Hey, I'm new to the forums but a long time (basic) Wireshark user. I'm seeing some really strange traffic. There is constant activity (+/- 2000 packets per second) between 2 source IPs and a destination IP. The source IPs are VMs which use AnywhereUSB. The destination IP is from an AnywhereUSB device. The strange thing is that the traffic continues even if the source machine is powered off and the AnywhereUSB device is powered off. The second strange thing is that the MAC address Wireshark shows for the AnywhereUSB device doesn't match its actual MAC address. The MAC address also isn't traceable in the mac-address-table of our switches. The MAC address of the source is correct and can be traced to the port connected to our ESX. But as stated before there's even traffic when both machines are turned off. For the moment I'm a bit clueless as to what could be the cause. Below are the summary texts for two records. Any help will be much appreciated.

17369 2015-11-17 09:40:34.939583000 10.7.x.x 10.0.x.x TCP 60 netiq > rtip [SYN] Seq=1902520936 Win=64240[Malformed Packet] Vmware_9c:15:f5 Digiboar_9c:1a:20

28663 2015-11-17 10:14:12.301107000 10.7.x.y 10.0.x.x TCP 60 brlp-3 > rtip [SYN] Seq=1075763157 Win=64240[Malformed Packet] Vmware_9c:1a:20 Digiboar_44:bf:f5

asked 17 Nov '15, 02:32 pproost
One Answer:
Maybe there are just two packets, because all the packets with the src
So that assumption means that these packets are circling in the network and it doesn't matter if the src hosts are active or not. The reason for that I just can guess… maybe it is because the destination IP is the network address or the MAC is not known in the network or a bug or…???

answered 17 Nov '15, 14:14 Christian_R, edited 17 Nov '15, 15:36

Hi, thanks for your answer. I also noticed the same thing and I'm suspecting that there's something wrong with the spanning-tree in our network and that there's a kind of flooding going on. But unfortunately my Cisco knowledge isn't good enough to be sure so I'll have to contact our network specialist when I'm back at the office tomorrow. (17 Nov '15, 14:23) pproost

We're still investigating the network problem/cause but were able to get the rogue packets off the network by creating two VMs with the MAC addresses of the rogue packets so the packets had somewhere to go. Maybe it can help someone else with the same problem. (19 Nov '15, 01:49) pproost

Smart idea with that dummy MAC. Have you tried a firmware update at the switches? (19 Nov '15, 02:02) Christian_R
Can you share a capture in a publicly accessible spot, e.g. CloudShark?
https://www.cloudshark.org/captures/661de826c909
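As an added example (not code from the thread or from Wireshark), this is the check behind Christian_R's observation: parse Wireshark-style summary lines, group SYNs by source, destination and sequence number, and flag any whose sequence number keeps recurring, while noting whether the switch has the destination MAC in its table. The summary lines and the MAC table are constructed stand-ins, not the original capture.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the summaries quoted in the question
# (no., time, src IP, dst IP, proto, length, info, src MAC, dst MAC); the
# addresses and values are made up, not taken from the real capture.
SUMMARY_LINES = """\
1\t09:40:34.939583\t10.7.0.10\t10.0.0.20\tTCP\t60\tnetiq > rtip [SYN] Seq=1902520936 Win=64240\tVmware_9c:15:f5\tDigiboar_9c:1a:20
2\t09:40:34.939701\t10.7.0.11\t10.0.0.20\tTCP\t60\tbrlp-3 > rtip [SYN] Seq=1075763157 Win=64240\tVmware_9c:1a:20\tDigiboar_44:bf:f5
3\t09:40:34.940012\t10.7.0.10\t10.0.0.20\tTCP\t60\tnetiq > rtip [SYN] Seq=1902520936 Win=64240\tVmware_9c:15:f5\tDigiboar_9c:1a:20
4\t09:40:34.940133\t10.7.0.11\t10.0.0.20\tTCP\t60\tbrlp-3 > rtip [SYN] Seq=1075763157 Win=64240\tVmware_9c:1a:20\tDigiboar_44:bf:f5
5\t09:40:35.101200\t10.7.0.50\t10.0.0.20\tTCP\t74\t51234 > rtip [SYN] Seq=44120011 Win=29200\tVmware_aa:bb:cc\tDigiboar_00:11:22
6\t09:40:35.940450\t10.7.0.10\t10.0.0.20\tTCP\t60\tnetiq > rtip [SYN] Seq=1902520936 Win=64240\tVmware_9c:15:f5\tDigiboar_9c:1a:20
7\t09:40:35.940601\t10.7.0.11\t10.0.0.20\tTCP\t60\tbrlp-3 > rtip [SYN] Seq=1075763157 Win=64240\tVmware_9c:1a:20\tDigiboar_44:bf:f5
"""

# Constructed stand-in for the switch mac-address-table: the MACs the capture
# shows for the AnywhereUSB box are absent, as described in the question.
KNOWN_MACS = {"Vmware_9c:15:f5", "Vmware_9c:1a:20", "Vmware_aa:bb:cc", "Digiboar_00:11:22"}

SEQ_RE = re.compile(r"\bSeq=(\d+)")

def parse_summary(line):
    """Return a dict for one tab-separated summary line, or None if it is not a SYN."""
    fields = line.split("\t")
    if len(fields) != 9 or "[SYN]" not in fields[6]:
        return None
    m = SEQ_RE.search(fields[6])
    if m is None:
        return None
    return {"src": fields[2], "dst": fields[3], "seq": int(m.group(1)),
            "src_mac": fields[7], "dst_mac": fields[8]}

def find_circulating_syns(lines, known_macs, min_repeats=3):
    """Group SYNs by (src, dst, seq). An initial SYN whose sequence number recurs
    min_repeats times or more is the same segment seen again, not a new connection.
    Each hit records whether the switch knows the destination MAC: if not, the
    frame is flooded as unknown unicast, and with a loop it keeps coming back."""
    groups = defaultdict(list)
    for line in lines.splitlines():
        rec = parse_summary(line)
        if rec:
            groups[(rec["src"], rec["dst"], rec["seq"])].append(rec)
    hits = {}
    for key, recs in groups.items():
        if len(recs) >= min_repeats:
            hits[key] = {"count": len(recs), "dst_mac": recs[0]["dst_mac"],
                         "dst_mac_known": recs[0]["dst_mac"] in known_macs}
    return hits
```

Running it over the sample flags the two repeating SYNs with unknown destination MACs and leaves the normal handshake alone; the same grouping on a real export (File > Export Packet Dissections > As Plain Text, or tshark fields) tells you whether thousands of packets per second are really two frames circulating.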