njem
Some strange behavior on the network at a non-profit so at a
suggestion I installed Wireshark to capture packets and I get strange
looking behavior. As a comparison I tried it on a couple of other
offices and don't get the same at all. Does this make sense to anyone
or can you point me to some hack-savvy forum where they might?
Below is about 30 lines of capture. On this Sat AM I have only the
server, a workstation, the router and the switch on. The other
stations have been off since the previous evening so all has had time
to get settled. The server, workstation, and router all keep sending
packets asking who has IP address x, and sending "name query" packets.
Then the switch keeps sending "Spanning tree" packets. I'm sure some
of this is normal on startup or periodic refresh but in this case it's
pretty much all the traffic over the course of this 14 second
snapshot.
Thanks,
Tom
No. Time Source Destination Protocol Info
1 0.000000 Netgear_8c:1c:ea Broadcast ARP Who has 192.168.0.63? Tell 192.168.0.1
2 0.016536 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
3 0.413167 IntelCor_07:f5:7d Broadcast ARP Who has 192.168.0.222? Tell 192.168.0.52
4 0.415835 IntelCor_07:f5:7d Broadcast ARP Who has 192.168.0.223? Tell 192.168.0.52
5 0.536137 Intel_e9:10:22 Broadcast ARP Who has 192.168.0.223? Tell 192.168.0.100
6 2.063407 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
7 4.015436 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
8 4.066504 192.168.0.1 192.168.0.100 NBNS Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
9 4.066561 192.168.0.100 192.168.0.1 NBNS Name query response NBSTAT
10 6.015371 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
11 7.396657 IntelCor_07:f5:7d Broadcast ARP Who has 192.168.0.223? Tell 192.168.0.52
12 7.418780 192.168.0.52 192.168.0.255 NBNS Name query NB BOOKKEEPING<20>
13 7.420473 Netgear_8c:1c:ea Broadcast ARP Who has 192.168.0.63? Tell 192.168.0.1
14 7.455501 192.168.0.52 192.168.0.255 NBNS Name query NB BOOKKEEPING<00>
15 8.015308 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
16 8.162190 192.168.0.52 192.168.0.255 NBNS Name query NB BOOKKEEPING<20>
17 8.193556 192.168.0.52 192.168.0.255 NBNS Name query NB BOOKKEEPING<00>
18 8.419973 Netgear_8c:1c:ea Broadcast ARP Who has 192.168.0.63? Tell 192.168.0.1
19 8.912166 192.168.0.52 192.168.0.255 NBNS Name query NB BOOKKEEPING<20>
20 8.943526 192.168.0.52 192.168.0.255 NBNS Name query NB BOOKKEEPING<00>
21 9.420014 Netgear_8c:1c:ea Broadcast ARP Who has 192.168.0.63? Tell 192.168.0.1
22 9.693746 192.168.0.52 192.168.0.255 NBNS Name query NB BOOKKEEPING<00>
23 10.015487 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
24 10.129539 192.168.0.1 192.168.0.100 NBNS Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
25 10.129594 192.168.0.100 192.168.0.1 NBNS Name query response NBSTAT
26 10.443487 192.168.0.52 192.168.0.255 NBNS Name query NB BOOKKEEPING<00>
27 10.444938 Netgear_8c:1c:ea Broadcast ARP Who has 192.168.0.63? Tell 192.168.0.1
28 11.193463 192.168.0.52 192.168.0.255 NBNS Name query NB BOOKKEEPING<00>
29 11.445171 Netgear_8c:1c:ea Broadcast ARP Who has 192.168.0.63? Tell 192.168.0.1
30 12.015422 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
31 12.445126 Netgear_8c:1c:ea Broadcast ARP Who has 192.168.0.63? Tell 192.168.0.1
32 13.396457 IntelCor_07:f5:7d Broadcast ARP Who has 192.168.0.223? Tell 192.168.0.52
33 14.015358 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
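
A way to triage a summary export like the one in the post above, added here as an example and not part of the original post: it tallies packets per protocol, lists ARP targets that are asked for but never answer with an "is at" reply, and measures the spacing of the STP frames. The function names are hypothetical, and the input is the first ten usable lines of the capture rejoined to one packet per line.

```python
import re
from collections import Counter

# Excerpt of the capture in the post, one packet per line: No. Time Source Destination Protocol Info
CAPTURE = """\
1 0.000000 Netgear_8c:1c:ea Broadcast ARP Who has 192.168.0.63? Tell 192.168.0.1
2 0.016536 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
3 0.413167 IntelCor_07:f5:7d Broadcast ARP Who has 192.168.0.222? Tell 192.168.0.52
4 0.415835 IntelCor_07:f5:7d Broadcast ARP Who has 192.168.0.223? Tell 192.168.0.52
5 0.536137 Intel_e9:10:22 Broadcast ARP Who has 192.168.0.223? Tell 192.168.0.100
6 2.063407 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
7 4.015436 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
11 7.396657 IntelCor_07:f5:7d Broadcast ARP Who has 192.168.0.223? Tell 192.168.0.52
12 7.418780 192.168.0.52 192.168.0.255 NBNS Name query NB BOOKKEEPING<20>
13 7.420473 Netgear_8c:1c:ea Broadcast ARP Who has 192.168.0.63? Tell 192.168.0.1
"""
ARP_REQ = re.compile(r"Who has (\S+)\? Tell (\S+)")
ARP_REP = re.compile(r"^(\S+) is at ")  # Wireshark's summary text for an ARP reply

def parse(text):
    """Split each summary line into its six Wireshark columns."""
    rows = []
    for line in text.strip().splitlines():
        no, time, src, dst, proto, info = line.split(None, 5)
        rows.append({"no": int(no), "time": float(time), "src": src,
                     "dst": dst, "proto": proto, "info": info})
    return rows

def protocol_counts(rows):
    return Counter(r["proto"] for r in rows)

def unanswered_arp(rows):
    """Requests per target IP for targets that never send an 'is at' reply."""
    asked, answered = Counter(), set()
    for r in (r for r in rows if r["proto"] == "ARP"):
        if m := ARP_REQ.search(r["info"]):
            asked[m.group(1)] += 1
        elif m := ARP_REP.match(r["info"]):
            answered.add(m.group(1))
    return {ip: n for ip, n in asked.items() if ip not in answered}

def stp_gaps(rows):
    """Seconds between consecutive STP frames (the default hello timer is 2 s)."""
    t = [r["time"] for r in rows if r["proto"] == "STP"]
    return [round(b - a, 3) for a, b in zip(t, t[1:])]

if __name__ == "__main__":
    rows = parse(CAPTURE)
    print(protocol_counts(rows), unanswered_arp(rows), stp_gaps(rows))
```

STP frames spaced about two seconds apart match the protocol's default hello timer, so the entries to follow up are the ARP targets that are requested repeatedly and never reply.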