Unknown device showing with Wireshark
As the title says, I have no idea what this device/ip actually is but it was captured after running Wireshark for several hours. I'm new to Wireshark, everything else looks fairly normal but this stands out. 10.0.0.1 is the modem/router. 10.0.0.31 is a Tablet that I own on the network.
Does it look malicious? Here is a copy/paste.
41551 14162.397010 CIMSYS_ab:cd:ee Broadcast ARP 60 Who has 10.0.0.31? Tell 69.171.250.20
41580 14163.919912 CIMSYS_ab:cd:ee Broadcast ARP 60 Who has 10.0.0.31? Tell 69.171.250.20
41632 14166.416413 CIMSYS_ab:cd:ee Broadcast ARP 60 Who has 10.0.0.31? Tell 69.171.250.20
41695 14171.664029 CIMSYS_ab:cd:ee Broadcast ARP 60 Who has 10.0.0.31? Tell 69.171.250.20
41717 14181.903199 CIMSYS_ab:cd:ee Broadcast ARP 60 Who has 10.0.0.31? Tell 69.171.250.20
47162 15347.877721 CIMSYS_ab:cd:ee Broadcast ARP 60 Who has 10.0.0.31? Tell 142.250.31.188
47178 15349.946954 CIMSYS_ab:cd:ee Broadcast ARP 60 Who has 10.0.0.31? Tell 142.250.31.188
47190 15352.506272 CIMSYS_ab:cd:ee Broadcast ARP 60 Who has 10.0.0.31? Tell 142.250.31.188
5103 1344.160169 CIMSYS_ab:cd:ee Broadcast ARP 60 Who has 10.0.0.31? Tell 10.0.0.1 (duplicate use of 10.0.0.1 detected!)
Then if I expand the last line:
Frame 5103: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface \Device\NPF_{75115498-92DE-4CC3-B442-F62FE8369339}, id 0
Ethernet II, Src: CIMSYS_ab:cd:ee (00:11:22:ab:cd:ee), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
[Duplicate IP address detected for 10.0.0.1 (00:11:22:ab:cd:ee) - also in use by 10:33:bf:a9:83:be (frame 5100)]
[Frame showing earlier use of IP address: 5100]
[Expert Info (Warning/Sequence): Duplicate IP address configured (10.0.0.1)]
[Duplicate IP address configured (10.0.0.1)]
[Severity level: Warning]
[Group: Sequence]
[Seconds since earlier frame seen: 0]
This associated address (69.171.250.20) seems to be throwing traffic for some reason, here's what it's doing:
44446 10111.039630 10.0.0.220 69.171.250.20 LLMNR 86 Standard query 0x5e80 PTR 20.250.171.69.in-addr.arpa
44448 10111.040569 10.0.0.220 69.171.250.20 TCP 66 59516 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44456 10111.589353 10.0.0.220 69.171.250.20 TCP 66 [TCP Retransmission] 59516 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44458 10111.974024 10.0.0.220 69.171.250.20 SSDP 166 M-SEARCH * HTTP/1.1
44459 10111.974141 10.0.0.220 69 ...
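As an added example (not code from the question or any of the replies), here is a small Python check that reads packet-list rows like the ones pasted above and flags the two things worth looking at in this capture: ARP requests where a LAN MAC speaks on behalf of a sender IP outside the local subnet, and one IP claimed by more than one MAC, which is what Wireshark's "Duplicate IP address detected" note means. The local prefix 10.0.0.0/24 and the frame-5100 row are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Columns as pasted in the question: No., Time, Source, Destination, Protocol,
# Length, Info. Only ARP "Who has X? Tell Y" requests are of interest here.
ARP_REQ = re.compile(
    r"^(?P<no>\d+)\s+[\d.]+\s+(?P<src>\S+)\s+\S+\s+ARP\s+\d+\s+"
    r"Who has (?P<target>[\d.]+)\?\s+Tell (?P<sender>[\d.]+)"
)

def parse_arp_requests(lines):
    """Parse packet-list lines; rows that are not ARP requests are skipped."""
    return [m.groupdict() for m in map(ARP_REQ.match, (ln.strip() for ln in lines)) if m]

def flag_arp_anomalies(lines, local_net="10.0.0.0/24"):
    """Return (offnet, duplicates).

    offnet: ARP requests whose sender IP lies outside the local subnet, i.e. a
      LAN MAC is speaking for a public address (proxy ARP, a misconfigured
      gateway or a misbehaving VPN client).
    duplicates: sender IPs claimed by more than one MAC, the condition that
      Wireshark reports as 'Duplicate IP address detected'.
    """
    net = ipaddress.ip_network(local_net)
    offnet, claims = [], defaultdict(set)
    for req in parse_arp_requests(lines):
        claims[req["sender"]].add(req["src"].lower())
        if ipaddress.ip_address(req["sender"]) not in net:
            offnet.append((req["no"], req["src"], req["sender"], req["target"]))
    duplicates = {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}
    return offnet, duplicates

# Sample input: the question's rows with name resolution off, plus a
# constructed frame 5100 mirroring Wireshark's note that 10.0.0.1 was also
# used by 10:33:bf:a9:83:be. The TCP row shows that non-ARP rows are ignored.
SAMPLE = """
41551 14162.397010 00:11:22:ab:cd:ee ff:ff:ff:ff:ff:ff ARP 60 Who has 10.0.0.31? Tell 69.171.250.20
47162 15347.877721 00:11:22:ab:cd:ee ff:ff:ff:ff:ff:ff ARP 60 Who has 10.0.0.31? Tell 142.250.31.188
5100 1344.160169 10:33:bf:a9:83:be ff:ff:ff:ff:ff:ff ARP 60 Who has 10.0.0.31? Tell 10.0.0.1
5103 1344.160169 00:11:22:ab:cd:ee ff:ff:ff:ff:ff:ff ARP 60 Who has 10.0.0.31? Tell 10.0.0.1 (duplicate use of 10.0.0.1 detected!)
44448 10111.040569 10.0.0.220 69.171.250.20 TCP 66 59516 -> 80 [SYN] Seq=0 Win=64240 Len=0
""".strip().splitlines()

if __name__ == "__main__":
    offnet, dups = flag_arp_anomalies(SAMPLE)
    for no, mac, sender, target in offnet:
        print(f"frame {no}: {mac} asks for {target} on behalf of off-net {sender}")
    for ip, macs in dups.items():
        print(f"{ip} claimed by more than one MAC: {', '.join(macs)}")
```

On a real capture, export the packet list as plain text (File -> Export Packet Dissections -> As Plain Text) with name resolution off and feed those rows in; the off-net sender rows tell you which MAC to look up on the router.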
Do you have login access to the router?
Does it support proxy ARP?
Or in this example it was a VPN client misbehaving.
In your capture, the CIMSYS device type is a bit of a red herring. The OUI Lookup Tool maps CIMSYS to 00:11:22, which is also in the packet details for the last line: 00:11:22:ab:cd:ee. Disable name resolution for the MAC address (View -> Name Resolution -> Resolve Physical Addresses) and look at the packet list again.
Cable modem?
It is a cable modem yes. I disabled the name resolution but it doesn't show anything different? It just shows now as "41551 14162.397010 00:11:22:ab:cd:ee ff:ff:ff:ff:ff:ff ARP 60 Who has 10.0.0.31? Tell 69.171.250.20"
so anyone have any ideas if this looks malicious or not?
It's easier to dig into if you can provide a capture of the traffic.