Hi all, I am not too familiar with understanding Wireshark logs, but have tried to diagnose a recent network connectivity issue that is crippling our speeds. I have been reading up on issues around the large amount of duplicate IP and ARP transactions, with a lot of resources saying it's related to an ARP spoofing attack. Would someone with a bit more experience on the matter be able to let me know if that's the case? Here is the dump: https://www.cloudshark.org/captures/dc90369489a0 I really appreciate the support, thanks! asked 05 Aug '15, 18:23 danr
One Answer:
It does indeed look a little bit strange. There is a suspicious system in your trace, at least from my point of view. The IP is 192.168.16.10 with the MAC 00:04:23:e1:2f:77. It always sends a direct ARP answer to all the devices, and it also sends DHCP ACKs constantly. This makes the system suspicious. There is another MAC, 00:04:23:e1:2f:76, with the IP address 192.168.16.10. If I were you, I would investigate this behaviour. But maybe it is just a new kind of ARP and teaming implementation? answered 05 Aug '15, 21:47 Christian_R edited 05 Aug '15, 22:19
Thank you for your input Christian.
But it has an FCS checksum of 0x0, so it could be the system with the trace. Oh, and I overlooked that it is maybe the real DHCP server.
Correct, both MACs are the adapters on the DHCP server, which I wasn't aware of at the time.
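As an added example (not from the thread above, and not Wireshark's code), here is a small Python script that does mechanically what Christian_R did by eye: it walks the ARP frames in a classic pcap file and reports any IP address claimed by more than one MAC, ARP replies that answer no request seen in the capture, and gratuitous replies. The frames it runs on are constructed here using the IP and MAC addresses from the answer; they are not taken from the linked trace. Everything else (the helper names, the sample hosts 00:1a:aa:00:00:01/02) is invented for the example.

```python
"""Look for the ARP symptoms discussed in the answer above inside a pcap:
an IP claimed by more than one MAC, replies nobody asked for, and
gratuitous replies. Added example; the frames below are constructed,
not taken from the trace linked in the question."""
import struct
from collections import defaultdict

ETH_ARP = 0x0806
PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian libpcap, not pcapng


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)  # normalise case (2F vs 2f)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def arp_frame(oper, sha, spa, tha, tpa, dst=None):
    """Ethernet + ARP frame; oper 1 = request, 2 = reply."""
    if dst is None:
        dst = "ff:ff:ff:ff:ff:ff" if oper == 1 else tha
    eth = mac(dst) + mac(sha) + struct.pack("!H", ETH_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + mac(sha) + ip(spa) + mac(tha) + ip(tpa))
    return eth + arp


def pcap_bytes(frames):
    """Wrap frames in a classic pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for sec, f in enumerate(frames):
        out += struct.pack("<IIII", sec, 0, len(f), len(f)) + f
    return out


def frames_in(data):
    """Yield captured frames from classic little-endian pcap bytes."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("expected classic pcap (save from Wireshark as pcap, not pcapng)")
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + caplen]
        off += caplen


def analyze_arp(data):
    """Return (IP -> MACs conflicts, unsolicited replies, gratuitous replies)."""
    ip_to_macs = defaultdict(set)
    pending = set()      # (requester MAC, IP asked for) with no reply seen yet
    unsolicited = []     # (claimed IP, claiming MAC, MAC it was sent to)
    gratuitous = []      # (claimed IP, claiming MAC)
    for frame in frames_in(data):
        if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
            continue  # not ARP (or truncated); IPv4/DHCP is not examined here
        oper, = struct.unpack("!H", frame[20:22])
        sha, spa = frame[22:28], frame[28:32]
        tha, tpa = frame[32:38], frame[38:42]
        ip_to_macs[fmt_ip(spa)].add(fmt_mac(sha))
        if oper == 1:
            pending.add((sha, tpa))
        elif oper == 2:
            if spa == tpa:
                gratuitous.append((fmt_ip(spa), fmt_mac(sha)))
            elif (tha, spa) in pending:
                pending.discard((tha, spa))   # answers a request we observed
            else:
                unsolicited.append((fmt_ip(spa), fmt_mac(sha), fmt_mac(tha)))
    conflicts = {i: sorted(m) for i, m in ip_to_macs.items() if len(m) > 1}
    return conflicts, unsolicited, gratuitous


# Constructed sample traffic using the addresses named in the answer.
SAMPLE_PCAP = pcap_bytes([
    arp_frame(1, "00:1a:aa:00:00:01", "192.168.16.20", "00:00:00:00:00:00", "192.168.16.10"),
    arp_frame(2, "00:04:23:e1:2f:76", "192.168.16.10", "00:1a:aa:00:00:01", "192.168.16.20"),
    arp_frame(2, "00:04:23:e1:2F:77", "192.168.16.10", "00:1a:aa:00:00:02", "192.168.16.21"),
    arp_frame(2, "00:04:23:e1:2F:77", "192.168.16.10", "ff:ff:ff:ff:ff:ff", "192.168.16.10"),
])

if __name__ == "__main__":
    conflicts, unsolicited, gratuitous = analyze_arp(SAMPLE_PCAP)
    for addr, macs in conflicts.items():
        print(f"{addr} claimed by {len(macs)} MACs: {', '.join(macs)}")
    for addr, src, dst in unsolicited:
        print(f"unsolicited reply: {src} says it is {addr}, sent to {dst}")
    for addr, src in gratuitous:
        print(f"gratuitous reply: {src} announces {addr}")
```

To run it on a real capture, replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()`; if Wireshark saved the file as pcapng, re-save it in the classic pcap format first, since only that header layout is parsed here. The DHCP ACK flood Christian_R noticed is deliberately out of scope (it would need the IPv4/UDP/BOOTP layers parsed and option 53 checked). The caveat is the one the thread itself arrives at: two MACs answering for one IP is also exactly what a server with teamed or bonded NICs looks like, so a reported conflict is a lead to check against the DHCP server's adapters, not proof of spoofing.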