Ask Your Question
0

HI not sure where to upload this or ask questions about what it is thanks!

asked 2020-01-23 22:27:12 +0000

killerfoxx gravatar image

updated 2020-01-23 23:32:23 +0000

Guy Harris gravatar image

Packets:

Frame 1321: 591 bytes on wire (4728 bits), 591 bytes captured (4728 bits) on interface \Device\NPF_{0B73953C-3C2D-4A0F-92DE-C4FC81698B9A}, id 0
Ethernet II, Src: Cisco-Li_c3:b3:b5 (c8:d7:19:c3:b3:b5), Dst: HitronTe_d0:89:22 (bc:4d:fb:d0:89:22)
Internet Protocol Version 6, Src: 2607:fea8:99a0:1805:6031:4be7:6511:f609 (2607:fea8:99a0:1805:6031:4be7:6511:f609), Dst: e7622.dscg.akamaiedge.net (2600:140a:6000:28e::1dc6)
Transmission Control Protocol, Src Port: 51751 (51751), Dst Port: https (443), Seq: 1, Ack: 1, Len: 517
Transport Layer Security

1313    72.103582   2607:fea8:99a0:1805:6031:4be7:6511:f609 e7622.dscg.akamaiedge.net   TCP 86  51751 → https(443) [SYN] Seq=0 Win=64800 Len=0 MSS=1440 WS=256 SACK_PERM=1
1316    72.117849   e7622.dscg.akamaiedge.net   2607:fea8:99a0:1805:6031:4be7:6511:f609 TCP 86  https(443) → 51750 [SYN, ACK] Seq=0 Ack=1 Win=28800 Len=0 MSS=1440 SACK_PERM=1 WS=128
1318    72.119961   2607:fea8:99a0:1805:6031:4be7:6511:f609 e7622.dscg.akamaiedge.net   TLSv1.3 591 Client Hello
1319    72.123220   e7622.dscg.akamaiedge.net   2607:fea8:99a0:1805:6031:4be7:6511:f609 TCP 86  https(443) → 51751 [SYN, ACK] Seq=0 Ack=1 Win=28800 Len=0 MSS=1440 SACK_PERM=1 WS=128
1320    72.123390   2607:fea8:99a0:1805:6031:4be7:6511:f609 e7622.dscg.akamaiedge.net   TCP 74  51751 → https(443) [ACK] Seq=1 Ack=1 Win=132352 Len=0
1321    72.125417   2607:fea8:99a0:1805:6031:4be7:6511:f609 e7622.dscg.akamaiedge.net   TLSv1.3 591 Client Hello
1538    73.510279   2607:fea8:99a0:1805:6031:4be7:6511:f609 e7622.dscg.akamaiedge.net   TCP 74  51751 → https(443) [RST, ACK] Seq=1218 Ack=13325 Win=0 Len=0
1771    75.751828   2620:1ec:8f8::254   2607:fea8:99a0:1805:6031:4be7:6511:f609 TCP 74  https(443) → 51724 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1790    75.927224   2607:fea8:99a0:1805:6031:4be7:6511:f609 dual-a-0001.a-msedge.net    TLSv1.2 205 Application Data
2187    81.317065   dual-a-0001.a-msedge.net    2607:fea8:99a0:1805:6031:4be7:6511:f609 TCP 74  https(443) → 51709 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
39750   3257.313104 2607:fea8:99a0:1805:6031:4be7:6511:f609 beacons-handoff.gcp.gvt2.com    TCP 74  52359 → https(443) [FIN, ACK] Seq=9184 Ack=213563 Win=131584 Len=0
3   0.817611    fe80::4e0:7c03:ad17:2d09    ff02::16    ICMPv6  90  Multicast Listener Report Message v2
2   0.001120    Android.local   ff02::fb    MDNS    738 Standard query response 0x0000 PTR, cache flush Android.local PTR, cache flush Android.local PTR, cache flush Android.local PTR, cache flush Android.local PTR, cache flush Android.local PTR, cache flush Android.local A, cache flush 192.168.0.12 AAAA, cache flush fd00:bc4d:fbd0:8922:b937:b89a:30fd:b1cf AAAA, cache flush 2607:fea8:99a0:1805:76eb:80ff:fec6:c340 AAAA, cache flush 2607:fea8 ...
(more)
edit retag flag offensive close merge delete

