This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am using the Win7 operating system, connected wirelessly to a ZTE F660.

When trying to sniff the traffic using Wireshark, I've captured lots of ARP requests from an unknown interface, which does not exist on my router or on my Windows host client.

Below is the screenshot:

The unknown interface shows "78:19:f7:40:b7:c5" as its MAC address: http://imgur.com/a/Nsyrp

My LAN interface: http://imgur.com/a/8NKMF

My WLAN interface: http://imgur.com/a/EMCzl

I'm not a network administrator and I hope someone can enlighten me.

I really appreciate your help.

Thanks

asked 27 Jul '16, 17:58


noobie

edited 27 Jul '16, 17:59

Cable modem user?

(27 Jul '16, 22:37) Jaap ♦

@Jaap, yes sir.

It is an ADSL fiber optic modem, and I connect to the modem using Wi-Fi.

It is strange because I catch lots of internal IPs in a different range than my network.

(30 Jul '16, 11:49) noobie

From the strange subnet ARP packets, it looks like there are at least 5 devices.

Two IP senders [10.11.48.2 & 10.11.48.3] and they are asking for three other devices' MAC addresses [10.11.50.43, 10.11.51.28 & 10.11.51.220]. So it's most likely that they are all on a subnet 10.11.48.0/22 (range: 10.11.48.1 ~ 10.11.51.255).

Also look at your LAN 4 interface. It doesn't show the IP address of that interface, but you can see both send & receive traffic (and not in any small numbers either).

But as you're attached to WLAN on subnet 192.168.0.0/16, these packets shouldn't be broadcast to you at all as it's an entirely different subnet.

Likewise, the strange ARP request packets don't have any replies over a several minute span meaning that this is only 1 way traffic you're seeing. That too is strange because the ARP requesting devices have a specific IP whom they are probably talking to and thus there should be two way traffic. But that's not the case.

As such, I recommend you look at the IP settings for your LAN 4 first and if it is in the 10.11.48.0/22 range, then perhaps your router is set to bridging mode?

And if LAN 4 is NOT in the 10.11.48.0/22 range, then perhaps somebody else's wireless packets are bleeding over and you're picking them up and capturing them. But if you don't use the 10.11.48.0/22 subnet range, then there will be no route from your router to that subnet and thus you will only see one-way incoming packets, but no returned packets, which is what this looks like.

FWIW


answered 30 Jul '16, 19:01


wbenton
accept rate: 0%
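The subnet inference and the one-way-traffic check from the answer above, as an added example that is not part of the original post. The frame list is constructed from the IPs quoted in the answer (which sender asked for which target is an assumption), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: (opcode, sender_ip, target_ip); 1 = ARP request, 2 = ARP reply.
# The IPs are the ones quoted in the answer; the sender/target pairing is assumed.
ARP_FRAMES = [
    (1, "10.11.48.2", "10.11.50.43"),
    (1, "10.11.48.3", "10.11.51.28"),
    (1, "10.11.48.2", "10.11.51.220"),
    (1, "10.11.48.3", "10.11.50.43"),
]
LOCAL_NET = ipaddress.ip_network("192.168.0.0/16")  # WLAN subnet named in the answer


def smallest_covering_network(addresses):
    """Return the tightest IPv4 network that contains every address given."""
    ints = [int(ipaddress.ip_address(a)) for a in addresses]
    # The highest bit where min and max differ marks the end of the shared prefix.
    differing = min(ints) ^ max(ints)
    prefix = 32 - differing.bit_length()
    return ipaddress.IPv4Network((min(ints), prefix), strict=False)


def unanswered_targets(frames):
    """IPs that were asked for in a request but never sent a captured reply."""
    requested = {tgt for op, _, tgt in frames if op == 1}
    replied = {snd for op, snd, _ in frames if op == 2}
    return sorted(requested - replied, key=ipaddress.ip_address)


def assess(frames, local_net):
    """Summarise ARP traffic whose addresses fall outside the local subnet."""
    ips = {ip for _, snd, tgt in frames for ip in (snd, tgt)}
    foreign = [ip for ip in ips if ipaddress.ip_address(ip) not in local_net]
    net = smallest_covering_network(foreign) if foreign else None
    return {
        "inferred_subnet": str(net) if net else None,
        "overlaps_local": bool(net and net.overlaps(local_net)),
        "unanswered": unanswered_targets(frames),
    }


if __name__ == "__main__":
    print(assess(ARP_FRAMES, LOCAL_NET))
```

The inferred prefix is only the tightest fit to the addresses seen in the capture; the real subnet mask may be shorter.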


question asked: 27 Jul '16, 17:58

question was seen: 1,792 times

last updated: 30 Jul '16, 19:01
