
So I was running Wireshark, and I kept getting these ARP packets asking who is at "192.168.1.10"

[image]

It appears to be a rogue IP address on my network because when I attempt to ping it, and check my arp cache, this is what happens:

[image]

What measures can I take to make sure my network isn't compromised? I ask because recently I did a Wireshark trace on my brother's computer and I noticed an ARP poisoning attack on his cache:

[image] [image]

These ARP requests, which were obviously an attempt at ARP poisoning, had some mysterious SNMP get requests made (which I have some trouble reading, but I am working on how to read SNMP messages in Wireshark)

[image]

Can someone kindly shed some light on this situation, especially with devices that don't exist on my network having IP addresses? There is a rogue, right?

asked 19 Feb '15, 10:41


Beldum

edited 19 Feb '15, 18:41


Your computer, 192.168.1.18, is attempting to communicate with 192.168.1.10, so apparently at one time there was a device with that address on your network. It could be lots of things. For example, did you ever replace a network printer, but leave it configured on the computer? If so, the computer could still be trying to communicate with that printer.

If this is a Windows PC, you might try searching the registry to see if that IP address is stored somewhere. That might give you a clue what process on your computer is trying to communicate with that IP address.

What you are calling an ARP poisoning attack is not; it is an ARP scan. By itself, this is not malicious. It could be a precursor to an attack, but the ARP scan itself is not an attack. The device with IP address 192.168.43.43 is scanning your brother's entire address space to see what devices respond. It could also be some sort of network discovery tool. Some home routers will do an ARP scan periodically. My Netopia home router, for example, does an ARP scan every five minutes.


answered 19 Feb '15, 16:15


Jim Aragon

Jim, thanks for the explanation.

(19 Feb '15, 18:42) Beldum
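
The distinction drawn in the answer above, as an added example that is not part of the original thread: a sender asking for many different addresses is an ARP scan, while one IP address being claimed by more than one MAC address is what cache poisoning looks like on the wire. The MAC addresses, target addresses, threshold and function names are constructed for illustration; only 192.168.43.43 comes from the thread.

```python
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"  # 28-byte ARP payload for Ethernet/IPv4

def parse_arp(payload):
    """Decode an ARP payload into (opcode, sender MAC, sender IP, target IP)."""
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    dotted = lambda b: ".".join(map(str, b))
    return op, sha.hex(":"), dotted(spa), dotted(tpa)

def classify(payloads, scan_threshold=10):
    """Return (scanners, conflicts).

    scanners:  sender IPs that issued who-has requests for at least
               scan_threshold distinct targets (scan or discovery tool).
    conflicts: IPs announced by more than one MAC (possible poisoning).
    """
    targets = defaultdict(set)   # sender IP -> target IPs it asked for
    owners = defaultdict(set)    # sender IP -> MACs that claimed it
    for raw in payloads:
        op, mac, spa, tpa = parse_arp(raw)
        if spa != "0.0.0.0":     # ARP probes carry no sender IP claim
            owners[spa].add(mac)
        if op == 1 and spa != tpa:   # request, and not a gratuitous ARP
            targets[spa].add(tpa)
    scanners = sorted(ip for ip, t in targets.items() if len(t) >= scan_threshold)
    conflicts = {ip: sorted(m) for ip, m in owners.items() if len(m) > 1}
    return scanners, conflicts

def make_arp(op, mac, spa, tpa):
    """Build a constructed ARP payload for the sample data below."""
    ip = lambda s: bytes(map(int, s.split(".")))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       bytes.fromhex(mac.replace(":", "")), ip(spa), b"\0" * 6, ip(tpa))

# Constructed sample 1: one host sweeping 20 addresses with who-has requests.
SCAN = [make_arp(1, "02:00:00:00:00:43", "192.168.43.43", f"192.168.43.{i}")
        for i in range(1, 21)]
# Constructed sample 2: two different MACs both answering as 192.168.43.1.
SPOOF = [make_arp(2, "02:00:00:00:00:01", "192.168.43.1", "192.168.43.18"),
         make_arp(2, "02:00:00:00:00:66", "192.168.43.1", "192.168.43.18")]

if __name__ == "__main__":
    print(classify(SCAN))
    print(classify(SPOOF))
```

A conflict is a lead to investigate rather than proof of an attack: a replaced device or a failover pair can also make one IP appear behind two MAC addresses.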