Comments

Hi Guy I dont have Avast on my computer and I dont have a phone or Linkedin account

killerfoxx gravatar imagekillerfoxx ( 2020-01-27 15:36:59 +0000 )edit

2 Answers

Sort by » oldest newest most voted
0

answered 2020-01-24 03:32:59 +0000

Guy Harris gravatar image

Note that there are no "beacons" in the Wi-Fi sense, just packets going to a domain whose name begins with "beacon-handoff".

gvt2.com appears to be something Google-related; there's some code in Google's Chromium that uses it, and a VMware "Network Requirements for Android" pagealso mentions several Google domains, including gvt2.com.

So those TCP connections are probably some flavor of Android phoning home.

The akamaiedge.net traffic is probably talking to Akamai "edge cache" machinesthat store Web pages closer (in network-hop terms) to your machine - i.e., closer to the "edge" of the network - than the server is. I'll bet that the [a-z]-msedge.net is the same, with "Akamai" replaced by "Microsoft" (I'm guessing you're not running Microsoft's Edge browser on your phone, so that's probably not what the "edge" is).

MDNS is "Multicast DNS", which is used to do local host name lookup and service discovery. (Bonjour! :-)) The CACHE-FLUSH message is used when announcing services; as the Wikipedia page in question says, "The CACHE-FLUSH bit is used to instruct neighbor-nodes that the record should overwrite, rather than be appended onto, any existing cached entries...".

avast.com is an antivirus company, so the traffic is probably antivirus-related (checking for, or receiving, new definitions for new viruses?).

linkedin.com is LinkedIn.

The ICMPv6 packets with "Neighbor" in the name are part of the Neighbor Discovery Protocol, doing network configuration.

edit flag offensive delete link more

Comments

Thanks I tried to unplug router and plug back in again and this is what wireshark told me

60231 TLS: Server Hello, Change Cipher Spec, Encrypted Handshake Message
24913 TCP: [TCP Window Update] 53162 → https(443) [ACK] Seq=6008 Ack=2401165 Win=2116608 Len=0
1332 DNS: DNS query retransmission. Original request in frame 1331
1473 TCP: New fragment overlaps old data (retransmission?)
48002 TCP: TCP Zero Window segment
8818 TCP: This frame is a (suspected) out-of-order segment
1342 DNS: DNS response retransmission. Original response in frame 1341
1332 DNS: DNS query retransmission. Original request in frame 1331
4647 TLS: This session reuses previously negotiated keys (Session resumption)
3327 TCP: The acknowledgment number field is nonzero while the ACK flag is not set
138 TCP: Connection finish (FIN)
54 TCP: Connection establish request (SYN): server port 443
3 SSDP: NOTIFY * HTTP/1.1\r\n
ether host 00:00:5e ...
(more)
killerfoxx gravatar imagekillerfoxx ( 2020-01-25 14:54:11 +0000 )edit

It presumably also told you where those packets came from or went to; just saying what the packets are only tells you that 1) something's using TCP, 2) something's using TLS (presumably over TCP), something's doing DNS lookups (which you sort of have to do if you want to access anything on the Internet), something's using ARP (which you have to do in order to use IPv4 on a network), something's using SSDP (I think printers tend do do that), and something's using mDNS (a number of systems, especially Apple systems, tend to do that; it and SSDP are both used to find other devices on the network, among other purposes).

Guy Harris gravatar imageGuy Harris ( 2020-01-25 18:33:09 +0000 )edit

Hey Guy thanks for analyzing watching the video someone else recommended, I dont use Edge at all least fave of all browsers would prefer firefox!lol! Also I dont have a cell phone or printer, and did find polk magnifi mini so strange thank you for all your help!

killerfoxx gravatar imagekillerfoxx ( 2020-01-31 06:50:31 +0000 )edit
0

answered 2020-01-24 01:26:14 +0000

h1ghchilled gravatar image

It shows the communication between your android-device and Rogers Communications Canada Inc. via ipv6-protocol.

edit flag offensive delete link more

Comments

thank you:)

killerfoxx gravatar imagekillerfoxx ( 2020-01-31 06:51:00 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-01-23 22:27:12 +0000

Seen: 1,839 times

Last updated: Jan 25 '20