This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why is Wireshark trying to connect to 162.159.242.165 ???


I have just opened a capture session and, watching the packets go by, I get TLS connections to 162.159.242.165. Whois resolves to Cloudflare and blog.wireshark.org. WTF?

http://162.159.242.165.ipaddress.com/ http://blog.wireshark.org.ipaddress.com/ http://www.herdprotect.com/ip-address-162.159.242.165.aspx

asked 20 Feb '14, 17:56


Leinad


(20 Feb '14, 17:58) Leinad

One Answer:


Note that this address is also used by the main site:

$ host www.wireshark.org
www.wireshark.org has address 162.159.241.165
www.wireshark.org has address 162.159.242.165

As well as this site, the bug tracker, and others:

$ host ask.wireshark.org
ask.wireshark.org has address 162.159.242.165
ask.wireshark.org has address 162.159.241.165

$ host bugs.wireshark.org
bugs.wireshark.org has address 162.159.241.165
bugs.wireshark.org has address 162.159.242.165

Does the TLS connection contain an SNI field? Wireshark periodically checks www.wireshark.org for updates, which is likely the traffic you’re seeing. You can disable this via Edit→Preferences→User Interface. (…and if you disable this setting and still see this behavior please let us know.)

We currently use CloudFlare because they’re effective at blocking DDoS attacks. I’m not sure why we get DDoS attacks. You’d have to ask the attackers.

answered 20 Feb '14, 18:54


Gerald Combs ♦♦