Ask Your Question

Why is there traffic from and to an external IP address in my network?

asked 2019-08-17 20:52:39 +0000

msuter gravatar image

updated 2019-08-17 20:56:41 +0000

Hello all,

Today I wanted to capture some things in my network - but before analizing this capture I immediately saw that there is traffic from and to an external IP address. So neither source IP, nor destination IP is from my network. And non of the IPs is my personal public IP from my ISP.

Here is a picture of my capture:

It's a lot of traffic, in less than 10 minutes there were more than one million frames just from these two unknown IP addresses.

Is someone able to explain this behaviour?

I would appreciate any tipps or explanations.

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted

answered 2019-08-17 21:02:56 +0000

grahamb gravatar image

The traffic is UDP multicast. 239.x.x.x is administratively scoped (local to a subnet) so is an address in your network.

edit flag offensive delete link more


Thanks a lot grahamb, I totally forgot about the multicast range. I really appreciate your quick response.

msuter gravatar imagemsuter ( 2019-08-17 21:05:07 +0000 )edit

The source address is a unicast address. It would still be valid to investigate that host (filter on the mac-address) why it is sending packets from an IP that is not known to you.

Also, since there are so many of these packets, there might be a routing loop. What is the ip.ttl of these packets? Do you see any ICMP TTL exceeded packets too?

(Are you able to share a pcap file on any public filesharing service like DropBox, OneDrive, etc.?)

SYN-bit gravatar imageSYN-bit ( 2019-08-18 09:46:17 +0000 )edit

Thank you SYN-bit for your comment. I investigated further and came to the conclusion that the traffic was oridinary as someone was watching IPTV. Thankfully there was no loop. I really appreciate your time and thanks again.

msuter gravatar imagemsuter ( 2019-08-20 22:06:49 +0000 )edit

answered 2019-08-18 14:14:16 +0000

Chuckc gravatar image

Do you have Swisscom TV?

From the screen shot:

    IP address:
    GeoIP2 City Results

        IP Address  Country Code    Location    Postal Code Approximate Coordinates*    Accuracy Radius (km)    ISP Organization    Domain  Metro Code  CH  Switzerland,    Europe      47.1449,    8.1551  100 Swisscom    Swisscom        

    MAC address:
    1c:b0:44:95:a9:70  (AskeyCom)
    Set top boxes:

    One example of UDP port 10000 on Swisscom network:
"For that I use QoS for the UDP port 10000 because it's the port used by the box for the TV streams."

The packets come in every ~1ms so maybe audio only (radio?) or status/guide information?

edit flag offensive delete link more


Scope 239.x.x.x is like RFC1918 of the multicast world. It may be used by any provider and does not have to be unique. So this traffic may indeed be related to IPTV. Especially with 1368 bytes packets. Unless MTU < 1500 this looks like an arbitrary value. If these packets are for MPEG for instance, you end up with frames < 1500 bytes even with L2-L3-L4 headers. MPEG uses 188 bytes frames so seven MPEG frames (188 bytes x 7) is 1316 bytes packet when you add IPv4 (20 bytes) and UDP (8 bytes) this gives 1344 bytes.

Spooky gravatar imageSpooky ( 2019-08-20 21:10:02 +0000 )edit

Thank you bubbasnmp, you are completely right. After some further investigations, I actually found out that it was a Swisscom TV (IPTV) which caused that. And Spooky is right too, this was oridinary traffic as someone was watching TV. Thank you so much for these very interesting and useful information. I would like to give your answer a thumbs up - but I don't have enough points to do it.

msuter gravatar imagemsuter ( 2019-08-20 22:03:52 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2019-08-17 20:52:39 +0000

Seen: 2,296 times

Last updated: Aug 18 '19