This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is this ARP poisoning?

0

I have this in my capture. Is this an ARP attack?

"4","16.479870000","Zhongxin_fd:04:38","Spanning-tree-(for-bridges)_09","LLC","242","[Malformed Packet]"
"5","29.190352000","0.0.0.0","255.255.255.255","DHCP","590","DHCP Discover - Transaction ID 0xc0a0c949"
"6","32.250335000","0.0.0.0","255.255.255.255","DHCP","590","DHCP Discover - Transaction ID 0xc0a0c949"
"7","35.310368000","0.0.0.0","255.255.255.255","DHCP","590","DHCP Discover - Transaction ID 0xc0a0c949"
"8","42.406078000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"9","42.406114000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"10","42.406149000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"11","42.406177000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"12","42.406227000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"13","42.406263000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"14","42.406298000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"15","42.406325000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"16","42.406374000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"17","42.406410000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"18","42.406443000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"19","42.406469000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"20","43.163592000","Hangzhou_07:f2:e0","Spanning-tree-(for-bridges)_0a","0x88a7","160","Ethernet II"
"21","46.480676000","Zhongxin_fd:04:38","Spanning-tree-(for-bridges)_09","LLC","242","[Malformed Packet]"
"25","69.106271000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"26","69.106347000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"27","69.106382000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"28","69.106409000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"29","69.106492000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"30","69.106528000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"31","69.106562000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"32","69.106586000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"33","69.106639000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"34","69.106674000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"35","69.106709000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"36","69.106734000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"37","76.481479000","Zhongxin_fd:04:38","Spanning-tree-(for-bridges)_09","LLC","242","[Malformed Packet]"

asked 09 Sep '15, 05:22

Ciohap22

edited 09 Sep '15, 06:54

grahamb ♦


One Answer:

2

I don't think it's ARP spoofing, as the requests are simply "crappy".

"8","42.406078000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"

It does not make sense to ask for 10.117.3.82 in the network that 192.168.1.1 is part of, so I see the following possible reasons/problems:

  • a broken device is asking for totally wrong things
  • somebody is playing tricks with you
  • a broken device sends arbitrary/random data to the network, that just look like ARP requests

The last item looks pretty reasonable to me, given all the FCS (FRAME CHECK SEQUENCE) errors in every single ARP frame.

Regards
Kurt

answered 10 Sep '15, 18:45

Kurt Knochner ♦

Ok. Thank you.

(11 Sep '15, 07:55) Ciohap22
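
The checks used in the answer, applied to a Wireshark CSV export, as an added example that is not part of the original thread: it counts ARP requests whose target lies outside the sender's subnet, counts FCS errors, and looks for one IP announced from several Ethernet sources, which is what a spoofing capture would show. The function name `triage_arp` is hypothetical and the /24 prefix is an assumption, since the page does not give the subnet mask; the sample rows are constructed in the question's format.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the same CSV layout as the export in the question.
SAMPLE = '''"5","29.190352000","0.0.0.0","255.255.255.255","DHCP","590","DHCP Discover - Transaction ID 0xc0a0c949"
"8","42.406078000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"25","69.106271000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
'''

REQUEST = re.compile(r"Who has (\S+?)\?\s+Tell (\S+)")
REPLY = re.compile(r"^(\S+) is at ")

def triage_arp(csv_text, prefix_len=24):
    """Summarise the ARP rows of a Wireshark CSV export.

    prefix_len is an assumption: the page does not state the subnet mask.
    """
    stats = {"requests": 0, "replies": 0, "off_subnet": 0, "fcs_errors": 0, "unparsed": 0}
    claims = defaultdict(set)  # sender IP -> Ethernet sources that claimed it
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 7 or row[4] != "ARP":
            continue
        src, info = row[2], row[6]
        if "FRAME CHECK SEQUENCE INCORRECT" in info:
            stats["fcs_errors"] += 1
        req, rep = REQUEST.search(info), REPLY.search(info)
        try:
            if req:
                target = ipaddress.ip_address(req.group(1))
                net = ipaddress.ip_network(f"{req.group(2)}/{prefix_len}", strict=False)
                stats["requests"] += 1
                stats["off_subnet"] += target not in net
                claims[req.group(2)].add(src)
            elif rep:
                ipaddress.ip_address(rep.group(1))  # validate the announced address
                stats["replies"] += 1
                claims[rep.group(1)].add(src)
            else:
                stats["unparsed"] += 1
        except ValueError:  # corrupted frame whose address fields do not parse
            stats["unparsed"] += 1
    # One IP announced from several sources is the classic spoofing indicator.
    stats["conflicts"] = {ip: sorted(m) for ip, m in claims.items() if len(m) > 1}
    return stats

if __name__ == "__main__":
    print(triage_arp(SAMPLE))
```

On rows like those in the question, every request is off-subnet with an FCS error and there are no replies or conflicting claims, which matches the broken-device explanation rather than spoofing.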