Unknown device showing with Wireshark

asked 2020-10-10 12:49:04 +0000

LazerKong01 gravatar image

updated 2020-10-10 18:03:35 +0000

As the title says, I have no idea what this device/ip actually is but it was captured after running Wireshark for several hours. I'm new to Wireshark, everything else looks fairly normal but this stands out. 10.0.0.1 is the modem/router. 10.0.0.31 is a Tablet that I own on the network.

Does it look malicious? Here is a copy/paste.

41551   14162.397010    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 69.171.250.20
41580   14163.919912    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 69.171.250.20
41632   14166.416413    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 69.171.250.20
41695   14171.664029    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 69.171.250.20
41717   14181.903199    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 69.171.250.20
47162   15347.877721    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 142.250.31.188
47178   15349.946954    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 142.250.31.188
47190   15352.506272    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 142.250.31.188
5103    1344.160169 CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 10.0.0.1 (duplicate use of 10.0.0.1 detected!)

Then if I expand the last line:

Frame 5103: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface \Device\NPF_{75115498-92DE-4CC3-B442-F62FE8369339}, id 0
Ethernet II, Src: CIMSYS_ab:cd:ee (00:11:22:ab:cd:ee), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
[Duplicate IP address detected for 10.0.0.1 (00:11:22:ab:cd:ee) - also in use by 10:33:bf:a9:83:be (frame 5100)]
    [Frame showing earlier use of IP address: 5100]
        [Expert Info (Warning/Sequence): Duplicate IP address configured (10.0.0.1)]
            [Duplicate IP address configured (10.0.0.1)]
            [Severity level: Warning]
            [Group: Sequence]
    [Seconds since earlier frame seen: 0]

This associated address (69.171.250.20) seems to be throwing traffic for some reason, here's what it's doing:

44446 10111.039630 10.0.0.220 69.171.250.20 LLMNR 86 Standard query 0x5e80 PTR 20.250.171.69.in-addr.arpa

44448 10111.040569 10.0.0.220 69.171.250.20 TCP 66 59516 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1

44456 10111.589353 10.0.0.220 69.171.250.20 TCP 66 [TCP Retransmission] 59516 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1

44458 10111.974024 10.0.0.220 69.171.250.20 SSDP 166 M-SEARCH * HTTP/1.1

44459 10111.974141 10.0.0.220 69 ... (more)

edit retag flag offensive close merge delete

Comments

Do you have login access to the router?
Does it support proxy ARP?

Or in this example it was a VPN client misbehaving.

In your capture, the CIMSYS device type is a bit of a red herring.
The OUI Lookup Tool maps CIMSYS to 00:11:22 which is also in the packet details for the last line. 00:11:22:ab:cd:ee
Disabe name resolution for the MAC address (View -> Name Resolution -> Resolve Physical Addresses) and look at the packet list again.

Chuckc gravatar imageChuckc ( 2020-10-10 13:23:22 +0000 )edit

Cable modem?

Jaap gravatar imageJaap ( 2020-10-10 14:21:06 +0000 )edit

It is a cable modem yes. I disabled the name resolution but it doesn't show anything different? It just shows now as "41551 14162.397010 00:11:22:ab:cd:ee ff:ff:ff:ff:ff:ff ARP 60 Who has 10.0.0.31? Tell 69.171.250.20"

LazerKong01 gravatar imageLazerKong01 ( 2020-10-10 16:40:18 +0000 )edit

so anyone have any ideas if this looks malicious or not?

LazerKong01 gravatar imageLazerKong01 ( 2020-10-11 03:38:08 +0000 )edit

It's easier to dig into if you can provide a capture of the trafffic.

Chuckc gravatar imageChuckc ( 2020-10-11 05:18:41 +0000 )edit