Wireshark-bugs: [Wireshark-bugs] [Bug 3003] My NIC replicates RTP packets to the network (same p

Date: Wed, 29 Oct 2008 20:18:25 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3003


Jim Young <jyoung@xxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jyoung@xxxxxxx




--- Comment #13 from Jim Young <jyoung@xxxxxxx>  2008-10-29 20:18:23 PDT ---
Regarding this problem, I've taken a look at the trace files you 
included with bug report.

I saw a couple of curious items in the first trace you attached.   

You reported that you have a linksys router at 192.168.14.1.  But if 
you look at the Wireshark's ethernet endpoints report, you actually 
appear to have two (2) devices with Cisco/Linksys mac addresses 
on your LAN segment (one at 192.168.14,1, the other at 
192.168.14.137). You also appear to have two hosts:

Cisco-Li_4b:a4:03       (00:1d:7e:4b:a4:03)     192.168.14.1
Cisco-Li_b6:f7:31       (00:18:39:b6:f7:31)     192.168.14.137
Grandstr_06:8a:80       (00:0b:82:06:8a:80)     192.168.14.109
QuantaCo_0b:10:74 (00:1e:68:0b:10:74)   192.168.14.111

The most curious thing to me is that there are ICMP redirect frames 
generated from your machine (00:1e:68:0b:10:74).  You can easily 
display these frames with the Wireshark display filter:

   icmp.type==5

In some ways it appears that this machine is actively attempting 
to get a copy of each packet sent on the segment.  I'm guessing
you are seeing two copies of each frame because the various 
systems first send the frame directly to your system's specific 
MAC address (in response to the ICMP redirects), then your 
system forwards a copy of the same frame but this time with 
the real destination MAC addresses.

The question is WHY your workstation would be sending these 
ICMP redirects?

If you are interested in knowing more about ICMP redirects you 
can check out the following:

When Are ICMP Redirects Sent?
 
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml 

ICMP Redirect Message
  http://en.wikipedia.org/wiki/ICMP_Redirect_Message 

Explanation of ICMP Redirect Behavior
  http://support.microsoft.com/kb/195686 

Here are some things to look at (in no particular order):

Are you running any type of VPN software on these machines?

Do you have multiple NIC cards installed and enabled in these
machines (i.e. wireless and wired)?  

Have you accidentally enabled bridging or some type of routing 
services on these machines?

Do you have any type of virtual machine software running on
these machines?

Is there any type of common third party application installed
on these machines (besides WinPcap/Wireshark)?

Answering yes to any of these questions may lead you to the 
source.

I hope you find this info useful.

Jim Y.


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.