This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have just opened a capture session and, looking at the packets go by, I get TLS connections to 162.159.242.165. Whois resolves to CloudFlare and blog.wireshark.org. WTF?

http://162.159.242.165.ipaddress.com/
http://blog.wireshark.org.ipaddress.com/
http://www.herdprotect.com/ip-address-162.159.242.165.aspx

asked 20 Feb '14, 17:56


Leinad

Note that this address is also used by the main site:

$ host www.wireshark.org
www.wireshark.org has address 162.159.241.165
www.wireshark.org has address 162.159.242.165

As well as this site, the bug tracker, and others:

$ host ask.wireshark.org
ask.wireshark.org has address 162.159.242.165
ask.wireshark.org has address 162.159.241.165

$ host bugs.wireshark.org
bugs.wireshark.org has address 162.159.241.165
bugs.wireshark.org has address 162.159.242.165

Does the TLS connection contain an SNI field? Wireshark periodically checks www.wireshark.org for updates, which is likely the traffic you're seeing. You can disable this via Edit→Preferences→User Interface. (...and if you disable this setting and still see this behavior please let us know.)

We currently use CloudFlare because they're effective at blocking DDoS attacks. I'm not sure why we get DDoS attacks. You'd have to ask the attackers.


answered 20 Feb '14, 18:54


Gerald Combs ♦♦

question asked: 20 Feb '14, 17:56

question was seen: 12,696 times

last updated: 20 Feb '14, 19:07
