Wireshark-users: Re: [Wireshark-users] Odd packets

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Thu, 10 Aug 2006 21:19:49 +0200 (CEST)
Hi,

The big question is: what is this "Other host"?????
It seems that packets from that one show up funny, but what you don't tell
is the telnet session from it to the corp network a succes?
Can you come back on that?

Thanx,
Jaap

On Thu, 10 Aug 2006, Ove Fagerheim wrote:

> Sorry 'bout the lack of info, just didn't want to be too lengthy in my first
> posting.
>
> I have two hosts, one with the ethereal, one ip phone and a Cisco plugged
> into an 8 port 3Com hub. The Cisco has a VPN configured, that is the target
> for all traffic. The Cisco then is plunged into an adsl network. The VPN is
> connected to our corporate network.
>
> As you say, the packets from the ethereal host shows up fine. But, if I,
> from the other host, telnet a remote host (on the corporate net), say telnet
> from 172.30.1.25 -> 10.1.1.10, I get these entries in Ethereal:
>
> Source: 127.0.0.1, Dest 10.1.1.10 type: ICMP Echo Request with 10 bytes of
> data.
>
> Source: 127.0.0.1, Dest 172.30.1.25 type: ICMP Echo Request with 10 bytes of
> data.
>
> If I do a telnet from the ethereal host, the packets shows up correctly.
>
> The same goes for all packets from the ip phone. They all shows up as ping
> packets, although the phone does a successfull tftp download at startup.
>
> I can see all broadcasts and non ip protocols normally, seems it's just ip
> that is suffering.
>
>
> Unfortunately I don't have enough practice with ethereal to see clearly
> what's going on here.
>
> Thank's for answering
> Ove
>
> -----Opprinnelig melding-----
> Fra: Joerg Mayer [mailto:jmayer@xxxxxxxxx]
> Sendt: 10. august 2006 13:02
> Til: Community support list for Wireshark
> Emne: Re: [Wireshark-users] Odd packets
>
> On Wed, Aug 09, 2006 at 11:13:40AM +0200, Ove Fagerheim wrote:
> > Looking at the traffic behind a Cisco 1841, I can see the packet from the
> > Wireshark host fine. All other packets appears as icmp echo request
> packets,
> > and a source address  of 127.0.0.1.
>
> I'm not sure I have all the information to understand what a) your setup
> and b) your problem is.
> So there is a network, then there is a Cisco1841 and then there is the
> host that you use to capture. Wireshark only sees the traffic from and
> to that host, and in addition to that, you see ping requests with a
> sender address of 127.0.0.1? If that is the case, than I think that it
> is normal. If you see no other packets at all (no broadcast or multicast
> packets) then I'm wondering what is going on. it's still interesting,
> that you see ping packets with source localhost. It looks like some
> virus infected host is pinging you with a faked sender address.
>
>  ciao
>      Joerg
>
>
> --
> Joerg Mayer                                           <jmayer@xxxxxxxxx>
> We are stuck with technology when what we really want is just stuff that
> works. Some say that should read Microsoft instead of technology.
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
>