This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hey, I'm new to the forums but a long time (basic) wireshark user. I'm seeing some really strange traffic. There is constant activity (+/- 2000 packets per second) between 2 source ip's and a destination ip. The source IP's are vm's which use anywhereusb. The destination IP is from an anywhereusb device. The strange thing is that the traffic continues even if the source machine is powered off and the anywhereusb device is powered off. The second strange thing is that the MAC address wireshark shows for the anywhereusb device doesn't match with it's actual MAC address. The mac address also isn't traceable in the mac-address-table of our switches. The mac address of the source is correct an can be traced to the port connected to our esx. But as stated before there's even traffic when both machines are turned off. For the moment I'm a bit clueless as to what could be the cause. Below are the summary texts for two records.

Any help will be much appreciated.

17369 2015-11-17 09:40:34.939583000 10.7.x.x 10.0.x.x TCP 60 netiq > rtip [SYN] Seq=1902520936 Win=64240[Malformed Packet] Vmware_9c:15:f5 Digiboar_9c:1a:20

28663 2015-11-17 10:14:12.301107000 10.7.x.y 10.0.x.x TCP 60 brlp-3 > rtip [SYN] Seq=1075763157 Win=64240[Malformed Packet] Vmware_9c:1a:20 Digiboar_44:bf:f5

asked 17 Nov '15, 02:32

pproost's gravatar image

pproost
6113
accept rate: 0%

Can you share a capture in a publicly accessible spot, e.g. CloudShark?

(17 Nov '15, 02:55) Jaap ♦

17369 2015-11-17 09:40:34.939583000 10.7.x.x 10.0.x.x TCP 60 netiq > rtip [SYN] Seq=1902520936 Win=64240[Malformed Packet] Vmware_9c:15:f5 Digiboar_9c:1a:20

28663 2015-11-17 10:14:12.301107000 10.7.x.y 10.0.x.x TCP 60 brlp-3 > rtip [SYN] Seq=1075763157 Win=64240[Malformed Packet] Vmware_9c:1a:20 Digiboar_44:bf:f5

Maybe there are just two packets, because all the packets with the src 10.7.0.7 have the IP.ID 0xe7e4 and all the packets with the src 10.7.0.8 have the IP.ID 0x3669. When you apply the following filter eno strange packet can be seen any more:

(!(ip.id == 0xe7e4)) && !(ip.id == 0x3669)

So that assumption means that these packets are circling in the network and it doesn´t matter if the src hosts are active or not. The reason for that I just can guess... maybe it is because the destination IP is the network address or the mac is not known in the network or a bug or...???

permanent link

answered 17 Nov '15, 14:14

Christian_R's gravatar image

Christian_R
1.8k2625
accept rate: 16%

edited 17 Nov '15, 15:36

Hi, thanks for you answer. I also noticed the same thing and I'm suspecting that there's something wrong with the spanning-tree in our network and that there's a kind of flooding going on. But unfortunately my Cisco knowledge isn't good enough to be sure so I'll have to contact our network specialist when I'm back at the office tomorrow.

(17 Nov '15, 14:23) pproost

We're still investigating the network problem/cause but were able to get the rogue packets of the network by creating two vm's with the mac addresses of the rogue packets so the packets had somewhere to go. Maybe it can help someone else with the same problem.

(19 Nov '15, 01:49) pproost

Smart idea with that dummy MAC. Have tried a firmware update at the switches?

(19 Nov '15, 02:02) Christian_R
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×23
×1

question asked: 17 Nov '15, 02:32

question was seen: 1,315 times

last updated: 19 Nov '15, 02:02

p​o​w​e​r​e​d by O​S​Q​A