This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

network interface tries to send a message to itself

0

This is one of many of the same packet happening every second:

2014-04-23 12:07:29.378767000 Enerpoin_02:6d:de Broadcast ARP 60 Who has 192.168.1.82? Tell 0.0.0.0

The MAC address - Enerpoin (00:0a:3c) 02:6d:de - is a CCTV DVR (although it does not follow MAC address rules, hence it is showing as Enerpoin) and it has the IP address 192.168.1.82, so it seems that the DVR is trying to locate itself to send a message to itself. Am I right? Anyone have any ideas?

asked 27 Apr '14, 05:38

brunobri

Enerpoin is the mfg OUI that 00:0a:3c is assigned to. Wireshark looks that up for you in its OUI database. You can manually look up the MAC address at [http://www.wireshark.org/tools/oui-lookup.html] and see it resolves to Enerpoint Ltd.

(30 Apr '14, 16:39) Rooster_50

Thanks Rooster_50, but as I stated, Wireshark quite rightly states that 00:0a:3c is Enerpoint Ltd, but I know that this is my Swann DVR box. So I don't understand why Swann do not follow MAC addressing rules!

(01 May '14, 02:20) brunobri
2

Maybe they are using Enerpoint components.

(01 May '14, 05:55) Kurt Knochner ♦

What Kurt said...

(01 May '14, 09:33) Rooster_50

Yeah, they probably have used some of Enerpoint's chips, but looking on their website they are a solar energy company, can't understand what they can put in a CCTV DVR!

(01 May '14, 22:09) brunobri

One Answer:

2

That's (most certainly) an ARP probe request according to RFC 5227 and should look like this one:

https://www.cloudshark.org/captures/ef136da1ae79

The device is probably trying to detect if the IP address is available on the network.

Another reason for probe frames could be to announce its existence on the network to some sort of CCTV management tool.

Nothing you should be worried about.

Regards
Kurt

answered 27 Apr '14, 12:02

Kurt Knochner ♦

Thanks for that Kurt

(28 Apr '14, 02:50) brunobri

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.

(28 Apr '14, 08:13) Kurt Knochner ♦

Yes, this is called a gratuitous ARP, where it is announcing itself. If it gets a response, and hence a duplicate IP, it might report that via a management interface. It might be triggered where it previously had obtained the address dynamically (e.g. via DHCP) but is not able to renew it at the moment.

(02 May '14, 01:12) martyvis

Actually a gratuitous ARP looks slightly different.

Gratuitous ARP: https://www.cloudshark.org/captures/54af88021aa8

Is gratuitous: True
Sender MAC address: Vmware_37:5f:f5 (00:0c:29:37:5f:f5)
Sender IP address: 192.168.130.128 (192.168.130.128)
Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
Target IP address: 192.168.130.128 (192.168.130.128)

Sender IP address and Target IP address identical.

ARP probe: https://www.cloudshark.org/captures/ef136da1ae79

Sender MAC address: Vmware_c5:f6:9b (00:0c:29:c5:f6:9b)
Sender IP address: 0.0.0.0 (0.0.0.0)
Target MAC address: Broadcast (ff:ff:ff:ff:ff:ff)
Target IP address: 192.168.1.82 (192.168.1.82)

Sender IP address and Target IP address different (0.0.0.0), to prevent ARP cache updates for the probed IP address on the receiving systems.

From RFC 5227: https://tools.ietf.org/html/rfc5227#section-2.1.1

Cite:

The 'sender IP address' field MUST be set to all zeroes; this
is to avoid polluting ARP caches in other hosts on the same
link in the case where the address turns out to be already in
use by another host.

(02 May '14, 03:16) Kurt Knochner ♦
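
The distinction drawn in the comment above (sender IP 0.0.0.0 for an RFC 5227 probe, sender IP equal to target IP for a gratuitous ARP), as an added Python example that is not part of the original thread. The function names and the all-zero target MAC in the sample packets are assumptions; the addresses come from the outputs quoted above, and the packets are constructed, not captured.

```python
import ipaddress
import struct

ZERO_IP = "0.0.0.0"
ZERO_MAC = "00:00:00:00:00:00"  # assumption: target MAC used in the constructed samples

def build_arp(oper, sha, spa, tha, tpa):
    """Pack a 28-byte Ethernet/IPv4 ARP body (only used to construct samples)."""
    def mac(m):
        return bytes.fromhex(m.replace(":", ""))
    def ip(a):
        return ipaddress.IPv4Address(a).packed
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return header + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def parse_arp(payload):
    """Decode an ARP body; trailing Ethernet padding (60-byte frames) is ignored."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"oper": oper,
            "sha": sha.hex(":"), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": tha.hex(":"), "tpa": str(ipaddress.IPv4Address(tpa))}

def classify(payload):
    """Return 'probe', 'gratuitous', 'request', 'reply' or 'other'."""
    f = parse_arp(payload)
    # RFC 5227 section 2.1.1: a probe is a request with an all-zero sender IP,
    # so receivers do not update their ARP cache for the probed address.
    if f["oper"] == 1 and f["spa"] == ZERO_IP:
        return "probe"
    # Gratuitous ARP: sender IP and target IP are identical (and non-zero).
    if f["spa"] == f["tpa"] and f["spa"] != ZERO_IP:
        return "gratuitous"
    return {1: "request", 2: "reply"}.get(f["oper"], "other")

# Constructed sample packets using the addresses shown in the thread.
SAMPLES = {
    "probe": build_arp(1, "00:0a:3c:02:6d:de", ZERO_IP, ZERO_MAC, "192.168.1.82"),
    "gratuitous": build_arp(1, "00:0c:29:37:5f:f5", "192.168.130.128",
                            ZERO_MAC, "192.168.130.128"),
    "request": build_arp(1, "00:0c:29:37:5f:f5", "192.168.130.128",
                         ZERO_MAC, "192.168.130.1"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "->", classify(pkt))
```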