This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark is Phoning Home (checking for updates)

1

Lately I've been putting up a quarantine on the Windows desktop when I step away to see if any spyware/malware lurks within.

Part of the exercise is to run Wireshark to capture suspicious traffic on one particular path.

Immediately upon starting Wireshark, I saw this:

Nov 8 00:51:23 asa5505 %ASA-4-106100: access-list forward-inside denied tcp inside/10.29.87.10(54796) -> outside/108.162.204.234(443) hit-cnt 1 first hit [0x2b7f3f90, 0x0]

Nov 8 00:51:24 asa5505 %ASA-4-106100: access-list forward-inside denied tcp inside/10.29.88.10(54797) -> outside/108.162.203.234(443) hit-cnt 1 first hit [0xe0514b70, 0x0]

Running a second instance of Wireshark shows that a DNS query to www.wireshark.org is made and resolves to the above address, and the connection attempts follow immediately. 100% reproducible.

So Wireshark is clearly phoning home. NOT liking this one bit.

What gives here?

Version 1.10.3 (SVN Rev 53022 from /trunk-1.10)

Compiled (64-bit). . .

asked 07 Nov '13, 17:45

starlight

edited 08 Nov '13, 04:16

grahamb ♦

Before anyone asks: NO BROWSERS are running on the machine when this happens. No other application that could possibly make the request. The requests appear within one second of starting Wireshark. The quarantine ACL traps no network traffic that cannot be accounted for.

Wireshark is sending out one TCP connection request to www.wireshark.org:443 from each interface on the system.

(07 Nov '13, 18:08) starlight
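
The triage described in the question (quarantine ACL denies, then matching the denied destinations to a DNS lookup seen in a capture) can be scripted. This is an added example, not part of the original thread or of Wireshark; the function names are hypothetical and the IP-to-name mapping is an assumption standing in for the DNS answers from the second capture.

```python
import re
from collections import defaultdict

# Matches the %ASA-4-106100 access-list hit format shown in the question.
ASA_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>\S+) "
    r"(?P<proto>\S+) (?P<src_if>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

def parse_denies(lines):
    """Return one dict per denied flow; lines in other formats are skipped."""
    flows = []
    for line in lines:
        m = ASA_106100.search(line)
        if m and m.group("action") == "denied":
            flow = m.groupdict()
            for key in ("sport", "dport", "hits"):
                flow[key] = int(flow[key])
            flows.append(flow)
    return flows

def summarize(flows, dns_answers):
    """Group denied flows by (name, dport); dns_answers maps IP -> queried name."""
    summary = defaultdict(lambda: {"sources": set(), "destinations": set(), "hits": 0})
    for f in flows:
        name = dns_answers.get(f["dst"], "unresolved")
        entry = summary[(name, f["dport"])]
        entry["sources"].add(f["src"])
        entry["destinations"].add(f["dst"])
        entry["hits"] += f["hits"]
    return dict(summary)

# The two log lines from the question, plus one constructed line that must be ignored.
SAMPLE_LOG = [
    "Nov 8 00:51:23 asa5505 %ASA-4-106100: access-list forward-inside denied tcp inside/10.29.87.10(54796) -> outside/108.162.204.234(443) hit-cnt 1 first hit [0x2b7f3f90, 0x0]",
    "Nov 8 00:51:24 asa5505 %ASA-4-106100: access-list forward-inside denied tcp inside/10.29.88.10(54797) -> outside/108.162.203.234(443) hit-cnt 1 first hit [0xe0514b70, 0x0]",
    "Nov 8 00:51:25 asa5505 constructed line in another format",
]
# Assumed mapping, standing in for the DNS answers seen in the second capture.
SAMPLE_DNS = {
    "108.162.204.234": "www.wireshark.org",
    "108.162.203.234": "www.wireshark.org",
}

if __name__ == "__main__":
    for (name, port), e in summarize(parse_denies(SAMPLE_LOG), SAMPLE_DNS).items():
        print(f"{name}:{port} hits={e['hits']} from {sorted(e['sources'])}")
```

Destinations that land under "unresolved" are the ones with no matching DNS answer in the capture and are the flows still left to account for.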

One Answer:

4

Wireshark has joined the ranks of programs that can automatically check for updates. That's probably what you're seeing. To confirm / turn off, go to Edit > Preferences, and in the User Interface section, uncheck "Check for updates."

answered 07 Nov '13, 18:29

Jim Aragon

Yes, that's fixed it. Setting is not where one would expect to look--an automatic update did cross my mind.

(07 Nov '13, 19:16) starlight

@starlight: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.

(08 Nov '13, 04:44) Kurt Knochner ♦