This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have this in my capture. Is this an ARP attack?

"4","16.479870000","Zhongxin_fd:04:38","Spanning-tree-(for-bridges)_09","LLC","242","[Malformed Packet]"
"5","29.190352000","0.0.0.0","255.255.255.255","DHCP","590","DHCP Discover - Transaction ID 0xc0a0c949"
"6","32.250335000","0.0.0.0","255.255.255.255","DHCP","590","DHCP Discover - Transaction ID 0xc0a0c949"
"7","35.310368000","0.0.0.0","255.255.255.255","DHCP","590","DHCP Discover - Transaction ID 0xc0a0c949"
"8","42.406078000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"9","42.406114000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"10","42.406149000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"11","42.406177000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"12","42.406227000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"13","42.406263000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"14","42.406298000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"15","42.406325000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"16","42.406374000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"17","42.406410000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"18","42.406443000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"19","42.406469000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"20","43.163592000","Hangzhou_07:f2:e0","Spanning-tree-(for-bridges)_0a","0x88a7","160","Ethernet II"
"21","46.480676000","Zhongxin_fd:04:38","Spanning-tree-(for-bridges)_09","LLC","242","[Malformed Packet]"
"25","69.106271000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"26","69.106347000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"27","69.106382000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"28","69.106409000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"29","69.106492000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"30","69.106528000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"31","69.106562000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"32","69.106586000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"33","69.106639000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"34","69.106674000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"35","69.106709000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"36","69.106734000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"37","76.481479000","Zhongxin_fd:04:38","Spanning-tree-(for-bridges)_09","LLC","242","[Malformed Packet]"

asked 09 Sep '15, 05:22

Ciohap22

edited 09 Sep '15, 06:54

grahamb ♦

I don't think it's ARP spoofing, as the requests are simply "crappy".

"8","42.406078000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"

It does not make sense to ask for 10.117.3.82 in the network that 192.168.1.1 is part of, so I see the following possible reasons/problems:

  • a broken device is asking for totally wrong things
  • somebody is playing tricks with you
  • a broken device sends arbitrary/random data to the network, that just look like ARP requests

The last item looks pretty reasonable to me, given all the FCS (FRAME CHECK SEQUENCE) errors in every single ARP frame.

Regards
Kurt

answered 10 Sep '15, 18:45

Kurt Knochner ♦

Ok. Thank you.

(11 Sep '15, 07:55) Ciohap22
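
The checks the answer applies by eye can be scripted over the same kind of export; this is an added example, not part of the original thread. It assumes the seven-column layout shown in the question and a /24 network around the ARP sender (`prefix_len` is an assumed parameter), and `triage` is a hypothetical helper name.

```python
import csv, io, ipaddress, re
from collections import Counter

# Sample input: the first three rows are taken from the question's capture,
# the last row is constructed here as a well-formed request for contrast.
SAMPLE = '''\
"8","42.406078000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"9","42.406114000","Zte_5f:f8:67","TainetCo_12:fe:09","ARP","64","Who has 10.117.3.82?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"25","69.106271000","Zte_5f:f8:67","Tp-LinkT_4d:76:bd","ARP","64","Who has 1.0.118.188?  Tell 192.168.1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]"
"40","80.000000000","Zte_5f:f8:67","Broadcast","ARP","60","Who has 192.168.1.20?  Tell 192.168.1.1"
'''

ARP_REQ = re.compile(r"Who has (\S+)\?\s+Tell (\S+)")

def triage(text, prefix_len=24):
    """Summarise ARP requests: off-subnet targets, FCS errors, repeats."""
    stats = Counter()
    macs_per_ip = {}      # sender IP -> source MACs seen using it
    repeats = Counter()   # (source MAC, target IP) -> request count
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 7 or row[4] != "ARP":
            continue
        src, info = row[2], row[6]
        m = ARP_REQ.search(info)
        if not m:
            continue
        target, sender = (ipaddress.ip_address(x) for x in m.groups())
        # Assumption: the sender lives in a /prefix_len network.
        net = ipaddress.ip_network(f"{sender}/{prefix_len}", strict=False)
        stats["arp_requests"] += 1
        # A host only ARPs for on-link addresses; anything else is nonsense.
        stats["off_subnet_target"] += target not in net
        # Bad FCS means the frame was damaged or malformed on the wire.
        stats["bad_fcs"] += "FRAME CHECK SEQUENCE INCORRECT" in info
        macs_per_ip.setdefault(str(sender), set()).add(src)
        repeats[(src, str(target))] += 1
    stats["max_repeat"] = max(repeats.values(), default=0)
    # Common spoofing indicator: one sender IP seen from more than one MAC.
    stats["ips_with_multiple_macs"] = sum(len(s) > 1 for s in macs_per_ip.values())
    return dict(stats)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Off-subnet targets combined with FCS errors on the same frames and no IP address shared between MACs matches the "broken device" reading in the answer rather than spoofing.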