I have an HP laptop that I use for Wireshark that randomly responds to packets for other devices with ICMP redirects. It only happens when Wireshark is running. I used another Wireshark PC to capture it coming from the HP PC. The redirects even indicate the correct IP and MAC destination in the packet. It just feels like telling the originator he was right, but send it again...
I am running Win Vista 32 bit on this laptop. It was on an older Wireshark install which I uninstalled as well as WinPcap and installed the latest and still it happens.
asked 18 Mar '13, 21:22
edited 18 Mar '13, 21:24
I guess the fact that you capture in promiscuous mode causes packets to be delivered to the network stack that aren't expected there (not the right destination IP address). The network stack assumes the MAC address filter of the hardware would have filtered out frames not destined for this interface, and thus decides to help the sender with the information it has on the destination host. I think it's a Vista 'feature' to behave this way regardless of the promiscuous mode of the interface.
Two things you can do:
I would go for option 2. A normal host shouldn't be bothered with this.
answered 19 Mar '13, 00:10
Windows (actually any OS) will/should send an ICMP redirect (only) if IP Forwarding is enabled. So I guess you have two (or more) interfaces in your laptop (e.g. Ethernet and WLAN) and both are active while you capture packets. In that case your OS will send an ICMP redirect if it receives a packet that could be routed differently (according to its own routing table).
Please check if you have multiple interfaces (ipconfig /all) and if IP Forwarding is enabled (please google it). If so, please disable one interface while you capture packets or disable IP Forwarding.
answered 19 Mar '13, 06:33
Kurt Knochner ♦
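To see what a captured redirect actually says, the sketch below (an added example, not code from either answer) decodes an ICMP type 5 message from raw IPv4 bytes and reports who sent it, which next hop it recommends, and which original datagram triggered it. The sample packet is constructed with documentation addresses and assumes the redirect names the original destination itself as the gateway, as the question's description suggests; all function names are hypothetical.

```python
import ipaddress
import struct

CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum; yields 0 when run over data that carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header for the constructed sample (header checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def build_sample() -> bytes:
    """Constructed redirect: laptop .50 tells originator .10 to reach .20 via .20 itself."""
    inner = ipv4_header("192.0.2.10", "192.0.2.20", 17, 8) + b"\x00" * 8
    body = ipaddress.IPv4Address("192.0.2.20").packed + inner
    icmp = struct.pack("!BBH", 5, 1, 0) + body          # checksum field zeroed first
    icmp = struct.pack("!BBH", 5, 1, inet_checksum(icmp)) + body
    return ipv4_header("192.0.2.50", "192.0.2.10", 1, len(icmp)) + icmp

def parse_icmp_redirect(packet: bytes):
    """Decode an IPv4 packet (no Ethernet header); return a dict for ICMP type 5, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:struct.unpack("!H", packet[2:4])[0]]
    if ihl < 20 or len(icmp) < 8 + 20 or icmp[0] != 5:
        return None
    addr = lambda raw: str(ipaddress.IPv4Address(raw))
    inner = icmp[8:]  # IP header of the datagram that triggered the redirect
    gateway, orig_dst = addr(icmp[4:8]), addr(inner[16:20])
    return {
        "sender": addr(packet[12:16]),       # host that emitted the redirect
        "code": CODES.get(icmp[1], "unknown"),
        "gateway": gateway,                  # next hop the sender recommends
        "orig_src": addr(inner[12:16]),
        "orig_dst": orig_dst,
        "checksum_ok": inet_checksum(icmp) == 0,
        "gateway_is_dst": gateway == orig_dst,  # redirect points at the addressed host
    }

print(parse_icmp_redirect(build_sample()))
```

The `sender` field identifies the machine whose IP forwarding setting and active interfaces need checking.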