Unable To Capture Ping Of Death Attack Packets

asked 2025-01-11 11:08:51 +0000

My Zyxel 3301 Router is reporting that the Ring Chime Pro v2 on the 5GHz segment of my LAN is sending Ping Of Death packets. These reported attacks occur 6 hours apart and run at 1 second intervals for a total of 22 packets then stop.

Some of the 22 packets in each block are targeted to my router at 192.168.1.1, others are targeted to external IP addresses including 34.240.249.71 and 154.54.39.118.

I have set Wireshark on my Ethernet-connected Mac to record traffic to and from the Chime Pro using the filter {host 192.168.1.57} without the brackets with the object of analysing the packets to see what's going on, but Wireshark only seems to capture ARPs to the router which occur 1 every 30 seconds. It never sees or captures the Pings Of Death the router is reporting.

If I ping the Chime Pro using Terminal on my Mac the pings are correctly returned but again Wireshark does not see them. I've tried adding {&& icmp} to the filter but still nothing.

Clearly I'm doing something wrong but I can't work out what.

This is what the router is reporting....

kernel: PING OF DEATH ATTACK:IN=br0 OUT=ppp1 MAC=50:e0:39:19:cc:10:2a:42:01:03:d3:c0:08:00 SRC=192.168.1.57 DST=154.54.39.118 LEN=4460 TOS=0x00 PREC=0x00 TTL=63 ID=22673 PROTO=ICMP TYPE=8 CODE=0 ID=13759 SEQ=3 MARK=0xb0020000

Can someone help with this please?

Thanks in advance and Best Regards.

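Added example (not part of the original post, and not Zyxel or Wireshark code): a parser for the router log line quoted above. It assumes the line follows the Linux netfilter LOG layout, in which MAC= holds destination MAC, source MAC and EtherType, and the second ID= is the ICMP echo identifier; the function names and the 1500-byte MTU are assumptions of this example.

```python
import re

# Log line copied from the router output quoted in the question.
ROUTER_LOG = (
    "kernel: PING OF DEATH ATTACK:IN=br0 OUT=ppp1 "
    "MAC=50:e0:39:19:cc:10:2a:42:01:03:d3:c0:08:00 SRC=192.168.1.57 "
    "DST=154.54.39.118 LEN=4460 TOS=0x00 PREC=0x00 TTL=63 ID=22673 "
    "PROTO=ICMP TYPE=8 CODE=0 ID=13759 SEQ=3 MARK=0xb0020000"
)
IPV4_MAX_TOTAL_LENGTH = 65535  # largest value the 16-bit IPv4 length field holds
ASSUMED_LINK_MTU = 1500        # assumption: standard Ethernet MTU on the LAN

def parse_router_log(line):
    """Split the KEY=VALUE pairs into a dict. ID occurs twice (IPv4
    identification, then ICMP identifier); the repeat is kept as <PROTO>_ID."""
    fields = {}
    for key, value in re.findall(r"(\w+)=(\S*)", line):
        if key in fields:
            key = f"{fields.get('PROTO', 'L4')}_{key}"
        fields[key] = value
    return fields

def summarise(fields):
    """Derive the values that matter when setting up and reading a capture."""
    octets = fields["MAC"].split(":")
    if len(octets) != 14:
        raise ValueError("expected dst MAC + src MAC + EtherType (14 octets)")
    ip_len = int(fields["LEN"])
    return {
        "dst_mac": ":".join(octets[:6]),    # frame destination as seen on IN=
        "src_mac": ":".join(octets[6:12]),  # device that sent the frame
        "ethertype": "".join(octets[12:]),  # 0800 = IPv4
        "ip_len": ip_len,
        "over_ipv4_max": ip_len > IPV4_MAX_TOTAL_LENGTH,
        # Larger than one frame: expect IP fragments in a capture.
        "exceeds_assumed_mtu": ip_len > ASSUMED_LINK_MTU,
        "is_echo_request": fields.get("PROTO") == "ICMP"
        and fields.get("TYPE") == "8",
    }

def capture_filter(summary):
    """Capture filter keyed on the sender's MAC. 'icmp' tests the IP protocol
    field, so non-first fragments match as well."""
    return f"ether host {summary['src_mac']} and icmp"

if __name__ == "__main__":
    info = summarise(parse_router_log(ROUTER_LOG))
    print(info)
    print(capture_filter(info))
```

The filter only produces packets at a capture point that actually receives the Chime Pro's unicast traffic.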

Comments

See Ethernet capture setup on the Wireshark Wiki.
You will need to set the ethernet port to mirror the packets to your laptop connection.

Chuckc ( 2025-01-11 11:59:46 +0000 )

Hi Chuck, and thanks for the quick response. I looked at the Ethernet capture setup link you posted, but if I'm reading it correctly then it only deals with Ethernet to Ethernet devices. The Mac is on an Ethernet segment but the Chime Pro is on a wireless segment. I am capturing ARPs from the Ring Pro but not Pings.

Do I need to have my Mac on the same wireless network instead of Ethernet?

Griswold ( 2025-01-11 12:30:18 +0000 )

I had a quick scan of some of the Zyxel docs and didn't see where it supports mirroring.
You can try WLAN (IEEE 802.11) capture setup but Monitor Mode capture comes with its own set of headaches.
If this is to be your Cuckoo's Egg you might temporarily connect the Ring device to a router that supports packet capture or add a wireless access point to the Zyxel that supports capture.

Chuckc ( 2025-01-11 12:37:58 +0000 )

Thanks again Chuck. I was just reading the WLAN capture setup when your message came in so I took the Mac off Ethernet and connected it to the 5GHz wireless network and I can now record pings from my Mac to the Chime Pro and the Chime's response. Odd that when the Mac is on an Ethernet segment it can see ARPs but not pings on the WLAN. The next expected 'attack' is about 2:50 UK time so I'll see what I can capture and hopefully work out what's going on.

Griswold ( 2025-01-11 13:01:22 +0000 )

Additional reference for capture: The Network Packet Capture Playbook
ARP is sent to broadcast address so goes out all switch ports on the router.

Chuckc ( 2025-01-11 13:19:42 +0000 )