https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3003
Jim Young <jyoung@xxxxxxx> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jyoung@xxxxxxx
--- Comment #13 from Jim Young <jyoung@xxxxxxx> 2008-10-29 20:18:23 PDT ---
Regarding this problem, I've taken a look at the trace files you
included with bug report.
I saw a couple of curious items in the first trace you attached.
You reported that you have a linksys router at 192.168.14.1. But if
you look at the Wireshark's ethernet endpoints report, you actually
appear to have two (2) devices with Cisco/Linksys mac addresses
on your LAN segment (one at 192.168.14,1, the other at
192.168.14.137). You also appear to have two hosts:
Cisco-Li_4b:a4:03 (00:1d:7e:4b:a4:03) 192.168.14.1
Cisco-Li_b6:f7:31 (00:18:39:b6:f7:31) 192.168.14.137
Grandstr_06:8a:80 (00:0b:82:06:8a:80) 192.168.14.109
QuantaCo_0b:10:74 (00:1e:68:0b:10:74) 192.168.14.111
The most curious thing to me is that there are ICMP redirect frames
generated from your machine (00:1e:68:0b:10:74). You can easily
display these frames with the Wireshark display filter:
icmp.type==5
In some ways it appears that this machine is actively attempting
to get a copy of each packet sent on the segment. I'm guessing
you are seeing two copies of each frame because the various
systems first send the frame directly to your system's specific
MAC address (in response to the ICMP redirects), then your
system forwards a copy of the same frame but this time with
the real destination MAC addresses.
The question is WHY your workstation would be sending these
ICMP redirects?
If you are interested in knowing more about ICMP redirects you
can check out the following:
When Are ICMP Redirects Sent?
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml
ICMP Redirect Message
http://en.wikipedia.org/wiki/ICMP_Redirect_Message
Explanation of ICMP Redirect Behavior
http://support.microsoft.com/kb/195686
Here are some things to look at (in no particular order):
Are you running any type of VPN software on these machines?
Do you have multiple NIC cards installed and enabled in these
machines (i.e. wireless and wired)?
Have you accidentally enabled bridging or some type of routing
services on these machines?
Do you have any type of virtual machine software running on
these machines?
Is there any type of common third party application installed
on these machines (besides WinPcap/Wireshark)?
Answering yes to any of these questions may lead you to the
source.
I hope you find this info useful.
Jim Y.
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.