This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Seeing an unreachable local IP address on my network

0

So I was running wireshark, and I kept getting this ARP packets about who is at "192.168.1.10"

alt text

It appears to be a rogue IP address on my network because when I attempt to ping it, and check my arp cache, this is what happens:

![alt text][2]

What measures can I take to make sure my network isn't compromised because recently, I did a wireshark trace on my brother's computer and I noticed an ARP poisoning attack to his cache:

alt text alt text

These ARP requests which was obviously an attempt at ARP poisoining had some mysterious SNMP get requests made (which I have some trouble reading but working on how to read SNMP messages in wireshark)

alt text

Can someone kindly share some light on this situation, especially with devices that don't exist on my network having IP addresses? There is a rogue right?

asked 19 Feb '15, 10:41

Beldum's gravatar image

Beldum
49111116
accept rate: 0%

edited 19 Feb '15, 18:41


One Answer:

1

Your computer, 192.168.1.18, is attempting to communicate with 192.168.1.10, so apparently at one time there was a device with that address on your network. It could be lots of things. For example, did you ever replace a network printer, but leave it configured on the computer? If so, the computer could still be trying to communicate with that printer.

If this is a Windows PC, you might try searching the registry to see if that IP address is stored somewhere. That might give you a clue what process on your computer is trying to communicate with that IP address.

What you are calling an ARP poisoning attack is not; it is an ARP scan. By itself, this is not malicious. It could be a precursor to an attack, but the ARP scan itself is not an attack. The device with IP address 192.168.43.43 is scanning your brother's entire address space to see what devices respond. It could also be some sort of network discovery tool. Some home routers will do an ARP scan periodically. My Netopia home router, for example, does an ARP scan every five minutes.

answered 19 Feb '15, 16:15

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

Jim, thanks for the explanation.

(19 Feb '15, 18:42) Beldum