This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Applied for a job and now location and foreign IP packets continually flowing for one week through port 67/68 bootps protocol: page showing "Nothing to see here."

0

First off, I'll give the usual disclaimer that I'm not an expert. But, for over a week, I've continually had approximately 4-8 kbs/sec of data flowing through my NIC.

I applied for a job at St Vincent Hospital and oddly enough the name keeps reoccurring intermittently, about every 10 seconds, when I sniff packets with Wireshark.

I run Windows 7 SP1 and go through Time Warner Cable NE WI. I have a Surfboard SB4100 cable modem. I don't think the activity light on it has flashed in weeks. I have a wireless NIC card and not a router.

Here's what I have tried:

Unplugged everything and took off all the wireless connections. Terminated everything and kept the modem off hoping it resets.

IPconfig /reset /renew /flush etc...

Turned off DHCP, reinstalled NIC cards etc.

But, here's the kicker. I plug the cable modem into my desktop and I see the packets stuck. AND I plug it into my laptop and also see the packets stuck! So it's not a software issue and figuratively the name/foreign IP is stuck in my cable modem. I went to the 192.xxx address and did a reset there and everything, and that didn't get rid of it. I also put a pin in the back of the modem and reset it that way. Nothing has worked.

Here's the nitty gritty of what's "stuck"

bootps 2014-06-26 11:18:17.687131000 142.254.152.61 427 255.255.255.255 DHCP bootps bootpc 255.255.255.255 68

link:big screenshot


The IP and address it says is: Bootfile name: http://75.180.137.252 /smbconfig/1U6xH2QmItaz9CR26ypkUFYTtvF9j4CVx

When you load up the link it says "Nothing to see here".

What bothers me and what is making me post this is that this occurred ever since I applied for a job at the hospital!

Are they snooping on me? Virus scanners show nothing.

To note, when I applied for the job it used the Adobe Flash plugin and when I went to their page it made me accept a "certificate" that I blindly clicked add exception to. I have since deleted that, and by packet sniffing on two different computers it still shows up.

Should I be concerned? Will this eventually go away? It's been over a week and the constant bytes flowing have been getting on my nerves.

6/30/2014 UPDATE:

I've tried some other tricks trying to get the packets to go away. STILL NO LUCK!

The activity light has been in a constant orange state ever since this started. In fact, I think it's been constantly orange for a while now before I noticed this so packets have been continually flowing for a while.

Here's what I tried:

Unplugged everything .. all computers and modems and left everything off for about 7 hours. Nope, still didn't work.

Moved my laptop into another room, unplugged the cable wall outlet, plugged it in in another room, fired everything up. Nope, regardless of what wall hole it's connected through, the St Vincent and unresolvable IP are still there.

Tried every netsh, netstat, IP config dos command with every switch imaginable over and over again and still no luck.

Connected my phone to the computer to change up the IP addresses and servers .. nothing.

Conclusion: The packets, job name, and unknown IP address that when you load up in a web browser simply states "nothing to see here" go from the cable wire in the wall to the cable modem, and regardless of computer, off time, rebooting, etc., St Vincent hospital still shows up.

So, any ideas yet? I'm going to send this web address to RR. Please note Time Warner rep: This is a HIGHLY ADVANCED technical issue of which the typical flow chart of troubleshooting can be thrown out the window. Perhaps an IP reset and full cable modem reset on your end may work.

Thank you all!


asked 26 Jun '14, 09:42

Mike Kramer

edited 30 Jun '14, 10:46


One Answer:

1

It's difficult to impossible to troubleshoot from a screen shot. We can't drill down into the Packet Details, apply display filters, add custom columns, or use any of our normal Wireshark troubleshooting aids. If you want someone to examine the traffic, you should post the actual capture file somewhere, like cloudshark.org, Dropbox, Google Drive, etc.

Cable is a shared medium. Just because you can see traffic, doesn't mean it's for your computer.

In the packet shown, the destination address is 255.255.255.255. That is the broadcast address, which means that the packet was not addressed to your computer specifically, but to "all devices on this network." Without seeing more, we have no idea whether your computer responds to this packet or not. I suspect not.

Resetting your cable modem or other devices on your network is not going to help. You are seeing these packets because they are being transmitted by some other device. Nothing you do to your devices will stop that other device.

answered 01 Jul '14, 18:48

Jim Aragon
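The answer's point is that a DHCP message sent to 255.255.255.255 is only "yours" if its client hardware address (chaddr) matches your NIC; the destination IP alone says nothing. As an added example (not code from the original post or from the answerer), here is a small Python parser for a raw DHCP/BOOTP payload, the part of the UDP 67/68 packet that Wireshark labels "Bootstrap Protocol", which extracts the fields worth checking (message type, chaddr, offered address, bootfile name from the fixed file field or option 67) and reports whether the message is addressed to a given host. The sample OFFER it builds, including its MAC, addresses and bootfile URL, is constructed here and is not taken from the capture; the `example` hostname is a placeholder.

```python
"""Parse a DHCP/BOOTP payload and decide whether a broadcast message is
addressed to this host. Example code, not from the original post."""
import struct

# Fixed-size BOOTP header (RFC 951 / RFC 2131), network byte order, 236 bytes:
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
# chaddr(16), sname(64), file(128)
BOOTP_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_BOOTFILE, OPT_END = 0, 53, 54, 67, 255
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_dhcp(payload):
    """Return a dict describing the DHCP message; raise ValueError if malformed."""
    if len(payload) < BOOTP_HEADER.size + len(MAGIC_COOKIE):
        raise ValueError("payload shorter than BOOTP header plus magic cookie")
    (op, _htype, hlen, _hops, xid, _secs, flags, _ciaddr, yiaddr, siaddr,
     _giaddr, chaddr, _sname, file_field) = BOOTP_HEADER.unpack_from(payload)
    if hlen > 16:
        raise ValueError("hlen larger than chaddr field")
    pos = BOOTP_HEADER.size
    if payload[pos:pos + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    pos += 4
    options = {}
    # Options are TLV: code, length, value; PAD has no length, END stops parsing.
    while pos < len(payload):
        code = payload[pos]
        if code == OPT_PAD:
            pos += 1
            continue
        if code == OPT_END:
            break
        if pos + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[pos + 1]
        value = payload[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        pos += 2 + length
    # The bootfile name lives in the fixed 'file' field or, more often, option 67.
    bootfile_raw = options.get(OPT_BOOTFILE, file_field.split(b"\x00", 1)[0])
    mtype = options.get(OPT_MESSAGE_TYPE)
    return {
        "op": op,
        "xid": xid,
        "broadcast_flag": bool(flags & 0x8000),
        "message_type": MESSAGE_TYPES.get(mtype[0], "UNKNOWN") if mtype else "BOOTP",
        "chaddr": mac_str(chaddr[:hlen]),
        "yiaddr": ip_str(yiaddr),
        "siaddr": ip_str(siaddr),
        "server_id": ip_str(options[OPT_SERVER_ID]) if OPT_SERVER_ID in options else None,
        "bootfile": bootfile_raw.decode("ascii", "replace"),
    }


def is_addressed_to(msg, my_mac):
    """A DHCP reply is for this host only if chaddr equals this host's MAC."""
    return msg["chaddr"] == my_mac.lower().replace("-", ":")


def explain(msg, my_mac):
    if is_addressed_to(msg, my_mac):
        return "%s addressed to this host (offered %s)" % (msg["message_type"], msg["yiaddr"])
    return "%s for another client %s (offered %s); broadcast seen on shared medium" % (
        msg["message_type"], msg["chaddr"], msg["yiaddr"])


def build_sample_offer(client_mac, offered_ip, server_ip, bootfile):
    """Construct a DHCP OFFER the way a server would send it (constructed sample)."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")
    header = BOOTP_HEADER.pack(2, 1, 6, 0, 0x3903F326, 0, 0x8000, b"\x00" * 4,
                               ip_bytes(offered_ip), ip_bytes(server_ip), b"\x00" * 4,
                               chaddr, b"\x00" * 64, b"\x00" * 128)
    options = (bytes([OPT_MESSAGE_TYPE, 1, 2])
               + bytes([OPT_SERVER_ID, 4]) + ip_bytes(server_ip)
               + bytes([OPT_BOOTFILE, len(bootfile)]) + bootfile.encode("ascii")
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


# Constructed sample: an OFFER for MAC 00:11:22:33:44:55 carrying a bootfile URL.
SAMPLE = build_sample_offer("00:11:22:33:44:55", "10.0.0.23", "10.0.0.1",
                            "http://config.example/boot.cfg")

if __name__ == "__main__":
    parsed = parse_dhcp(SAMPLE)
    print(explain(parsed, "00:11:22:33:44:55"))
    print(explain(parsed, "aa:bb:cc:dd:ee:ff"))
```

To run the same check against a real capture, compare the chaddr Wireshark shows under "Bootstrap Protocol" with your adapter's MAC (ipconfig /all), or filter on `bootp.hw.mac_addr == <your MAC>`: if nothing matches, the broadcasts belong to other subscribers on the shared cable segment, exactly as the answer says.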

Hi Jim. Thanks for the reply. The issue is still occurring and your information was definitely of use in helping me figure this issue out.

Here's an update. I actually called Time Warner and of course they had no solution other than inform me my cable modem was obsolete and I should exchange it for a new one. I figured, why not. I needed to upgrade eventually so I went and they gave me an Arris CM820 cable modem.

I got home, plugged it in, and amazingly the issue was still happening! My IP address stayed the same so that was nice because I host my website off my computer.

I went ahead and captured and saved the issue.

Here is the link to download:

http://www.blex.org/oddpacket.pcapng

If you wish to review and post your analysis be my guest and thank you in advance!

(02 Jul '14, 10:08) Mike Kramer