cheers Glenn

asked 15 Mar '13, 06:12

job3210
accept rate: 0%

edited 15 Mar '13, 06:21

SYN-bit ♦♦


2 Answers:

1

Not sure what it is exactly, but...

$ nslookup 173.194.41.67
Server:     192.168.1.20
Address:    192.168.1.20#53

Non-authoritative answer:
67.41.194.173.in-addr.arpa name = lhr08s01-in-f3.1e100.net.

And 1e100.net points to Google, see http://support.google.com/bin/answer.py?hl=en&answer=174717

answered 15 Mar '13, 06:25

SYN-bit ♦♦
accept rate: 20%

Cheers for having a look. Just seems odd - that there was nothing open on the laptop at the time - and I closed as many apps down as I could - but thanks again.

(15 Mar '13, 06:32) job3210

If it is a Windows laptop, you can use netmon to look at the traffic and see which process is responsible for it...

(there is work being done to make that possible with Wireshark too, but it's not finished yet)

(15 Mar '13, 06:44) SYN-bit ♦♦

0

that there was nothing open on the laptop at the time - and I closed as many apps down as I could - but thanks again

If you connect to that IP address with HTTPS, it will present a certificate that is valid for a broad range of domains, including Google Analytics, Google APIs, YouTube, etc.

*.google.com, *.android.com, *.appengine.google.com, *.cloud.google.com, *.google-analytics.com, *.google.ca, *.google.cl, *.google.co.in, *.google.co.jp, *.google.co.uk, *.google.com.ar, *.google.com.au, *.google.com.br, *.google.com.co, *.google.com.mx, *.google.com.tr, *.google.com.vn, *.google.de, *.google.es, *.google.fr, *.google.hu, *.google.it, *.google.nl, *.google.pl, *.google.pt, *.googleapis.cn, *.googlecommerce.com, *.gstatic.com, *.urchin.com, *.url.google.com, *.youtube-nocookie.com, *.youtube.com, *.ytimg.com, android.com, g.co, goo.gl, google-analytics.com, google.com, googlecommerce.com, urchin.com, youtu.be, youtube.com

I bet there is some software (maybe a service) on your system that uses one of those sites to either use a Google API or to update data sets (Google Analytics, YouTube, etc.).

Regards
Kurt

answered 19 Mar '13, 14:34

Kurt Knochner ♦
accept rate: 15%
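
Added example, not part of the original answers: the two checks used above (is the PTR name inside 1e100.net, and which certificate SAN entries cover a given hostname) written as label-by-label comparisons rather than string suffix tests. It assumes the common RFC 6125 wildcard rule, uses a subset of the SAN list quoted above, and the hostnames tested are constructed.

```python
# Added example: triage helpers for the two checks used in the answers above.
# Assumption: wildcard matching follows the common RFC 6125 rule, where "*"
# stands for exactly one leftmost DNS label.

# PTR name taken from the nslookup output in the first answer.
PTR_NAME = "lhr08s01-in-f3.1e100.net."

# Subset of the SAN entries listed in the second answer.
SAN_ENTRIES = [
    "*.google.com", "*.google-analytics.com", "*.gstatic.com",
    "*.youtube.com", "*.ytimg.com", "google.com", "youtu.be",
]


def labels(name):
    """Lower-case a DNS name, drop the trailing root dot, split into labels."""
    return name.rstrip(".").lower().split(".")


def in_domain(name, domain):
    """True if name is domain itself or a subdomain, compared label by label."""
    n, d = labels(name), labels(domain)
    return len(n) >= len(d) and n[-len(d):] == d


def san_matches(hostname, pattern):
    """Match one SAN entry; a leading '*' covers exactly one label."""
    h, p = labels(hostname), labels(pattern)
    if len(h) != len(p):
        return False
    if p[0] == "*":
        return h[1:] == p[1:]
    return h == p


def covering_entries(hostname, san_entries=SAN_ENTRIES):
    """Return the SAN entries that cover hostname (empty list if none)."""
    return [p for p in san_entries if san_matches(hostname, p)]


if __name__ == "__main__":
    print(PTR_NAME, "in 1e100.net:", in_domain(PTR_NAME, "1e100.net"))
    # Constructed hostnames, chosen to exercise the edge cases.
    for host in ("www.google.com", "a.b.google.com", "not1e100.net"):
        print(host, covering_entries(host), in_domain(host, "1e100.net"))
```

A PTR record is set by whoever controls the address block, so a name inside 1e100.net is a strong hint rather than proof; resolving that name forward and checking that it returns the same IP closes the gap.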