I have an HP laptop that I use for Wireshark that randomly responds to packets for other devices with ICMP redirects. It only happens when Wireshark is running. I used another Wireshark PC to capture it coming from the HP PC. The redirects even indicate the correct IP and MAC destination in the packet. It just feels like telling the originator he was right, but send it again... I am running Win Vista 32 bit on this laptop. It was on an older Wireshark install which I uninstalled as well as WinPcap and installed the latest and still it happens. Any ideas?
asked 18 Mar '13, 21:22 azmtnbike, edited 18 Mar '13, 21:24
2 Answers:
I guess the fact that you capture in promiscuous mode causes packets to be delivered to the network stack that aren't expected there (not the right destination IP address). The network stack assumes the MAC address filter of the hardware would have filtered out frames not destined for this interface, thus decides to help the sender with the information it has on the destination host. I think it's a Vista 'feature' to behave this way regardless of the promiscuous mode of the interface. Two things you can do:
I would go for option 2. A normal host shouldn't be bothered with this.
answered 19 Mar '13, 00:10 Jaap ♦
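The mechanism Jaap describes can be checked from the receiving side, which is what the second Wireshark PC in the question was doing. The Python script below is an added example, not code from the thread or from Wireshark: it builds a few constructed Ethernet/IPv4/ICMP frames (the addresses, MACs and roles are made up to mirror the situation in the question), decodes ICMP Redirect messages (type 5) including the quoted original datagram, verifies the ICMP checksum, and flags redirects whose sender is not the expected default gateway. The helper names (`parse_redirect`, `find_rogue_redirects`) are mine. In Wireshark itself the display filter `icmp.type == 5` does the first half of this; the script shows what the remaining fields mean and how to compare the sender against the real gateway.

```python
"""Spot ICMP Redirects (type 5) in raw Ethernet frames and flag those sent by a
host that is not the expected default gateway. Example code added for this
thread; addresses, MACs and helper names are constructed, not from the post."""
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 when run over data that
    already contains a correct checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 datagram (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_redirect_frame(src_mac, dst_mac, src_ip, dst_ip, gateway, original):
    """Ethernet frame carrying an ICMP Host Redirect (type 5, code 1) that quotes
    the original datagram's IP header plus 8 bytes, as RFC 792 requires."""
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, IPv4Address(gateway).packed) + original[:28]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + build_ipv4(src_ip, dst_ip, IPPROTO_ICMP, icmp)


def parse_redirect(frame: bytes):
    """Return a dict describing the redirect, or None if the frame is anything else
    (non-IPv4, non-ICMP, other ICMP type, truncated, or bad ICMP checksum)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    src_mac, ip = frame[6:12], frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl or len(ip) < total_len or ip[9] != IPPROTO_ICMP:
        return None
    icmp = ip[ihl:total_len]                      # drop Ethernet padding, if any
    if len(icmp) < 8 + 20 or icmp[0] != ICMP_REDIRECT or inet_checksum(icmp) != 0:
        return None
    inner = icmp[8:]                              # quoted original IP header
    return {
        "sender_mac": mac_str(src_mac),
        "sender_ip": str(IPv4Address(ip[12:16])),
        "target_ip": str(IPv4Address(ip[16:20])),
        "code": REDIRECT_CODES.get(icmp[1], f"unknown({icmp[1]})"),
        "gateway": str(IPv4Address(icmp[4:8])),
        "original_src": str(IPv4Address(inner[12:16])),
        "original_dst": str(IPv4Address(inner[16:20])),
        "original_proto": inner[9],
    }


def find_rogue_redirects(frames, gateway_ip: str, gateway_mac: str):
    """Redirects whose sender is not the gateway we expect to be issuing them."""
    rogue = []
    for frame in frames:
        r = parse_redirect(frame)
        if r and (r["sender_ip"] != gateway_ip or r["sender_mac"] != gateway_mac.lower()):
            rogue.append(r)
    return rogue


# Constructed sample traffic (not captured data). Roles mirror the thread: a
# real gateway, the capturing laptop, and an ordinary host sending traffic.
GATEWAY_MAC = bytes.fromhex("aabbcc000001")   # 192.168.1.1
LAPTOP_MAC = bytes.fromhex("aabbcc000050")    # 192.168.1.50, the Wireshark box
HOST_MAC = bytes.fromhex("aabbcc000010")      # 192.168.1.10, the originator

SAMPLE_FRAMES = [
    # Laptop "helpfully" redirects the host to the gateway it was already using.
    build_redirect_frame(LAPTOP_MAC, HOST_MAC, "192.168.1.50", "192.168.1.10",
                         "192.168.1.1", build_ipv4("192.168.1.10", "10.0.0.5", 6, bytes(8))),
    # Legitimate redirect from the real gateway to a second router on the LAN.
    build_redirect_frame(GATEWAY_MAC, HOST_MAC, "192.168.1.1", "192.168.1.10",
                         "192.168.1.2", build_ipv4("192.168.1.10", "172.16.0.9", 17, bytes(8))),
    # Plain echo request: must be ignored by the redirect logic.
    HOST_MAC + GATEWAY_MAC + struct.pack("!H", ETHERTYPE_IPV4)
    + build_ipv4("192.168.1.1", "192.168.1.10", IPPROTO_ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1)),
]

if __name__ == "__main__":
    for r in find_rogue_redirects(SAMPLE_FRAMES, "192.168.1.1", "aa:bb:cc:00:00:01"):
        print(f"rogue redirect from {r['sender_ip']} ({r['sender_mac']}): "
              f"{r['target_ip']} -> {r['original_dst']} via {r['gateway']} [{r['code']}]")
```

On a real capture you would feed `find_rogue_redirects` the raw frames from the pcap (for example via a pcap reader of your choice) and pass the LAN's actual gateway IP and MAC; anything it returns is a host other than the gateway telling its neighbours how to route, which is exactly the symptom in the question and also the pattern of an ICMP redirect spoofing attack. The checksum check matters because a mangled or partially captured redirect should not be reported as if it were a valid one.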
Windows (actually any OS) will/should send an ICMP redirect (only) if IP Forwarding is enabled. So I guess you have two (or more) interfaces in your laptop (e.g. Ethernet and WLAN) and both are active while you capture packets. In that case your OS will send an ICMP redirect if it receives a packet that could be routed differently (according to its own routing table). Please check if you have multiple interfaces (ipconfig /all) and if IP Forwarding is enabled (please google it). If so, please disable one interface while you capture packets or disable IP Forwarding. Regards
answered 19 Mar '13, 06:33 Kurt Knochner ♦

No luck. I checked and IP forwarding is not enabled. I do have a wired and wireless adapter, but the wireless is turned off. I turned off ICMP redirects in the registry, but still I get them. And if I don't capture in promiscuous mode, I can't see the traffic that I need. Any other ideas before I make this a Linux or Win 7 machine? Thanks for the input so far. Jon (19 Mar '13, 23:30) azmtnbike
Did you reboot the laptop?
Can you please post the output of the following commands?
(20 Mar '13, 09:39) Kurt Knochner ♦
Perhaps you could upload a capture file to www.cloudshark.org so we could look at what's happening. Be careful that your file doesn't contain confidential data.