This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

llmnr packets data flow

0

What is the reason for LLMNR packet flow in a non-ad-hoc network? Can a significant number of LLMNR protocol packets in one capture indicate a vulnerability or a victim?

asked 13 Dec '16, 22:29


acropo
6223
accept rate: 0%


One Answer:

0

LLMNR is the Link-Local Multicast Name Resolution. This protocol is used by Windows systems as a fallback if they could not translate a hostname to an IP address through DNS.

The presence of LLMNR packets shows that certain hostnames could not be translated.

LLMNR is nothing bad if your host does not have a DNS server configured, or if your DNS server(s) are momentarily not available. For ad-hoc networks, that is the usual behavior.

LLMNR might reveal the presence of a rootkit if your hosts are frequently asking for random hostnames. This could be caused by a Domain Name Generator (DGA) embedded in the malware.

Please note that certain browsers try to translate random host names to find out if the Internet is only available through some captive portal (hotel network etc.).

You can turn off LLMNR through a group policy in your name resolution policy.

answered 14 Dec '16, 08:47


packethunter
2.1k71548
accept rate: 8%
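As an added illustration of the heuristic the answer describes (example code, not part of the original post or of Wireshark): parse the queried name out of LLMNR UDP payloads and flag hosts that resolve many random-looking names, while the handful of random probes a browser sends for captive-portal detection stays below the threshold. The sample packets, IP addresses and thresholds are constructed.

```python
import math
import struct
from collections import Counter, defaultdict

def parse_llmnr_qname(payload: bytes) -> str:
    """Return the queried name from an LLMNR (RFC 4795, UDP/5355) query payload.
    LLMNR reuses the DNS layout: 12-byte header, then a QNAME of length-prefixed labels."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] == 0:
        raise ValueError("not an LLMNR query")
    labels, pos = [], 12
    while payload[pos] != 0:
        length = payload[pos]
        if length & 0xC0:  # LLMNR does not allow DNS name compression in the question
            raise ValueError("compressed label")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels).lower()

def build_llmnr_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed A-record query used to fabricate sample traffic (not captured data)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def label_entropy(name: str) -> float:
    """Shannon entropy (bits/char) of the first label; random DGA-style labels score high."""
    label = name.split(".")[0]
    return -sum(n / len(label) * math.log2(n / len(label)) for n in Counter(label).values())

def suspicious_sources(packets, min_names=5, min_entropy=3.5):
    """packets: iterable of (src_ip, udp_payload). Flag sources that queried at least min_names
    distinct high-entropy names; real hosts and a browser's few captive-portal probes stay below."""
    seen = defaultdict(set)
    for src, payload in packets:
        try:
            seen[src].add(parse_llmnr_qname(payload))
        except (ValueError, IndexError):
            continue  # malformed or non-query payload: skip rather than abort the scan
    return sorted(src for src, names in seen.items()
                  if sum(label_entropy(n) >= min_entropy for n in names) >= min_names)

# Constructed sample traffic: real hostnames, a browser-style probe pair, and DGA-like churn.
SAMPLE_PACKETS = (
    [("10.0.0.5", build_llmnr_query(n)) for n in ("printer", "nas", "wpad", "printer")]
    + [("10.0.0.7", build_llmnr_query(n)) for n in ("a8f3kq2zx9pw", "r4t7y1u6i3o2")]
    + [("10.0.0.9", build_llmnr_query(n)) for n in ("x7k2qp9zw4mv", "b3n8h1j5l0ty",
       "c6d2f9g4s7wq", "e1r5u8o3p2zk", "m4v7b0c3x6qn", "w9q2e5t8y1ui")]
)

if __name__ == "__main__":
    print("suspicious LLMNR sources:", suspicious_sources(SAMPLE_PACKETS))  # ['10.0.0.9']
```

On a real capture, feed it the UDP/5355 payloads per source address (for example exported from Wireshark) and tune min_names to the size of the capture window.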