This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have an HP laptop that I use for Wireshark that randomly responds to packets for other devices with ICMP redirects. It only happens when Wireshark is running. I used another Wireshark PC to capture it coming from the HP PC. The redirects even indicate the correct IP and MAC destination in the packet. It just feels like telling the originator he was right, but send it again.....

I am running Win Vista 32 bit on this laptop. It was on an older Wireshark install which I uninstalled as well as WinPcap and installed the latest and still it happens.

Any ideas?

asked 18 Mar '13, 21:22

azmtnbike

edited 18 Mar '13, 21:24

Perhaps you could upload a capture file to www.cloudshark.org so we could look at what's happening. Be careful that your file doesn't contain confidential data.

(18 Mar '13, 22:18) Jim Aragon

I guess the fact that you capture in promiscuous mode causes packets to be delivered to the network stack that aren't expected there (not the right destination IP address). The network stack assumes the MAC address filter of the hardware would have filtered out frames not destined for this interface, thus decides to help the sender with the information it has on the destination host. I think it's a Vista 'feature' to behave this way regardless of the promiscuous mode of the interface.

Two things you can do:

  1. don't capture in promiscuous mode.
  2. disable the specific ICMP redirect option in the network settings.

I would go for option 2. A normal host shouldn't be bothered with this.

answered 19 Mar '13, 00:10

Jaap ♦

Windows (actually any OS) will/should send an ICMP redirect (only) if IP Forwarding is enabled. So I guess, you have two (or more) interfaces in your laptop (e.g. Ethernet and WLAN) and both are active while you capture packets. In that case your OS will send an ICMP redirect if it receives a packet that could be routed differently (according to its own routing table).

Please check if you have multiple interfaces (ipconfig /all) and if IP Forwarding is enabled (please google it). If so, please disable one interface while you capture packets or disable IP Forwarding.

Regards
Kurt

answered 19 Mar '13, 06:33

Kurt Knochner ♦

No luck. I checked and IP forwarding is not enabled. I do have a wired and wireless adapter, but the wireless is turned off.

I turned off ICMP redirects in the registry, but still I get them.

And if I don't capture in promiscuous mode, I can't see the traffic that I need.

Any other ideas before I make this a Linux or Win 7 machine?

Thanks for the input so far.

Jon

(19 Mar '13, 23:30) azmtnbike

> I turned off ICMP redirects in the registry, but still I get them.

Did you reboot the laptop?

> Any other ideas before I make this a Linux or Win 7 machine?

Can you please post the output of the following commands?

  • ipconfig /all
  • reg query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
(20 Mar '13, 09:39) Kurt Knochner ♦
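
To see what a captured redirect actually tells the sender, this added example (not part of the original thread) decodes an ICMP redirect per RFC 792 from the bytes starting at the ICMP header, and reports the advertised gateway next to the original destination. The function names are illustrative and the sample packet uses constructed documentation addresses.

```python
import ipaddress
import struct

CODES = {0: "network", 1: "host", 2: "TOS and network", 3: "TOS and host"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum; yields 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp_redirect(icmp: bytes) -> dict:
    """Decode bytes starting at the ICMP header as an RFC 792 redirect (type 5)."""
    if len(icmp) < 8 + 20:
        raise ValueError("too short for a redirect carrying an IPv4 header")
    icmp_type, code, _cksum, gateway = struct.unpack("!BBH4s", icmp[:8])
    if icmp_type != 5:
        raise ValueError(f"ICMP type {icmp_type} is not a redirect")
    inner = icmp[8:]  # header of the datagram that triggered the redirect
    if inner[0] >> 4 != 4:
        raise ValueError("embedded datagram is not IPv4")
    orig_src, orig_dst = inner[12:16], inner[16:20]
    return {
        "redirect_for": CODES.get(code, f"unknown code {code}"),
        "checksum_ok": inet_checksum(icmp) == 0,
        "gateway": str(ipaddress.IPv4Address(gateway)),
        "orig_src": str(ipaddress.IPv4Address(orig_src)),
        "orig_dst": str(ipaddress.IPv4Address(orig_dst)),
        # True when the redirect names the original destination itself as
        # the next hop, i.e. "deliver directly to the host you addressed".
        "gateway_is_destination": gateway == orig_dst,
    }

def constructed_sample() -> bytes:
    """Constructed redirect (documentation addresses), not taken from a capture."""
    src = ipaddress.IPv4Address("192.0.2.10").packed
    dst = ipaddress.IPv4Address("192.0.2.20").packed
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0, src, dst)
    inner_udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    body = dst + inner_ip + inner_udp  # gateway field set to the destination
    cksum = inet_checksum(struct.pack("!BBH", 5, 1, 0) + body)
    return struct.pack("!BBH", 5, 1, cksum) + body

if __name__ == "__main__":
    print(parse_icmp_redirect(constructed_sample()))
```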

question asked: 18 Mar '13, 21:22

question was seen: 4,584 times

last updated: 20 Mar '13, 09:39