Unknown device showing with Wireshark

As the title says, I have no idea what this device/ip actually is but it was captured after running Wireshark for several hours. I'm new to Wireshark, everything else looks fairly normal but this stands out. 10.0.0.1 is the modem/router. 10.0.0.31 is a Tablet that I own on the network.

Does it look malicious? Here is a copy/paste.

41551   14162.397010    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 69.171.250.20
41580   14163.919912    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 69.171.250.20
41632   14166.416413    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 69.171.250.20
41695   14171.664029    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 69.171.250.20
41717   14181.903199    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 69.171.250.20
47162   15347.877721    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 142.250.31.188
47178   15349.946954    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 142.250.31.188
47190   15352.506272    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 142.250.31.188
5103    1344.160169 CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 10.0.0.1 (duplicate use of 10.0.0.1 detected!)

Then if I expand the last line:

Frame 5103: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface \Device\NPF_{75115498-92DE-4CC3-B442-F62FE8369339}, id 0
Ethernet II, Src: CIMSYS_ab:cd:ee (00:11:22:ab:cd:ee), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
[Duplicate IP address detected for 10.0.0.1 (00:11:22:ab:cd:ee) - also in use by 10:33:bf:a9:83:be (frame 5100)]
    [Frame showing earlier use of IP address: 5100]
        [Expert Info (Warning/Sequence): Duplicate IP address configured (10.0.0.1)]
            [Duplicate IP address configured (10.0.0.1)]
            [Severity level: Warning]
            [Group: Sequence]
    [Seconds since earlier frame seen: 0]

This associated address (69.171.250.20) seems to be throwing traffic for some reason, here's what it's doing:

44446 10111.039630 10.0.0.220 69.171.250.20 LLMNR 86 Standard query 0x5e80 PTR 20.250.171.69.in-addr.arpa
44448 10111.040569 10.0.0.220 69.171.250.20 TCP 66 59516 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44456 10111.589353 10.0.0.220 69.171.250.20 TCP 66 [TCP Retransmission] 59516 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44458 10111.974024 10.0.0.220 69.171.250.20 SSDP 166 M-SEARCH * HTTP/1.1
44459 10111.974141 10.0.0.220 69 ... (more)

LazerKong01, asked 2020-10-10 12:49:04 +0000, updated 2020-10-10 18:03:35 +0000

Comments

Do you have login access to the router?
Does it support proxy ARP?

Or in this example it was a VPN client misbehaving.

In your capture, the CIMSYS device type is a bit of a red herring.
The OUI Lookup Tool maps CIMSYS to 00:11:22 which is also in the packet details for the last line. 00:11:22:ab:cd:ee
Disable name resolution for the MAC address (View -> Name Resolution -> Resolve Physical Addresses) and look at the packet list again.

Chuckc (2020-10-10 13:23:22 +0000)

Cable modem?

Jaap (2020-10-10 14:21:06 +0000)

It is a cable modem yes. I disabled the name resolution but it doesn't show anything different? It just shows now as "41551 14162.397010 00:11:22:ab:cd:ee ff:ff:ff:ff:ff:ff ARP 60 Who has 10.0.0.31? Tell 69.171.250.20"

LazerKong01 (2020-10-10 16:40:18 +0000)

so anyone have any ideas if this looks malicious or not?

LazerKong01 (2020-10-11 03:38:08 +0000)

It's easier to dig into if you can provide a capture of the traffic.

Chuckc (2020-10-11 05:18:41 +0000)

1 Answer

DEFINITELY MALICIOUS! It's a symptom of man-in-the-middle attacks. Take a look at the MAC-IP assignments on the network by monitoring with something like arpwatch; I'm pretty sure you'll detect duplicate MACs. There's no reason to make an ARP query from a fake device and specify a return path different from the source, or even worse, a return path outside the network! :O I found the same issue on one of my managed networks...

selt, answered 2021-11-07 18:36:39 +0000
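The two things worth checking in the posted packet list are the ones the question and the answer each point at: ARP requests whose "Tell" (sender) address lies outside the LAN prefix, and one IP address being claimed by more than one MAC, which is what Wireshark's "Duplicate IP address detected" warning and arpwatch both report. The script below is an added example, not code from the original thread or from Wireshark or arpwatch. It assumes the LAN is 10.0.0.0/24 and parses Wireshark packet-list lines as they appear with physical-address name resolution turned off. The sample lines are constructed from the ones in the post; frame 5100 is not shown in the post, only referenced by Wireshark's warning, so its contents here are a reconstruction. Whether an off-subnet sender is proxy ARP from the cable modem or a spoofed request cannot be decided from the packet list alone, so the script only flags frames for manual review.

```python
"""
Flag suspicious ARP requests from a Wireshark-style packet list.

Check 1: the ARP sender IP ("Tell X") is not inside the local subnet.
Check 2: the same IP is claimed as sender by more than one MAC
         (the condition Wireshark and arpwatch warn about).
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: the LAN in the post is 10.0.0.0/24.
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")

# Constructed sample in the shape of Wireshark's packet list with
# "Resolve Physical Addresses" turned off. Frame 5100 is reconstructed
# from the duplicate-IP warning; the post does not show it directly.
SAMPLE = """\
41551 14162.397010 00:11:22:ab:cd:ee ff:ff:ff:ff:ff:ff ARP 60 Who has 10.0.0.31? Tell 69.171.250.20
47162 15347.877721 00:11:22:ab:cd:ee ff:ff:ff:ff:ff:ff ARP 60 Who has 10.0.0.31? Tell 142.250.31.188
5100 1344.160100 10:33:bf:a9:83:be ff:ff:ff:ff:ff:ff ARP 60 Who has 10.0.0.31? Tell 10.0.0.1
5103 1344.160169 00:11:22:ab:cd:ee ff:ff:ff:ff:ff:ff ARP 60 Who has 10.0.0.31? Tell 10.0.0.1 (duplicate use of 10.0.0.1 detected!)
9000 2000.000000 10:33:bf:a9:83:be ff:ff:ff:ff:ff:ff ARP 60 Who has 10.0.0.31? Tell 10.0.0.1
"""

# No., Time, Source MAC, Destination, Protocol, Length, Info
ARP_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>[0-9a-f:]{17})\s+\S+\s+ARP\s+\d+\s+"
    r"Who has (?P<target>[\d.]+)\?\s+Tell (?P<sender>[\d.]+)",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return one dict per ARP request line; non-ARP lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "no": int(m["no"]),
            "src_mac": m["src"].lower(),
            "target": ipaddress.ip_address(m["target"]),
            "sender": ipaddress.ip_address(m["sender"]),
        })
    return rows


def off_subnet_senders(rows, local_net=LOCAL_NET):
    """Check 1: (frame number, sender IP) for requests whose sender is outside the LAN."""
    return [(r["no"], str(r["sender"])) for r in rows if r["sender"] not in local_net]


def duplicate_ip_claims(rows):
    """Check 2: sender IPs claimed by more than one MAC.

    Returns {ip: {mac: first frame number that used the pair}}, the same
    IP-to-MAC history arpwatch keeps to report address changes.
    """
    seen = defaultdict(dict)
    for r in rows:
        seen[str(r["sender"])].setdefault(r["src_mac"], r["no"])
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    rows = parse_arp(SAMPLE)
    for no, ip in off_subnet_senders(rows):
        print(f"frame {no}: ARP sender {ip} is outside {LOCAL_NET}")
    for ip, macs in duplicate_ip_claims(rows).items():
        print(f"{ip} claimed by {len(macs)} MACs: {macs}")
```

Both checks are independent: a sender address outside the subnet is not by itself proof of spoofing, and a duplicate claim for the router's IP can come from a second interface on the same box as easily as from an attacker, so the output is a list of frames to inspect, not a verdict.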

