Unknown device showing with Wireshark

As the title says, I have no idea what this device/IP actually is, but it was captured after running Wireshark for several hours. I'm new to Wireshark; everything else looks fairly normal, but this stands out. 10.0.0.1 is the modem/router. 10.0.0.31 is a tablet that I own on the network.

Does it look malicious? Here is a copy/paste.

41551   14162.397010    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 69.171.250.20
41580   14163.919912    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 69.171.250.20
41632   14166.416413    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 69.171.250.20
41695   14171.664029    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 69.171.250.20
41717   14181.903199    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 69.171.250.20
47162   15347.877721    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 142.250.31.188
47178   15349.946954    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 142.250.31.188
47190   15352.506272    CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 142.250.31.188
5103    1344.160169 CIMSYS_ab:cd:ee Broadcast   ARP 60  Who has 10.0.0.31? Tell 10.0.0.1 (duplicate use of 10.0.0.1 detected!)

Then if I expand the last line:

Frame 5103: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface \Device\NPF_{75115498-92DE-4CC3-B442-F62FE8369339}, id 0
Ethernet II, Src: CIMSYS_ab:cd:ee (00:11:22:ab:cd:ee), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
[Duplicate IP address detected for 10.0.0.1 (00:11:22:ab:cd:ee) - also in use by 10:33:bf:a9:83:be (frame 5100)]
    [Frame showing earlier use of IP address: 5100]
        [Expert Info (Warning/Sequence): Duplicate IP address configured (10.0.0.1)]
            [Duplicate IP address configured (10.0.0.1)]
            [Severity level: Warning]
            [Group: Sequence]
    [Seconds since earlier frame seen: 0]

This associated address (69.171.250.20) seems to be throwing traffic for some reason; here's what it's doing:

44446   10111.039630    10.0.0.220  69.171.250.20   LLMNR   86  Standard query 0x5e80 PTR 20.250.171.69.in-addr.arpa
44448   10111.040569    10.0.0.220  69.171.250.20   TCP 66  59516 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44456   10111.589353    10.0.0.220  69.171.250.20   TCP 66  [TCP Retransmission] 59516 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44458   10111.974024    10.0.0.220  69.171.250.20   SSDP    166 M-SEARCH * HTTP/1.1
44459   10111.974141    10.0.0.220  69.171.250.20   NBNS    92  Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
44460   10111.974311    10.0.0.220  69.171.250.20   UDP 666 61399 → 3702 Len=624
44461   10111.974365    10.0.0.220  69.171.250.20   SSDP    158 M-SEARCH * HTTP/1.1
44462   10111.974645    10.0.0.220  69.171.250.20   MDNS    88  Standard query 0x6d62 PTR _services._dns-sd._udp.local, "QM" question
44468   10112.133824    10.0.0.220  69.171.250.20   TCP 66  [TCP Retransmission] 59516 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44475   10112.677324    10.0.0.220  69.171.250.20   TCP 66  [TCP Retransmission] 59516 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44479   10113.220783    10.0.0.220  69.171.250.20   TCP 66  [TCP Retransmission] 59516 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44480   10113.253152    10.0.0.220  69.171.250.20   UDP 666 61399 → 3702 Len=624
44481   10113.253891    10.0.0.220  69.171.250.20   TCP 66  59518 → 62078 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44482   10113.254464    10.0.0.220  69.171.250.20   TCP 66  59519 → 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44484   10113.268867    10.0.0.220  69.171.250.20   NBNS    92  Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
44485   10113.331902    10.0.0.220  69.171.250.20   SSDP    158 M-SEARCH * HTTP/1.1
44486   10113.331931    10.0.0.220  69.171.250.20   SSDP    166 M-SEARCH * HTTP/1.1
44489   10114.259710    10.0.0.220  69.171.250.20   TCP 66  [TCP Retransmission] 59518 → 62078 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44490   10114.259751    10.0.0.220  69.171.250.20   TCP 66  [TCP Retransmission] 59519 → 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44496   10116.273512    10.0.0.220  69.171.250.20   TCP 66  [TCP Retransmission] 59518 → 62078 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44497   10116.273523    10.0.0.220  69.171.250.20   TCP 66  [TCP Retransmission] 59519 → 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
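The two packet lists in the question, run through a small checker. This is an added example, not part of the original question or of Wireshark: it re-derives Wireshark's "Duplicate IP address detected" warning from the ARP sender fields (first MAC to claim an IP wins; a later different MAC is flagged), lists which sender IPs each MAC has claimed, flags ARP senders that lie outside the LAN subnet, and summarises the burst from 10.0.0.220 to 69.171.250.20 by protocol and destination port. Assumptions not stated in the post: the LAN is 10.0.0.0/24; the Source column is shown as raw MACs (resolution off) rather than the CIMSYS_ vendor name; frame 5100 is constructed from the expert-info text "also in use by 10:33:bf:a9:83:be (frame 5100)", since the post does not show that frame.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Wireshark packet-list rows: No., Time, Source, Destination, Protocol, Length, Info.
# Copied from the capture in the question with MAC-name resolution off.
# Frame 5100 is CONSTRUCTED from the expert info ("also in use by 10:33:bf:a9:83:be
# (frame 5100)", "Seconds since earlier frame seen: 0"); it is not shown in the post.
PACKET_LIST = """
5100   1344.160100  10:33:bf:a9:83:be  Broadcast  ARP  60  Who has 10.0.0.31? Tell 10.0.0.1
5103   1344.160169  00:11:22:ab:cd:ee  Broadcast  ARP  60  Who has 10.0.0.31? Tell 10.0.0.1 (duplicate use of 10.0.0.1 detected!)
41551  14162.397010 00:11:22:ab:cd:ee  Broadcast  ARP  60  Who has 10.0.0.31? Tell 69.171.250.20
47162  15347.877721 00:11:22:ab:cd:ee  Broadcast  ARP  60  Who has 10.0.0.31? Tell 142.250.31.188
44446  10111.039630 10.0.0.220  69.171.250.20  LLMNR  86   Standard query 0x5e80 PTR 20.250.171.69.in-addr.arpa
44448  10111.040569 10.0.0.220  69.171.250.20  TCP    66   59516 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44458  10111.974024 10.0.0.220  69.171.250.20  SSDP   166  M-SEARCH * HTTP/1.1
44459  10111.974141 10.0.0.220  69.171.250.20  NBNS   92   Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
44460  10111.974311 10.0.0.220  69.171.250.20  UDP    666  61399 → 3702 Len=624
44462  10111.974645 10.0.0.220  69.171.250.20  MDNS   88   Standard query 0x6d62 PTR _services._dns-sd._udp.local, "QM" question
44481  10113.253891 10.0.0.220  69.171.250.20  TCP    66   59518 → 62078 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
44482  10113.254464 10.0.0.220  69.171.250.20  TCP    66   59519 → 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
"""

ARP_RE = re.compile(r"Who has (?P<target>\S+)\? Tell (?P<sender>\S+)")
PORT_RE = re.compile(r"(\d+) (?:→|->) (\d+)")   # "59516 → 80", also accepts "->"


def parse_packet_list(text):
    """Split Wireshark's default packet-list columns; Info keeps its internal spaces."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        no, t, src, dst, proto, length, info = parts
        rows.append({"no": int(no), "time": float(t), "src": src, "dst": dst,
                     "proto": proto, "len": int(length), "info": info})
    # The post lists frames out of order; evaluate them in capture order.
    return sorted(rows, key=lambda r: r["no"])


def analyse_arp(rows, lan=ip_network("10.0.0.0/24")):
    """Re-derive Wireshark's duplicate-IP check from ARP sender fields and also
    flag sender IPs that are not on the LAN subnet (assumed 10.0.0.0/24)."""
    first_claim = {}                 # sender IP -> (MAC, frame) that first claimed it
    ips_by_mac = defaultdict(set)    # MAC -> every sender IP it has put in an ARP
    findings = []
    for r in rows:
        if r["proto"] != "ARP":
            continue
        m = ARP_RE.search(r["info"])
        if not m:
            continue
        mac, sender_ip = r["src"].lower(), m["sender"]
        ips_by_mac[mac].add(sender_ip)
        if ip_address(sender_ip) not in lan:
            findings.append((r["no"], "off-subnet-sender", mac, sender_ip))
        prev_mac, prev_no = first_claim.setdefault(sender_ip, (mac, r["no"]))
        if prev_mac != mac:
            findings.append((r["no"], "duplicate-ip", mac,
                             f"{sender_ip} also used by {prev_mac} (frame {prev_no})"))
    return findings, dict(ips_by_mac)


def probe_summary(rows, src, dst):
    """What one host sent to one target: which services it tried, and how quickly."""
    sel = [r for r in rows if r["src"] == src and r["dst"] == dst]
    services = set()
    for r in sel:
        m = PORT_RE.search(r["info"]) if r["proto"] in ("TCP", "UDP") else None
        services.add(f"{r['proto']}/{m.group(2)}" if m else r["proto"])
    span = sel[-1]["time"] - sel[0]["time"] if sel else 0.0
    return {"frames": len(sel), "seconds": round(span, 6), "services": sorted(services)}


if __name__ == "__main__":
    rows = parse_packet_list(PACKET_LIST)
    findings, by_mac = analyse_arp(rows)
    for f in findings:
        print(*f)
    for mac, ips in by_mac.items():
        print(mac, "claimed", sorted(ips))
    print(probe_summary(rows, "10.0.0.220", "69.171.250.20"))
```

On the rows above the checker reports one duplicate-ip finding for frame 5103 (10.0.0.1 first seen from 10:33:bf:a9:83:be in frame 5100) and two off-subnet-sender findings (69.171.250.20 and 142.250.31.188), all from 00:11:22:ab:cd:ee, and the summary for 10.0.0.220 lists LLMNR, mDNS, NBNS, SSDP, UDP/3702 (WS-Discovery) and TCP SYNs to 80, 445 (SMB) and 62078 within about 2.2 seconds. The script only makes those patterns countable; deciding what the CIMSYS device is still means finding the port or wireless client behind 00:11:22:ab:cd:ee on the router.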