This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What is the reason for LLMNR packets flowing in a non-ad-hoc network? Can a significant number of LLMNR protocol packets in one capture be a vulnerability or victim?

asked 13 Dec '16, 22:29

acropo

LLMNR is the link layer multicast name resolution. This protocol is used by Windows systems as a fallback if they could not translate a hostname to an IP address through DNS.

The presence of LLMNR packets shows that certain hostnames could not be translated.

LLMNR is nothing bad, if your host does not have a DNS server configured, or if your DNS server(s) are momentarily not available. For ad-hoc networks, that is the usual behavior.

LLMNR might reveal the presence of a rootkit if your hosts are frequently asking for random hostnames. This could be caused by a Domain Name Generator (DGA) embedded in the malware.

Please note that certain browsers try to translate random host names to find out if the Internet is only available through some captive portal (hotel network etc.).

You can turn off LLMNR through a group policy in your name resolution policy.

answered 14 Dec '16, 08:47

packethunter
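
The pattern described in the answer above (a host that keeps asking for random hostnames over LLMNR, as opposed to an occasional browser probe) can be checked against captured traffic. The following is an added example, not part of the original answer: it parses LLMNR query payloads (UDP port 5355) and flags sources that ask for many distinct random-looking names. The function names, the entropy, length and count thresholds, and the sample packets are assumptions constructed for illustration.

```python
import math
import struct
from collections import Counter, defaultdict

def parse_llmnr_query(payload):
    """Return the name asked for in an LLMNR (UDP 5355) query payload, else None."""
    if len(payload) < 12:                 # LLMNR reuses the 12-byte DNS header
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:    # QR bit set means response: skip
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            return ".".join(labels) or None
        if length > 63 or pos + 1 + length > len(payload):
            return None                   # compression pointer or truncated packet
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None

def entropy(name):
    """Shannon entropy in bits per character."""
    counts = Counter(name.lower())
    return -sum(c / len(name) * math.log2(c / len(name)) for c in counts.values())

def suspicious_hosts(packets, min_names=5, min_entropy=3.2, min_len=10):
    """Flag sources asking for many distinct random-looking names.
    The three thresholds are assumptions to tune per network."""
    hits = defaultdict(set)
    for src, payload in packets:
        name = parse_llmnr_query(payload)
        if name and len(name) >= min_len and entropy(name) >= min_entropy:
            hits[src].add(name.lower())
    return {src: sorted(names) for src, names in hits.items() if len(names) >= min_names}

def build_query(name, txid=1):
    """Build a minimal LLMNR query (constructed test data, not a capture)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

# Constructed sample: one host cycling through random names, one behaving normally.
NOISY = ["qzxkvbnmwrty", "hjdkslpqowie", "mznxbcvalskd", "ploikmjunhyb", "tgbrfvedcwsx"]
NORMAL = ["wpad", "fileserver01", "qzxkvbnmwrty", "hjdkslpqowie"]
SAMPLE = ([("10.0.0.23", build_query(n)) for n in NOISY]
          + [("10.0.0.7", build_query(n)) for n in NORMAL])

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE))
```

Short character-entropy is a weak signal on its own, so the count of distinct names per source does most of the work: a couple of random lookups, such as the browser captive-portal probes mentioned in the answer, stay below the threshold.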
question asked: 13 Dec '16, 22:29

question was seen: 1,637 times

last updated: 14 Dec '16, 08:47