This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Foreign IP address appearing within router’s ARP requests


Hi there,

I am quite new to programs like Wireshark for sniffing web traffic. However, recently I have had strange disruptions to my wifi network, and I am concerned as I live in a unit where the router is shared amongst 4 other people.

As such I did some basic traffic monitoring to learn about the potential processes and thus stumbled upon this.

I am just looking at ARP traffic to see if there are any strange nuances, and I want to clarify this in particular. I slapped on an ARP filter to find some usual devices sending ARP requests to and from my router. However, what scared me is the fact that there was an IP based in the US that was being identified by my neighbour's computer.

The exact detail:

"David's Local" ARP Who is 169.254.92.168? Tell 0.0.0.0

My IP address does not start with 169, and furthermore the prior address is linked to a server in Fairfax, US; I live in Oceania.

Why is there a null destination?

Furthermore, what creeps me out is that all the devices registered on the network are sending ARP information to a fixed address that is not listed among the devices I have currently identified as belonging to my network. And based on my neighbour's ARP requests, it keeps sending an ARP request for this particular address; however, the destination is a null address, 0.0.0.0.

To simplify some of this: there are continual ARP resolution requests for an IP address in my local network that I cannot recognize or identify; however, all ARP requests for this particular IP are directed to a null address. So basically all ARP requests are sent to this IP, but an ARP request for that IP is sent to a null. And to add to that, there's a foreign IP from another country being requested, which is also being told to a null IP.

Please help

asked 23 Jan '17, 18:26


Nilstor


One Answer:


It's called Automatic IP Addressing. It's an address range that can be self assigned when there is no response to a DHCP discover. The article below will explain further.

http://packetlife.net/blog/2008/sep/24/169-254-0-0-addresses-explained/

answered 23 Jan '17, 18:53


Rooster_50

edited 23 Jan '17, 18:54

Hey Rooster,

Thanks for the response, so would it be fair to say it just indicates there's a device on the local network that is unable to connect to the DHCP server?

To add as well, I was wondering about the null addresses. Why is it that these IPs are sending these requests to 0.0.0.0?

And sorry to ask further, but would you be able to comment about these null addresses for the 2nd IP? To add to what I've found out, my neighbour is the one holding the mysterious IP (contrary to what I thought at first), but the funny thing is, every ARP request directed towards his IP is sent to a null address '0.0.0.0'; however, all other ARP requests in the network are sent back to their original devices.

My main underlying concern is the possibility of network interference or unauthorized devices taking advantage of the network or a combination of both. I apologize if my response is too wordy and I appreciate your help.

(23 Jan '17, 22:28) Nilstor

DHCP allows you to 'lease' an IP address. For the duration of the lease you may use it; afterwards you have to release it. Usually you try to renew the lease before it expires, but as in your case this sometimes fails. Once expired, all you can do is use 0.0.0.0 as your IP address in ARP. Your MAC address is still valid though, so you still receive ARP replies. In short, nothing to worry about, other than a failing DHCP service.

(24 Jan '17, 05:51) Jaap ♦

Yes, it most likely indicates a device failed to lease an address from a DHCP server and self-assigned an address in the APIPA designated range of addresses.

As for the ARP requests for "169.254.x.x tell 0.0.0.0", it is most likely the host attempting IP duplication detection to verify the address it wants to use is not already in use within the broadcast domain by another host before it binds its adapter to the address.

(24 Jan '17, 16:36) Rooster_50
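The two things the answer and the last comment describe (a self-assigned 169.254.0.0/16 address, and an ARP probe whose sender IP is 0.0.0.0 used for duplicate-address detection) are easy to pick out mechanically from a capture. The following is an added example, not code from the thread or from Wireshark: it classifies a list of constructed ARP frames with those two rules, plus the ordinary request/reply/announcement cases, and also reports any IP that more than one MAC claimed in replies, which is the kind of thing the original poster was worried about (a duplicate or spoofed address). The `ArpFrame` fields, the sample MAC and IP values, and the label names are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Link-local range a host self-assigns when DHCP gets no answer (APIPA, RFC 3927).
APIPA = ipaddress.ip_network("169.254.0.0/16")
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")


@dataclass(frozen=True)
class ArpFrame:
    """Minimal view of an ARP frame (field names are this example's own)."""
    opcode: int        # 1 = request, 2 = reply
    sender_mac: str    # SHA
    sender_ip: str     # SPA
    target_mac: str    # THA
    target_ip: str     # TPA


def classify(frame):
    """Return labels describing what this ARP frame most likely is."""
    spa = ipaddress.ip_address(frame.sender_ip)
    tpa = ipaddress.ip_address(frame.target_ip)
    labels = []
    if frame.opcode == 1:
        if spa == UNSPECIFIED:
            # RFC 5227 ARP probe: "Who has X? Tell 0.0.0.0". The host is checking
            # that X is free before binding it; the 0.0.0.0 sender is deliberate.
            labels.append("arp-probe")
        elif spa == tpa:
            # ARP announcement (gratuitous ARP): the host declares it now owns spa.
            labels.append("arp-announcement")
        else:
            labels.append("arp-request")
    elif frame.opcode == 2:
        labels.append("arp-reply")
    if tpa in APIPA or spa in APIPA:
        labels.append("apipa-address")  # self-assigned; DHCP probably failed
    return labels


def find_conflicts(frames):
    """Map each IP to the set of MACs that claimed it (replies and announcements).

    An IP claimed by more than one MAC deserves a closer look: either a
    misconfigured duplicate address or an ARP spoofing attempt.
    """
    claims = defaultdict(set)
    for f in frames:
        if ipaddress.ip_address(f.sender_ip) == UNSPECIFIED:
            continue  # probes claim nothing
        if f.opcode == 2 or (f.opcode == 1 and f.sender_ip == f.target_ip):
            claims[f.sender_ip].add(f.sender_mac.lower())
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


# Constructed sample frames (not the poster's capture); MACs and IPs are made up.
SAMPLE = [
    # probe for a link-local address, then the announcement once it is claimed
    ArpFrame(1, "aa:bb:cc:00:00:01", "0.0.0.0", "00:00:00:00:00:00", "169.254.92.168"),
    ArpFrame(1, "aa:bb:cc:00:00:01", "169.254.92.168", "00:00:00:00:00:00", "169.254.92.168"),
    # ordinary request for the gateway, answered by two different MACs
    ArpFrame(1, "aa:bb:cc:00:00:02", "192.168.1.20", "00:00:00:00:00:00", "192.168.1.1"),
    ArpFrame(2, "aa:bb:cc:00:00:03", "192.168.1.1", "aa:bb:cc:00:00:02", "192.168.1.20"),
    ArpFrame(2, "aa:bb:cc:00:00:04", "192.168.1.1", "aa:bb:cc:00:00:02", "192.168.1.20"),
]


def summarize(frames=SAMPLE):
    """Count labels across all frames and list IPs claimed by more than one MAC."""
    counts = defaultdict(int)
    for f in frames:
        for label in classify(f):
            counts[label] += 1
    return dict(counts), find_conflicts(frames)


if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.sender_ip:>16} -> {f.target_ip:<16} {classify(f)}")
    counts, conflicts = summarize()
    print(counts)
    print("IPs claimed by more than one MAC:", conflicts)
```

On the sample data the first frame is labelled as an ARP probe for an APIPA address (exactly the "Who has 169.254.92.168? Tell 0.0.0.0" line from the question), and 192.168.1.1 is reported as claimed by two MACs. Running the same logic over a real export (for example the ARP fields from `tshark -T fields`) turns the poster's manual inspection into a repeatable check.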