Revision history
Unknown device showing with Wireshark
As the title says, I have no idea what this device/IP actually is, but it was captured after running Wireshark for several hours. I'm new to Wireshark; everything else looks fairly normal, but this stands out. 10.0.0.1 is the modem/router. 10.0.0.31 is a tablet that I own on the network.
Does it look malicious? Here is a copy/paste.
41551 14162.397010 CIMSYS_ab:cd:ee Broadcast ARP 60 Who has 10.0.0.31? Tell 69.171.250.20
41580 14163.919912 CIMSYS_ab:cd:ee Broadcast ARP 60 Who has 10.0.0.31? Tell 69.171.250.20
41632 14166.416413 CIMSYS_ab:cd:ee Broadcast ARP 60 Who has 10.0.0.31? Tell 69.171.250.20
41695 14171.664029 CIMSYS_ab:cd:ee Broadcast ARP 60 Who has 10.0.0.31? Tell 69.171.250.20
41717 14181.903199 CIMSYS_ab:cd:ee Broadcast ARP 60 Who has 10.0.0.31? Tell 69.171.250.20
47162 15347.877721 CIMSYS_ab:cd:ee Broadcast ARP 60 Who has 10.0.0.31? Tell 142.250.31.188
47178 15349.946954 CIMSYS_ab:cd:ee Broadcast ARP 60 Who has 10.0.0.31? Tell 142.250.31.188
47190 15352.506272 CIMSYS_ab:cd:ee Broadcast ARP 60 Who has 10.0.0.31? Tell 142.250.31.188
5103 1344.160169 CIMSYS_ab:cd:ee Broadcast ARP 60 Who has 10.0.0.31? Tell 10.0.0.1 (duplicate use of 10.0.0.1 detected!)
Then if I expand the last line:
Frame 5103: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface \Device\NPF_{75115498-92DE-4CC3-B442-F62FE8369339}, id 0
Ethernet II, Src: CIMSYS_ab:cd:ee (00:11:22:ab:cd:ee), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
[Duplicate IP address detected for 10.0.0.1 (00:11:22:ab:cd:ee) - also in use by 10:33:bf:a9:83:be (frame 5100)]
[Frame showing earlier use of IP address: 5100]
[Expert Info (Warning/Sequence): Duplicate IP address configured (10.0.0.1)]
[Duplicate IP address configured (10.0.0.1)]
[Severity level: Warning]
[Group: Sequence]
[Seconds since earlier frame seen: 0]
This associated address (69.171.250.20) seems to be throwing traffic for some reason; here's what it's doing:
44446 10111.039630 10.0.0.220 69.171.250.20 LLMNR 86 Standard query 0x5e80 PTR 20.250.171.69.in-addr.arpa
44448 10111.040569 10.0.0.220 69.171.250.20 TCP 66 59516 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44456 10111.589353 10.0.0.220 69.171.250.20 TCP 66 [TCP Retransmission] 59516 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44458 10111.974024 10.0.0.220 69.171.250.20 SSDP 166 M-SEARCH * HTTP/1.1
44459 10111.974141 10.0.0.220 69.171.250.20 NBNS 92 Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
44460 10111.974311 10.0.0.220 69.171.250.20 UDP 666 61399 → 3702 Len=624
44461 10111.974365 10.0.0.220 69.171.250.20 SSDP 158 M-SEARCH * HTTP/1.1
44462 10111.974645 10.0.0.220 69.171.250.20 MDNS 88 Standard query 0x6d62 PTR _services._dns-sd._udp.local, "QM" question
44468 10112.133824 10.0.0.220 69.171.250.20 TCP 66 [TCP Retransmission] 59516 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44475 10112.677324 10.0.0.220 69.171.250.20 TCP 66 [TCP Retransmission] 59516 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44479 10113.220783 10.0.0.220 69.171.250.20 TCP 66 [TCP Retransmission] 59516 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44480 10113.253152 10.0.0.220 69.171.250.20 UDP 666 61399 → 3702 Len=624
44481 10113.253891 10.0.0.220 69.171.250.20 TCP 66 59518 → 62078 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44482 10113.254464 10.0.0.220 69.171.250.20 TCP 66 59519 → 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44484 10113.268867 10.0.0.220 69.171.250.20 NBNS 92 Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
44485 10113.331902 10.0.0.220 69.171.250.20 SSDP 158 M-SEARCH * HTTP/1.1
44486 10113.331931 10.0.0.220 69.171.250.20 SSDP 166 M-SEARCH * HTTP/1.1
44489 10114.259710 10.0.0.220 69.171.250.20 TCP 66 [TCP Retransmission] 59518 → 62078 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44490 10114.259751 10.0.0.220 69.171.250.20 TCP 66 [TCP Retransmission] 59519 → 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44496 10116.273512 10.0.0.220 69.171.250.20 TCP 66 [TCP Retransmission] 59518 → 62078 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44497 10116.273523 10.0.0.220 69.171.250.20 TCP 66 [TCP Retransmission] 59519 → 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
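An added example, not part of the post or any answer to it: a Python script that runs the checks an analyst would apply to packet-list lines like the ones above. It assumes the LAN prefix is 10.0.0.0/24 (from the router and tablet addresses in the post), embeds the post's own lines as sample input plus one constructed line standing in for frame 5100 (named in the Expert Info but not shown), and flags ARP requests whose sender IP lies outside the LAN, IPs announced by more than one source MAC, and the ports each host is sending SYNs to.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed LAN prefix: the poster's router is 10.0.0.1 and the tablet 10.0.0.31.
LAN = ip_network("10.0.0.0/24")

ARP_RE = re.compile(
    r"^(?P<frame>\d+)\s+\S+\s+(?P<src>\S+)\s+Broadcast\s+ARP\s+\d+\s+"
    r"Who has (?P<target>[\d.]+)\?\s+Tell (?P<sender>[\d.]+)")
SYN_RE = re.compile(
    r"^(?P<frame>\d+)\s+\S+\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+TCP\s+\d+\s+"
    r"(?:\[TCP Retransmission\]\s+)?\d+ → (?P<port>\d+) \[SYN\]")

# Packet-list lines copied from the question, plus one CONSTRUCTED line for
# frame 5100 (the "earlier use" frame the Expert Info names but the post omits).
SAMPLE = """\
5100 1344.160169 10:33:bf:a9:83:be Broadcast ARP 60 Who has 10.0.0.31? Tell 10.0.0.1
5103 1344.160169 CIMSYS_ab:cd:ee Broadcast ARP 60 Who has 10.0.0.31? Tell 10.0.0.1
41551 14162.397010 CIMSYS_ab:cd:ee Broadcast ARP 60 Who has 10.0.0.31? Tell 69.171.250.20
47162 15347.877721 CIMSYS_ab:cd:ee Broadcast ARP 60 Who has 10.0.0.31? Tell 142.250.31.188
44448 10111.040569 10.0.0.220 69.171.250.20 TCP 66 59516 → 80 [SYN] Seq=0 Win=64240 Len=0
44456 10111.589353 10.0.0.220 69.171.250.20 TCP 66 [TCP Retransmission] 59516 → 80 [SYN] Seq=0
44481 10113.253891 10.0.0.220 69.171.250.20 TCP 66 59518 → 62078 [SYN] Seq=0 Win=64240 Len=0
44482 10113.254464 10.0.0.220 69.171.250.20 TCP 66 59519 → 445 [SYN] Seq=0 Win=64240 Len=0
"""

def arp_requests(text):
    """Parse 'Who has X? Tell Y' rows into dicts of frame, src MAC, target, sender."""
    return [m.groupdict() for m in map(ARP_RE.match, text.splitlines()) if m]

def off_subnet_senders(reqs, lan=LAN):
    """ARP sender IPs that do not belong to the LAN: a host on the wire is
    announcing a public address (69.171.250.20 and 142.250.31.188 in the post)."""
    return sorted({r["sender"] for r in reqs if ip_address(r["sender"]) not in lan})

def duplicate_claims(reqs):
    """Sender IPs announced by more than one source MAC, the same condition
    behind Wireshark's 'duplicate use of 10.0.0.1 detected!' warning."""
    seen = {}
    for r in reqs:
        seen.setdefault(r["sender"], set()).add(r["src"])
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

def syn_targets(text):
    """Destination ports each (src, dst) pair sends SYNs to; retransmissions
    collapse onto the same port, so unanswered one-off probes stand out."""
    out = {}
    for m in filter(None, map(SYN_RE.match, text.splitlines())):
        out.setdefault((m["src"], m["dst"]), set()).add(int(m["port"]))
    return {k: sorted(v) for k, v in out.items()}
```

Run against a full export (File > Export Packet Dissections > As Plain Text) rather than the pasted excerpt, and treat any off-subnet sender or duplicate claim as a device to physically identify by its MAC before deciding whether it is hostile or just misconfigured.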