Wireshark-users: Re: [Wireshark-users] Odd packets
From: Ove Fagerheim <ove.fagerheim@xxxxxxxxxxxxxxxxxx>
Date: Thu, 10 Aug 2006 14:44:55 +0200
Sorry 'bout the lack of info, just didn't want to be too lengthy in my first posting.

I have two hosts, one with the ethereal, one IP phone and a Cisco plugged into an 8 port 3Com hub. The Cisco has a VPN configured, that is the target for all traffic. The Cisco then is plugged into an ADSL network. The VPN is connected to our corporate network.

As you say, the packets from the ethereal host show up fine. But, if I, from the other host, telnet a remote host (on the corporate net), say telnet from 172.30.1.25 -> 10.1.1.10, I get these entries in Ethereal:

Source: 127.0.0.1, Dest 10.1.1.10 type: ICMP Echo Request with 10 bytes of data.
Source: 127.0.0.1, Dest 172.30.1.25 type: ICMP Echo Request with 10 bytes of data.

If I do a telnet from the ethereal host, the packets show up correctly. The same goes for all packets from the IP phone. They all show up as ping packets, although the phone does a successful tftp download at startup.

I can see all broadcasts and non-IP protocols normally, seems it's just IP that is suffering. Unfortunately I don't have enough practice with ethereal to see clearly what's going on here.

Thanks for answering

Ove

-----Original Message-----
From: Joerg Mayer [mailto:jmayer@xxxxxxxxx]
Sent: 10 August 2006 13:02
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Odd packets

On Wed, Aug 09, 2006 at 11:13:40AM +0200, Ove Fagerheim wrote:
> Looking at the traffic behind a Cisco 1841, I can see the packet from the
> Wireshark host fine. All other packets appear as icmp echo request packets,
> and a source address of 127.0.0.1.

I'm not sure I have all the information to understand what a) your setup and b) your problem is. So there is a network, then there is a Cisco1841 and then there is the host that you use to capture. Wireshark only sees the traffic from and to that host, and in addition to that, you see ping requests with a sender address of 127.0.0.1? If that is the case, then I think that it is normal.

If you see no other packets at all (no broadcast or multicast packets) then I'm wondering what is going on. It's still interesting that you see ping packets with source localhost. It looks like some virus-infected host is pinging you with a faked sender address.

ciao
Joerg
--
Joerg Mayer <jmayer@xxxxxxxxx>
We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users